TACUNS
Module 7

VPN Configuration

VPN Types Overview

VPN Type | Protocol | Use Case | PAN-OS Feature
Site-to-Site | IPSec (IKEv1/v2) | Branch office to HQ connectivity | IPSec tunnel with IKE
Remote Access (SSL VPN) | SSL/TLS | Remote users connecting to corporate network | GlobalProtect
LSVPN | IPSec | Large-scale hub-and-spoke (100s of branches) | GlobalProtect LSVPN
SD-WAN VPN | IPSec | Multi-path WAN with dynamic path selection | PAN-OS SD-WAN

IPSec VPN — IKE Phase 1

IKE (Internet Key Exchange) Phase 1 establishes a secure, authenticated channel between two VPN peers before any data tunneling begins. Think of it as the peers authenticating each other and agreeing on encryption parameters.

IKE Phase 1 — Mode

Mode | Exchanges | Security | Use Case
Main Mode | 6 messages | Hides identities — more secure | Standard site-to-site VPN with static IPs
Aggressive Mode | 3 messages | Identities exposed — faster | Dynamic IP peers (legacy use)

Phase 1 Parameters (IKE Crypto Profile)

  • DH Group — Diffie-Hellman key exchange group; a higher group number gives a stronger key exchange. Recommended: Group 19 (256-bit ECDH) or Group 20
  • Encryption algorithm — AES-256-CBC or AES-256-GCM recommended; avoid DES and 3DES
  • Authentication (hash) — SHA-384 or SHA-512 recommended; avoid MD5
  • Lifetime — how long the Phase 1 SA is valid before rekeying (default: 28800 seconds / 8 hours)
  • Authentication method — Pre-Shared Key (PSK) for simplicity, or RSA/ECDSA certificates for enterprise deployments

IPSec VPN — IKE Phase 2

IKE Phase 2 (Quick Mode) negotiates the actual IPSec Security Association (SA) that protects the data traffic. It runs inside the secure channel established by Phase 1.

Phase 2 Parameters (IPSec Crypto Profile)

  • Protocol — ESP (Encapsulating Security Payload) for encryption + authentication; AH for authentication only (rarely used today)
  • Encryption — AES-256-GCM recommended (provides both encryption and authentication in one pass)
  • Authentication — SHA-256 or higher when using ESP without GCM mode
  • DH Group — optional PFS (Perfect Forward Secrecy); if enabled, use Group 19 or 20
  • Lifetime — Phase 2 SA duration (default: 3600 seconds / 1 hour)

PFS — Perfect Forward Secrecy

PFS ensures that if the long-term IKE key is compromised, historical VPN sessions cannot be decrypted. Each Phase 2 negotiation generates a new independent key using Diffie-Hellman. Enable PFS on all sensitive site-to-site tunnels.
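The following is an added illustration, not PAN-OS code, of why PFS protects earlier sessions. It models the IKEv2 child SA derivation of RFC 7296 section 2.17: without PFS the Phase 2 keying material is prf+(SK_d, Ni | Nr), derived entirely from the Phase 1 key SK_d and the two nonces; with PFS a fresh Diffie-Hellman secret g^ir is mixed in. The DH parameters (P, G) are toy values constructed for readability, not a real IKE group such as 19 or 20, and prf+ is built on HMAC-SHA256.

```python
"""Child SA (Phase 2) key derivation with and without PFS, IKEv2 style.

Added example (not PAN-OS code). simulate(pfs) returns the real KEYMAT and the
KEYMAT that someone holding only the leaked Phase 1 key SK_d and the observed
nonces could derive. With PFS the two differ because the fresh DH exponents
never leave the peers.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
# A real IKE deployment uses a negotiated group (e.g. group 19/20).
P = 2**61 - 1  # Mersenne prime, fits in 8 bytes
G = 3


def dh_keypair():
    """Fresh ephemeral exponent and the public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^ir as fixed-width bytes."""
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def prf_plus(key, seed, length=32):
    """RFC 7296 prf+ on HMAC-SHA256: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def child_keymat(sk_d, ni, nr, gir=None):
    """KEYMAT for a child SA; gir is the fresh DH secret when PFS is enabled."""
    seed = (gir or b"") + ni + nr
    return prf_plus(sk_d, seed)


def simulate(pfs):
    """Return (real_keymat, keymat_derivable_from_leaked_sk_d_and_nonces)."""
    sk_d = secrets.token_bytes(32)          # Phase 1 derived key, assumed leaked later
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces seen on the wire
    if pfs:
        i_priv, i_pub = dh_keypair()
        r_priv, r_pub = dh_keypair()
        gir = dh_shared(i_priv, r_pub)
        assert gir == dh_shared(r_priv, i_pub)  # both peers agree on g^ir
        real = child_keymat(sk_d, ni, nr, gir)
    else:
        real = child_keymat(sk_d, ni, nr)
    # Without the ephemeral exponents the only derivation possible is the no-PFS one.
    from_leaked = child_keymat(sk_d, ni, nr)
    return real, from_leaked


if __name__ == "__main__":
    for mode in (False, True):
        real, leaked = simulate(mode)
        print(f"PFS={mode}: keymat recoverable from SK_d alone -> {real == leaked}")
```

Running it prints that the child keys are recoverable from SK_d when PFS is off and are not when PFS is on, which is the property the paragraph describes; the tunnel's PFS setting is the `DH Group` field of the IPSec Crypto Profile.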

Site-to-Site VPN Configuration Steps

Configuring a site-to-site IPSec VPN on PAN-OS requires several objects to be created in the correct order:

1. IKE Crypto Profile — define Phase 1 encryption, authentication, DH group, and lifetime under Network → IKE Crypto.

2. IPSec Crypto Profile — define Phase 2 protocol, encryption, and lifetime under Network → IPSec Crypto.

3. IKE Gateway — define peer IP, local interface, authentication (PSK or certificate), and reference the IKE Crypto Profile under Network → IKE Gateways.

4. IPSec Tunnel — define the tunnel, reference the IKE Gateway and IPSec Crypto Profile under Network → IPSec Tunnels.

5. Tunnel Interface — create a virtual tunnel interface (tunnel.1, tunnel.2) and assign it to a security zone (usually a dedicated VPN zone).

6. Routing — add a static route (or configure BGP/OSPF over the tunnel) pointing the remote subnet through the tunnel interface.

7. Security Policy — create rules allowing traffic between the local zone and the VPN zone in both directions.
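As an added example (not Palo Alto Networks code) that ties the Phase 1 and Phase 2 parameter lists above to the seven configuration steps, the script below first checks a tunnel specification against the recommendations on this page (no DES/3DES or MD5, DH group 19 or 20, PFS enabled, no redundant ESP authentication with AES-GCM) and then emits configure-mode `set` commands for the seven objects in dependency order. The `set` command paths are written from memory of the PAN-OS CLI and should be verified against the version in use; every name, interface, address and the PSK is a constructed placeholder.

```python
"""Generate the PAN-OS objects for a site-to-site IPSec VPN in dependency order.

Added example, not Palo Alto Networks code. validate() flags choices that
depart from the guidance on this page; build_commands() then emits the seven
objects as 'set' commands. Command paths are from memory and should be checked
against the running PAN-OS version; all values are constructed placeholders.
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
STRONG_DH = {"group19", "group20"}


def example_spec():
    """Constructed sample: HQ firewall terminating a tunnel from one branch."""
    return {
        "name": "branch1",
        "local_interface": "ethernet1/1",      # assumed untrust interface
        "peer_ip": "203.0.113.10",             # documentation-range address
        "psk": "REPLACE-WITH-REAL-PSK",        # placeholder
        "tunnel_interface": "tunnel.1",
        "local_zone": "trust",
        "vpn_zone": "vpn",
        "local_subnet": "10.1.0.0/16",
        "remote_subnet": "10.2.0.0/16",
        "ike_crypto": {"encryption": "aes-256-cbc", "hash": "sha384",
                       "dh_group": "group19", "lifetime": 28800},
        "ipsec_crypto": {"encryption": "aes-256-gcm", "authentication": "none",
                         "dh_group": "group19", "lifetime": 3600},
    }


def validate(spec):
    """Return a list of findings; an empty list means the spec follows the guidance."""
    p1, p2 = spec["ike_crypto"], spec["ipsec_crypto"]
    findings = []
    if p1["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"Phase 1: {p1['encryption']} is deprecated, use AES-256")
    if p1["hash"] in WEAK_HASH:
        findings.append("Phase 1: MD5 is deprecated, use SHA-384 or SHA-512")
    if p1["dh_group"] not in STRONG_DH:
        findings.append(f"Phase 1: DH {p1['dh_group']}, prefer group19 or group20")
    if p2["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"Phase 2: {p2['encryption']} is deprecated, use AES-256-GCM")
    if not p2.get("dh_group"):
        findings.append("Phase 2: no DH group means PFS is off; set group19 or group20")
    elif p2["dh_group"] not in STRONG_DH:
        findings.append(f"Phase 2: PFS DH {p2['dh_group']}, prefer group19 or group20")
    if p2["encryption"].endswith("gcm") and p2["authentication"] != "none":
        findings.append("Phase 2: AES-GCM already authenticates; set ESP authentication to none")
    return findings


def build_commands(spec):
    """Emit the seven objects in creation order; raises if validate() has findings."""
    findings = validate(spec)
    if findings:
        raise ValueError("; ".join(findings))
    n, tif = spec["name"], spec["tunnel_interface"]
    p1, p2 = spec["ike_crypto"], spec["ipsec_crypto"]
    ike_prof = f"set network ike crypto-profiles ike-crypto-profiles {n}-ike"
    ipsec_prof = f"set network ike crypto-profiles ipsec-crypto-profiles {n}-ipsec"
    gw = f"set network ike gateway {n}-gw"
    tun = f"set network tunnel ipsec {n}"
    policy = ("source {src} destination {dst} application any "
              "service application-default action allow")
    return [
        # 1. IKE Crypto Profile (Phase 1)
        f"{ike_prof} encryption {p1['encryption']}",
        f"{ike_prof} hash {p1['hash']}",
        f"{ike_prof} dh-group {p1['dh_group']}",
        f"{ike_prof} lifetime seconds {p1['lifetime']}",
        # 2. IPSec Crypto Profile (Phase 2): ESP with PFS
        f"{ipsec_prof} esp encryption {p2['encryption']}",
        f"{ipsec_prof} esp authentication {p2['authentication']}",
        f"{ipsec_prof} dh-group {p2['dh_group']}",
        f"{ipsec_prof} lifetime seconds {p2['lifetime']}",
        # 3. IKE Gateway referencing the Phase 1 profile
        f"{gw} protocol version ikev2",
        f"{gw} protocol ikev2 ike-crypto-profile {n}-ike",
        f"{gw} local-address interface {spec['local_interface']}",
        f"{gw} peer-address ip {spec['peer_ip']}",
        f"{gw} authentication pre-shared-key key {spec['psk']}",
        # 4. IPSec Tunnel referencing the gateway and the Phase 2 profile
        f"{tun} auto-key ike-gateway {n}-gw",
        f"{tun} auto-key ipsec-crypto-profile {n}-ipsec",
        f"{tun} tunnel-interface {tif}",
        # 5. Tunnel interface in a dedicated VPN zone and in the virtual router
        f"set network interface tunnel units {tif}",
        f"set zone {spec['vpn_zone']} network layer3 {tif}",
        f"set network virtual-router default interface {tif}",
        # 6. Static route for the remote subnet through the tunnel interface
        f"set network virtual-router default routing-table ip static-route {n}-route "
        f"destination {spec['remote_subnet']} interface {tif}",
        # 7. Security policy in both directions, scoped to the two subnets
        f"set rulebase security rules {n}-out from {spec['local_zone']} to {spec['vpn_zone']} "
        + policy.format(src=spec["local_subnet"], dst=spec["remote_subnet"]),
        f"set rulebase security rules {n}-in from {spec['vpn_zone']} to {spec['local_zone']} "
        + policy.format(src=spec["remote_subnet"], dst=spec["local_subnet"]),
    ]


if __name__ == "__main__":
    print("\n".join(build_commands(example_spec())))
```

The security rules are scoped to the two subnets rather than `any`, since the VPN zone should only ever carry the peer's networks; flip `hash` to `md5` or clear the Phase 2 `dh_group` in the spec and `validate()` reports the weakness before any commands are produced.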

GlobalProtect — SSL VPN

GlobalProtect is Palo Alto Networks' remote access VPN solution. It provides a secure SSL VPN tunnel for remote employees connecting from outside the corporate network. Unlike traditional SSL VPN portals, GlobalProtect uses a persistent agent that automatically connects when the user is off-network.

GlobalProtect Components

Component | Role | Where It Runs
GlobalProtect Portal | Initial connection point; distributes configuration to agents | PAN-OS firewall (any L3 interface)
GlobalProtect Gateway | Terminates the VPN tunnel; enforces security policy | PAN-OS firewall (can be same or different from Portal)
GlobalProtect App | Client software installed on endpoints | Windows, macOS, iOS, Android, Linux, ChromeOS

Authentication Options

  • LDAP / Active Directory — username + password against corporate directory
  • RADIUS — flexible authentication with NPS, Cisco ISE, or other RADIUS servers
  • SAML 2.0 — federated authentication with IdP (Okta, Azure AD, Ping)
  • MFA — second factor via RADIUS challenge, SAML MFA, or Duo integration
  • Client certificates — machine or user certificates for pre-logon authentication

Split Tunneling vs Full Tunneling

Mode | What Goes Through VPN | Pros | Cons
Full Tunnel | All traffic including internet | Full visibility and control; internet traffic inspected by corporate NGFW | Higher latency for internet; increased gateway load
Split Tunnel | Only corporate network traffic | Better performance; lower gateway load | Internet traffic bypasses corporate controls; blind spot for threats
Inverse Split Tunnel | Everything except specified exclusions | Balance of control with performance optimization | Complex configuration; requires regular exclusion list maintenance

Security Recommendation

Full tunneling provides the most security but can degrade user experience for bandwidth-intensive applications. A practical compromise: use split tunneling with DNS forced through the VPN. All DNS queries go through corporate DNS, preserving DNS Security filtering while reducing bandwidth through the VPN gateway.

VPN Troubleshooting Commands

PAN-OS CLI:
# Show IKE Phase 1 status
show vpn ike-sa

# Show IPSec Phase 2 status
show vpn ipsec-sa

# Initiate IKE Phase 1 negotiation (trigger tunnel)
test vpn ike-sa gateway <gateway-name>

# Show detailed IKE SA information
show vpn ike-sa gateway <gateway-name> detail

# Show flow information for tunnel traffic
show vpn flow name <tunnel-name>

# Show IKE Phase 2 summary
show vpn ipsec-sa tunnel <tunnel-name>

# Debug IKE (generates detailed logs — use carefully)
debug ike global on debug

# View IKE debug logs
less mp-log ikemgr.log

# Restart IKE daemon (clears all tunnels — use in maintenance window)
debug software restart process ike-daemon

LSVPN — Large Scale VPN

LSVPN (Large Scale VPN) is a GlobalProtect feature designed for hub-and-spoke deployments with hundreds or thousands of branch firewall devices. Instead of manually configuring individual IKE gateways for each branch, LSVPN uses a satellite and hub model where branch devices (satellites) automatically register to the hub and receive their VPN configuration.

  • Satellites register to the GlobalProtect Portal using certificates
  • Hub firewalls terminate all satellite tunnels
  • Routing updates are distributed automatically via BGP or OSPF over the tunnels
  • New branches can be added without manual hub configuration — zero-touch provisioning
  • Suitable for retail chains, government branch offices, and large distributed enterprises