Category Archives: Security

Deploy VPN site-to-site between Palo Alto on-prem and AWS. Setup OpenVPN and additional Domain Controller on AWS

This is the diagram is used to deploy this lab.

In this lab.

  • Configure VPN site to site IKEv2 between Palo Alto and Virtual Private Gateway on AWS.
  • Implementing multi-master domain controllers on-prem and AWS.
  • Authenticating OpenVPN tunnel via LDAP to support people working from home to access corporate servers on AWS.
  • Disconnect the domain controller on-prem to simulate migrating corporate servers to AWS in the near future.

Core Switch configuration.

conf t
hostname CoreSW
ip routing
ip dhcp excluded-address
ip dhcp pool VLAN10

interface GigabitEthernet0/0
 no switchport
 ip address
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 negotiation auto
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk

interface Vlan10
 ip address
interface Vlan20
 ip address
router ospf 1
 network area 0
ip route

SWCore#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3, Gi2/0, Gi2/1, Gi2/2
                                                Gi2/3, Gi3/0, Gi3/1, Gi3/2
10   End users                        active
20   Servers                          active
99   Native VLAN                      active

Check Kali VM., start SSH and Apache service on this machine.

On Palo Alto.

LAN interface.

e1/1 belongs to the VPN zone, and e1/2 belongs to the LAN zone, respectively.

Create a new network object for the PA LAN subnet.

Configure SNAT to allow traffic from the PA LAN subnet to access the Internet.

Configure a default route.

Configure OSPF on PA.

Allow ICMP on the Mgmt interface to troubleshoot.

Ping from PA.

Ping from a VM on the PA LAN subnet.

+ Create a new VPC.

Create a private subnet.

Create and attach Internet gateway to your VPC.

Route table.

Add a new route to your Internet Gateway.

Go to VPN, create a customer gateway.

Create a new VPN gateway.

Attach it to your VPC.

Create a VPN site to site.

Go to the Route table and add a new route to PA LAN subnet.

Click Download Configuration and select information as the following screenshot.

Open the file to use for configuring PA.

Configure IKECrypto.

Configure IPSECCrypto.

Configure IKE Gateway.

Create a new interface tunnel 1 for VPN IPSEC site to site between FG on AWS and PA.

Configure IPSEC Tunnel.

On Virtual Routers, add an interface tunnel 1 on the router settings.

Create a new static route to the AWS LAN subnet.

New address object.

Create both Security policies to allow traffic from LAN to VPN.

+ Back to AWS, create a new Linux and Windows instance on AWS.

Create a new key pair on AWS.

Allow HTTP, SSH, and ICMP on Security Group.

Back to GNS3, configure a new Windows 2016 server VM.

Takes notes of IP address of Linux instance on AWS.

Ping the Linux instance on AWS LAN subnet from PA LAN subnet.

The tunnel is up on PA

On AWS, the tunnel is up as well.

Configure Windows 2016 on GNS3.

Install Windows 2016.

On Kali, access SSH to Linux VM instance on AWS>

Website on-prem.

Website on AWS.

Change computer name to DC1 and promote it to a domain controller.

Create a new Windows VM on AWS.

Create a new OpenVPN server instance on AWS.

Access the OpenVPN server via SSH. Use openvpnas as a user to log in.

Check the private subnet on OpenVPN is matching with the private subnet on AWS.

Change the password of openvpn.

From Windows 2016 VM on GNS3, access RDP to Windows instance on AWS. Change DNS setting to DC1 on-prem.

Join the machine to domain on-prem and promote it to become additional domain controller.

Create a couple of users to test: tung, kevin, test on domain controllers.

On OpenVPN.

Change the setting to authenticate the OpenVPN tunnel via LDAP. We use both LDAP servers on AWS and on-prem.

Configure LDAP settings to query the corresponding information on domain controllers.

Access to OpenVPN mgmt interface.

Using a kevin user to log in.

Access a web server on a private subnet on AWS.

