Step 2: Creating a Palo Alto IPSec Site-to-Site VPN Configuration

Jamf Connect Documentation

  1. Log in to the Palo Alto device.
  2. Open the Network tab in the device management interface.
  3. Select "Tunnel".
    1. Click Add at the bottom to create a new Tunnel interface.
    2. In the Config tab select the appropriate Virtual Router and Security Zone to be used.
      Note: Jamf recommends that you create a new Security Zone so that you can control, at a granular level, the traffic permitted to your network from end user devices. If you opt to do this, you may need to configure a new Security Policy.

    3. In the IPv4 tab assign the tunnel an internal IP in CIDR notation.
    4. Click OK to create the tunnel interface.
  4. Click the Network tab.
  5. Select IKE Crypto in the Network Profile area.
    1. Click Add to create a new IKE Crypto Profile.
    2. Enter a name for the profile, such as Jamf IKE Profile.
    3. Fill in the fields, using the Phase 1 values defined when you configured the Jamf Security Cloud side of the interconnect. If you used the suggested values, they are as follows:
      • DH Group: group14
      • Encryption: aes-256-cbc
      • Authentication: sha256
      • Key Lifetime: Seconds, 28800
      • IKE Authentication Multiple: 0
    4. Click OK to save the new IKE Crypto configuration.
  6. Click the Network tab.
  7. Select IPSec Crypto in the Network Profile area.
    1. Click Add to create a new IPSec Crypto Profile.
    2. Enter a name for the profile, such as Jamf IPSec Profile.
    3. Fill in the fields, using the Phase 1 values defined when you configured the Jamf side of the interconnect. If you used the suggested values, they are:
      • IPSec Protocol: ESP
      • Encryption: aes-256-cbc
      • Authentication: sha256
      • DH Group: group14
      • Lifetime: Seconds, 28800
    4. Click OK to save the new IPSec Crypto configuration.
  8. Click the Network tab.
  9. Select IKE Gateway in the Network Profile area.
    1. Click Add to create a new IKE Gateway Profile.
    2. Enter a name for the gateway, such as Jamf IKE Gateway.
    3. For Version, select the Key Exchange protocol defined in Jamf Security Cloud (usually IKEv2 only mode).
    4. As Local IP Address, select the address assigned to the public interface of the firewall.

      This IP may be a private or public IP address, depending on your network topology.

    5. For Peer IP Type select "Dynamic".
    6. For Authentication select "Pre-Shared Key".
    7. In Pre-Shared Key paste the pre-shared/secret key that was created in Jamf Security Cloud and copied in a previous step.
    8. In Local Identification select "FQDN (hostname)" and insert the IKE Domain ID provided in Jamf Security Cloud (for example, jamf.customer.com).
    9. For Peer Identification select "FQDN (hostname)" and insert wpa.wandera.com.
    10. Under the Advanced Options tab, select the following:
      • Enable Passive Mode

      • Enable NAT Traversal if your Firewall is behind a NAT

      • The IKE Crypto Profile name you created previously (for example, Jamf IPSec Crypto)

    11. Click OK to create the IKE Gateway configuration.
  10. Click the Network tab.
  11. Select IPSec Tunnels and configure an IPSec tunnel as follows:
    1. Click Add to create a new IPSec Tunnel profile.
    2. In the Tunnel selection field, specify the tunnel interface created above.
    3. For Type, select "Auto Key".
    4. For Address Type, select "IPv4".
    5. For IKE Gateway, select the IKE Gateway created previously (for example, Jamf IKE Gateway).
    6. For IPSec Crypto Profile, select the IPSec Crypto Profile created previously (for example, Jamf IPSec Profile).
    7. Click OK to create the new IPSec tunnel configuration.
  12. Review the configuration then select Commit to publish and activate it.
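
After committing, the two crypto profiles can be checked against the suggested values listed in the steps above. The script below is an added example, not part of the Jamf or Palo Alto documentation. It assumes the `<crypto-profiles>` element layout of an exported PAN-OS XML configuration; the sample input is constructed, and the `audit` and `values` helpers are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Suggested values from the IKE Crypto and IPSec Crypto steps above.
EXPECTED_IKE = {"dh-group": ["group14"], "encryption": ["aes-256-cbc"],
                "hash": ["sha256"], "lifetime/seconds": ["28800"]}
EXPECTED_IPSEC = {"esp/encryption": ["aes-256-cbc"], "esp/authentication": ["sha256"],
                  "dh-group": ["group14"], "lifetime/seconds": ["28800"]}

# Constructed sample (assumed PAN-OS layout): sha1 was left enabled in the IKE
# profile and the IPSec lifetime no longer matches the peer.
SAMPLE = """<crypto-profiles>
 <ike-crypto-profiles><entry name="Jamf IKE Profile">
  <hash><member>sha256</member><member>sha1</member></hash>
  <dh-group><member>group14</member></dh-group>
  <encryption><member>aes-256-cbc</member></encryption>
  <lifetime><seconds>28800</seconds></lifetime>
 </entry></ike-crypto-profiles>
 <ipsec-crypto-profiles><entry name="Jamf IPSec Profile">
  <esp><encryption><member>aes-256-cbc</member></encryption>
       <authentication><member>sha256</member></authentication></esp>
  <dh-group>group14</dh-group>
  <lifetime><seconds>3600</seconds></lifetime>
 </entry></ipsec-crypto-profiles>
</crypto-profiles>"""

def values(entry, path):
    """Return the setting at `path`: its <member> children if any, else its text."""
    node = entry.find(path)
    if node is None:
        return []
    members = [(m.text or "").strip() for m in node.findall("member")]
    return members or [(node.text or "").strip()]

def audit(xml_text):
    """Return (profile, setting, found, expected) for every value that differs."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, expected in (("ike-crypto-profiles", EXPECTED_IKE),
                              ("ipsec-crypto-profiles", EXPECTED_IPSEC)):
        for entry in root.iterfind(f".//{section}/entry"):
            for path, want in expected.items():
                got = values(entry, path)
                if sorted(got) != sorted(want):  # extra (weaker) members also count
                    findings.append((entry.get("name"), path, got, want))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A profile that lists an additional algorithm alongside the suggested one is reported as well, since the firewall may negotiate any member of the list.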