Palo Alto Networks Knowledgebase: Configuring IPSec VPN between PAN-OS and Check Point Edge / Safe@Office
Configuring IPSec VPN between PAN-OS and Check Point Edge / Safe@Office
Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
This document outlines the basic steps involved in establishing a tunnel between a Palo Alto Networks device and a Check Point UTM-1 Edge. The UTM-1 Edge might also be referred to as VPN-1 Edge, SofaWare, or Safe@Office appliances. All the named Check Point devices run SofaWare’s Embedded NGX code. The firmware versions used in this document are:
PAN-OS version 4.0.1
SofaWare Embedded NGX version 8.0.42
Note: This document is not relevant to Check Point VPN-1 running on Secure Platform, Nokia IPSO appliances, Solaris or Windows.
Navigate to Network > IKE Gateways (click New):
Enter Remote IKE Gateway name, Local interface and IP, remote Gateway IP, and Pre-Shared Key.
Navigate to Network > Interfaces, and at the bottom of the page choose to create a new Tunnel Interface:
Navigate to Network > IPSec Tunnels (click New):
Enter a name, choose the tunnel interface (above), and choose the IKE Gateway (above). All other fields are populated automatically.
Click Show advanced options and enter local and remote proxy IDs:
Navigate to Network > Virtual Routers. Open the appropriate VR, and add a static route to the networks behind the Edge device:
Be sure that the interface is the tunnel interface from above, and Next Hop is None.
Navigate to the Policies tab > Security. Add new rules to allow IKE/IPSec traffic between the gateways, and desired traffic inside the tunnel:
Commit the changes.
Now we'll set up VPN on the Edge side.
Navigate to VPN > VPN Sites.
Click New Sites.
Choose Site-to-Site VPN in the Wizard:
Enter the IP of the Palo Alto Networks device (must be the same IP configured on the Palo Alto Networks as the Local IP above):
Specify VPN configuration:
Enter the IP Subnet(s) behind the Palo Alto Networks device:
Choose Authentication method of Shared Secret:
Enter the pre-shared key configured on the Palo Alto Networks device:
Set Security Methods Phase 1 and Phase 2 to Automatic:
Allow the tunnel to connect:
Give the VPN site a name:
Make sure to check Keep this site alive.
Verify that the tunnel is established:
Send a ping from each side to the other (if allowed by policies):
On the Palo Alto Networks device, navigate to the Network Tab > IPSec Tunnels:
Verify that the lights are green for both Phase 1 and Phase 2 status.
On the UTM-1 Edge, navigate to the Reports > Tunnels tab and verify that the tunnel is established: