{"id":215,"date":"2022-04-25T07:32:46","date_gmt":"2022-04-25T11:32:46","guid":{"rendered":"https:\/\/opentextbc.ca\/paloalto\/chapter\/remote-access-vpn\/"},"modified":"2023-11-28T19:05:21","modified_gmt":"2023-11-29T00:05:21","slug":"remote-access-vpn","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/paloalto\/chapter\/remote-access-vpn\/","title":{"raw":"3.2 Remote Access VPN","rendered":"3.2 Remote Access VPN"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure a tunnel interface<\/li>\n \t
  • Configure a remote access VPN<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    \n\nPrerequisites<\/strong>:\n
      \n \t
    • Setup Zones<\/li>\n \t
    • Some interface configuration<\/li>\n \t
    • Create a new user<\/li>\n \t
    • Create an auth policy<\/li>\n \t
    • Policy that allows VPN to Inside<\/li>\n \t
    • Policy that allows Outside to VPN<\/li>\n \t
    • Knowledge of previous labs<\/li>\n<\/ul>\n<\/div>\n
      \n\nScenario<\/strong>: VPNs aren't just about changing your location like many advertisements say they're for. What it's really used for is to securely access a remote location's resources like your workplace, or even your own home. That is what this lab will focus on. We are going to install GlobalProtect Agent on Kali and then we'll try to reach the Internal through VPN connection.\n\n<\/div>\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"990\"]\"main Figure 3.27: Main scenario[\/caption]\n\n\n\n\n\n\n
      Table 3.5: Addressing Table<\/caption>\n
      Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
      PaloAlto-1<\/td>\nmanagement: 192.168.0.1\/24\nEthernet1\/1: 10.0.0.1\/24\nEthernet1\/2: DHCP<\/td>\n<\/tr>\n
      Internal (WordPress)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
      KaliLinux2019.3-1<\/td>\neth0: DHCP<\/td>\n<\/tr>\n
      Management<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
      Table 3.6: Zone Configuration<\/caption>\n
      Zone<\/th>\nInterface<\/th>\n<\/tr>\n
      Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
      Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n
      VPN<\/td>\nTunnel.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Create a Tunnel Interface<\/h2>\nUnder Network > Interfaces<\/strong> in the Tunnel tab, click Add<\/b>.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Creating Figure 3.28: Creating a Tunnel[\/caption]\n

      In the new window, change the virtual router to default, and the security zone to the VPN zone.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Tunnel Figure 3.29: Tunnel Interface[\/caption]\n\nThen click OK<\/b>.\n

      Enable User ACL for a Zone<\/h2>\nUnder Network > Zone<\/strong>, click the VPN zone.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Create Figure 3.30: Create a VPN Zone[\/caption]\n

      Tick the Enable user identification<\/strong> box.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Enable Figure 3.31: Enable User Identification under VPN Zone[\/caption]\n\nThen press OK<\/strong>.\n

      Generate Certs<\/h2>\nUnder Device > Certificate Management > Certificates<\/strong>, click\u00a0on Generate.<\/b>\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Generate Figure 3.32: Generate a certificate[\/caption]\n\nConfigure these settings in the new window:\n\n\n\n\n\n
      Table 3.7: Certificate Generation<\/caption>\n
      Parameters<\/th>\nValue<\/th>\n<\/tr>\n
      Certificate Name<\/td>\nCert Name Here<\/em><\/td>\n<\/tr>\n
      Common Name<\/td>\nThe DHCP IP of Ethernet1\/2<\/em><\/td>\n<\/tr>\n
      Certificate Authority<\/td>\nTick this box<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Generate Figure 3.33: Generate a certificate[\/caption]\n\nThen click Generate<\/strong>.\n

      Create an SSL\/TLS Service Profile<\/h2>\nUnder Device > Certificate Management > SSL\/TLS<\/strong> Service Profile, click Add<\/b>.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.34: Add SSL\/TLS Service Profile[\/caption]\n

      In the new window, add the certificate you generated.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Configure Figure 3.35: Configure SSL\/TLS Service Profile[\/caption]\n\nThen click OK<\/b>.\n

