# VPN Setup with Palo-Alto Networks Interface

1\.      Log in to the Monogoto portal and go to ***Network***.

2\.      Edit your **“vpneu.mono”** network (EU zone) or **"vpnus.mono"** network (US zone).

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FLgrbGFyLjVQadflVhZ9j%2F1.png?alt=media\&token=c358ad80-35be-415b-be4e-02186d17c40e)

3\.      Go to **Address Pools** and copy IP Address/Mask.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FG9T6NYNPuR9HKyNu4Jgx%2F2.PNG?alt=media\&token=b753c2d9-e593-46e3-bb73-9fddd80a23e9)

4\.      Go to **Routes** and copy Gateway IP.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FaWR4bW300Zl2QngaSyjw%2FVpn_Routes.png?alt=media\&token=1eb125fc-72df-496d-9900-1a48fabc753b)

5\.      Now add a route to the VPN: in the Monogoto portal go to ***Network*** -> ***Routes*** and select ***Add new***.

* Destination = VPN IP address and mask
* Gateway = select Monogoto gateway
* Save and Close -> Apply Settings

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2F8VQCFh6RgOPAobt1MSjq%2F4.PNG?alt=media\&token=c1e97a07-e7a8-4245-b111-9d4f0256ab52)

6\.      Let's add a VPN in the Monogoto portal. Go to the ***Network*** -> ***VPN*** section and select ***Add new VPN***.

* Destination IP Address = Palo Alto Networks Tunnel Outside IP Address
* Destination Network = Palo Alto Networks VPC IPv4 CIDR
* Pool Name = Select your pool
* Save and Close -> Apply Settings

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2F6G40chlMTtcp4ABlbnzu%2F5.PNG?alt=media\&token=234f4478-8dea-42ea-a044-9d02108c28fb)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FUrCVmcZIUFMbVV7ynVok%2F6.PNG?alt=media\&token=21778a3d-8e3e-4f43-8114-359f0438b1fc)

7\.      Now that the VPN has been created on the Monogoto end, download the VPN config file, which contains all of the information needed to configure the VPN on the Palo Alto Networks end.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FkVTKUaMf1YRqgizH5QTW%2F7.PNG?alt=media\&token=85c147fc-4157-4ea9-a37e-6808561abb9f)

8\.      Go to the Palo Alto Networks user interface.

9\.      Switch to the **Network** tab, then under **Network Profiles** go to **IKE Crypto** and press the **Add** button. See the configuration example below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuh2nYIOQB3beS3QtC%2F-MMujWNNIAMX9Y0WdtNe%2F1.0%20Go%20to%20IKE%20crypto.PNG?alt=media\&token=e1054632-6348-46bb-ba30-3623887706c7)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMuCt5GyraF5Nau9XwQ%2FIKE%20Crypto%20Profile.JPG?alt=media\&token=520d8580-b3c0-4dbc-b2d1-5746441ddeb7)

10\.      The next step is to create an IKE Gateway. In the **Network** tab, under **Network Profiles**, go to **IKE Gateways** and press the **Add** button.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuh2nYIOQB3beS3QtC%2F-MMujA5k7ZVwJH9QdNHs%2F2.%20Go%20to%20IKE%20Gateways.PNG?alt=media\&token=7fb70788-9399-402f-8289-d624a8371e91)

11\.      Configure the IKE Gateway. Example settings are shown below.

* Local IP Address = select your local IP address
* Peer Address = taken from **step 4**; it is the Route Gateway from the Monogoto portal
* IKE Crypto Profile = select a profile we have created in **step 6**

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MT6lNddrKXqxQc_Qiz1%2F-MT6pf4RTJphUQ-2L7JM%2F4.0%20IKE%20Gateway%20\(1\).png?alt=media\&token=05074310-7fc5-4c5e-b6e8-bab1017fc823)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMuI91UnP_wMz6n5nTH%2F4.1%20IKE%20Gateway%20\(2\).JPG?alt=media\&token=f3de2a4e-0085-4a8e-85e3-a9d1a8060649)

12\.      Next, create a security zone. In the **Network** tab go to **Zones** and press the **Add** button. See the configuration example below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMuX-ide3eYSecOv89D%2F5.%20Add%20zones.PNG?alt=media\&token=80f0cb1b-d118-482c-a3d5-3aaa8980305d)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMuXvxethKnd4V8-8sd%2FMonogoto%20Security%20Zone.JPG?alt=media\&token=ce6c5829-fc6b-4f6c-a447-51b9ddaf6896)

13\.      For the Palo Alto Networks firewall to respond to ping, we need to create a management profile. In the **Network** tab, under **Network Profiles**, go to **Interface Mgmt** and press the **Add** button. See the configuration example below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMubNRrGweRydAzXjbC%2F7.PING.PNG?alt=media\&token=b0ecea0f-b310-41b7-82e4-528212d7c741)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMucrTJrJpcRp-5c9hi%2F7.1%20PING.PNG?alt=media\&token=73b5327d-058f-424a-a51e-f96726ddaca0)

14\.      Now we need to add a tunnel. In the **Network** tab go to **Interfaces**, select the **Tunnel** sub-tab and press the **Add** button. See the configuration example below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMuZQmktQyyh-PXqOko%2F6.%20create%20Tunnel.PNG?alt=media\&token=90e2fedc-3c6a-4c89-9791-6f18857a615d)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMu_48HLJmdHh5H5_gx%2FNetwork%20Tunnel%20\(1\).JPG?alt=media\&token=aae9a32e-eb6c-448a-b7ee-482dbfdec881)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMu_6Rj8pKiHIMqQbho%2FNetwork%20Tunnel%20\(2\).JPG?alt=media\&token=088c2e54-fc42-491c-8aa9-8f95a06224f6)

15\.      Now create an IPSec Crypto profile. In the **Network** tab go to **Network Profiles**, select **IPSec Crypto** and press the **Add** button. See the configuration example below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuh2nYIOQB3beS3QtC%2F-MMuk799CGsUr0D0_0Lk%2F8.0%20IPSec%20Crypto%20profile.PNG?alt=media\&token=c367ee79-b34b-41a7-91a2-64f5eac73cc5)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMtnYUpLa5AnXMmyyWd%2F-MMueJBj6sk-BhwcYRYY%2F8.1%20IPSec%20Crypto%20Profile.JPG?alt=media\&token=48bc2375-a2d3-45d0-b5f5-224b780c3b05)

16\.      Let's now add an IPSec tunnel. In the **Network** tab go to **IPSec Tunnels** and press the **Add** button. See the configuration example below.

* Local = local IP/netmask
* Remote = Monogoto pool IP address/mask, taken from **step 3**

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuf0ktaR0T87gup1d0%2F-MMueuk_l9w7NVeNBjzJ%2F9.0%20IPSec%20tunnel.PNG?alt=media\&token=c31479d8-d84d-466d-a155-948707cb8b4a)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuf0ktaR0T87gup1d0%2F-MMufcc0ImTPP0swFcV3%2F9.1%20IPSec%20Tunnel.JPG?alt=media\&token=e103137d-e46d-417b-a501-6ddafdc67c1d)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuky2TMWh8TfkdgG3M%2F-MMuqMmir5EgZTcc_NQN%2F9.2%20IPSec%20Tunnel%20\(2\).JPG?alt=media\&token=7785812d-76a5-4df9-9ba4-42610df19491)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MT6lNddrKXqxQc_Qiz1%2F-MT6qDIo_xhs1W_7Kw_D%2F9.3%20IPSec%20Tunnel%20\(3\).png?alt=media\&token=25eb4eb4-3bd7-4187-8302-cc169d8463a6)

17\.      To configure NAT, go to the **Policies** tab and select **NAT**. Example configurations are shown below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMv91vEP89arD92WJel%2F-MMvAEQbwFzbHM96fZeF%2F13.0%20NAT.JPG?alt=media\&token=43c2b956-b83a-499d-8cfe-b2af7bbbb08a)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MT6lNddrKXqxQc_Qiz1%2F-MT6qY0foemul8J65_FY%2F13.1%20NAT.png?alt=media\&token=42fb3bf1-fa8e-48fb-94c3-1da882474da2)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMv91vEP89arD92WJel%2F-MMvAJPKemWBj9qZJvYd%2F13.2%20NAT.JPG?alt=media\&token=36d8aab1-4d33-457f-a6fa-8954e89b0b02)

18\.      To configure the security policy, go to the **Policies** tab and select **Security**. An example configuration is shown below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MT6lNddrKXqxQc_Qiz1%2F-MT6r2IwiNnuyHiv8qWk%2F14.%20Security%20Policy.png?alt=media\&token=4518129d-e3de-46ef-9da9-2e6b513e496a)

19\.    Configure the Virtual Router settings. To access them, go to the **Network** tab and select **Virtual Routers**. A few examples are shown below.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMv91vEP89arD92WJel%2F-MMvNb3OxGl1_-t8dZmK%2FVirtual%20Router%20-Router%20Settings.png?alt=media\&token=0d4eaba6-db12-4c52-bf35-5359c6f95e2e)

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMv91vEP89arD92WJel%2F-MMvQU_E4BUz3gt7SSkg%2FVirtual%20Router%20-Static%20Router.png?alt=media\&token=7e64a21f-2e6c-44de-b5de-25936dec75de)

20\.      Press the **Commit** button in the top right corner to apply the configured settings in the Palo Alto Networks interface.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M0mPxGpottOEfcucXOR%2F-MMuyOrC1T4Bad_9BtYg%2F-MMuzjL5sbnQpNX3BadI%2F12.PNG?alt=media\&token=45a5a818-c26b-419f-9797-13ac010fc878)

21\.      Go back to the Monogoto portal, ***Network*** -> ***VPN***. Check whether the status of the VPN you created is shown as Connected; if it is not, press the **Refresh** button.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2FjuhuEfXTPHoTjWIuqXCe%2F8.png?alt=media\&token=850e5a7e-0691-4f6f-9c84-c0acf9e56efd)

22\.      When the status of the VPN is Connected, you can check the connection with a ping by pressing the **Ping** button.

![](https://3922449203-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M0mPxGpottOEfcucXOR%2Fuploads%2F8MpsfYtldIJGFJFjF5kr%2F9.png?alt=media\&token=ccad38c1-feb1-467c-b484-f2fa629a4e0a)

That's all, the VPN tunnel is now connected.
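If the VPN does not reach Connected, the usual cause is a value that differs between the two sides (peer address, outside IP, or the Local/Remote networks of step 16). The following pre-commit check is an added example, not part of Monogoto's or Palo Alto Networks' tooling. The dictionary keys and all addresses are constructed for illustration, and it assumes the step 16 Local network should equal the Destination Network entered in step 6.

```python
import ipaddress

def _net(value):
    # strict=False accepts "address/mask" values copied with host bits set
    return ipaddress.ip_network(value, strict=False)

def check_vpn_plan(plan):
    """Return a list of mismatches between the Monogoto and firewall values."""
    pool = _net(plan["monogoto_pool"])                     # step 3
    dest_net = _net(plan["monogoto_destination_network"])  # step 6
    local = _net(plan["pan_proxy_local"])                  # step 16, Local
    remote = _net(plan["pan_proxy_remote"])                # step 16, Remote
    addr = ipaddress.ip_address
    problems = []
    if addr(plan["pan_ike_peer"]) != addr(plan["monogoto_gateway"]):
        problems.append("peer: IKE Gateway peer is not the Monogoto gateway IP (step 4)")
    if addr(plan["monogoto_destination_ip"]) != addr(plan["pan_outside_ip"]):
        problems.append("outside: Monogoto Destination IP is not the firewall outside IP")
    if remote != pool:
        problems.append("remote: step 16 Remote does not equal the Monogoto pool (step 3)")
    if local != dest_net:
        problems.append("local: step 16 Local does not equal the Destination Network (step 6)")
    if local.overlaps(pool):
        problems.append("overlap: Local network overlaps the Monogoto pool")
    if local.prefixlen == 0:
        problems.append("broad: Local network is a default route, wider than the VPC")
    return problems

# Constructed sample values (documentation and private address ranges only).
GOOD_PLAN = {
    "monogoto_pool": "10.200.0.0/24",
    "monogoto_gateway": "198.51.100.7",
    "monogoto_destination_ip": "203.0.113.10",
    "monogoto_destination_network": "172.31.0.0/16",
    "pan_outside_ip": "203.0.113.10",
    "pan_ike_peer": "198.51.100.7",
    "pan_proxy_local": "172.31.0.0/16",
    "pan_proxy_remote": "10.200.0.0/24",
}
# Same plan with a mistyped peer address and an over-broad Local network.
BAD_PLAN = dict(GOOD_PLAN, pan_ike_peer="198.51.100.8", pan_proxy_local="0.0.0.0/0")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_vpn_plan(plan) or "no mismatches")
```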
