Tag Archives: Site-to-Site VPN

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router w/ VTI

2014-07-18Cisco Systems, IPsec/VPN, Palo Alto NetworksCisco Router, IPsec, Palo Alto Networks, Site-to-Site VPNJohannes Weber

One more VPN article. Even one more between a Palo Alto firewall and a Cisco router. But this time I am using a virtual tunnel interface (VTI) on the Cisco router which makes the whole VPN set a “route-based VPN”. That is: Both devices decide their traffic flow merely based on the routing table and not on access-list entries. In my opinion, this is the best way to build VPNs, because there is a single instance (the routing table) on which a network admin must rely on in order to investigate the traffic flow.

Note that I also wrote a blog post about the “policy-based VPN” between a Cisco router and the Palo Alto firewall. This here is mostly the same on the Palo Alto side while some other commands are issued on the Cisco router.

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco Router w/ VTI →

IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

2014-06-25Cisco Systems, FRITZ!Box, IPsec/VPN, TemplateCisco Router, FRITZ!Box, IPsec, Site-to-Site VPNJohannes Weber

Der Titel sagt eigentlich schon alles: Es geht um das Herstellen eines S2S-Tunnels zwischen einem Cisco Router (statische IPv4) und einer FRITZ!Box (dynamische IP). Ich liste nachfolgend alle Befehle für den IOS Router sowie die Konfigurationsdatei für die FRITZ!Box auf. Für eine etwas detaillierte Beschreibung des VPNs für die FRITZ!Box verweise ich auf diesen Artikel von mir, bei dem ich zwar ein VPN zu einem anderen Produkt hergestellt habe, aber etwas mehr auf die Schritte der Konfiguration eingegangen bin.

Continue reading IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box →

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

2014-06-23Cisco Systems, IPsec/VPN, Juniper NetworksCisco Router, IPsec, Juniper ScreenOS, Juniper SSG, Site-to-Site VPNJohannes Weber

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Due to the VPN Monitor of the SSG firewall, the tunnel is established directly after the configuration and stays active all the time without the need of “real” traffic.

I am using the policy-based VPN solution on the Cisco router and not the virtual tunnel interface (VTI) approach. That is: No route is needed on the router while the Proxy IDs must be set on the Juniper firewall. (However, I also documented the route-based VPN solution between a ScreenOS firewall and a Cisco router here.)

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router →

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router

2014-06-20Cisco Systems, IPsec/VPN, Palo Alto NetworksCisco Router, IPsec, Palo Alto Networks, Site-to-Site VPNJohannes Weber

This time I configured a static S2S VPN between a Palo Alto firewall and a Cisco IOS router. Here comes the tutorial:

I am not using a virtual interface (VTI) on the Cisco router in this scenario, but the classical policy-based VPN solution. That is, no route entry is needed on the Cisco machine. However, the Palo Alto implements all VPNs with tunnel interfaces. Hence, a route to the tunnel and Proxy IDs must be configured. (I also wrote a guide for a route-based VPN between a Cisco router and a Palo Alto firewall here.)

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco Router →

Site-to-Site VPNs with Diffie-Hellman Group 14

2014-04-10Crypto, IPsec/VPNBits of Security, Brute-Force, Diffie-Hellman, IKE, IPsec, Juniper ScreenOS, Palo Alto Networks, Perfect Forward Secrecy, Site-to-Site VPNJohannes Weber

When talking about VPNs it is almost always clear that they are encrypted. However, it is not so clear on which security level a VPN is established. Since the Perfect Forward Secrecy (PFS) values of “DH group 5” etc. do not clearly specify the “bits of security”, it is a misleading assumption that the security is 256 bits due to the symmetric AES-256 cipher. It is not! Diffie-Hellman group 5 has only about 89 bits of security…

Therefore, common firewalls implement DH group 14 which has a least a security level of approximately 103 bits. I tested such a site-to-site VPN tunnel between a Palo Alto and a Juniper ScreenOS firewall which worked without any problems.

Continue reading Site-to-Site VPNs with Diffie-Hellman Group 14 →

Bidirectional Policy Rules on a Palo Alto Firewall

2014-02-11Design/Policy, Palo Alto Networks, SecurityPalo Alto Networks, Policy, Site-to-Site VPNJohannes Weber

The Palo Alto firewall supports policy entries that refer to multiple source and destination zones. This is useful especially when there are branch offices with multiple zones and a site-to-site VPN to the main office. In this scenario, every zone in the branch office might have a “permit any any” to the main office and vice versa, while the zones on the branch office should not have a permit among themselves. (Of course, the traffic on the main office is restricted and not permitted generally.) Here are two ways to accomplish that scenario.

