Palo Alto Networks Knowledgebase: Configuring IPSec VPN between PAN-OS and Check Point Edge / Safe@Office

Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
VPNs
Resolution

Overview

This document outlines the basic steps for establishing an IPSec tunnel between a Palo Alto Networks firewall and a Check Point UTM-1 Edge. The UTM-1 Edge may also be referred to as a VPN-1 Edge, SofaWare, or Safe@Office appliance; all of these run SofaWare's Embedded NGX firmware. The firmware versions used in this document are:

  • PAN-OS version 4.0.1
  • SofaWare Embedded NGX version 8.0.42


Note: This document is not relevant to Check Point VPN-1 running on Secure Platform, Nokia IPSO appliances, Solaris or Windows.

  1. Navigate to Network > IKE Gateways (click New):

    a1.png

  2. Enter the IKE gateway name, the local interface and its IP (this is the address the Edge will be pointed at when its VPN site is created), the remote (peer) gateway IP, and the pre-shared key.
  3. Navigate to Network > Interfaces and, at the bottom of the page, create a new Tunnel interface. Assign it to the virtual router that will carry the route in step 8 and to a security zone; traffic entering or leaving the tunnel is matched against that zone in security policy:

    a2.png

  4. Navigate to Network > IPSec Tunnels (click New):

    a3.png

  5. Enter a name, choose the tunnel interface created above, and choose the IKE gateway created above. All other fields are populated automatically with the default IKE and IPSec crypto profiles.
  6. Click Show advanced options and enter the local and remote proxy IDs. The Edge is a policy-based VPN peer, so the local proxy ID must be the subnet behind the Palo Alto Networks firewall and the remote proxy ID must be the subnet behind the Edge, matching exactly the networks defined on the Edge side; a mismatch causes Phase 2 to fail even though Phase 1 completes:

    a4.png

  7. Click OK:

    a5.png

  8. Navigate to Network > Virtual Routers. Open the appropriate VR and add a static route to the networks behind the Edge device:
  9. Make sure the interface is the tunnel interface created above and that Next Hop is None (the route points into the tunnel, not at a gateway address).

    a6.png

  10. Navigate to Policies > Security. Add rules that permit IKE and IPSec (ESP) between the two gateway addresses, and rules for the desired traffic between the inside zone and the zone of the tunnel interface:

    a7.png

  11. Commit the changes.
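The same Palo Alto Networks configuration expressed as PAN-OS CLI set commands, added here as an example and not part of the original article. The interface (ethernet1/3), zones (untrust, trust, vpn), virtual router (default), gateway and tunnel names, addresses (203.0.113.10 local, 198.51.100.20 Edge WAN, 10.1.1.0/24 behind the firewall, 192.168.10.0/24 behind the Edge) and the pre-shared key are constructed for illustration; lines beginning with # are annotations, not CLI input.

```text
# Enter configuration mode
configure

# Steps 1-2: IKE gateway (IKEv1 main mode, pre-shared key, default IKE crypto profile)
set network ike gateway EDGE-GW local-address interface ethernet1/3 ip 203.0.113.10/24
set network ike gateway EDGE-GW peer-address ip 198.51.100.20
set network ike gateway EDGE-GW authentication pre-shared-key key CHANGE-ME-use-a-long-random-secret
set network ike gateway EDGE-GW protocol ikev1 ike-crypto-profile default exchange-mode main

# Step 3: tunnel interface, bound to a virtual router and a security zone
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1

# Steps 4-7: IPSec tunnel; the proxy ID must mirror the networks defined on the Edge
set network tunnel ipsec EDGE-TUN tunnel-interface tunnel.1
set network tunnel ipsec EDGE-TUN auto-key ike-gateway EDGE-GW
set network tunnel ipsec EDGE-TUN auto-key ipsec-crypto-profile default
set network tunnel ipsec EDGE-TUN auto-key proxy-id EDGE-LAN local 10.1.1.0/24 remote 192.168.10.0/24 protocol any

# Steps 8-9: static route into the tunnel with no next hop
set network virtual-router default routing-table ip static-route to-edge-lan destination 192.168.10.0/24 interface tunnel.1

# Step 10: security policy. The first rule covers IKE/ESP to the firewall's own untrust
# address and is only needed if intrazone untrust traffic is not already permitted.
set rulebase security rules ike-from-edge from untrust to untrust source 198.51.100.20 destination 203.0.113.10 application [ ike ipsec-esp ] service application-default action allow
set rulebase security rules trust-to-edge from trust to vpn source 10.1.1.0/24 destination 192.168.10.0/24 application any service any action allow
set rulebase security rules edge-to-trust from vpn to trust source 192.168.10.0/24 destination 10.1.1.0/24 application any service any action allow

# Step 11
commit
```

Keep the tunnel rules scoped to the two subnets rather than any/any: the tunnel zone is reachable from whatever the Edge chooses to send, so the firewall policy is the only control over traffic arriving from the remote site.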

Now we'll set up VPN on the Edge side.


  1. Navigate to VPN > VPN Sites.

    a8.png

  2. Click New Sites.
  3. Choose Site-to-Site VPN in the Wizard:

    a9.png

  4. Enter the IP of the Palo Alto Networks device (this must be the same address configured as the Local IP of the IKE gateway above):

    a10.png

  5. Specify VPN configuration:

    a11.png

  6. Enter the IP subnet(s) behind the Palo Alto Networks device. These must match the local proxy IDs configured on the Palo Alto Networks device exactly:

    a12.png

  7. Choose Authentication method of Shared Secret:

    a13.png

  8. Enter the pre-shared key configured on the Palo Alto Networks device:

    a14.png

  9. Set Security Methods for Phase 1 and Phase 2 to Automatic. The Edge then negotiates from its built-in proposal list, so the default IKE and IPSec crypto profiles on the Palo Alto Networks device must contain a proposal the Edge offers:

    a15.png

  10. Allow the tunnel to connect:

    a16.png

  11. Give the VPN site a name:

    a17.png

  12. Make sure Keep this site alive is checked, so the Edge keeps the tunnel up and reconnects it if it drops rather than waiting for interesting traffic.
  13. Verify that the tunnel is established:
    • Send a ping from each side to the other (if permitted by the security policies on both devices):

      a18.png

    • On the Palo Alto Networks device, navigate to the Network Tab > IPSec Tunnels:

      a19.png

    • Verify that the status indicators are green for both Phase 1 (IKE) and Phase 2 (IPSec).
    • On the UTM-1 Edge, navigate to the Reports > Tunnels tab and verify that the tunnel is established:

      a20.png

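The Palo Alto Networks side of the verification can also be done from the PAN-OS CLI. The commands below are added here as an example and are not from the original article; the gateway and tunnel names (EDGE-GW, EDGE-TUN) are assumed, and lines beginning with # are annotations, not CLI input.

```text
# Phase 1: an IKE SA should be listed for the gateway
show vpn ike-sa gateway EDGE-GW

# Phase 2: an IPSec SA should be listed for the tunnel, with the expected proxy IDs
show vpn ipsec-sa tunnel EDGE-TUN

# Tunnel state and traffic counters
show vpn flow

# Force a fresh negotiation when the tunnel is down or after changing the PSK or proxy IDs
test vpn ike-sa gateway EDGE-GW
test vpn ipsec-sa tunnel EDGE-TUN

# Negotiation detail when a phase fails (proposal or proxy ID mismatches show up here)
less mp-log ikemgr.log
```

If Phase 1 is up but Phase 2 never completes, compare the proxy IDs on the Palo Alto Networks device with the networks defined on the Edge's VPN site before changing anything else; that is the most common mismatch with a policy-based peer.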

owner: jfarkas



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLhCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail