IPSec Palo Alto Cisco ASA Firewall. Palo Alto PANOS 8.1.10
. , PANOS. IPSec VPN. . IPSec IP- . , !

IPSec VPN Cisco ASA Palo Alto
- IPSec Cisco ASA Palo Alto
, IP- Palo Alto, Cisco ASA. IP- Palo Alto Cisco ASA ( , ). IP- 1.1.1.1
Cisco ASA 2.2.2.2
Palo Alto :

, LAN 192.168.1.0/24
Cisco ASA, , LAN 192.168.2.0/24
Palo Alto. , ping
.
admin@PA-220> ping host 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.177 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.157 ms
IPSec Palo Alto
-, IPSec Palo Alto. 1 2 IPSec Palo Alto .
Palo Alto
-, Palo Alto. , Network >> Zones>> Add
. . .

Palo Alto
IPSec. , Network >> Interfaces>> Tunnel
. , . , , 1. IP- IPv4 IPv6. , Advanced
, .

IKE Crypto Profile [ 1 IPSec]
1 IPSec. Network >> Network Profiles >> IKE Crypto >> Add
. IKE Crypto profile
. DH , . 8 . .

Crypto Profile IPSec [ 2 IPSec]
2 IPSec. Network>> Network Profiles >> IPSec Crypto >> Add
. , IPSec. IPsec . ESP (Encapsulation Security Protocol) AH (Authentication Header) IPSec. DH, . 1 . .

IKE
Network >> Network Profiles >> IKE Gateways >> Add
. (General)
IKE. Interface
/ -, ethernet1/1
, IP- 2.2.2.2
. Peer IP Address Type
IP
. Peer address
, 1.1.1.1
. Authentication
, . . (Pre Shared Key
) (Certificate
). (Pre-shared Key
). (Pre-shared Key
) , FortiGate Firewall. Local Identification
Peer Identification
IP-.

Advanced Option
, IKEv1
Ike Crypto Profile
, 3.

IPSec
IKE IPSec Crypto profile IPSec. IPSec. Network >> IPSec Tunnels >> Add
. IPSec. , 2. Ike Gateway
IPsec Crypto Profile
, 3 5 .

(IDs
) - . 192.168.1.0/24
192.168.2.0/24
LAN.

IPSec
, VPN . Policies >> Security >> Add
, .

. Network >> Virtual Routers >> Default >> Static Routes >> Add
. , .. 192.168.1.0/24
. , 2.

IPSec Palo Alto. IPSec FortiGate Firewall.
IPSec Cisco ASA
IPSec Cisco ASA. , , Cisco ASA 9.8 (1)
. IPSec .
IPSec Cisco ASA:
- 1 (IKEv1)
- (Tunnel Group) (Pre-Shared Key)
- 2 (IPSec)
- ACL (Extended ACL) (Crypto Map)
, 1 Cisco ASA. Cisco ASA
1 (IKEv1) Cisco ASA
ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash md5
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 7200
.
- Encryption: 3des 1
- : md5 .
- Group: 2 2
- Authentication
- Lifetime: 7200 86400 1
Cisco ASA IKEv1 , . , :
ciscoasa(config)# crypto ikev1 enable outside
Cisco ASA
. GNS3 .
ciscoasa(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key GNS3Network
IPSec IKEv1 ( 2)
IPSec 2
ciscoasa(config-ikev1-policy)# crypto ipsec ikev1 transform-set ESP-AES-SHA esp-3des esp-md5-hmac
ciscoasa(config)# crypto ipsec security-association lifetime seconds 7200
.
- ESP: ESP , IPSec
- 3DES: 3DES
- MD5: MD5 ,
- 7200 : IPSec Phase2
(Crypto MAP) ACL (Extended ACL) IPSec Cisco ASA
. ACL, . , . (ACL).
ACL
ciscoasa(config)# object-group network local-network
ciscoasa(config-network-object-group)# network-object 192.168.1.0 255.255.255.0
ciscoasa(config-network-object-group)# object-group network remote-network
ciscoasa(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
ciscoasa(config-network-object-group)# access-list asa-paloalto-vpn extended permit ip object-group local-network object-group remote-network
ciscoasa(config)# crypto map outside_map 10 match address asa-paloalto-vpn
ciscoasa(config)# crypto map outside_map 10 set pfs group2
ciscoasa(config)# crypto map outside_map 10 set peer 2.2.2.2
ciscoasa(config)# crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
ciscoasa(config)# crypto map outside_map interface outside
IPSec Wireshark
IPSec. IPSec , . , CLI Palo Alto IPSec:
admin@PA-VM> test vpn ipsec-sa
admin@PA-VM> test vpn ipsec-sa
Device >> IPSec
IPSec! UP
, , :

. Palo Alto Cisco ASA.
ciscoasa# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 30/30/30 ms
- ARP. .
: IP Cisco ASA (.. ), .
ciscoasa(config)# management-access inside
IPSec
, IPSec, Cisco ASA Cisco.
IPSec Cisco ASA
ciscoasa# show running-config ipsec
ciscoasa# show running-config crypto ikev1
ciscoasa# show running-config crypto map
IPSec- Palo Alto
Monitor >> System
"(subtype eq vpn)"
. , VPN.
IPSec, IPSec:
admin@PA-CM> test vpn ipsec-sa
admin@PA-CM> test vpn ipsec-sa
IPSec Wireshark
IPSec ESP (Encapsulating Security Payload) IPsec, , , . , ESP- ,
IPSec Cisco ASA Palo Alto. . IPSec VPN IP-.