      Create a GlobalProtect Portal<\/h2>\nUnder Network > GlobalProtect > Portals<\/strong>, then click Add<\/b>.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.36: Add a Portal[\/caption]\n

      In the general tab, set the interface to Ethernet1\/2.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"GlobalProtect Figure 3.37: GlobalProtect Portal Configuration[\/caption]\n

      In the authentication tab, select SSL\/TLS profile you created in the previous step, then click Add<\/strong>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Adding Figure 3.38: Adding SSL\/TLS Profile[\/caption]\n

      In the new window, change the authentication profile, then press OK<\/strong>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Adding Figure 3.39: Adding Authentication Profile[\/caption]\n

      In the agent tab, in the agent section, click Add<\/b>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Adding Figure 3.40: Adding the agent[\/caption]\n

      In the internal tab in the Internal gateway, click Add.<\/b><\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Configure Figure 3.41: Configure Internal Gateway[\/caption]\n

      In this window, change the Address to select IP, and in the IPv4 box, type in the IP of Ethernet1\/2.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 3.42: Set the IP address for Internal Gateway[\/caption]\n

      Press OK<\/b> twice to get back to the agent tab. Then in the trusted root ca section, add your generated cert, and tick the box to install in local root certificate store.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.43: Add the Root CA certificate[\/caption]\n\nThen press OK<\/b>.\n

      Create a GlobalProtect Gateway<\/h2>\nUnder Network > GlobalProtect > Gateways<\/strong>, click Add<\/b>.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.44: Add a Gateway[\/caption]\n

      In the general tab, set the interface to Ethernet1\/2.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"GlobalProtect Figure 3.45: GlobalProtect Gateway Configuration[\/caption]\n

      In the Authentication tab, add your SSL\/TLS<\/strong> profile, then click Add<\/b>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"SSL\/TLS Figure 3.46: SSL\/TLS Service Profile[\/caption]\n

      In the new window, select your authentication profile, then click OK.<\/b><\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Authentication Figure 3.47: Authentication Profile[\/caption]\n

      Under the agent tab, in tunnel settings, tick the tunnel mode checkbox and select the tunnel you made.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Tunnel Figure 3.48: Tunnel Mode and Interface[\/caption]\n

      In client settings, click Add<\/b>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Client Figure 3.49: Client Settings[\/caption]\n

      Make sure the Any<\/strong> checkbox is ticked on top of the OS category, then press OK<\/b>.<\/p>\n\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 3.50: Select Client as Any[\/caption]\n

      In client IP pool settings, add an IP pool range of this:<\/p>\n172.16.10.1-172.16.10.10<\/code><\/span>\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"IP Figure 3.51: IP Pool Configuration[\/caption]\n\nThen press OK<\/b>. Don't forget to commit the configuration!\n

      Install the GlobalProtect Client on Kali<\/h2>\nOpen up a terminal window and run the following commands:\n
      #curl -L https:\/\/bit.ly\/32Ljx1y --output GP.deb<\/code>\n#sudo dpkg -i GP.deb<\/code>\n#globalprotect connect -p [IP of Palo Alto Ethernet1\/2 Here]<\/code><\/div>\nWhen connecting, it will show an error about validation. Type in y then press enter.\n\nIt will also ask for your username and password. Enter the one you created prior.\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Installing Figure 3.52: Installing GlobalProtect on Kali Linux[\/caption]\n

      Test Remote Access VPN<\/h2>\nOn Kali, after connecting to GlobalProtect, navigate to the IP of the WordPress Server (Internal).\n\n[caption id=\"attachment_214\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 3.53: Verify your configuration[\/caption]\n\nIf everything was correct, it should display the WordPress site!","rendered":"
      \n
      \n

      Learning Objectives<\/p>\n<\/header>\n

      \n
        \n
      • Configure a tunnel interface<\/li>\n
      • Configure a remote access VPN<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
        \n

        Prerequisites<\/strong>:<\/p>\n

          \n
        • Setup Zones<\/li>\n
        • Some interface configuration<\/li>\n
        • Create a new user<\/li>\n
        • Create an auth policy<\/li>\n
        • Policy that allows VPN to Inside<\/li>\n
        • Policy that allows Outside to VPN<\/li>\n
        • Knowledge of previous labs<\/li>\n<\/ul>\n<\/div>\n
          \n

