How to Configure Certificate-Based Authentication for IKE on PAN-OS 6.0

How to Configure Certificate-Based Authentication for IKE on PAN-OS 6.0

34497
Created On 09/25/18 17:46 PM - Last Modified 08/05/19 20:36 PM


Resolution

Overview

PAN-OS 6.0 introduced the ability to use certificates for IKE authentication. This document describes how to configure IKE authentication using self-signed certificates on a pair of Palo Alto Networks firewalls running PAN-OS 6.0.

 

Steps

  1. Generate a CA (Certificate Authority) certificate on one of the Palo Alto Networks firewalls. This certificate will be used to sign the client certificates for the authentication.
    Root_CA.png
  2. Export the CA certificate:
    Export.png
    Then import it into the peer firewall:
    Import_Cert.PNG
  3. Now generate on a client certificate on both firewalls and sign each one with the imported CA certificate.
    PA-3000 Series:
    Screen Shot 2013-11-15 at 14.16.25.png
    PA-2000 Series:
    Screen Shot 2013-11-15 at 14.17.19.png
  4. Create a Certificate Profile on both firewalls and add the CA certificate, as shown in the following example:
    Screen Shot 2013-11-15 at 14.23.07.png
  5. Create an IKE gateway on each firewall and select Certificate for the Authentication setting. In the following example, "Distinguished Name" (DN) is used as identification. The DN is the same as the Common Name of the certificate.
    PA-3000 Series:
    Screen Shot 2013-11-15 at 14.24.06.png
    PA-2000 Series:
    Screen Shot 2013-11-15 at 14.24.40.png
  6. Create an ipsec tunnel on both firewalls:
    Screen Shot 2013-11-15 at 14.27.17.png
  7. Send traffic through the vpn tunnel to verify that it comes up.
    PA-3000 Series:
    Screen Shot 2013-11-15 at 14.28.55.png
    PA-2000 Series:
    Screen Shot 2013-11-15 at 14.29.43.png

 

owner: rvanderveken



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJdCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language