RDP to a private IP address on Windows DC2 on AWS.

Monitor Security traffic on PA.

Join Windows 10 to the domain.

Disconnect interface from DC1 to SW2 to simulate migrating servers to AWS cloud.

Windows 10 is still accessible to the domain on DC2 on AWS.

Access RDP to DC2 and a web server on AWS.

Domain users are able to access a domain controller on AWS and a web server on AWS when the domain controller on-prem was down.

Deploy VPN IPSEC site-to-site between FortiGate on-prem and AWS

This is a topology that is used to deploy this lab.

+ Configure FortiGate on AWS.

Create a new VPC with a CIDR network is Then, create both Lab Public subnet and :ab Private subnet on AWS.

Create a new Internet gateway and attach to your VPC.

Create route tables.

Add a new route to the public Route table.

Associate the public subnet to the Public Route table.

Go to EC2 and create a new FortiGate instance.

Create a new private interface for FortiGate.

Attach the interface to FortiGate.

Disable “Source and destination check” on both Public and Private FortiGate interfaces.

Create a new Elastic IP address and assign it to your FortiGate instance.

Assign the Elastic IP address to public FortiGate interface.

Access FortiGate management interface.

Add a new route on a Private Route table to the Private FortiGate interface.

Create a new Windows instance on AWS.

Security Group.

Modify Windows Security Group to allow ICMP traffic.

Configure VPN site to site.

There are two routes that have been automatically created on FortiGate on the static routes setting.

+ Configure FortiGate on-prem.

Configure a default route on FortiGate.

Configure VPN site to site between both FortiGate.

+ Pings a Windows instance on AWS from a machine on FortiGate on-prem. Remember to access RDP to the machine and disable Windows Firewall to allow ICMP traffic from on-prem to that machine.

The IPSEC tunnel is up.

Pings from Windows instance on AWS to a computer on FortiGate LAN subnet on-prem.

The IPSEC tunnel on-prem is up.

+ Configure SSLVPN portal on FortiGate on AWS.

Deploying FortiGate on Amazon AWS


Below are a couple of steps to deploy Fortinet on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create an Internet gateway.

Attach the gateway to your VPC.

Edit Route table, change default Route table to Private Route Table.

Create a Public Route Table.

Edit the route and route all traffic to Internet Gateway.

Link Lab Public Subnet to Public Route Table.

Create a new key pair.

Go to EC2, and deploy Fortinet on AWS.

Select your VPC, the subnet belongs to Lab Public Subnet. Also Auto-assign Public IP is Enable.

Security Group.

Go to Network interfaces. Change the interface to Fortinet Public Subnet.

Create a new Fortinet Private subnet.

Attach this network interface to Fortinet EC2.

Create a new Elastic IP address.

Change to Fortinet EIP.

Associate this Elastic IP address to Fortinet EC2.

Now, Fortinet has two interfaces. One is Private, and another one is Public.

Access Fortinet via the Internet.

Login to Fortinet.

Change password to login to Fortinet.

Edit interfaces.

WAN interface.

LAN interface.

Edit Security Group to allow to ping Fortinet.

Disable Source and Destination Check on “Fortinet Private subnet”.

Now, change the route to route private subnet traffic via Fortinet Private subnet interface.

Create a new Windows 2016 VM EC2. The machine is belonged to “Lab private Subnet”.

Create a new Windows Security Group to allow HTTP and RDP traffic.

Back to Fortinet to configure FIrewall Policy to allow traffic from Fortinet Private subnet to access the Internet.

Configure port forwarding to allow traffic.

Allow inbound traffic from WAN to this machine.

Try to access the machine.

Sniffer traffic on Fortinet.

Modify the Security group to allow RDP.

Load private key to decrypt Windows password.

Access RDP to Windows 2016 instance on AWS.

Now we can see the RDP traffic via Fortinet.

diagnose sniffer packet port1 "port 3389"

The Windows machine is able to access the Internet.