          Scenario<\/strong>: VPNs aren’t just about changing your location like many advertisements say they’re for. What it’s really used for is to securely access a remote location’s resources like your workplace, or even your own home. That is what this lab will focus on. We are going to install GlobalProtect Agent on Kali and then we’ll try to reach the Internal through VPN connection.<\/p>\n<\/div>\n

          \"main
          Figure 3.27: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n\n
          Table 3.5: Addressing Table<\/caption>\n
          Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
          PaloAlto-1<\/td>\nmanagement: 192.168.0.1\/24
          \nEthernet1\/1: 10.0.0.1\/24
          \nEthernet1\/2: DHCP<\/td>\n<\/tr>\n
          Internal (WordPress)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
          KaliLinux2019.3-1<\/td>\neth0: DHCP<\/td>\n<\/tr>\n
          Management<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n\n
          Table 3.6: Zone Configuration<\/caption>\n
          Zone<\/th>\nInterface<\/th>\n<\/tr>\n
          Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
          Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n
          VPN<\/td>\nTunnel.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          Create a Tunnel Interface<\/h2>\n

          Under Network > Interfaces<\/strong> in the Tunnel tab, click Add<\/b>.<\/p>\n

          \"Creating
          Figure 3.28: Creating a Tunnel<\/figcaption><\/figure>\n

          In the new window, change the virtual router to default, and the security zone to the VPN zone.<\/p>\n

          \"Tunnel
          Figure 3.29: Tunnel Interface<\/figcaption><\/figure>\n

          Then click OK<\/b>.<\/p>\n

          Enable User ACL for a Zone<\/h2>\n

          Under Network > Zone<\/strong>, click the VPN zone.<\/p>\n

          \"Create
          Figure 3.30: Create a VPN Zone<\/figcaption><\/figure>\n

          Tick the Enable user identification<\/strong> box.<\/p>\n

          \"Enable
          Figure 3.31: Enable User Identification under VPN Zone<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Generate Certs<\/h2>\n

          Under Device > Certificate Management > Certificates<\/strong>, click\u00a0on Generate.<\/b><\/p>\n

          \"Generate
          Figure 3.32: Generate a certificate<\/figcaption><\/figure>\n

          Configure these settings in the new window:<\/p>\n\n\n\n\n\n\n
          Table 3.7: Certificate Generation<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Certificate Name<\/td>\nCert Name Here<\/em><\/td>\n<\/tr>\n
          Common Name<\/td>\nThe DHCP IP of Ethernet1\/2<\/em><\/td>\n<\/tr>\n
          Certificate Authority<\/td>\nTick this box<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Generate
          Figure 3.33: Generate a certificate<\/figcaption><\/figure>\n

          Then click Generate<\/strong>.<\/p>\n

          Create an SSL\/TLS Service Profile<\/h2>\n

          Under Device > Certificate Management > SSL\/TLS<\/strong> Service Profile, click Add<\/b>.<\/p>\n

          \"Add
          Figure 3.34: Add SSL\/TLS Service Profile<\/figcaption><\/figure>\n

          In the new window, add the certificate you generated.<\/p>\n

          \"Configure
          Figure 3.35: Configure SSL\/TLS Service Profile<\/figcaption><\/figure>\n

          Then click OK<\/b>.<\/p>\n

          Create a GlobalProtect Portal<\/h2>\n

          Under Network > GlobalProtect > Portals<\/strong>, then click Add<\/b>.<\/p>\n

          \"Add
          Figure 3.36: Add a Portal<\/figcaption><\/figure>\n

          In the general tab, set the interface to Ethernet1\/2.<\/p>\n

          \"GlobalProtect
          Figure 3.37: GlobalProtect Portal Configuration<\/figcaption><\/figure>\n

          In the authentication tab, select SSL\/TLS profile you created in the previous step, then click Add<\/strong>.<\/p>\n

          \"Adding
          Figure 3.38: Adding SSL\/TLS Profile<\/figcaption><\/figure>\n

          In the new window, change the authentication profile, then press OK<\/strong>.<\/p>\n

