Create a Palo Alto and Azure Site-to-Site IPsec VPN

AZURE CONFIGURATION

1
Create virtual network according to Microsoft article guideline.
2
Create Front End and Gateway subnets.
3
Create Virtual Network Gateway.
4
Create a local network gateway according to Azure configuration guidelines.
5
The next step is to create an IPSec policy including parameters and also a local network gateway connection that is to represent your IPSec connection from your Azure network to your on-premise network and Palo Alto firewall.
6
Install and configure Azure PowerShell modules on my local desktop device.
7
Launch Microsoft PowerShell and execute the following command to connect to Azure.
8
Using the Azure Cloud Shell interface, accessible in the Azure portal you could review your IPSec parameters.
9
Create virtual network gateway connection.

PALO ALTO CONFIGURATION

1
Configure tunnel interface, create, and assign new security zone.
2
Create an IKE Crypto profile with the following settings.
3
Create a new IKE Gateway with the following settings. Peer IP equals the IP address of the Azure connection public IP address (when received after configuration). Edit configuration later, if necessary, when received.
4
Configure an IKE Gateway and assign the IKE Crypto profile.
5
Create a new IPSec Crypto Profile with the following settings.
6
Create IPSec tunnel with the following settings.
7
No proxy ID was required for this configuration example.
8
Added static routes to my virtual router for both Azure Frontend and Gateway subnets.
9
After completing Azure and Palo Alto configuration, there is a green status for the IPsec tunnel indicating a successful connection. Additional negotiation information may be viewed from the Palo Alto System Log.

CONNECTING TO AZURE RESOURCES

After establishing a site-to-site connection to Azure network, you will be able to connect to resources that are created on Azure Frontend network.

Configuring IPsec VPN between Palo Alto Firewall and AWS

Configuration:

Create AWS Customer Gateway:

Sign in to the AWS Portal site with an administrative account.

Click Services and select VPC.

Select your VPC at Filter by VPC, this is the VPC you will use to configure IPsec VPN.

Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.

Create Customer Gateways with the following parameters:

Your Vision, Our Expertise

Elevating Your Software Product Engineering Journey with Vast Edge

1
Name: Palo Alto Firewall.
2
Routing: Static.
3
IP Address: Enter Palo Alto's WAN IP as 113.161.x.x.
4
Click Create Customer Gateway.

Create Virtual Private Gateway:

Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.

Create a Virtual Private Gateway with the following parameters:

1
Name tag: VPG-PaloAlto Community.
2
ASN: Amazon default ASN.
3
Click Create Virtual Private Gateway.
Next, we will add the newly created Virtual Private Gateways to the VPC.

To Add select the newly created Virtual Private Gateways > click Action > Attach to VPC.

Select the VPC that we filtered at the Customer Gateways creation step and click Yes, Attach to complete.

Virtual Private Network has been successfully added to VPC.

Create Site-to-site VPN Connection:

To create VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection > click Create VPN Connection.

Create with the following information:

1
Name tag: S2S-AWS-to-PaloAlto.
2
Target Gateway Type: select Virtual Private Gateway.
3
Virtual Private Gateway *: select the Virtual Private Gateway just created in the above step.
4
Customer Gateway: select Existing.
5
Customer Gateway ID *: select the Customer Gateway just created in the previous step.
6
Routing Option: Static.
7
Static IP Prefixes: type Palo Alto's LAN subnet as 10.146.41.0/24.
8
Local IPv4 Network Cidr: type 10.146.41.0/24.
9
Remote IPv4 Network Cidr: enter AWS local network subnet as 172.31.32.0/20.
10
Click Create VPN Connection.

Create Route:

We need to create a static route to route the Palo Alto Firewall's subnet through the Virtual Gateway.

To create in VIRTUAL PRIVATE CLOUD > Route Tables > check existing route tables > go to Route tab > click Edit Route > click Add route.

Add:

1
Destination: 10.146.41.0/24.
2
Target: select the newly created Virtual Gateway.
3
Click Save changes.

Download the VPN configuration file and collect the necessary information:

After creating the VPN Connection, we will select the newly created VPN Connection and click Download Configuration.

Select the following information to download the configuration file:

1
Vendor: Palo Alto Networks.
2
Platform: PA Series.
3
Software: PANOS 7.0+.
4
Ike Version: ikev2.
Turn on the configuration file just got downloaded, we will have the following information.

IKE Crypto and IPsec Crypto of IPsec connection.
5
IKE Crypto.
6
IPsec Crypto.

Information about IPsec tunnel gateway IPsec VPN connection on Palo Alto.
7
IP tunnel on Palo Alto: 169.254.60.150/30.
8
MTU: 1427.
9
IP tunnel on AWS: 169.254.60.148/30.

Configure IKE Gateways.

Palo Alto Firewall:

Create Zone:

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

1
Name: VPN
2
Type: Layer3
3
Click OK.

Click Commit and OK to save the configuration changes.

Create Address Object:

We will create the Address Object for the 2 LAN layers of the Palo Alto Firewall and AWS devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall LAN:

1
Name: PA_LAN.
2
Type: IP Netmask - 10.146.41.0/24.
3
Click OK.

AWS LAN:
4
Name: AWS_LAN.
5
Type: IP Netmask - 172.31.32.0/20.
6
Click OK.

Click Commit and OK to save the configuration changes.