Send Palo Alto, FortiGate, Cisco Router, and Linux Server logs to Splunk

This is a diagram that I have used to deploy this lab.

Log in to Splunk, and download Cisco Suite for Splunk, Fortigate, and Palo Alto app for Splunk.

Click Install app from file.

On Splunk.

+ Palo Alto

Go to Settings – Data inputs – New Local UDP.

Enter the port 5514 on the Port setting

Source type: pan_log

App Control: Palo Alto Networks

Method: IP

Index: Default

On Palo Alto, configure to send logs to Splunk server with destination port is 5514.

Commit, log off and log on to generate logs.

Back to Splunk.

Click Palo Alto App – Operations – Real-time Event Feed.

+ Cisco Router R1.

conf t
logging trap informational
logging host transport udp port 5515 

On Splunk.

Port 5515

Source type: cisco:asa

App Context: Cisco Suite for Splunk

Method: IP

Index: default.

Back to Router, send sample logs to Splunk.

send log "Tung Le"
send log "Tung Le"

+ On Kali Linux.

sudo su
nano /etc/rsyslog.conf
##Add the following line to the end of the file. The listening port is 5516.
*.*                @

Restart rsyslog service.

systemctl restart rsyslog
systemctl status rsyslog

Back to Splunk, configure the listening port for the Linux server is 5516

source type: Syslog

app context: Apps Browser

Back to Kali, type the command below to generate logs to Splunk.

logger "Tung Le"

+ FortiGate:

Configure FortiGate to send logs to Splunk via the UDP port 5517.

config log syslogd setting
set status enable
set server
set port 5517

Log into FortiGate, and enable the setting below to send logs to Splunk.

On Splunk, configure port is 5517.

Source type: fgt_log

App Context: FortiGate

Method: IP

Index: Default

Log off FortiGate, type w wrong password to generate logs.

Implementing a customized Palo Alto lab

This is a topology that I have used in this lab.

+ Set up IPSEC site to site between both PAs.

+ Configure Switch support multiple VLANs.

+ Configure DHCP service to multiple VLANs.

+ Configure DNAT on PA2 ( to NAT to Webserver on Kali (, then change to configure DNAT on PA2 ( to NAT to Webserver on Kali (

+ Configure DNAT on PA2 to SSH server on, and change ( to NAT to SSH server on Kali (

+ Configure DNAT to allow traffic from the Internet to the local Web server (DNAT).

+ Configure SNAT to allow Trust on PA1 to access the Internet.

+ Ban on accessing pdf files, and block on accessing to domain (URF filtering).

+ Set up Global Protect on Windows and Kali machines. Then, we are able to access the local network on the Global Protect VPN connection.

+ Enable Zone Protection on e1/3 to prevent DoS on this zone.

+ Set up Captive Portal on Trust interface on PA1.

Configure the basic switch for support of multiple VLANs.

Configure PA1.

Configure DHCP.

Check client on the local network has received IP address from DHCP Pool for VLAN30, VLAN40, and VLAN50.

Webterm2 on PA2.

Configure tunnel 1 for IPSEC site to site from PA1 to PA2.

Configure tunnel 12 for Remote VPN via GlobalProtect.

Setup IPSEC tunnel on PA1.

Configure default route to route traffic to the Internet.

Configure another route to allow traffic from the local network on PA1 to access the local network on PA2.

Configure access rules to allow traffic from the local network on PA1 to access the local network on PA2 and the Internet.

Configure SNAT to allow traffic from the Trust zone to the Internet.

Setup IKETunnel on PA2.

Set up IPSEC tunnel on PA2.

Configure default route from Local network on PA1 to the local network on PA1 via IPSEC tunnel 1.

Create access rules to allow traffic from the local network on PA2 to the local network on PA1

Test IPSEC site to site.

Access Apache website on VLAN 30 (service apache2 start).

The IPSEC tunnel is up.

Configure DNAT on PA2 to allow port 8888 to be translated to port 80 on the Apache Web server.

