This article demonstrates how to configure an IPSec VPN using IKEv2 with pre-shared keys between a Cisco ASA and a Palo Alto firewall. It includes a detailed video and step-by-step instructions.

Topology

Palo Alto Firewall 8.1

Configure Address Objects
Objects>Addresses>Add

Configure Tunnel Interface
Network>Interface>Tunnel tab>Add

Configure IKE Crypto Profile
Network>Network Profiles>IKE Crypto>Add

Configure IKE Gateway
Network>Network Profiles>IKE Gateway>Add

Configure IPSec Crypto Profile
Network>Network Profiles>IPSec Crypto>Add

Configure IPSec Tunnel
Network>IPSec Tunnels>Add

Configure Routing
Network>Virtual Routers>default>Add

Configure Security Policy
Policies>Security>Add

Cisco ASA Firewall 9.9(1)

Configure interesting traffic ACL

access-list VPN-PALO-1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Configure IKEv2 Policy

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800

Configure IPSec Proposal

crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-256

Configure Crypto Map

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 match address VPN-PALO-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set peer 3.3.3.3
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set security-association lifetime seconds 28800
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 interface OUTSIDE

Configure Group Policy

group-policy 3.3.3.3 internal
group-policy 3.3.3.3 attributes
 vpn-tunnel-protocol ikev2

Configure Tunnel Group

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy 3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key key123
 ikev2 local-authentication pre-shared-key key123