Instructions for configuring IPsec VPN between Palo Alto Firewall and AWS

1. The purpose of the article

In this article techbast will show you how to configure IPsec VPN Site to site between Palo Alto Firewall device and AWS.

2. Diagram

Details:

Palo Alto Firewall:

  • The internet connection is connected at ethernet1/1 of Palo Alto Firewall device with IP 113.161.x.x.
  • The LAN of the Palo Alto Firewall device is configured at ethernet1/2 with IP 10.146.41.0/24 and has DHCP configured to allocate addresses to devices connected to it.

AWS:

  • AWS has a WAN IP of 13.59.106.76.
  • AWS LAN subnet is 172.31.32.0/20.
  • In the LAN, there is a Linux server with IP 172.31.42.255/20.

3. Configuration

Based on the above diagram, we will configure the IPsec VPN Site to Site between Palo Alto Firewall and AWS so that both LANs of the two parties can communicate with each other.

4. What to do

AWS:

  • Create AWS Customer Gateway.
  • Create Virtual Private Gateway.
  • Create Site-to-site VPN connection.
  • Create route.
  • Download the VPN configuration file and collect the necessary information.

Palo Alto Firewall:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPsec Crypto.
  • Create IKE Gateways.
  • Create IPsec Tunnel.
  • Create Policy.

Result.

5. Configuration.

5.1. AWS

5.1.1. Create AWS Customer Gateway

Sign in to the AWS Portal site with an administrative account.

Click Services and select VPC.

Select your VPC at Filter by VPC, this is the VPC you will use to configure IPsec VPN.

Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.

Create Customer Gateways with the following parameters:

  • Name: Palo Alto Firewall.
  • Routing: Static.
  • IP Address: Enter Palo Alto’s WAN IP as 113.161.x.x.
  • Click Create Customer Gateway.

5.1.2. Create Virtual Private Gateway

Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.

Create a Virtual Private Gateway with the following parameters:

  • Name tag: VPG-PaloAltoComunity.
  • ASN: Amazon default ASN.
  • Click Create Virtual Private Gateway.

Next, we will add the newly created Virtual Private Gateways to the VPC.

To attach it, select the newly created Virtual Private Gateway > click Action > Attach to VPC.

Select the VPC that we filtered at the Customer Gateways creation step and click Yes, Attach to complete.

The Virtual Private Gateway has been successfully attached to the VPC.

5.1.3. Create Site-to-site VPN Connection.

To create it, go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connections > click Create VPN Connection.

Create with the following information:

  • Name tag: S2S-AWS-to-PaloAlto.
  • Target Gateway Type: select Virtual Private Gateway.
  • Virtual Private Gateway *: select the Virtual Private Gateway just created in the above step.
  • Customer Gateway: select Existing.
  • Customer Gateway ID *: select the Customer Gateway just created in the previous step.
  • Routing Option: Static.
  • Static IP Prefixes: type Palo Alto’s LAN subnet as 10.146.41.0/24.
  • Local IPv4 Network Cidr: type 10.146.41.0/24.
  • Remote IPv4 Network Cidr: enter AWS local network subnet as 172.31.32.0/20.
  • Click Create VPN Connection.

5.1.4. Create route

We need to create a static route to route the Palo Alto Firewall’s subnet through the Virtual Gateway.

To create it, go to VIRTUAL PRIVATE CLOUD > Route Tables > check the existing route table > go to the Routes tab > click Edit routes > click Add route.

Add with the following parameters:

  • Destination: 10.146.41.0/24.
  • Target: select the newly created Virtual Gateway.
  • Click Save changes.

5.1.5. Download the VPN configuration file and collect the necessary information.

After creating the VPN Connection, we will select the newly created VPN Connection and click Download Configuration.

Select the following information to download the configuration file:

  • Vendor: Palo Alto Networks.
  • Platform: PA Series.
  • Software: PANOS 7.0+.
  • Ike Version: ikev2.

When we open the configuration file we just downloaded, we will find the following information.

IKE Crypto and IPsec Crypto of the IPsec connection.

IKE Crypto:

IPsec Crypto:

Information about the tunnel interface of the IPsec VPN connection on Palo Alto:

  • IP tunnel on Palo Alto: 169.254.60.150/30.
  • MTU: 1427.
  • IP tunnel on AWS: 169.254.60.148/30.

Information about configuring IKE Gateways:

All of this information will be used to configure the Palo Alto Firewall device in the next section.

5.2. Palo Alto Firewall

5.2.1. Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2. Create Address Object

We will create Address Objects for the two LAN subnets, the Palo Alto Firewall's and AWS's.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall LAN:

  • Name: PA_LAN.
  • Type: IP Netmask – 10.146.41.0/24.
  • Click OK.

AWS LAN:

  • Name: AWS_LAN.
  • Type: IP Netmask – 172.31.32.0/20.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.3. Create Tunnel Interface

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

Config tab:

  • Interface Name: tunnel.2
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

IPv4 tab:

  • Click Add and enter the tunnel IP 169.254.60.150/30 that we got from the previous config file.

Advanced tab:

  • We enter MTU as 1427, this parameter is taken from the config file downloaded from AWS.

Click Commit to save the configuration changes.

5.2.4. Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select the VLAN interface (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used for the VPN connection).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route_AWS_Subnet.
  • Destination: enter AWS LAN subnet as 172.31.32.0/20.
  • Interface: tunnel.2.
  • Next Hop: select IP Address and enter the AWS tunnel IP 169.254.60.148.
  • Click OK twice to save.

Click Commit and OK to save the configuration changes.

5.2.5. Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: vpn-0009b589f526268e7-0
  • DH Group: group2
  • Encryption: aes-128-cbc
  • Authentication: sha1
  • Key Lifetime: Seconds – 28800
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.6. Create IPsec Crypto

To create IPsec Crypto go to Network > IPsec Crypto and click Add.

Configure according to the following parameters:

  • Name: IPsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0
  • IPsec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha1
  • DH Group: group2
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.7. Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

We configure the IKE Gateway based on the parameters in the config file downloaded from AWS.

If we use IKEv2 only mode, enter the parameters of the IKEv2 only mode section; if we use IKEv2 preferred mode, enter the parameters of the IKEv2 preferred mode section.

In this article we will use IKEv2 only mode.

Configure according to the following parameters:

General:

  • Name: ike-vpn-0009b589f526268e7-0
  • Version: IKEv2 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall’s WAN port)
  • Local IP Address: None
  • Peer Address: Enter AWS WAN IP as 13.59.106.76
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password from the config file.
  • Confirm Pre-shared key: re-enter the connection password.
  • Local Identification: select IP address and enter Palo Alto Firewall’s WAN IP as 113.161.x.x.
  • Peer Identification: select the IP address and enter the AWS WAN IP as 13.59.106.76.

Advanced Options:

  • IKE Crypto Profile: select vpn-0009b589f526268e7-0.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.8. Create IPsec Tunnels

Now we will start creating a VPN connection with AWS.

To create go to Network > IPsec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: ipsec-tunnel-1
  • Tunnel Interface: tunnel.2
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: ike-vpn-0009b589f526268e7-0
  • IPsec Crypto Profile: IPsec-vpn-0009b589f526268e7-0

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Proxy-1
  • Local: 10.146.41.0/24
  • Remote: 172.31.32.0/20
  • Protocol: Any
  • Click OK twice to save.

Click Commit and OK to save the configuration changes.

5.2.9. Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall’s LAN subnet to pass through AWS’s LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the Palo Alto Firewall’s LAN subnet to pass through the AWS LAN subnet with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select Trust-Layer3 zone
  • Source Address: click Add and select PA_LAN

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: AWS_LAN

Tab Action:

  • Action: select Allow.
  • Click OK.

Next we will click Add and create a policy that allows traffic to go from the AWS LAN subnet to the Palo Alto Firewall’s LAN subnet with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select VPN zone
  • Source Address: click Add and select AWS_LAN

Tab Destination:

  • Destination Zone: Trust_Layer3
  • Destination Address: PA_LAN

Tab Action:

  • Action: select Allow.
  • Click OK.

Click Commit and OK to save the configuration changes.
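The same Palo Alto configuration as a PAN-OS CLI transcript, as an added example that is not from the original article or from the AWS-generated file; the set-command syntax is assumed from PAN-OS, the names and values are the ones used above, and the pre-shared key is a placeholder.

```panos
configure

# 5.2.1 / 5.2.2: VPN zone and the two LAN address objects
set zone VPN network layer3 tunnel.2
set address PA_LAN ip-netmask 10.146.41.0/24
set address AWS_LAN ip-netmask 172.31.32.0/20

# 5.2.3: tunnel interface with the inside address and MTU taken from the AWS config file
set network interface tunnel units tunnel.2 ip 169.254.60.150/30
set network interface tunnel units tunnel.2 mtu 1427

# 5.2.4: virtual router (add the LAN interface as well) and the static route to AWS via the tunnel
set network virtual-router VR1 interface [ ethernet1/1 tunnel.2 ]
set network virtual-router VR1 routing-table ip static-route Route_AWS_Subnet destination 172.31.32.0/20 interface tunnel.2 nexthop ip-address 169.254.60.148

# 5.2.5: IKE (Phase 1) crypto profile
set network ike crypto-profiles ike-crypto-profiles vpn-0009b589f526268e7-0 dh-group group2
set network ike crypto-profiles ike-crypto-profiles vpn-0009b589f526268e7-0 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles vpn-0009b589f526268e7-0 hash sha1
set network ike crypto-profiles ike-crypto-profiles vpn-0009b589f526268e7-0 lifetime seconds 28800

# 5.2.6: IPsec (Phase 2) crypto profile
set network ike crypto-profiles ipsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0 esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0 dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles IPsec-vpn-0009b589f526268e7-0 lifetime seconds 3600

# 5.2.7: IKE gateway, IKEv2 only, PSK authentication, IP-address identities on both sides
set network ike gateway ike-vpn-0009b589f526268e7-0 protocol version ikev2
set network ike gateway ike-vpn-0009b589f526268e7-0 protocol ikev2 ike-crypto-profile vpn-0009b589f526268e7-0
set network ike gateway ike-vpn-0009b589f526268e7-0 local-address interface ethernet1/1
set network ike gateway ike-vpn-0009b589f526268e7-0 peer-address ip 13.59.106.76
set network ike gateway ike-vpn-0009b589f526268e7-0 authentication pre-shared-key key <PSK-from-AWS-config-file>
set network ike gateway ike-vpn-0009b589f526268e7-0 local-id type ipaddr id 113.161.x.x
set network ike gateway ike-vpn-0009b589f526268e7-0 peer-id type ipaddr id 13.59.106.76

# 5.2.8: IPsec tunnel bound to the gateway and crypto profile, with the Proxy ID matching the AWS static prefixes
set network tunnel ipsec ipsec-tunnel-1 tunnel-interface tunnel.2
set network tunnel ipsec ipsec-tunnel-1 auto-key ike-gateway ike-vpn-0009b589f526268e7-0
set network tunnel ipsec ipsec-tunnel-1 auto-key ipsec-crypto-profile IPsec-vpn-0009b589f526268e7-0
set network tunnel ipsec ipsec-tunnel-1 auto-key proxy-id Proxy-1 local 10.146.41.0/24 remote 172.31.32.0/20 protocol any

# 5.2.9: security rules in both directions, scoped to the two LAN objects only
set rulebase security rules LAN_TO_VPN from Trust-Layer3 to VPN source PA_LAN destination AWS_LAN application any service any action allow
set rulebase security rules VPN_TO_LAN from VPN to Trust-Layer3 source AWS_LAN destination PA_LAN application any service any action allow

commit
```

After the commit, the operational-mode commands show vpn ike-sa and show vpn ipsec-sa list the Phase 1 and Phase 2 SAs that section 5.3 checks in the GUI.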

5.3. Result

Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.

At VPN Connection > Tunnel Details > make sure the tunnel’s status is UP.

On Palo Alto Firewall we go to Network > IPsec Tunnels and we also see that the tunnel is UP.

Techbast will use the Linux server at AWS to ping the LAN IP of Palo Alto Firewall to test the connection.

Ping result from the Linux server to a machine in the Palo Alto Firewall's LAN.

Successful ping result.

After the successful ping we can check the log by going to Monitor > Logs > Traffic, where we will see the traffic going from source IP 172.31.42.255 to destination IP 10.146.41.1.

Conversely, ping from the Palo Alto Firewall’s LAN to the Linux server at AWS.

Successful ping result.
