Palo Alto Cloud Services, Azure, AWS and GCP Secure VPN Tunnel
Create a Palo Alto and Azure Site-to-Site IPsec VPN
AZURE CONFIGURATION
1. Create a virtual network according to the Microsoft article guideline.
2. Create the Front End and Gateway subnets.
3. Create the Virtual Network Gateway.
4. Create a local network gateway according to the Azure configuration guidelines.
5. Create an IPsec policy (with its parameters) and a local network gateway connection; the connection represents the IPsec connection from your Azure network to your on-premises network and Palo Alto firewall.
6. Install and configure the Azure PowerShell modules on my local desktop device.
7. Launch Microsoft PowerShell and execute the following command to connect to Azure.
8. Using the Azure Cloud Shell interface, accessible in the Azure portal, you can review your IPsec parameters.
9. Create the virtual network gateway connection.
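The nine Azure steps above, scripted with the Az PowerShell module, as an added example; this is not code from the original article or from Microsoft's documentation. The resource group, region, resource names, address ranges, the on-premises public IP 203.0.113.10, the LAN prefix 192.168.10.0/24 and the IKE/IPsec proposal are assumptions chosen for illustration; substitute your own values and keep the proposal identical to the IKE Crypto and IPsec Crypto profiles you create on the Palo Alto.

```powershell
# Added example (not from the original article): the Azure side of the site-to-site
# VPN, scripted with the Az PowerShell module. Names, address ranges, the peer IP and
# the IKE/IPsec proposal are assumptions; replace them with your own values.

Connect-AzAccount | Out-Null                       # interactive sign-in (step 7)

$rg  = "rg-s2s-example"
$loc = "eastus"
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Steps 1-2: virtual network with a FrontEnd subnet and the gateway subnet.
# The gateway subnet must be named exactly "GatewaySubnet".
$feSubnet = New-AzVirtualNetworkSubnetConfig -Name "FrontEnd"      -AddressPrefix "10.1.0.0/24"
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27"
$vnet = New-AzVirtualNetwork -Name "vnet-s2s" -ResourceGroupName $rg -Location $loc `
          -AddressPrefix "10.1.0.0/16" -Subnet $feSubnet, $gwSubnet

# Step 3: route-based VPN gateway on a static public IP (provisioning takes a while).
$gwPip = New-AzPublicIpAddress -Name "pip-vng-s2s" -ResourceGroupName $rg -Location $loc `
           -AllocationMethod Static -Sku Standard
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "vng-ipconfig" -SubnetId $gwSubnetId `
                -PublicIpAddressId $gwPip.Id
$vng = New-AzVirtualNetworkGateway -Name "vng-s2s" -ResourceGroupName $rg -Location $loc `
         -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 4: local network gateway = the on-premises Palo Alto (public IP and LAN prefix are placeholders).
$lng = New-AzLocalNetworkGateway -Name "lng-paloalto" -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.10.0/24"

# Step 5: an explicit IPsec/IKE policy, so the Palo Alto crypto profiles can be matched to it
# instead of relying on Azure's default proposal list.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
                 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
                 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Step 9: the connection. The pre-shared key is prompted for rather than stored in the script.
$psk = Read-Host -Prompt "Pre-shared key (must match the Palo Alto IKE Gateway)"
$conn = New-AzVirtualNetworkGatewayConnection -Name "cxn-paloalto" -ResourceGroupName $rg -Location $loc `
          -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -IpsecPolicies $ipsecPolicy -SharedKey $psk

# The Palo Alto IKE Gateway needs this address as its peer (Palo Alto step 3).
$peerIp = (Get-AzPublicIpAddress -Name $gwPip.Name -ResourceGroupName $rg).IpAddress
"Azure gateway public IP (Palo Alto peer address): $peerIp"

# Step 8 equivalent: review the connection state once the firewall side is committed.
Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Run it from a session with the Az module installed (step 6). ConnectionStatus stays NotConnected until the Palo Alto IKE Gateway and IPsec tunnel are configured with the printed public IP as peer and the same pre-shared key and proposal.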
PALO ALTO CONFIGURATION
1. Configure the tunnel interface, then create and assign a new security zone.
2. Create an IKE Crypto profile with the following settings.
3. Create a new IKE Gateway with the following settings. The Peer IP is the public IP address of the Azure connection, which is only known after the Azure configuration completes; edit the configuration later, if necessary, once you have it.
4. Configure an IKE Gateway and assign the IKE Crypto profile.
5. Create a new IPsec Crypto Profile with the following settings.
6. Create the IPsec tunnel with the following settings.
7. No proxy ID was required for this configuration example.
8. Added static routes to my virtual router for both the Azure Frontend and Gateway subnets.
9. After completing the Azure and Palo Alto configuration, a green status for the IPsec tunnel indicates a successful connection. Additional negotiation information may be viewed in the Palo Alto System Log.
CONNECTING TO AZURE RESOURCES
After establishing the site-to-site connection to the Azure network, you will be able to connect to resources created on the Azure Frontend network.
Configuring IPsec VPN between Palo Alto Firewall and AWS
Configuration:
Create AWS Customer Gateway:
Sign in to the AWS Portal site with an administrative account.
Click Services and select VPC.
At Filter by VPC, select your VPC; this is the VPC you will use to configure the IPsec VPN.
Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways and click Create Customer Gateway.
Create the Customer Gateway with the following parameters:
1. Name: Palo Alto Firewall.
2. Routing: Static.
3. IP Address: Enter the Palo Alto's WAN IP as 113.161.x.x.
4. Click Create Customer Gateway.
Create Virtual Private Gateway:
Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways and click Create Virtual Private Gateway.
Create a Virtual Private Gateway with the following parameters:
1. Name tag: VPG-PaloAlto Community.
2. ASN: Amazon default ASN.
3. Click Create Virtual Private Gateway.
Next, we will attach the newly created Virtual Private Gateway to the VPC.
To attach it, select the newly created Virtual Private Gateway > click Action > Attach to VPC.
Select the VPC that we filtered at the Customer Gateway creation step and click Yes, Attach to complete.
The Virtual Private Gateway is now attached to the VPC.
Create Site-to-Site VPN Connection:
To create one, go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection and click Create VPN Connection.
Create it with the following information:
1. Name tag: S2S-AWS-to-PaloAlto.
2. Target Gateway Type: select Virtual Private Gateway.
3. Virtual Private Gateway *: select the Virtual Private Gateway created in the step above.
4. Customer Gateway: select Existing.
5. Customer Gateway ID *: select the Customer Gateway created in the previous step.
6. Routing Option: Static.
7. Static IP Prefixes: type the Palo Alto's LAN subnet as 10.146.41.0/24.
8. Local IPv4 Network Cidr: type 10.146.41.0/24.
9. Remote IPv4 Network Cidr: enter the AWS local network subnet as 172.31.32.0/20.
10. Click Create VPN Connection.
Create Route:
We need to create a static route that sends traffic for the Palo Alto Firewall's subnet through the Virtual Private Gateway.
To create it, go to VIRTUAL PRIVATE CLOUD > Route Tables > check the existing route table > go to the Route tab > click Edit Route > click Add route.
Add:
1. Destination: 10.146.41.0/24.
2. Target: select the newly created Virtual Private Gateway.
3. Click Save changes.
Download the VPN configuration file and collect the necessary information:
After creating the VPN Connection, select the newly created VPN Connection and click Download Configuration.
Select the following to download the configuration file:
1. Vendor: Palo Alto Networks.
2. Platform: PA Series.
3. Software: PANOS 7.0+.
4. Ike Version: ikev2.
Open the configuration file you just downloaded; it contains the following information.
IKE Crypto and IPsec Crypto settings for the IPsec connection:
5. IKE Crypto.
6. IPsec Crypto.
Information about the IPsec tunnel gateway for the IPsec VPN connection on the Palo Alto:
7. IP tunnel on Palo Alto: 169.254.60.150/30.
8. MTU: 1427.
9. IP tunnel on AWS: 169.254.60.148/30.
10. Parameters for configuring the IKE Gateways.
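The AWS portal steps above (customer gateway, virtual private gateway, VPN connection, static route, configuration download and tunnel status), as an added example written for this page with the AWS Tools for PowerShell; it is not code from the original article or from AWS. The VPC ID, route table ID, region, BGP ASN of the customer gateway and the firewall's public IP are placeholders; the subnets, names and Amazon-side ASN are the ones the article uses.

```powershell
# Added example (not from the original article): the AWS side of the procedure,
# scripted with the AWS Tools for PowerShell (AWS.Tools.EC2). IDs, region and the
# firewall's public IP are placeholders; the subnets and names are the article's.
Import-Module AWS.Tools.EC2
Set-DefaultAWSRegion -Region us-east-2            # assumption: region of the example VPC

$vpcId        = "vpc-0123456789abcdef0"           # placeholder: the VPC chosen at "Filter by VPC"
$routeTableId = "rtb-0123456789abcdef0"           # placeholder: that VPC's route table
$paWanIp      = "113.161.0.1"                     # placeholder for the article's 113.161.x.x
$paLan        = "10.146.41.0/24"                  # Palo Alto LAN (Static IP Prefix)
$awsLan       = "172.31.32.0/20"                  # AWS VPC subnet

function New-NameTag([string]$Name) {
    $t = New-Object Amazon.EC2.Model.Tag
    $t.Key = "Name"; $t.Value = $Name
    return $t
}

# Customer Gateway: Routing = Static, IP Address = the firewall's WAN IP.
# The API still requires a BGP ASN for type ipsec.1 even with static routing; 65000 is a private ASN.
$cgw = New-EC2CustomerGateway -Type ipsec.1 -PublicIp $paWanIp -BgpAsn 65000
New-EC2Tag -Resource $cgw.CustomerGatewayId -Tag (New-NameTag "Palo Alto Firewall")

# Virtual Private Gateway with the Amazon default ASN, attached to the VPC.
$vgw = New-EC2VpnGateway -Type ipsec.1 -AmazonSideAsn 64512
New-EC2Tag -Resource $vgw.VpnGatewayId -Tag (New-NameTag "VPG-PaloAlto Community")
Add-EC2VpnGateway -VpnGatewayId $vgw.VpnGatewayId -VpcId $vpcId | Out-Null

# Site-to-site VPN connection, static routing, with the local/remote CIDRs limited to the two LANs
# (these bound the traffic selectors on the AWS side and must match the Palo Alto proxy IDs).
$vpn = New-EC2VpnConnection -Type ipsec.1 -CustomerGatewayId $cgw.CustomerGatewayId `
         -VpnGatewayId $vgw.VpnGatewayId -Options_StaticRoutesOnly $true `
         -Options_LocalIpv4NetworkCidr $paLan -Options_RemoteIpv4NetworkCidr $awsLan
New-EC2Tag -Resource $vpn.VpnConnectionId -Tag (New-NameTag "S2S-AWS-to-PaloAlto")

# Static route toward the on-premises LAN: on the VPN connection and in the VPC route table.
New-EC2VpnConnectionRoute -VpnConnectionId $vpn.VpnConnectionId -DestinationCidrBlock $paLan
New-EC2Route -RouteTableId $routeTableId -DestinationCidrBlock $paLan -GatewayId $vgw.VpnGatewayId | Out-Null

# "Download Configuration" equivalent: the vendor-neutral configuration returned by the API carries
# the tunnel outside addresses, the 169.254.x.x/30 inside addresses and the pre-shared keys.
# It contains secrets, so write it only to a location with restricted access.
$vpn.CustomerGatewayConfiguration | Set-Content -Path "$env:USERPROFILE\vpn-$($vpn.VpnConnectionId).xml"

# "Result" step: tunnel status; DOWN until the Palo Alto side is committed.
(Get-EC2VpnConnection -VpnConnectionId $vpn.VpnConnectionId).VgwTelemetry |
    Select-Object OutsideIpAddress, Status, StatusMessage, LastStatusChange
```

AWS provisions two tunnels per connection, so VgwTelemetry returns two entries; the article configures only the first tunnel's outside address on the Palo Alto. The saved configuration file is as sensitive as the pre-shared key itself.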
Palo Alto Firewall:
Create Zone:
We need to create a zone for the VPN connection.
To create it, go to Network > Zones.
Click Add and enter the following information:
1. Name: VPN
2. Type: Layer3
3. Click OK.
Click Commit and OK to save the configuration changes.
Create Address Objects:
We will create an Address Object for each of the two LAN subnets, the Palo Alto Firewall's and the AWS one.
To create them, go to Objects > Addresses.
Click Add and create them with the following parameters.
Palo Alto Firewall LAN:
1. Name: PA_LAN.
2. Type: IP Netmask - 10.146.41.0/24.
3. Click OK.
AWS LAN:
4. Name: AWS_LAN.
5. Type: IP Netmask - 172.31.32.0/20.
6. Click OK.
Click Commit and OK to save the configuration changes.
Create Tunnel Interface:
To create it, go to Network > Interfaces > Tunnel.
Click Add and configure the following:
Config tab:
1. Interface Name: tunnel.2
2. Virtual Router: None
3. Security Zone: VPN
4. Click OK.
IPv4 tab:
5. Click Add and enter the tunnel IP 169.254.60.150/30 from the config file downloaded earlier.
Advanced tab:
6. Enter the MTU as 1427; this value is taken from the config file downloaded from AWS.
Click Commit to save the configuration changes.
Create Virtual Router:
To create it, go to Network > Virtual Routers, click Add and configure the following.
Router Settings tab:
Name: VR1
General tab: Click Add and select the vlan ports (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used for the VPN connection).
Static Routes tab > IPv4:
Click Add to add a static route and fill in the following information:
1. Name: Route_AWS_Subnet.
2. Destination: enter the AWS LAN subnet as 172.31.32.0/20.
3. Interface: tunnel.2.
4. Next Hop: IP Address, and enter the AWS tunnel IP 169.254.60.148.
5. Click OK twice to save.
Click Commit and OK to save the configuration changes.
Create IKE Crypto:
We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.
To create it, go to Network > IKE Crypto, click Add and enter the following:
1. Name: vpn-0009b589f526268e7-0
2. DH Group: group2
3. Encryption: aes-128-cbc
4. Authentication: sha1
5. Key Lifetime: Seconds - 28800
6. Click OK.
Click Commit and OK to save the configuration changes.
Create IPsec Crypto:
To create the IPsec Crypto profile, go to Network > IPsec Crypto and click Add.
Configure the following parameters:
1. Name: IPsec-vpn-0009b589f526268e7-0
2. IPsec Protocol: ESP
3. Encryption: aes-128-cbc
4. Authentication: sha1
5. DH Group: group2
6. Lifetime: Seconds - 3600
7. Click OK.
Click Commit and OK to save the configuration changes.
Create IKE Gateways:
To create one, go to Network > IKE Gateways and click Add.
Use the IKE Gateway parameters from the config file downloaded from AWS.
If we use IKEv2 only mode, enter the parameters for IKEv2 only mode; if we use IKEv2 preferred mode, enter the parameters for IKEv2 preferred mode.
In this article we will use IKEv2 only mode.
Configure the following parameters:
General:
1. Name: ike-vpn-0009b589f526268e7-0
2. Version: IKEv2 only mode
3. Address Type: IPv4
4. Interface: ethernet1/1 (Palo Alto Firewall's WAN port)
5. Local IP Address: None
6. Peer Address: enter the AWS WAN IP as 13.59.106.76
7. Authentication: Pre-shared Key
8. Pre-shared Key: enter the connection password from the config file.
9. Confirm Pre-shared Key: re-enter the connection password.
10. Local Identification: select IP address and enter the Palo Alto Firewall's WAN IP as 113.161.x.x.
11. Peer Identification: select IP address and enter the AWS WAN IP as 13.59.106.76.
Advanced Options:
12. IKE Crypto Profile: select vpn-0009b589f526268e7-0.
13. Click OK.
Click Commit and OK to save the configuration changes.
Create IPsec Tunnels:
Now we will create the VPN connection to AWS.
To create it, go to Network > IPsec Tunnels and click Add.
Create it with the following information:
General tab:
1. Name: ipsec-tunnel-1
2. Tunnel Interface: tunnel.2
3. Type: Auto Key
4. Address Type: IPv4
5. IKE Gateway: ike-vpn-0009b589f526268e7-0
6. IPsec Crypto Profile: IPsec-vpn-0009b589f526268e7-0
Proxy IDs tab:
Click Add and configure the following:
7. Proxy ID: Proxy-1
8. Local: 10.146.41.0/24
9. Remote: 172.31.32.0/20
10. Protocol: Any
11. Click OK twice to save.
Click Commit and OK to save the configuration changes.
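Before the Commit, the values entered across the tunnel interface, virtual router, IKE Crypto, IPsec Crypto, IKE Gateway and IPsec tunnel steps above have to agree with the AWS configuration file, and a single mismatch (swapped /30 addresses, a different lifetime, a proxy ID that does not mirror the AWS CIDRs) is enough to leave Phase 1 or Phase 2 failing. The following PowerShell function cross-checks the two sets of values offline; it is an added example, not code from the original article or from Palo Alto Networks. The hashtables hold the article's values with a placeholder pre-shared key, and the function and check names are this example's own.

```powershell
# Added example (not from the original article): cross-check the PAN-OS tunnel values
# against the AWS configuration file before Commit. Values are the article's; the
# pre-shared key is a placeholder, and the function and check names are this example's own.

$awsConfig = @{
    PeerAddress  = "13.59.106.76"              # AWS outside (WAN) IP of the tunnel
    InsideAwsIp  = "169.254.60.148"            # "IP tunnel on AWS"
    InsidePaIp   = "169.254.60.150"            # "IP tunnel on Palo Alto"
    Mtu          = 1427
    IkeVersion   = "ikev2"
    Ike          = @{ Encryption = "aes-128-cbc"; Authentication = "sha1"; DhGroup = "group2"; Lifetime = 28800 }
    Ipsec        = @{ Encryption = "aes-128-cbc"; Authentication = "sha1"; DhGroup = "group2"; Lifetime = 3600 }
    LocalCidr    = "10.146.41.0/24"            # customer (Palo Alto) side
    RemoteCidr   = "172.31.32.0/20"            # AWS side
    PresharedKey = "PLACEHOLDER-psk-from-the-config-file"
}
$panosEntered = @{
    PeerAddress  = "13.59.106.76"; IkeVersion = "ikev2"
    TunnelIp     = "169.254.60.150"; TunnelPrefix = 30; NextHop = "169.254.60.148"; Mtu = 1427
    Ike          = @{ Encryption = "aes-128-cbc"; Authentication = "sha1"; DhGroup = "group2"; Lifetime = 28800 }
    Ipsec        = @{ Encryption = "aes-128-cbc"; Authentication = "sha1"; DhGroup = "group2"; Lifetime = 3600 }
    ProxyLocal   = "10.146.41.0/24"; ProxyRemote = "172.31.32.0/20"
    PresharedKey = "PLACEHOLDER-psk-from-the-config-file"
}

function ConvertTo-IPv4Number([string]$Ip) {
    # Dotted quad as a 32-bit big-endian value, held in a uint64 so the shifts stay unsigned.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-SameSubnet([string]$A, [string]$B, [int]$Prefix) {
    $mask = ([uint64]0xFFFFFFFF -shl (32 - $Prefix)) -band [uint64]0xFFFFFFFF
    return ((ConvertTo-IPv4Number $A) -band $mask) -eq ((ConvertTo-IPv4Number $B) -band $mask)
}

function Test-TunnelConsistency([hashtable]$Aws, [hashtable]$Pa) {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail, [string]$FailStatus = "FAIL") {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { "OK" } else { $FailStatus }); Detail = $Detail })
    }

    Add-Finding "Peer address" ($Aws.PeerAddress -eq $Pa.PeerAddress) "AWS $($Aws.PeerAddress) / PAN-OS $($Pa.PeerAddress)"
    Add-Finding "IKE version"  ($Aws.IkeVersion -eq $Pa.IkeVersion)   "AWS $($Aws.IkeVersion) / PAN-OS $($Pa.IkeVersion)"

    # Inside addresses: tunnel IP and next hop must be two different hosts of the same /30 and
    # must be the pair the configuration file assigns (swapping them is a common slip).
    $pairOk = ($Pa.TunnelIp -ne $Pa.NextHop) -and (Test-SameSubnet $Pa.TunnelIp $Pa.NextHop $Pa.TunnelPrefix) -and
              ($Pa.TunnelIp -eq $Aws.InsidePaIp) -and ($Pa.NextHop -eq $Aws.InsideAwsIp)
    Add-Finding "Tunnel inside addressing" $pairOk "tunnel.2 $($Pa.TunnelIp)/$($Pa.TunnelPrefix), next hop $($Pa.NextHop)"
    Add-Finding "Tunnel MTU" ($Aws.Mtu -eq $Pa.Mtu) "AWS $($Aws.Mtu) / PAN-OS $($Pa.Mtu)"

    # Phase 1 and Phase 2 proposals must match field by field, or negotiation ends in NO_PROPOSAL_CHOSEN.
    foreach ($phase in "Ike", "Ipsec") {
        foreach ($k in $Aws[$phase].Keys) {
            Add-Finding "$phase $k" ($Aws[$phase][$k] -eq $Pa[$phase][$k]) "AWS $($Aws[$phase][$k]) / PAN-OS $($Pa[$phase][$k])"
        }
    }

    # Proxy IDs mirror the CIDRs given to AWS: local = customer side, remote = AWS side.
    Add-Finding "Proxy ID local"  ($Pa.ProxyLocal  -eq $Aws.LocalCidr)  "PAN-OS $($Pa.ProxyLocal) / AWS local $($Aws.LocalCidr)"
    Add-Finding "Proxy ID remote" ($Pa.ProxyRemote -eq $Aws.RemoteCidr) "PAN-OS $($Pa.ProxyRemote) / AWS remote $($Aws.RemoteCidr)"

    # Pre-shared key: compared case-sensitively and never printed.
    Add-Finding "Pre-shared key matches" ($Aws.PresharedKey -ceq $Pa.PresharedKey) "(values not shown)"
    Add-Finding "Pre-shared key length"  ($Pa.PresharedKey.Length -ge 16) "$($Pa.PresharedKey.Length) characters"

    # Informational: sha1 / group2 / aes-128-cbc are what the downloaded file proposes, but AWS also
    # accepts SHA-2 and larger DH groups, which can be selected in the tunnel options on both ends.
    $legacy = @("sha1", "group2", "aes-128-cbc") |
        Where-Object { (@($Pa.Ike.Values) -contains $_) -or (@($Pa.Ipsec.Values) -contains $_) }
    Add-Finding "Legacy algorithms in use" (-not $legacy) "$($legacy -join ', ')" "WARN"
    return ,$findings
}

$report = Test-TunnelConsistency -Aws $awsConfig -Pa $panosEntered
$report | Format-Table -AutoSize
if ($report.Status -contains "FAIL") { Write-Warning "Fix the FAIL items before Commit." }
```

Any FAIL line is a parameter that would either stop Phase 1 or Phase 2 from negotiating or bring the tunnel up without usable routing; the WARN line is informational and points at the stronger options AWS supports, which only help if both ends are changed together.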
Create Policy:
We need policies that allow traffic from the Palo Alto Firewall's LAN subnet to the AWS LAN subnet and vice versa.
To create a policy, go to Policies > Security and click Add.
Create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to the AWS LAN subnet with the following information:
General tab:
1. Name: LAN_TO_VPN
2. Rule Type: universal (default)
Source tab:
3. Source Zone: click Add and select the Trust-Layer3 zone
4. Source Address: click Add and select PA_LAN
Destination tab:
5. Destination Zone: VPN
6. Destination Address: AWS_LAN
Action tab:
7. Action: select Allow
8. Click OK
Next, click Add and create a policy that allows traffic from the AWS LAN subnet to the Palo Alto Firewall's LAN subnet with the following information:
General tab:
9. Name: VPN_TO_LAN
10. Rule Type: universal (default)
Source tab:
11. Source Zone: click Add and select the VPN zone
12. Source Address: click Add and select AWS_LAN
Destination tab:
13. Destination Zone: Trust-Layer3
14. Destination Address: PA_LAN
Action tab:
15. Action: select Allow.
16. Click OK.
Click Commit and OK to save the configuration changes.
Result:
Go to the AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.
Select the VPN Connection > Tunnel Details and make sure the tunnel's status is UP.
Test the connection.
Ping result from the Linux server to a machine on the Palo Alto Firewall's LAN.
Successful ping result.
Check the log under Monitor > Logs > Traffic; we will see the traffic going from source IP 172.31.42.255 to destination 10.146.41.1.
Conversely, ping from the Palo Alto Firewall's LAN to the Linux server at AWS.
Successful ping result.
SonicWall Cloud Service Provider: Azure, AWS, GCP: Secure Site VPN Gateway
Configure site-to-site VPN with local SonicWall to Azure VM
Configure the local SonicWall:
To configure the interfaces:
1 In SonicOS on the local SonicWall, go to Network > Interfaces.
2 Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
3 Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.
To configure a static route to connect to the Internet:
1 Go to Network > Static Routes.
2 Click Create New.
3 Set the Destination to 0.0.0.0/0.0.0.0.
4 For the Interface, select port5.
5 Set the Gateway Address to 192.168.9.254.
To configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Click Create New.
1 Enter the desired VPN name. In the example, this is "to_cloud".
2 For Template Type, select Site to Site.
3 For the Remote Device Type, select SonicWall.
4 For NAT Configuration, select This site is behind NAT. For non dial-up situations where your local SonicWall has a public external IP address, you must choose No NAT between sites.
5 Click Next.
Configure Authentication:
1 For Remote Device, select IP Address.
2 Enter an IP address of 40.115.111.31, which is the Azure SonicWall's port1 public IP address.
3 For Outgoing Interface, select port5.
4 Set the Authentication Method to Pre-shared Key.
5 Enter a pre-shared key of 123456.
6 Click Next.
Configure Policy & Routing:
1 For Local Interface, select port4.
2 SonicOS automatically populates Local Subnets with 172.16.200.0/24.
3 Set the Remote Subnets to 10.58.1.0/24, which is the Azure SonicWall's port2 subnet.
4 For Internet Access, select None.
5 Click Create.
Configuring the Azure SonicWall:
To configure the interface:
1 In SonicOS on the Azure SonicWall, go to Network > Interfaces.
2 Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.
To configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
1 Enter the desired VPN name. In the example, this is "to_local".
2 For Template Type, select Site to Site.
3 For the Remote Device Type, select SonicWall.
4 For NAT Configuration, select This site is behind NAT. For non dial-up situations where your local SonicWall has a public external IP address, you must choose No NAT between sites.
5 Click Next.
Configure Authentication:
1 For Incoming Interface, select port1.
2 Set the Authentication Method to Pre-shared Key.
3 Enter a pre-shared key of 123456.
4 Click Next.
Configure Policy & Routing:
1 For Local Interface, select port2.
2 SonicOS automatically populates Local Subnets with 10.58.1.0/24.
3 Set the Remote Subnets to 172.16.200.0/24, which is the local SonicWall's port4 subnet.
4 For Internet Access, select None.
5 Click Create.
To bring up the VPN tunnel on the local SonicWall:
The tunnel is down until you initiate connection from the local SonicWall.
1 In SonicOS on the local SonicWall, go to Monitor > IPsec Monitor.
2 Click the to_cloud tunnel.
3 Click Bring Up to bring up the VPN tunnel.
To create a VPG:
1 A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.
2 In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
3 In the Name tag field, enter the desired gateway name.
4 For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
5 After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
6 On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.
To create a customer gateway:
1 Go to Customer Gateways, then click Create Customer Gateway.
2 In the Name field, enter the desired gateway name.
3 For Routing, select Static.
4 In the IP Address field, enter the on-premise SonicWall's external address.
To create a site-to-site VPN connection on AWS:
AWS site-to-site VPN supports:
- Internet Key Exchange version 2 (IKEv2)
- NAT traversal
- Four-byte ASN (in addition to two-byte ASN)
- Reusable IP addresses for customer gateways
- Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
- Configurable tunnel options
- Custom private ASN for the Amazon side of a BGP session
This example describes creating an IPsec site-to-site VPN.
1 Go to VPN Connections, then click Create VPN Connection.
2 In the Name tag field, enter the desired VPN connection name.
3 From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
4 For Routing Options, select Static.
5 In the IP Prefixes field, enter the CIDR of the networks behind your on-premise SonicWall.
6 Leave the tunnel options blank. You will obtain this information from a configuration file download.
To configure the on-premise SonicWall:
1 After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the SonicWall correctly.
2 You can configure the SonicWall using this downloaded configuration file. Run the diagnose vpn tunnel up examplephase2 command if the tunnel is not up automatically already.
3 Check in the SonicOS GUI in VPN > IPsec Tunnels that the tunnel is up.
4 In the AWS management console, check that the tunnel is up.
5 After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the SonicWall and a resource in the AWS cloud.
6 On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in SonicOS as well. The second tunnel is for redundancy. If one tunnel goes down, the SonicWall can reach AWS resources using the other tunnel.
Configuring site-to-site VPN between GCP and SonicWall
- On the remote site 1 SonicWall, go to VPN > IPsec Tunnels, then click Create New.
- On the VPN Setup tab, configure the following:
1 For Template type, select Site to Site.
2 For NAT configuration, select No NAT between sites.
3 Click Next.
On the Authentication tab, configure the following:
1 In the Remote IP address field, enter the destination SonicWall public IP address. This is the spoke1 public IP address.
2 Configure a signature or pre-shared key to secure the tunnel.
3 Click Next.
- On the Policy & Routing tab, configure the local and remote subnets. Note that here, the local subnet refers to the remote site subnet, and the remote subnet refers to the NCC external and internal VPC subnets. Click Next.
- Review the configuration, then click Create.
- Create a similar connection from the Region 1 spoke SonicWall to the remote site 1 SonicWall. When creating this connection, on the Policy & Routing tab, ensure that you add port1 and port2 as local interfaces when creating the tunnel interface.