          \"Adding
          Figure 3.39: Adding Authentication Profile<\/figcaption><\/figure>\n

          In the agent tab, in the agent section, click Add<\/b>.<\/p>\n

          \"Adding
          Figure 3.40: Adding the agent<\/figcaption><\/figure>\n

          In the internal tab in the Internal gateway, click Add.<\/b><\/p>\n

          \"Configure
          Figure 3.41: Configure Internal Gateway<\/figcaption><\/figure>\n

          In this window, change the Address to select IP, and in the IPv4 box, type in the IP of Ethernet1\/2.<\/p>\n

          \"Set
          Figure 3.42: Set the IP address for Internal Gateway<\/figcaption><\/figure>\n

          Press OK<\/b> twice to get back to the agent tab. Then in the trusted root ca section, add your generated cert, and tick the box to install in local root certificate store.<\/p>\n

          \"Add
          Figure 3.43: Add the Root CA certificate<\/figcaption><\/figure>\n

          Then press OK<\/b>.<\/p>\n

          Create a GlobalProtect Gateway<\/h2>\n

          Under Network > GlobalProtect > Gateways<\/strong>, click Add<\/b>.<\/p>\n

          \"Add
          Figure 3.44: Add a Gateway<\/figcaption><\/figure>\n

          In the general tab, set the interface to Ethernet1\/2.<\/p>\n

          \"GlobalProtect
          Figure 3.45: GlobalProtect Gateway Configuration<\/figcaption><\/figure>\n

          In the Authentication tab, add your SSL\/TLS<\/strong> profile, then click Add<\/b>.<\/p>\n

          \"SSL\/TLS
          Figure 3.46: SSL\/TLS Service Profile<\/figcaption><\/figure>\n

          In the new window, select your authentication profile, then click OK.<\/b><\/p>\n

          \"Authentication
          Figure 3.47: Authentication Profile<\/figcaption><\/figure>\n

          Under the agent tab, in tunnel settings, tick the tunnel mode checkbox and select the tunnel you made.<\/p>\n

          \"Tunnel
          Figure 3.48: Tunnel Mode and Interface<\/figcaption><\/figure>\n

          In client settings, click Add<\/b>.<\/p>\n

          \"Client
          Figure 3.49: Client Settings<\/figcaption><\/figure>\n

          Make sure the Any<\/strong> checkbox is ticked on top of the OS category, then press OK<\/b>.<\/p>\n

          \"Select
          Figure 3.50: Select Client as Any<\/figcaption><\/figure>\n

          In client IP pool settings, add an IP pool range of this:<\/p>\n

          172.16.10.1-172.16.10.10<\/code><\/span><\/p>\n

          \"IP
          Figure 3.51: IP Pool Configuration<\/figcaption><\/figure>\n

          Then press OK<\/b>. Don’t forget to commit the configuration!<\/p>\n

          Install the GlobalProtect Client on Kali<\/h2>\n

          Open up a terminal window and run the following commands:<\/p>\n

          #curl -L https:\/\/bit.ly\/32Ljx1y --output GP.deb<\/code>
          \n#sudo dpkg -i GP.deb<\/code>
          \n#globalprotect connect -p [IP of Palo Alto Ethernet1\/2 Here]<\/code><\/div>\n

          When connecting, it will show an error about validation. Type in y then press enter.<\/p>\n

          It will also ask for your username and password. Enter the one you created prior.<\/p>\n

          \"Installing
          Figure 3.52: Installing GlobalProtect on Kali Linux<\/figcaption><\/figure>\n

          Test Remote Access VPN<\/h2>\n

          On Kali, after connecting to GlobalProtect, navigate to the IP of the WordPress Server (Internal).<\/p>\n

          \"Verify
          Figure 3.53: Verify your configuration<\/figcaption><\/figure>\n

          If everything was correct, it should display the WordPress site!<\/p>\n","protected":false},"author":124,"menu_order":2,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-215","chapter","type-chapter","status-publish","hentry"],"part":159,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/215\/revisions"}],"predecessor-version":[{"id":216,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/215\/revisions\/216"}],"part":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/159"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/215\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=215"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=215"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/license?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}