SSH 2222 to 22.

Create a Security Policy.

Access Apache2.

And SSH via 2222.

+ Set up GlobalProtect on PA1.

Enable User Authentication on Internet interface for GP.

Create a new user/password.

Set IP Pool for Global Protect VPN.

Create a new Security Rule to allow traffic from Global Protect to local networks.

Access Global Protec VPN on Windows machine.

Set up GlobalProtect on Kali. Search to download Global Protect VPN on Google.

Creating a VPN tunnel via GlobalProtect.

+ Block TungBlog on PA1.

+ Setup Captive Portal on PA1.

+ Ban PDF on PA1.

+ Configure DNAT on PA1.

+ Configure Zone Protection on PA1.

Scan ports by using Nmap tool.

Scanned port traffic has been blocked by PA1.

+ NAT port 9999 to port 7777 on (PA1), then NAT again from port 7777 to on Web Server.


Implementing OpenVPN server on Debian 10

Below is a lab topology to use to implement the OpenVPN solution on Debian 10.

In this lab, we need to make sure clients on the Internet are able to create secure OpenVPN connections to the OpenVPN server. Also, the OpenVPN client is able to access inside the network beside the VPN tunnel (LAMP subnet:, and still access the Internet. Moreover, the Split tunneling feature should be used to make sure only traffic is related to accessing the LAMP subnet will be routed via the OpenVPN tunnel. All other traffic will use a public network adapter (Internet).

IP addresses of Debian OpenVPN server.

Access SSH from LinuxMint to easy to copy and paste commands.

Upgrade Debian’s machine.

apt-get update -y
apt-get upgrade -y

+ Enable IP Forwarding

Edit the file /etc/sysctl.conf and add the line below at the end of the file.

net.ipv4.ip_forward = 1

+ Enable proxy_arp for arp entry to appear on the OpenVPN server.

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

+ Add a line below into /etc/sysctl.conf to make it permanent.


Run the following command to make the changes work.

sysctl -p

+ Install OpenVPN server.

apt-get install openvpn -y

Copy the easy-rsa directory from /usr/share directory to /etc/openvpn directory.for managing SSL certificates.

cp -r /usr/share/easy-rsa /etc/openvpn/

+ Set up Certificate Authority (CA)

cd /etc/openvpn/easy-rsa
nano vars
#Add information below to the file.
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_CITY        "Vancouver"
set_var EASYRSA_REQ_ORG         "BCIT Student"
set_var EASYRSA_REQ_OU          "BCIT Student"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE	7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

 Run the following command to initiate your own PKI.

./easyrsa init-pki

Build the CA certificates.

./easyrsa build-ca

+ Generate Server Certificate Files.

./easyrsa gen-req tung-server nopass

+ Sign the public key of the Server Using Root CA.

./easyrsa sign-req server tung-server

Verify cert.

openssl verify -CAfile pki/ca.crt pki/issued/tung-server.crt 

+ Create a strong Diffie-Hellman key to use for the key exchange

./easyrsa gen-dh

After creating all certificate files, copy them to the /etc/openvpn/server/ directory.

cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/tung-server.key /etc/openvpn/server/
cp pki/issued/tung-server.crt /etc/openvpn/server/

+ Generate Client Certificate and Key File

./easyrsa gen-req client nopass

Next, sign the client key using your CA certificate.

