Category Archives: IPsec/VPN

Details about IPsec VPNs between different firewalls, etc.

PQC VPN-Tunnel with Palo

IPsec/VPN, Palo Alto Networks, Post-Quantum (PQC), , , , , ,

As the advent of practical quantum computing draws closer, security vendors are increasingly introducing post-quantum cryptographic (PQC) algorithms to protect existing security architectures against future threats. One important use case is site-to-site VPN connectivity, where organisations must address the “harvest now, decrypt later” risk – the possibility that encrypted traffic captured today could be decrypted by quantum computers in the future.

To mitigate this threat, Palo Alto Networks has implemented several approaches for quantum-resistant VPN tunnels, including Post-Quantum Preshared Keys (PPK), Key Encapsulation Mechanisms (KEM), and Quantum Key Distribution (QKD). Each method offers a different balance of security, complexity, and operational requirements.

In this blog post, we will examine these approaches in detail, with a particular focus on KEM-based solutions, which are generally considered the preferred path forward. We will also demonstrate how to configure a site-to-site VPN tunnel that combines traditional Diffie-Hellman (DH) key exchange with post-quantum algorithms such as Kyber (standardised by NIST as ML-KEM), providing both classical and quantum-resistant security.

Continue reading PQC VPN-Tunnel with Palo

Redundant VPN with Failover on a Palo NGFW

Internet Access, IPsec/VPN, Palo Alto Networks, Tutorial/Howto, , , , , ,

This goes out to anyone who uses more than one Site-to-Site VPN tunnel between two locations that are secured by firewalls from Palo Alto Networks. Using two (or even more) VPN tunnels, you need an automatic way to failover the traffic flow from one VPN to the other in case of failures. Here’s how to accomplish that requirement:

Continue reading Redundant VPN with Failover on a Palo NGFW

Route-Based VPN Tunnel FortiGate <-> Cisco ASA

Cisco ASA, Fortinet, IPsec/VPN, , , , , ,

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel FortiGate <-> Cisco ASA

Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

Cisco ASA, IPsec/VPN, Palo Alto Networks, , , , ,

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

OSPFv3 with IPsec Authentication

Authentication, Cisco Systems, IPsec/VPN, IPv6, Routing, , , , , , , , , , , , , ,

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am publishing a pcapng file so that you can have a look at it with Wireshark by yourself.

Continue reading OSPFv3 with IPsec Authentication

Route- vs. Policy-Based VPN Tunnels

Design/Policy, IPsec/VPN, , , , , , , , , , , , ,

There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one of these types, so you probably don’t have a chance to configure the other one anyway. Too bad since route-based VPNs have many advantages over policy-based ones which I will highlight here.

I had many situations in which network admins did not know the differences between those two methods and simply configured “some kind of” VPN tunnel regardless of any methodology. In this blogpost I am explaining the structural differences between them along with screenshots of common firewalls. I am explaining all the advantages of route-based VPNs and listing a table comparing some firewalls regarding their VPN features.

Continue reading Route- vs. Policy-Based VPN Tunnels

True Random PSK Generator on a Raspi

Crypto, IPsec/VPN, Raspberry Pi, , , , , , , , ,

In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de (IPv6-only) that you can use e.g. for site-to-site VPNs. Here are some details how I am reading the binary random data and how I built this small website.

Continue reading True Random PSK Generator on a Raspi

IKE Solutions

IPsec/VPN, ,

Some time ago I published a pcap file with some challenges – this time four falsified configured IPsec VPN connections. If you have not solved it by now you should first download the pcap file and should give it a try.

Remember the scenario: You need to prove that the wrong VPN settings are not on your side (the four routers) but on the headquarters firewall side. Not an easy job. Now here are the solutions:

Continue reading IKE Solutions

IKEv1 & IKEv2 Capture

IPsec/VPN, Memorandum, Security, , , , , , ,

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session initiations with IKEv1 main mode as well as with IKEv2 to see some basic differences.

Of course I know that all VPN protocols are encrypted – hence you won’t see that much data. But at least you can see the basic message flow such as “only 4 messages with IKEv2” while some more for legacy IKEv1. I won’t go into the protocol details at all. I am merely publishing two pcap files so that anyone can have a look at a VPN session initiation. A few Wireshark screenshots complete the blogpost.

Continue reading IKEv1 & IKEv2 Capture

IKE Challenges

IPsec/VPN, , , , ,

A few month ago I published many Layer 2/3 challenges on my blog. Beside the happy feedback I got some remarks that the challenges were to easy at all because you only needed the display filter at Wireshark while no deep protocol knowledge.

Ok, “challenge excepted” ;) here I have some more protocol related challenges for you: With this post I am publishing a pcap which has four site-to-site IPsec VPN connections inside. On the first half of the pcap all four of them are wrongly configured, hence, not working. –> What are the reasons for that? <–

Continue reading IKE Challenges

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

Fortinet, IPsec/VPN, IPv6, Palo Alto Networks, , , , , ,

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.

Continue reading IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

Fortinet, IPsec/VPN, IPv6, Palo Alto Networks, , , , ,

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP.

While it was quite easy to bring the tunnel “up”, I had some problems tunneling both Internet Protocols over the single phase 2 session. The reason was some kind of differences within the IPsec tunnel handling between those two firewall vendors. Here are the details along with more than 20 screenshots and some CLI listings.

Continue reading IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

Juniper ScreenOS VPN Speedtests

Bandwidth/Delay, IPsec/VPN, Juniper Networks, , , , , ,

Just for fun some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I did the same iperf TCP tests as in my labs for Fortinet and Palo Alto, while I was using six different phase1/2 proposals = crypto algorithms. The results were as expected with one exception.

Continue reading Juniper ScreenOS VPN Speedtests

Palo Alto VPN Speedtests

Bandwidth/Delay, IPsec/VPN, Palo Alto Networks, , , , ,

Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.

Continue reading Palo Alto VPN Speedtests