Create Interface Tunnel:

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

Config tab:

1
Interface Name: tunnel.2
2
Virtual Router: None
3
Security Zone: VPN
4
Click OK.

IPv4 tab:
5
Click Add and enter the tunnel IP 169.254.60.150/30 that we got from the previous config file.

Advanced tab:
6
We enter MTU as 1427, this parameter is taken from the config file downloaded from AWS.

Click Commit to save the configuration changes

Create Virtual Routers:

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

Name: VR1 Tab General: Click Add and select the vlan ports (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used to connect VPN).
Tab Static Routes > IPv4

Click Add to add static routes and fill in the following information:

1
Name: Route_AWS_Subnet.
2
Destination: enter AWS LAN subnet as 172.31.32.0/20.
3
Interface: tunnel.2.
4
Next Hop: IP Address and enter the AWS tunnel IP is 169.254.60.148
5
Click OK twice to save.

Click Commit and OK to save the configuration changes.

Create IKE Crypto:

We will create IKE Crypto ie Phase 1 for VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

1
Name: vpn-0009b589f526268e7-0
2
DH Group: group2
3
Encryption: aes-128-cbc
4
Authentication: sha1
5
Key Lifetime: Seconds - 28800
6
Click OK.

Click Commit and OK to save the configuration changes.

Create IPsec Crypto:

To create IPsec Crypto go to Network > IPsec Crypto and click Add.

Configure according to the following parameters:

1
Name: IPsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0
2
IPsec Protocol: ESP
3
Encryption: aes-128-cbc
4
Authentication: sha1
5
DH Group: group2
6
Lifetime: Seconds - 3600
7
Click OK.

Click Commit and OK to save the configuration changes.

Create IKE Gateways:

To create go to Network > IKE Gateways and click Add.

Based on the IKE Gateway parameters that we have from the config file downloaded from AWS.

If we use IKEv2 only mode, enter the parameters of IKEv2 only mode, if we use IKEv2 preferred mode, enter the parameters of IKEv2 preferred mode.

In this article we will use IKEv2 only mode.

Configure according to the following parameters

General:

1
Name: ike-vpn-0009b589f526268e7-0
2
Version: IKEv2 only mode
3
Address Type: IPv4
4
Interface: ethernet1/1 (Palo Alto Firewall's WAN port)
5
Local IP Address: None
6
Peer Address: Enter AWS WAN IP as 13.59.106.76
7
Authentication: Pre-shared Key
8
Pre-shared key: enter the connection password from the config file.
9
Confirm Pre-shared key: re-enter the connection password.
10
Local Identification: select IP address and enter Palo Alto Firewall's WAN IP as 113.161.x.x.
11
Peer Identification: select the IP address and enter the AWS WAN IP as 13.59.106.76.

Advanced Options:
12
IKE Crypto Profile: select vpn-0009b589f526268e7-0.
13
Click OK.

Click Commit and OK to save the configuration changes.

Create IPsec Tunnels:

Now we will start creating a VPN connection with AWS.

To create go to Network > IPsec Tunnels and click Add.

Create with the following information:

1
Tab General:
2
Name: ipsec-tunnel-1
3
Tunnel Interface: tunnel.2
4
Type: Auto Key
5
Address Type: IPv4
6
IKE Gateways: ike-vpn-0009b589f526268e7-0
7
IPsec Crypto Profile: IPsec-vpn-0009b589f526268e7-0
Tab Proxy IDs:

Click Add and configure the following information:
8
Proxy ID: Proxy-1
9
Local: 10.146.41.0/24
10
Remote: 172.31.32.0/20
11
Protocol: Any
12
Click ok twice to save.

Click Commit and OK to save the configuration changes.

Create Policy:

We need to create a policy that allows traffic from Palo Alto Firewall's LAN subnet to pass through AWS's LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to pass through the AWS LAN subnet with the following information:

Tab General:

1
Name: LAN_TO_VPN
2
Rule Type: universal (default)

Tab Source:
3
Source Zone: click Add and select Trust-Layer3 zone
4
Source Address: click Add and select PA_LAN

Tab Destination:
5
Destination Zone: VPN
6
Destination Address: AWS_LAN

Tab Action:
7
Action: select Allow
8
Click OK

Next, we will click Add and create a policy that allows traffic to go from the AWS LAN subnet to the Palo Alto Firewall's LAN subnet with the following information:

Tab General:
9
Name: VPN_TO_LAN
10
Rule Type: universal (default)

Tab Source:
11
Source Zone: click Add and select VPN zone
12
Source Address: click Add and select AWS_LAN

Tab Destination:
13
Destination Zone: Trust_Layer3
14
Destination Address: PA_LAN

Tab Action:
15
Action: select Allow.
16
Click OK.

Click Commit and OK to save the configuration changes.

Result:

Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.

At VPN Connection > Tunnel Details > make sure the tunnel's status is UP.

Test the connection.

Ping result from linux server to Palo Alto Firewall's LAN IP machine.

Successful ping result.

Check the log by going to Monitor > Logs > Traffic, we will see the traffic going from source ip 172.31.42.255 to destination source 10,146.41.1.

Conversely, ping from the Palo Alto Firewall's LAN to the Linux server at AWS.

Successful ping result.

Palo Alto Cloud Services, Azure, AWS and GCP Secure VPN Tunnel