./easyrsa sign-req client client

Next, copy all client certificate and key file to the /etc/openvpn/client/ directory

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

+ Configure OpenVPN Server

nano /etc/openvpn/server.conf
root@debian10new:~# cat /etc/openvpn/server.conf 
port 1194
proto udp
#port 4443
#proto tcp-server
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/tung-server.crt
key /etc/openvpn/server/tung-server.key
dh /etc/openvpn/server/dh.pem
# OpenVPN tunnel IP address range
# server
# route all traffic via OpenVPN
push "redirect-gateway def1"
push "dhcp-option DNS"
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
keepalive 20 60
#disable compress lz4 because of error on OpenVPN client
#compress lz4
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3

+ Start OpenVPN service.

systemctl start openvpn@server
systemctl enable openvpn@server
systemctl status openvpn@server

Show OpenVPN tunnel.

ip a show tun0

+ Generate client configuration.

nano /etc/openvpn/client/client.ovpn
dev tun
proto udp
remote 1194

#proto tcp-server
# Public IP address on OpenVPN is
#remote 4443
ca ca.crt
cert client.crt
key client.key
#remote-cert-tls server
cipher AES-256-CBC
# Below lines is important to allow OpenVPN is still accessing the Internet when making OpenVPN session.
# Split tunneling on OpenVPN
# the LAN subnet that you need to access via VPN tunnel
route vpn_gateway
auth SHA512
tls-version-min 1.2
resolv-retry infinite
#compress lz4
verb 3

+ Configure routing using UFW.

By default, the UFW firewall is not installed in Debian 10.

apt-get install ufw -y

Configure UFW to accept the forwarded packets.

nano /etc/default/ufw
# Change the following line:

nano /etc/ufw/before.rules

Note: Replace ens3 with the name of your public network interface in Debian OpenVPN server is ens35.

Allow the default OpenVPN port 1194 and OpenSSH. Then, reload the UFW firewall.

ufw allow 1194/udp
ufw allow OpenSSH
ufw disable
ufw enable

+ Connect OpenVPN from a client.

Install OpenVPN from the Kali machine.

apt-get install openvpn -y

On the client machine, run the command below to download all the client configuration files.

# public-vpn-server-ip: is
scp -r root@public-vpn-server-ip:/etc/openvpn/client .

Check OpenVPN tunnel.

On OpenVPN client.

ping (Internet)

ping (OpenVPN gw tunnel)

ping (LAMP server behind OpenVPN server)

We can see split tunneling is working well on OpenVPN.

Access LAMP server.

On Debian OpenVPN server.

Check routing table on OpenVPN server.

Check OpenVPN logs on the OpenVPN server.

Monitor traffic on the OpenVPN server. OpenVPN traffic is using port 1194 UDP. OpenVPN traffic is encrypted using this tunnel.

Implementing open-source Wazuh SIEM

Wazuh is a free, open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.

Below is a topology to implement Wazuh solution.

Below are a couple of steps in this lab.

  • Install Wazuh on LinuxMint
  • Configure Agentless on LAMP server
  • Install Agent on WordPress

+ Install Wazuh on LinuxMint 20.

Following Wazuh link below to install it into LinuxMint 20

Login to Wazuh management interface.

+ Using a link below to Configure Agentless monitoring on Wazuh.

To set up that method of access, firstly you need to create ssh keys for the user ossec which is the account the agentless scripts run.

sudo -u ossec ssh-keygen

Copy SSH public key to Debian server that you want to monitor via agentless.

Using the add the option will specify a new device to be added to the manager. “NOPASS” may be entered as the password to use public-key authentication rather than using a password.

Back to Wazuh management interface and add the code below into ossec.conf file to monitor Linux servers with any changes on /bin / etc and /sbin directory.

  <arguments>/bin /etc/ /sbin</arguments>

Create a new file under /etc/tung and tung1 user. Security events have been generated on Wazuh from Debian server.

/var/ossec/bin/wazuh-control restart

Wazuh Security Dashboard.

+ Install Wazuh agent on Debian server.

Follow the link below to install Wazuh agent.

# Add the Wazuh repository
curl -s | apt-key add -
# Add the repository:
echo "deb stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
# Update the package information:
apt-get update
# Deploy a Wazuh agent
WAZUH_MANAGER="" apt-get install wazuh-agent
# Enable and start Wazuh
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Wazuh agent on Windows machine.

Using Ansible to install Wazuh agent

This is a topology to use Ansible to automatically install Wazuh agent.

This image has an empty alt attribute; its file name is image-460.png

On Debian server, edit sshd_configle file to allow root login and restart Opensshd daemon.

vi /etc/ssh/sshd_config Add the line “PermitRootLogin yes”

On LinutMint Ansible Controller.

Configure to access SSH daemon on Debian server via public key authentication.

Next, we need to set up Public key authentication on LinuxMint.

ssh-keygen -b 4096

Copy the key to the Debian server that you want to access.

Modify hosts on Ansible.

Create Wazuh file under /etc/ansible/group_vars.

ansible_ssh user:root
cd /etc/ansible/roles/
sudo git clone --branch v4.2.5
Create Wazuh.yml file under /etc/ansible
- hosts: Wazuh
    - /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent 

      - address:
        port: 1514
        protocol: udp
        api_port: 55000
        api_proto: 'http'
        api_user: ansible
      enable: true
      port: 1515
      ssl_agent_ca: null
      ssl_auto_negotiate: 'no'

Run ansible to test on Debian host.

 ansible -m ping Wazuh -i /etc/ansible/hosts

Run ansible-playbook to install wazuh agent on Linux Debian server.

ansible-playbook -i /etc/ansible/hosts Wazuh.yml -u root

Create an IPSEC site-to-site tunnel between Palo Alto And FortiGate.

This is the lab to use to set up the IPSEC site-to-site tunnel between both devices.

On Palo Alto.

IKE Crypto.

IPSEC Crypto.

IKE Gateway.

IPSec tunnel.

Create a virtual route from PA to Fortinet.

Create two Security Policies to allow traffic from the “Trusted Zone” of PA to the “Trusted Zone” of Fortinet.

Configure Fortinet.

config system interface
edit port1
set mode dhcp
set allowaccess ping httpd http fgfm
show system interface 
# show system interface to get IP Address from DHCP

Go to Webterm to configure Fortinet.

Configure a custom VPN Tunnel with the following information.

Configure a static route to allow traffic from Trusted Zone ( on Fortinet to the Trusted Zone ( on PA.

Create two Security policies to allow traffic from VPN to Trusted Zone and vice versa.

Ping and traceroute from a VM on Fortinet to another VM on Palo Alto.

Monitor IPSEC tunnel on Fortinet.

Monitor IPSEC tunnel on PA.

Create a VPN IPSEC site to site between Palo Alto and Cisco Router

This is a lab to set up a VPN site-to-site tunnel between both devices.

Configure interfaces and enable IPSEC VPN site to site on Cisco Router.

R1(config)#int g0/0
R1(config-if)#ip add
R1(config-if)#no shut

R1(config)#int g1/0
R1(config-if)#des "Connect to PA""
R1(config-if)#ip add
R1(config-if)#no shut

Create an ACL for VPN.
R1(config)#ip access-list extended ACL
R1(config-ext-nacl)#permit ip

Create ISAKMP phase 1 of the tunnel.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 86400
# Assign authentication-key for remote peer.
R1(config)#crypto isakmp key cisco123 address

# Create IPSEC transfrom set for phase 2
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac

# Create cryoto map to apply the phase 2 settings to the interface
crypto map PA1 10 ipsec-isakmp
set peer
set transform-set TSET
match address ACL

# Applly crypto map to an interface.

R1(config-crypto-map)#int g1/0
R1(config-if)#crypto map PA1

# Create a static route to route traffic between both sites.
R1(config)#ip route

Access Palo Alto Web management.

Assign an IP address for interface e1/1 and e1/2.

Create a new tunnel 1 on PA.

Configure a static route between PA and Cisco Router and set next hop is “None”.

Configure IKECrypto as on Cisco Router.

Configure IKE Gateway.

Configure IPSEC Tunnel.

Configure Proxy ID.

Create both Security policies to allow traffic from the Trusted zone to the VPN zone and vice versa.

From Webterm2 ( pings Webterm 3 (

Check PA, the IPSEC tunnel is up.