GRE Tunnel Configuration on Palo Alto Firewall
GRE Tunnel Configuration on Palo Alto Firewall
Network Topology:
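Configuration:
Note on the configuration below: the `mgmt` interface-management profile enables HTTP, Telnet and SNMP alongside HTTPS and SSH, and it is attached to both ethernet1/1 and the loopback interface. Both security rules allow any source, destination and application, and the intrazone-default deny rule has logging disabled. GRE itself provides no encryption or authentication. When adapting this configuration, limit the management profile to HTTPS and SSH, narrow the rules to the tunnel endpoints and the traffic that should cross the tunnel, and enable logging on the default deny rule.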
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
interface-management-profile mgmt;
lldp {
enable no;
}
ip {
192.168.0.111/24;
}
}
}
}
loopback {
adjust-tcp-mss {
enable no;
}
ip {
11.11.11.111/32;
}
interface-management-profile mgmt;
}
tunnel {
units;
}
}
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
interface-management-profile {
mgmt {
http yes;
https yes;
ssh yes;
snmp yes;
ping yes;
telnet yes;
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
}
}
rip {
enable no;
}
ospf {
enable no;
}
ospfv3 {
enable no;
}
}
interface [ ethernet1/1 loopback tunnel];
ecmp {
algorithm {
ip-modulo;
}
}
routing-table {
ip {
static-route {
GRE {
path-monitor {
enable no;
failure-condition any;
hold-time 2;
}
bfd {
profile None;
}
interface tunnel;
metric 10;
destination 11.11.11.108/32;
route-table {
unicast;
}
}
}
}
}
}
}
tunnel {
gre {
GRE-TUN {
local-address {
ip 192.168.0.111/24;
interface ethernet1/1;
}
peer-address {
ip 192.168.0.108;
}
keep-alive {
enable no;
}
tunnel-interface tunnel;
}
}
}
}
security {
rules {
GRE-untrust 513b6a5b-3d6b-42f6-8f71-6e41f7c07e02 {
to trust;
from untrust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
GRE-Trust deb07aba-1e21-4c3d-bbf6-3ca808144208 {
to trust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
}
default-security-rules {
rules {
intrazone-default 73b32d6c-e60a-48b3-b5d1-8e6bcd3bfbbf {
action deny;
log-start no;
log-end no;
}
}
}
}
security {
rules {
GRE-untrust 513b6a5b-3d6b-42f6-8f71-6e41f7c07e02 {
to trust;
from untrust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
GRE-Trust deb07aba-1e21-4c3d-bbf6-3ca808144208 {
to trust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
}
default-security-rules {
rules {
intrazone-default 73b32d6c-e60a-48b3-b5d1-8e6bcd3bfbbf {
action deny;
log-start no;
log-end no;
}
}
}
}