After establishing a site-to-site connection to the Azure network, you will be able to connect to resources created on the Azure Frontend network.
Configuration:
Create AWS Customer Gateway:
Sign in to the AWS Portal site with an administrative account.
Click Services and select VPC.
Select your VPC at Filter by VPC; this is the VPC you will use to configure the IPsec VPN.
Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.
Create Customer Gateways with the following parameters:
Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.
Create a Virtual Private Gateway with the following parameters:
To create the VPN connection, go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection > click Create VPN Connection.
Create with the following information:
We need to create a static route that sends traffic for the Palo Alto Firewall's subnet through the Virtual Private Gateway.
To create it, go to VIRTUAL PRIVATE CLOUD > Route Tables > select the existing route table > go to the Route tab > click Edit Route > click Add route.
Add:
After creating the VPN Connection, we will select the newly created VPN Connection and click Download Configuration.
Select the following information to download the configuration file:
Create Zone:
We need to create zones for VPN connections.
To create go to Network > Zones.
Click Add and create the following information:
We will create Address Objects for the two LAN subnets: the Palo Alto Firewall's LAN and the AWS LAN.
To create go to Object > Addresses.
Click Add and create according to the following parameters.
Palo Alto Firewall LAN:
To create go to Network > Interface > Tunnel.
Click Add and create according to the following information:
Config tab:
To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.
Tab Router Settings:
Name: VR1
Tab General: Click Add and select the vlan ports (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used to connect the VPN).
Tab Static Routes > IPv4
Click Add to add static routes and fill in the following information:
We will create the IKE Crypto profile (i.e. Phase 1) for the VPN connection.
To create, go to Network > IKE Crypto click Add and create according to the following information:
To create IPsec Crypto go to Network > IPsec Crypto and click Add.
Configure according to the following parameters:
To create go to Network > IKE Gateways and click Add.
Use the IKE Gateway parameters given in the config file downloaded from AWS.
If we use IKEv2 only mode, enter the parameters listed for IKEv2 only mode; if we use IKEv2 preferred mode, enter the parameters listed for IKEv2 preferred mode.
In this article we will use IKEv2 only mode.
Configure according to the following parameters:
General:
Now we will start creating a VPN connection with AWS.
To create go to Network > IPsec Tunnels and click Add.
Create with the following information:
We need to create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to reach AWS's LAN subnet and vice versa.
To create a policy go to Policies > Security and click Add.
Create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to the AWS LAN subnet with the following information:
Tab General:
Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.
At VPN Connection > Tunnel Details > make sure the tunnel's status is UP.
Test the connection.
Ping result from the Linux server to a machine on the Palo Alto Firewall's LAN.
Successful ping result.
Check the log by going to Monitor > Logs > Traffic; we will see the traffic going from source IP 172.31.42.255 to destination IP 10.146.41.1.
Conversely, ping from the Palo Alto Firewall's LAN to the Linux server at AWS.
Successful ping result.
Configure site-to-site VPN with local SonicWall to Azure VM
Configure the local SonicWall:
To configure the interfaces:
1 In SonicOS on the local SonicWall, go to Network > Interfaces.
2 Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
3 Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.
To configure a static route to connect to the Internet:
1 Go to Network > Static Routes.
2 Click Create New.
3 Set the Destination to 0.0.0.0/0.0.0.0.
4 For the Interface, select port5.
5 Set the Gateway Address to 192.168.9.254.
To configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Click Create New.
1 Enter the desired VPN name. In the example, this is "to_cloud".
2 For Template Type, select Site to Site.
3 For the Remote Device Type, select SonicWall.
4 For NAT Configuration, select This site is behind NAT. For non dial-up situations where your local SonicWall has a public external IP address, you must choose No NAT between sites.
5 Click Next.
Configure Authentication:
1 For Remote Device, select IP Address.
2 Enter an IP address of 40.115.111.31, which is the Azure SonicWall's port1 public IP address.
3 For Outgoing Interface, select port5.
4 Set the Authentication Method to Pre-shared Key.
5 Enter a pre-shared key of 123456.
6 Click Next.
Configure Policy & Routing:
1 For Local Interface, select port4.
2 SonicOS automatically populates Local Subnets with 172.16.200.0/24.
3 Set the Remote Subnets to 10.58.1.0/24, which is the Azure SonicWall's port2 subnet.
4 For Internet Access, select None.
5 Click Create.
Configuring the Azure SonicWall:
To configure the interface:
1 In SonicOS on the Azure SonicWall, go to Network > Interfaces.
2 Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.
To configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
1 Enter the desired VPN name. In the example, this is "to_local".
2 For Template Type, select Site to Site.
3 For the Remote Device Type, select SonicWall.
4 For NAT Configuration, select This site is behind NAT. For non dial-up situations where your local SonicWall has a public external IP address, you must choose No NAT between sites.
5 Click Next.
Configure Authentication:
1 For Incoming Interface, select port1.
2 Set the Authentication Method to Pre-shared Key.
3 Enter a pre-shared key of 123456.
4 Click Next.
Configure Policy & Routing:
1 For Local Interface, select port2.
2 SonicOS automatically populates Local Subnets with 10.58.1.0/24.
3 Set the Remote Subnets to 172.16.200.0/24, which is the local SonicWall's port4 subnet.
4 For Internet Access, select None.
5 Click Create.
To bring up the VPN tunnel on the local SonicWall:
The tunnel is down until you initiate connection from the local SonicWall.
1 In SonicOS on the local SonicWall, go to Monitor > IPsec Monitor.
2 Click the to_cloud tunnel.
3 Click Bring Up to bring up the VPN tunnel.
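Both the Palo Alto/AWS section above (IKE and IPsec Crypto profiles taken from the downloaded AWS config file) and the two SonicWall ends just configured depend on the same thing: the two sides must be mirror images of each other (local subnets on one end are the remote subnets on the other, identical pre-shared key, identical IKE version and proposals). The following script is an added example, not code from the page or from either vendor; it cross-checks two such ends before you click Bring Up. The sample values are the page's SonicWall example (172.16.200.0/24, 10.58.1.0/24, PSK "123456"); the `VpnEnd` fields, the proposal labels and the PSK-strength threshold are my own assumptions.

```python
"""Added example (not from the original page): cross-check the two ends of a
site-to-site IPsec tunnel before bringing it up.  Sample values are the page's
SonicWall example; the dataclass fields and thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnEnd:
    name: str
    local_subnets: list          # what this end enters as "Local Subnets"
    remote_subnets: list         # what this end enters as "Remote Subnets"
    psk: str
    ike_version: str = "ikev2"
    # (encryption, hash, DH group) for phase 1 and phase 2; hypothetical labels
    ike_proposal: tuple = ("aes256", "sha256", "group14")
    ipsec_proposal: tuple = ("aes256", "sha256", "group14")


def _parse(cidrs, who, problems):
    """Parse strictly, so 10.58.1.4/24 (host bits set) is reported, not masked."""
    nets = []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError as exc:
            problems.append(f"{who}: bad subnet {c!r}: {exc}")
    return nets


def check_pair(a: VpnEnd, b: VpnEnd) -> list:
    """Return human-readable problems; an empty list means both ends agree."""
    problems = []
    a_local = _parse(a.local_subnets, a.name, problems)
    a_remote = _parse(a.remote_subnets, a.name, problems)
    b_local = _parse(b.local_subnets, b.name, problems)
    b_remote = _parse(b.remote_subnets, b.name, problems)

    # 1. Traffic selectors must mirror each other, or phase 2 never matches.
    if set(a_local) != set(b_remote):
        problems.append(f"{a.name} local {a.local_subnets} != {b.name} remote {b.remote_subnets}")
    if set(b_local) != set(a_remote):
        problems.append(f"{b.name} local {b.local_subnets} != {a.name} remote {a.remote_subnets}")

    # 2. A local range overlapping a remote range means the static route to the
    #    tunnel interface competes with the LAN route.
    for end, local, remote in ((a, a_local, a_remote), (b, b_local, b_remote)):
        for loc in local:
            for rem in remote:
                if loc.overlaps(rem):
                    problems.append(f"{end.name}: local {loc} overlaps remote {rem}")

    # 3. Same PSK on both ends, and not a trivially guessable one.
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if len(a.psk) < 20 or a.psk.isdigit():
        problems.append("pre-shared key is short or digits-only; use a long random key")

    # 4. IKE version and both proposals must match exactly on both ends.
    if a.ike_version != b.ike_version:
        problems.append(f"IKE version mismatch: {a.ike_version} vs {b.ike_version}")
    if a.ike_proposal != b.ike_proposal:
        problems.append(f"phase 1 proposal mismatch: {a.ike_proposal} vs {b.ike_proposal}")
    if a.ipsec_proposal != b.ipsec_proposal:
        problems.append(f"phase 2 proposal mismatch: {a.ipsec_proposal} vs {b.ipsec_proposal}")
    return problems


# Constructed sample: the page's two SonicWall ends.
LOCAL = VpnEnd("local SonicWall", ["172.16.200.0/24"], ["10.58.1.0/24"], "123456")
AZURE = VpnEnd("Azure SonicWall", ["10.58.1.0/24"], ["172.16.200.0/24"], "123456")
# Same pair with a typo in the Azure side's remote subnet.
AZURE_TYPO = VpnEnd("Azure SonicWall", ["10.58.1.0/24"], ["172.16.20.0/24"], "123456")

if __name__ == "__main__":
    for peer in (AZURE, AZURE_TYPO):
        print(peer.remote_subnets, "->", check_pair(LOCAL, peer) or "OK")
```

With the page's values the only finding is the weak pre-shared key; a one-digit typo in either subnet field shows up as a selector mismatch before any time is spent reading IKE debug output.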
To create a VPG:
1 A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.
2 In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
3 In the Name tag field, enter the desired gateway name.
4 For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
5 After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
6 On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.
To create a customer gateway:
1 Go to Customer Gateways, then click Create Customer Gateway.
2 In the Name field, enter the desired gateway name.
3 For Routing, select Static.
4 In the IP Address field, enter the on-premise SonicWall's external address.
To create a site-to-site VPN connection on AWS:
AWS site-to-site VPN supports the following:
- Internet Key Exchange version 2 (IKEv2)
- NAT traversal
- Four-byte ASN (in addition to two-byte ASN)
- Reusable IP addresses for customer gateways
- Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
- Configurable tunnel options
- Custom private ASN for the Amazon side of a BGP session
This example describes creating an IPsec site-to-site VPN.
1 Go to VPN Connections, then click Create VPN Connection.
2 In the Name tag field, enter the desired VPN connection name.
3 From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
4 For Routing Options, select Static.
5 In the IP Prefixes field, enter the CIDR of the networks behind your on-premise SonicWall.
6 Leave the tunnel options blank. You will obtain this information from a configuration file download.
To configure the on-premise SonicWall:
1 After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the SonicWall correctly.
2 You can configure the SonicWall using this downloaded configuration file. Run the diagnose vpn tunnel up examplephase2 command if the tunnel is not up automatically already.
3 Check in the SonicOS GUI in VPN > IPsec Tunnels that the tunnel is up.
4 In the AWS management console, check that the tunnel is up.
5 After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the SonicWall to a resource on the AWS cloud.
6 On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in SonicOS as well. The second tunnel is for redundancy. If one tunnel goes down, the SonicWall can reach AWS resources using the other tunnel.
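Steps 3 to 6 above say to check in the AWS console that the tunnel is up and that the second tunnel exists for redundancy. The following script is an added example, not code from the page or from AWS; it reads the JSON that `aws ec2 describe-vpn-connections` returns and reports each tunnel's status, loss of redundancy (one of the two tunnels DOWN), and any on-premise prefix that has no static route on the connection. The sample document is constructed to the shape of that command's output; the connection ID, outside IPs and the 192.0.2.0/24 prefix are placeholders.

```python
"""Added example (not from the original page): turn `aws ec2
describe-vpn-connections` output into a short tunnel-health report.
SAMPLE is constructed to that command's JSON shape; IDs and IPs are placeholders."""
import json

SAMPLE = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",       # placeholder id
        "State": "available",
        "Options": {"StaticRoutesOnly": True},
        "Routes": [{"DestinationCidrBlock": "172.16.200.0/24",
                    "Source": "Static", "State": "available"}],
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 0},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    }]
})


def tunnel_report(raw: str, expected_prefixes=()) -> dict:
    """Map each VPN connection id to its per-tunnel status and a list of findings.

    expected_prefixes: on-premise CIDRs that must appear as static routes on
    the connection (the "IP Prefixes" entered when the VPN was created).
    """
    report = {}
    for conn in json.loads(raw)["VpnConnections"]:
        findings = []
        if conn.get("State") != "available":
            findings.append(f"connection state is {conn.get('State')!r}")

        tunnels = {t["OutsideIpAddress"]: t["Status"] for t in conn["VgwTelemetry"]}
        up = [ip for ip, status in tunnels.items() if status == "UP"]
        if not up:
            findings.append("no tunnel UP: on-premise site is unreachable")
        elif len(up) < len(tunnels):
            # Still reachable, but a single failure now takes the site offline.
            findings.append(f"redundancy lost: only {len(up)} of {len(tunnels)} tunnels UP")
        for t in conn["VgwTelemetry"]:
            if t["Status"] != "UP" and t.get("StatusMessage"):
                findings.append(f"{t['OutsideIpAddress']}: {t['StatusMessage']}")

        routes = {r["DestinationCidrBlock"] for r in conn.get("Routes", [])}
        for prefix in sorted(set(expected_prefixes) - routes):
            findings.append(f"no static route for {prefix} on the VPN connection")

        report[conn["VpnConnectionId"]] = {"tunnels": tunnels, "findings": findings}
    return report


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for a second on-premise prefix that was never added.
    for vpn_id, info in tunnel_report(SAMPLE, ["172.16.200.0/24", "192.0.2.0/24"]).items():
        print(vpn_id, info["tunnels"])
        for line in info["findings"]:
            print("  -", line)
```

Feed it the real output with `aws ec2 describe-vpn-connections --vpn-connection-ids <id>` and run it on a schedule: a tunnel that is UP today but has lost its partner is the condition step 6 warns about, and it is invisible from a ping test alone.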
Configuring site-to-site VPN between GCP and SonicWall
- On the remote site 1 SonicWall, go to VPN > IPsec Tunnels, then click Create New.
- On the VPN Setup tab, configure the following:
1 For Template type, select Site to Site.
2 For NAT configuration, select No NAT between sites.
3 Click Next.
On the Authentication tab, configure the following:
1 In the Remote IP address field, enter the destination SonicWall public IP address. This is the spoke1 public IP address.
2 Configure a signature or pre-shared key to secure the tunnel.
3 Click Next.
- On the Policy & Routing tab, configure the local and remote subnets. Note that here, the local subnet refers to the remote site subnet, and the remote subnet refers to the NCC external and internal VPC subnets. Click Next.
- Review the configuration, then click Create.
- Create a similar connection from the Region 1 spoke SonicWall to the remote site 1 SonicWall. When creating this connection, on the Policy & Routing tab, ensure that you add port1 and port2 as local interfaces when creating the tunnel interface.