Continue reading Bidirectional Policy Rules on a Palo Alto Firewall →

IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box

2014-01-28Cisco ASA, FRITZ!Box, IPsec/VPN, TemplateCisco ASA, FRITZ!Box, IPsec, Site-to-Site VPNJohannes Weber

Mit diesem Beitrag möchte ich zeigen, wie man ein Site-to-Site VPN von der FRITZ!Box zu einer Cisco ASA Firewall aufbaut. Mein Laboraufbau entspricht dabei dem typischen Fall, bei dem die FRITZ!Box hinter einer dynamischen IP hängt (klassisch: DSL-Anschluss), während die ASA eine statische IP geNATet bekommt.

Beide Geräte habe ein policy-based VPN implementiert, so dass das hier endlich mal ein Fall ist, wo man nicht durch den Mix einer route-based VPN-Firewall und einer policy-based VPN-Firewall durcheinander kommt. Man muss bei beiden Geräten einfach das eigene sowie das remote Netzwerk eintragen, ohne weitere Routen zu ändern.

Continue reading IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box →

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

2014-01-28Cisco ASA, IPsec/VPN, Juniper NetworksCisco ASA, IPsec, Juniper ScreenOS, Juniper SSG, Site-to-Site VPNJohannes Weber

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA →

IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA

2014-01-27Cisco ASA, IPsec/VPN, Palo Alto NetworksCisco ASA, IPsec, Palo Alto Networks, Site-to-Site VPNJohannes Weber

I configured a static Site-to-Site IPsec VPN tunnel between the Cisco ASA firewall and the Palo Alto next-generation firewall. If the same phase 1 & 2 parameters are used and the correct Proxy IDs are entered, the VPN works without any problems though the ASA uses a policy-based VPN while the PA implements a route-based VPN.

I made a few screenshots from the VPN configuration of both firewalls which I will show here. I am also listing a few more hints corresponding to these two firewalls.

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA →

IPsec Site-to-Site VPN Palo Alto <-> AVM FRITZ!Box

2013-12-10FRITZ!Box, IPsec/VPN, Palo Alto Networks, TemplateFRITZ!Box, IPsec, Palo Alto Networks, Site-to-Site VPNJohannes Weber

Wer im Büro auf eine Palo Alto Networks Firewall setzt und von zu Hause hinter seiner FRITZ!Box per VPN im Büro arbeiten möchte, der muss die richtigen Einstellungen auf beiden Geräten finden. Genau das habe ich getan und stelle hier die entsprechenden Details online. Viel Spaß dabei. ;)

Continue reading IPsec Site-to-Site VPN Palo Alto <-> AVM FRITZ!Box →

IPsec Site-to-Site VPN Juniper ScreenOS <-> AVM FRITZ!Box

2013-12-02FRITZ!Box, IPsec/VPN, Juniper Networks, TemplateFRITZ!Box, IPsec, Juniper ScreenOS, Juniper SSG, Site-to-Site VPNJohannes Weber

Hier kommen die Einstellungen die nötig sind, um ein Site-to-Site VPN zwischen einer AVM FRITZ!Box und einer Juniper ScreenOS Firewall herzustellen. Neben einigen Anleitungen im Netz habe ich selber ein paar Einstellungen getestet, um eine möglichst detaillierte *.cfg Datei zu haben. Außerdem ist erfreulicherweise anzumerken, dass die Juniper auch ein statisches VPN zu einer dynamischen Adresse erlaubt und somit sogar beide Seite einen Verbindungsaufbau initiieren können. Mit dem VPN Monitor von Juniper wird der Tunnel konstant “up” gehalten.

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> AVM FRITZ!Box →

IPsec Site-to-Site VPN Palo Alto <-> Juniper ScreenOS

2013-11-19IPsec/VPN, Juniper Networks, Palo Alto NetworksIPsec, Juniper ScreenOS, Juniper SSG, Palo Alto Networks, Site-to-Site VPNJohannes Weber

For a quick documentation on how to build a Site-to-Site IPsec VPN tunnel between a Palo Alto Networks firewall and a Juniper ScreenOS device I am listing the configuration screenshots here.

It is quite easy because both firewalls implement route-based VPNs. That is: The tunnel must not be configured with Proxy IDs or the like. It is simply built upon the correct parameters for IKE and IPsec. The related traffic can then be routed into the tunnel afterwards. And since the tunnel monitor from the Palo Alto firewall triggers the tunnel to be built even though no real traffic flows through it, the admin immediately sees green status bubbles in the GUI and can be sure that the tunnel establishment was successful. Continue reading IPsec Site-to-Site VPN Palo Alto <-> Juniper ScreenOS →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP