Hey,
I am working here on an IPSEC s2s setup with Palo Alto and Mikrotik CHR.
This should help to understand both sides' setup.
On the PA side you can use the default PH1 and PH2 IKEv2 and IPSEC profiles.
** EDIT ** For most use cases you will need to set the IKE Gateway "Peer IP Address Type" on the PA side to Dynamic.
Take a peek at:
Palo Alto: Getting Started: VPN
Palo Alto: IPSec VPN Tunnel with Peer Having Dynamic IP Address
Before starting with the setup config you must know that to reach each end you must be inside the LAN segment of the network (traffic sourced from the router's own WAN address will not match the tunnel policy).
To ping from the Mikrotik through the tunnel, sourcing from the local LAN address, you can use something like:
/ping address=192.168.99.1 src-address=192.168.89.254
or
/ping address=192.168.99.1 interface=ether3
where ether3 is my LAN interface and 192.168.89.254 is the Mikrotik IP on this interface.
On the PA, steps to create the IPSEC tunnel itself:
Network -> Interfaces -> Tunnel -> Add
* Interface name (numeric), e.g. 10
* Comment = S2S Name
* Virtual Router = Default (unless you have a more complex setup)
* Zone = VPN(Or Whatever is ok for this peer)
-> IPV4
* Add -> 192.168.99.1/32
(/32 since it's a "dummy" address used to force traffic into the tunnel instead of into the default GW route)
-> Advanced
* Management Profile -> (Choose if you have one)
Network -> IKE Gateways -> Add
* Name = MT-S2S-SomeSite-GW
* Version = IKEv2 only mode
* Interface = WAN Interface with the IP of the peer, e.g. ethernet1/1.10 (which holds 200.200.200.200/24)
* Local IP Address = 200.200.200.200/24
* Peer IP Address Type = Dynamic (choose IP only if the peer has a static IP, which is tested to work with this mode)
* Peer Address = 201.201.201.201 (required only when the Peer IP Address Type = IP)
* Pre-shared Key = Test***
* Confirm Pre-shared Key = Test***
* Local Identification -> IP Address = 200.200.200.200
* Peer Identification -> IP Address = 201.201.201.201
-> Advanced
* Enable NAT Traversal -> Check
* (IKEv2) IKE Crypto Profile = Default
-> OK
Network -> IPSEC Tunnels -> Add
* Name = MT-S2S-SomeSite-IPSEC-Tunnel
* Tunnel Interface = tunnel.10
* Type = Auto Key
* Address Type = IPv4
* IKE Gateway = MT-S2S-SomeSite-GW
* IPSec Crypto Profile = Default
-> Proxy ID IPv4 -> Add
* Proxy ID = px1
* Local = 192.168.99.1/32
* Remote = 192.168.89.0/24
* Protocol = Any
-> Proxy ID IPv4 -> Add
* Proxy ID = px2
* Local = 10.200.0.0/24
* Remote = 192.168.89.0/24
* Protocol = Any
-> Proxy ID IPv4 -> Add
* Proxy ID = px2
* Local = 10.205.0.0/24
* Remote = 192.168.89.0/24
* Protocol = Any
-> OK
Network -> Virtual Router -> Default (or any other if you have a more complex setup)
-> Static Routes -> IPv4 -> Add
* Name = S2S Tunnel Route
* Destination = 192.168.89.0/24
* Interface = tunnel.10
* Next-Hop = "IP Address" (literal string; the IP itself goes in the box below)
* Box below the string "Next-Hop" = 192.168.99.1
-> OK
-> OK
Commit
Go to the Mikrotik and set up the connection, and it's up.
In PA you must add:
* FW rules to allow IKE (UDP ports 500/4500) from the remote site and back
* IP address (should be /32) on the tunnel interface
* Proxy ID policy from the LAN Towards the S2S LAN
* IP route(static or dynamic using BGP/OSPF/OTHER) that will direct traffic towards the other site via the tunnel /32 ip address
* FW rules and zones on the addresses and/or the tunnel interface that will allow traffic from side to side
My local Mikrotik IPSEC and FW settings (200.200.200.200 is the PA, i.e. the peer, and 201.201.201.201 is my local address):
[admin@MT-CHR-R1] > /ip ipsec installed-sa print terse
0 HE spi=0xC6C726E src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=3b****cd enc-key=68****83 addtime=oct/28/2020 21:44:29 expires-in=8m38s add-lifetime=24m4s/30m5s current-bytes=30604 current-packets=502 replay=128
1 HE spi=0xCEEAB2B9 src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=b19****f9 enc-key=45****b2 addtime=oct/28/2020 21:44:29 expires-in=8m38s add-lifetime=24m4s/30m5s current-bytes=33044 current-packets=542 replay=128
2 HE spi=0x72A91A9 src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=ad****cb enc-key=93***a7 add-lifetime=24m8s/30m10s replay=128
3 HE spi=0xADE50688 src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=e1****a0 enc-key=5b****e8 add-lifetime=24m8s/30m10s replay=128
4 HE spi=0xF1CBCE0 src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=da****94 enc-key=5b****c9 add-lifetime=24m20s/30m26s replay=128
5 HE spi=0xDD03EDEB src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=06****76 enc-key=8b****c9 add-lifetime=24m20s/30m26s replay=128
[admin@MT-CHR-R1] /ip ipsec> export verbose terse
# oct/28/2020 22:02:45 by RouterOS 6.47.6
# software id =
#
#
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group set [ find default=yes ] name=default
/ip ipsec profile set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec profile add dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 lifetime=1d name=Work_Profile nat-traversal=yes proposal-check=obey
/ip ipsec peer add address=200.200.200.200/32 disabled=no exchange-mode=ike2 local-address=201.201.201.201 name=Work-s2s port=500 profile=Work_Profile send-initial-contact=yes
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=Work-Proposal pfs-group=modp1024
/ip ipsec identity add auth-method=pre-shared-key disabled=no generate-policy=no my-id=address:201.201.201.201 peer=Work-s2s secret=Test****
/ip ipsec policy set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=10.200.0.0/16 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=10.205.0.0/16 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=192.168.99.1/32 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec settings set accounting=yes interim-update=0s xauth-use-radius=no
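As an added example (not from the post), a small Python check that reads the `action=encrypt` policies above and compares them, as mirror images, with the PA Proxy IDs listed earlier: a PA (Local, Remote) pair should appear as a MikroTik (src, dst) = (Remote, Local) policy. The sample data is copied from this post and trimmed to the fields read; the third Proxy ID is labelled px3 here so the keys are distinct, and a "narrower" verdict means the PA selector is a subnet of the MikroTik one (e.g. 10.200.0.0/24 vs 10.200.0.0/16), which relies on IKEv2 traffic-selector narrowing.

```python
import ipaddress
import re

# MikroTik policies as exported in the post (constructed sample: the same three
# 'action=encrypt tunnel=yes' lines, trimmed to the fields this check reads).
MT_POLICIES = """
/ip ipsec policy add action=encrypt dst-address=10.200.0.0/16 peer=Work-s2s src-address=192.168.89.0/24 tunnel=yes
/ip ipsec policy add action=encrypt dst-address=10.205.0.0/16 peer=Work-s2s src-address=192.168.89.0/24 tunnel=yes
/ip ipsec policy add action=encrypt dst-address=192.168.99.1/32 peer=Work-s2s src-address=192.168.89.0/24 tunnel=yes
"""

# Palo Alto Proxy IDs from the post as (name, Local, Remote); px3 is an assumed
# unique name for the third entry.
PA_PROXY_IDS = [
    ("px1", "192.168.99.1/32", "192.168.89.0/24"),
    ("px2", "10.200.0.0/24", "192.168.89.0/24"),
    ("px3", "10.205.0.0/24", "192.168.89.0/24"),
]

def parse_mt_policies(text):
    """Return (src, dst) network pairs from the tunnel-mode encrypt policies."""
    pairs = []
    for line in text.splitlines():
        if "action=encrypt" not in line or "tunnel=yes" not in line:
            continue  # skip the template policy and anything non-tunnel
        # lookbehind keeps 'sa-src-address=' on full export lines from matching
        src = re.search(r"(?<![\w-])src-address=(\S+)", line)
        dst = re.search(r"(?<![\w-])dst-address=(\S+)", line)
        if src and dst:
            pairs.append((ipaddress.ip_network(src.group(1)),
                          ipaddress.ip_network(dst.group(1))))
    return pairs

def check_proxy_ids(pa_ids, mt_pairs):
    """Classify each PA Proxy ID against the MikroTik mirror-image policy:
    exact    - MT src == PA Remote and MT dst == PA Local
    narrower - PA selectors are subnets of an MT policy (needs IKEv2 TS narrowing)
    missing  - no MT policy covers the mirror-image pair (traffic will not match)"""
    results = {}
    for name, local, remote in pa_ids:
        pa_local, pa_remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        verdict = "missing"
        for mt_src, mt_dst in mt_pairs:
            if mt_src == pa_remote and mt_dst == pa_local:
                verdict = "exact"
                break
            if pa_remote.subnet_of(mt_src) and pa_local.subnet_of(mt_dst):
                verdict = "narrower"
        results[name] = verdict
    return results
```

Run against the values in this post it reports px1 as exact and px2/px3 as narrower, which is worth confirming against the installed SAs (the `installed-sa print` output above shows three SA pairs, one per policy) after any change to either side.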
[admin@MT-CHR-R1] /ip ipsec> /ip ipsec active-peers print terse
0 id=200.200.200.200 local-address=201.201.201.201 remote-address=200.200.200.200 state=established side=initiator uptime=18m58s last-seen=3s ph2-total=3
[admin@MT-CHR-R1] /ip ipsec> /ip ipsec statistics print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 4
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 0
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 213
out-state-protocol-errors: 1
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 1
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0
[admin@MT-CHR-R1] /ip firewall nat> /ip firewall nat export terse
# oct/28/2020 22:04:09 by RouterOS 6.47.6
# software id =
#
#
#
/ip firewall nat add action=accept chain=srcnat dst-address-list=WORK-OFFICE-VPN log=yes src-address=192.168.89.0/24
/ip firewall nat add action=accept chain=srcnat src-address-list=WORK-OFFICE-VPN
/ip firewall nat add action=accept chain=srcnat disabled=yes dst-address-list=WORK-OFFICE-OFFICE src-address=192.168.89.0/24
/ip firewall nat add action=accept chain=srcnat disabled=yes src-address-list=WORK-OFFICE-OFFICE
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
[admin@MT-CHR-R1] /ip firewall nat> /ip firewall filter print terse
0 chain=forward action=accept src-address-list=WORK-OFFICE-VPN log=no log-prefix=""
1 chain=forward action=accept src-address-list=WORK-OFFICE-OFFICE log=no log-prefix=""
2 chain=forward action=accept dst-address-list=WORK-OFFICE-VPN log=no log-prefix=""
3 chain=forward action=accept dst-address-list=WORK-OFFICE-OFFICE log=no log-prefix=""
4 comment=Accept ESTABLISH,RELATED chain=forward action=accept connection-state=established,related log=no log-prefix=""
5 comment=Drop INVALID chain=forward action=drop connection-state=invalid log=no log-prefix=""
6 comment=Accept NEW From LAN chain=forward action=accept connection-state=new in-interface-list=LAN log=no log-prefix=""
7 comment=ACCEPT DNAT FROM WAN chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN log=no log-prefix=""
8 comment=DROP New From WAN chain=forward action=drop connection-state=new in-interface-list=WAN log=no log-prefix=""
9 comment=Allow ESTABLISHED Related chain=input action=accept connection-state=established,related log=no log-prefix=""
10 comment=ipsec policy matcher chain=input action=accept in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec
11 comment=Accept ICMP on WAN chain=input action=accept connection-state=new protocol=icmp in-interface-list=WAN log=no log-prefix=""
12 X chain=input action=accept connection-state=new src-address-list=WORK-OFFICE-VPN log=no log-prefix=""
13 X chain=input action=accept connection-state=new src-address-list=WORK-OFFICE-OFFICE log=no log-prefix=""
14 chain=input action=drop connection-state=new in-interface-list=WAN log=no log-prefix=""
15 chain=input action=accept log=no log-prefix=""