VTI with Palo Alto

Created by Yuriy Andamasov, Modified on Fri, 12 Jan 2024 at 04:42 PM by Srividya Anantapatnaikuni

Article review date
2024-01-08
Validated for VyOS versions
1.2.5, 1.3.5

Palo Alto Networks is a network security equipment manufacturer.

In this example we set up a route-based IPsec tunnel (VTI) between a Palo Alto firewall and VyOS. Both sides use IKEv1 with a pre-shared key, AES-256 / SHA-256 / DH group 14 for IKE, and AES-256 / SHA-1 with PFS (group 14) for ESP; the Palo Alto gateway runs in passive mode and VyOS initiates the connection. Deployment-specific values (tunnel unit number, IP addresses, zone and interface names, the pre-shared key) are left blank in the commands below and must be filled in. SHA-1 as the ESP integrity algorithm is the weakest setting in this example; both platforms accept sha256 in the ESP profile, and if you change it, change it on both sides.

Palo Alto side

The names used below are: IKE crypto profile vyos-pa-ike, IPsec crypto profile vyos-pa-ipsec, and vyos-pa for the IKE gateway, the IPsec tunnel and the security rule; the tunnel interface is placed in zone vyos-pa-zone. The IPsec tunnel must reference the IKE gateway (vyos-pa), not the IKE crypto profile.

set network interface tunnel units tunnel. ip 
set network interface tunnel units tunnel. interface-management-profile

set vsys vsys1 zone vyos-pa-zone network layer3 tunnel.

set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike encryption aes256
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike hash sha256
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike dh-group group14
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike lifetime hours 24
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec lifetime hours 1

set network ike gateway vyos-pa protocol ikev1 dpd enable yes
set network ike gateway vyos-pa protocol ikev1 ike-crypto-profile vyos-pa-ike
set network ike gateway vyos-pa protocol ikev1 exchange-mode auto
set network ike gateway vyos-pa local-address ip
set network ike gateway vyos-pa local-address interface
set network ike gateway vyos-pa authentication pre-shared-key key
set network ike gateway vyos-pa protocol-common passive-mode yes
set network ike gateway vyos-pa peer-address ip
set network ike gateway vyos-pa peer-id id
set network ike gateway vyos-pa peer-id type ipaddr
set network ike gateway vyos-pa local-id id
set network ike gateway vyos-pa local-id type ipaddr

set network tunnel ipsec vyos-pa auto-key ike-gateway vyos-pa
set network tunnel ipsec vyos-pa auto-key ipsec-crypto-profile vyos-pa-ipsec
set network tunnel ipsec vyos-pa tunnel-interface tunnel.
set network tunnel ipsec vyos-pa anti-replay yes

set network virtual-router routing-table ip static-route vyos-pa-vpn nexthop ip-address
set network virtual-router routing-table ip static-route vyos-pa-vpn interface tunnel.
set network virtual-router routing-table ip static-route vyos-pa-vpn destination

set vsys vsys1 rulebase security rules vyos-pa-vpn from
set vsys vsys1 rulebase security rules vyos-pa-vpn to
set vsys vsys1 rulebase security rules vyos-pa-vpn source [ ]
set vsys vsys1 rulebase security rules vyos-pa-vpn destination [ ]
set vsys vsys1 rulebase security rules vyos-pa-vpn application [ ciscovpn dtls ipsec ssl ]
set vsys vsys1 rulebase security rules vyos-pa-vpn service application-default
set vsys vsys1 rulebase security rules vyos-pa-vpn action allow
set vsys vsys1 rulebase security rules vyos-pa-vpn log-start yes

VyOS side

The esp-group is vyos-pa-esp and the ike-group is vyos-pa-ike; the peer entries must reference exactly those names, otherwise the commit fails or the peer negotiates with nothing. Dead peer detection is enabled on the Palo Alto gateway above but not on this ike-group; enable dead-peer-detection on the VyOS ike-group as well if the VyOS side should detect a dead peer and re-initiate on its own.

set vpn ipsec esp-group vyos-pa-esp lifetime 3600
set vpn ipsec esp-group vyos-pa-esp mode tunnel
set vpn ipsec esp-group vyos-pa-esp pfs dh-group14
set vpn ipsec esp-group vyos-pa-esp proposal 1 encryption aes256
set vpn ipsec esp-group vyos-pa-esp proposal 1 hash sha1
set vpn ipsec ike-group vyos-pa-ike key-exchange ikev1
set vpn ipsec ike-group vyos-pa-ike lifetime 86400
set vpn ipsec ike-group vyos-pa-ike proposal 1 dh-group 14
set vpn ipsec ike-group vyos-pa-ike proposal 1 encryption aes256
set vpn ipsec ike-group vyos-pa-ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface
set vpn ipsec logging log-modes all
set vpn ipsec site-to-site peer authentication id
set vpn ipsec site-to-site peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer authentication pre-shared-secret
set vpn ipsec site-to-site peer authentication remote-id
set vpn ipsec site-to-site peer connection-type initiate
set vpn ipsec site-to-site peer default-esp-group vyos-pa-esp
set vpn ipsec site-to-site peer ike-group vyos-pa-ike
set vpn ipsec site-to-site peer local-address
set vpn ipsec site-to-site peer vti bind vti0
set vpn ipsec site-to-site peer vti esp-group vyos-pa-esp

set interfaces vti vti0 address

set protocols static route next-hop

The rule below accepts only ESP from the peer. IKE itself runs over UDP port 500 (UDP 4500 with NAT traversal), so a ruleset applied to traffic addressed to the router must also permit that, or at least match established/related state for the replies, since VyOS is the initiator here.

set firewall name rule 20 action accept
set firewall name rule 20 destination group address-group ADDRv4_
set firewall name rule 20 log enable
set firewall name rule 20 protocol esp
set firewall name rule 20 source address
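The two sides must present matching proposals, and every reference (gateway name, crypto profile, ike-group, esp-group) must point at an object that exists; a typo in a name produces nothing more than a tunnel that never comes up. The following script is an added example, not code from this article or from either vendor: it parses a Palo Alto and a VyOS `set` listing, normalises the differing spellings (PA `group14` vs VyOS `dh-group14`/`14`, PA `lifetime hours 1` vs VyOS `lifetime 3600`, PAN-OS `aes-256-cbc` vs VyOS `aes256`), checks that the PA tunnel's ike-gateway reference resolves, and reports mismatches and weak algorithms. The two sample configurations embedded in it are constructed for the example; the peer address 1.2.3.4 is an assumption.

```python
"""Cross-check IKE/ESP parameters of a Palo Alto 'set' config against a VyOS 'set'
config and verify that profile/group references resolve. Added example for this
article, not vendor code; both samples are constructed and 1.2.3.4 is assumed."""
import re

# Constructed Palo Alto sample. The tunnel deliberately names the IKE crypto profile
# ('vyos-pa-ike') where the IKE gateway name ('vyos-pa') belongs.
PA_SAMPLE = """set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike encryption aes256
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike hash sha256
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike dh-group group14
set network ike crypto-profiles ike-crypto-profiles vyos-pa-ike lifetime hours 24
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles vyos-pa-ipsec lifetime hours 1
set network ike gateway vyos-pa protocol ikev1 ike-crypto-profile vyos-pa-ike
set network tunnel ipsec vyos-pa auto-key ike-gateway vyos-pa-ike
set network tunnel ipsec vyos-pa auto-key ipsec-crypto-profile vyos-pa-ipsec
"""
# Constructed VyOS 1.3 sample.
VYOS_SAMPLE = """set vpn ipsec esp-group vyos-pa-esp lifetime 3600
set vpn ipsec esp-group vyos-pa-esp pfs dh-group14
set vpn ipsec esp-group vyos-pa-esp proposal 1 encryption aes256
set vpn ipsec esp-group vyos-pa-esp proposal 1 hash sha1
set vpn ipsec ike-group vyos-pa-ike key-exchange ikev1
set vpn ipsec ike-group vyos-pa-ike lifetime 86400
set vpn ipsec ike-group vyos-pa-ike proposal 1 dh-group 14
set vpn ipsec ike-group vyos-pa-ike proposal 1 encryption aes256
set vpn ipsec ike-group vyos-pa-ike proposal 1 hash sha256
set vpn ipsec site-to-site peer 1.2.3.4 ike-group vyos-pa-ike
set vpn ipsec site-to-site peer 1.2.3.4 vti esp-group vyos-pa-esp
"""
UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256"}  # PAN-OS CLI spelling -> VyOS spelling
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh": {"1", "2", "5"}}


def _store(p, k):
    """Store one 'key value...' pair normalised: DH group as a bare number, lifetime in seconds."""
    key, val = k[0], k[1]
    if key == "lifetime":                 # PA 'lifetime hours 1' vs VyOS 'lifetime 3600'
        p["lifetime"] = int(k[2]) * UNIT[val] if len(k) > 2 else int(val)
    elif key in ("dh-group", "pfs"):      # 'group14' / 'dh-group14' / '14' -> '14'; VyOS 'pfs enable' -> IKE's group
        p["dh"] = "ike" if val == "enable" else "none" if val in ("no-pfs", "disable") else re.sub(r"\D", "", val)
    elif key in ("encryption", "hash", "authentication", "key-exchange"):
        p["hash" if key == "authentication" else key] = ENC.get(val, val)


def parse_pa(text):
    cfg = {"ike": {}, "esp": {}, "gw": {}, "tunnel": {}}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] != ["set", "network"]:
            continue
        if t[2:4] == ["ike", "crypto-profiles"]:        # ipsec profiles prefix 'esp encryption X'
            _store(cfg["ike" if t[4].startswith("ike") else "esp"].setdefault(t[5], {}), t[7:] if t[6] == "esp" else t[6:])
        elif t[2:4] == ["ike", "gateway"] and "ike-crypto-profile" in t:
            cfg["gw"][t[4]] = {"key-exchange": t[6], "ike": t[t.index("ike-crypto-profile") + 1]}
        elif t[2:4] == ["tunnel", "ipsec"] and t[5] == "auto-key":
            cfg["tunnel"].setdefault(t[4], {})["gw" if t[6] == "ike-gateway" else "esp"] = t[7]
    return cfg


def parse_vyos(text):
    cfg = {"ike": {}, "esp": {}, "peer": {}}
    for t in (line.replace("'", "").split() for line in text.splitlines()):
        if t[:3] != ["set", "vpn", "ipsec"]:
            continue
        if t[3] in ("ike-group", "esp-group"):           # drop 'proposal N' before the key
            _store(cfg[t[3][:3]].setdefault(t[4], {}), t[7:] if t[5] == "proposal" else t[5:])
        elif t[3:5] == ["site-to-site", "peer"]:
            p = cfg["peer"].setdefault(t[5], {})
            if t[6] == "ike-group":
                p["ike"] = t[7]
            elif t[6] == "default-esp-group" or t[6:8] == ["vti", "esp-group"]:
                p["esp"] = t[-1]
    return cfg


def audit(pa_text, vyos_text, tunnel, peer):
    """Findings for one PA ipsec tunnel against one VyOS peer; [] means they agree and nothing weak is used."""
    pa, vy = parse_pa(pa_text), parse_vyos(vyos_text)
    tun = pa["tunnel"].get(tunnel, {})
    gw = pa["gw"].get(tun.get("gw"))
    if gw is None:
        return [f"PA: tunnel {tunnel!r} references ike-gateway {tun.get('gw')!r}, which is not defined"]
    pr = vy["peer"].get(peer, {})
    vy_ike = vy["ike"].get(pr.get("ike"), {})
    pairs = {"IKE": (pa["ike"].get(gw["ike"]), vy_ike or None),
             "ESP": (pa["esp"].get(tun.get("esp")), vy["esp"].get(pr.get("esp")))}
    findings = []
    for phase, (a, b) in pairs.items():
        if not a or not b:
            findings.append(f"{phase}: unresolved profile/group reference (PA={a is not None}, VyOS={b is not None})")
            continue
        b = dict(b, dh=vy_ike.get("dh")) if b.get("dh") == "ike" else b   # resolve VyOS 'pfs enable'
        for key in ("encryption", "hash", "dh", "lifetime"):
            if a.get(key) != b.get(key):
                findings.append(f"{phase} {key} mismatch: PA={a.get(key)} VyOS={b.get(key)}")
        findings += [f"{phase} uses weak {key} {a[key]}" for key, weak in WEAK.items() if a.get(key) in weak]
    if vy_ike and gw["key-exchange"] != vy_ike.get("key-exchange"):
        findings.append(f"IKE version mismatch: PA={gw['key-exchange']} VyOS={vy_ike.get('key-exchange')}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(PA_SAMPLE, VYOS_SAMPLE, "vyos-pa", "1.2.3.4") or ["no findings"]))
```

Run as-is, the script stops at the dangling ike-gateway reference in the constructed PA sample; with that name corrected the only remaining finding is the SHA-1 ESP integrity algorithm, and changing the ESP hash on just one side produces a mismatch finding. Feed it the output of `show config` on each device (PA: `set` output format, VyOS: `show configuration commands`) to cross-check a live pair; only the IKE/ESP parameters and the references between objects are compared, not addresses, IDs or the pre-shared key.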
