AWS Site-to-Site VPN with Palo Alto

by arun danielin VPNon Posted on

Need to quickly and cheaply connect your on-prem environment to AWS rather than wait weeks for a Direct Connect? AWS site-to-site VPN is an excelent choice to make that happen.

A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Many organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to using private MPLS circuits.

Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis. With a site-to-site VPN, a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.

A site-to-site VPN is a permanent connection designed to function as an encrypted link between offices (i.e., “sites”). This is typically set up as an IPsec network connection between networking equipment.

AWS offers the Site-to-Site VPN service as a fully-managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. When using Site-to-Site VPN, you can connect to both your Amazon Virtual Private Clouds (VPC) as well as AWS Transit Gateway. In typical AWS n+1 form, two tunnels per connection are used for increased redundancy.

In this tutorial, I will go through how to deploy a site-to-site VPN between your on-premise Palo Alto firewall and your AWS environment.

Prerequisites

  • AWS Account
  • IAM account with correct privileges to create a site-to-site VPN
  • Correct privileges to access and create site-to-site VPN objects on your Palo Alto Firewall

Logical

Palo Alto Firewall

  • The internet connection is connected at ethernet1/1 of Palo Alto Firewall device with IP 52.45.6.240
  • The LAN of the Palo Alto Firewall device is configured at ethernet1/2 with CIDR 192.168.0.0/16

AWS

  • AWS has a WAN IP of 52.52.81.150
  • AWS LAN subnet is 10.1.0.0/16

Steps

AWS

  • Create AWS Customer Gateway
  • Create Virtual Private Gateway (or use TGW)
  • Create Site-to-site VPN connection
  • Create route
  • Download the VPN configuration file and collect the necessary information

Palo Alto Firewall

  • Create VPN zone
  • Create Address Object
  • Create tunnel interface
  • Create Virtual Routers
  • Create IKE Crypto
  • Create IPsec Crypto
  • Create IKE Gateways
  • Create IPsec Tunnel
  • Create Policy

Configuration

AWS

Create AWS Customer Gateway

  • Sign in to the AWS Portal site with an administrative account
  • Click Services and select VPC
  • Select your VPC at Filter by VPC, this is the VPC you will use to configure IPsec VPN
  • Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway
  • Create Customer Gateways with the following parameters:
    • Name: Palo Alto Firewall
    • Routing: Static
    • IP Address: Enter Palo Alto’s WAN IP as 52.45.6.240
    • Click Create Customer Gateway

Create Virtual Private Gateway

  • Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway
  • Create a Virtual Private Gateway with the following parameters:
    • Name tag: VPG01
    • ASN: Amazon default ASN
    • Click Create Virtual Private Gateway
  • To Add select the newly created Virtual Private Gateways > click Action > Attach to VPC

Create Site-to-site VPN Connection.

  • To create VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection > click Create VPN Connection
  • Create with the following information:
    • Name tag: S2S-AWS-to-PaloAlto
    • Target Gateway Type: select Virtual Private Gateway
    • Virtual Private Gateway : select the Virtual Private Gateway just created in the above step
    • Customer Gateway: select Existing
    • Customer Gateway ID: select the Customer Gateway just created in the previous step
    • Routing Option: Static
    • Static IP Prefixes: type Palo Alto’s LAN subnet as 192.168.0.0/16
    • Click Create VPN Connection

Create route (or propagate at the end)

  • To create in VIRTUAL PRIVATE CLOUD > Route Tables > check existing route tables > go to Route tab > click Edit Route > click Add route
    • Destination: 10.1.0.0/16
    • Target: select the newly created Virtual Gateway.
    • Click Save changes.

Download the VPN configuration file

  • After creating the VPN Connection, we will select the newly created VPN Connection and click Download Configuration
  • Select the following information to download the configuration file:
    • Vendor: Palo Alto Networks
    • Platform: PA Series
    • Software: PANOS 7.0+
    • Ike Version: ikev2
  • Necessary information from file
    • IKE Crypto:
  • IPsec Crypto:
    • IPsec tunnel gateway IPsec VPN connection on Palo Alto
      • IP tunnel on AWS: 169.254.206.204/30
        • Aws side will be .205
        • Customer side will be .206
    • Pre-shared Key
  • Information about configuring IKE Gateways:

Palo Alto Firewall

Create Zone

  • To create go to Network > Zones
  • Click Add and create the following information:
    • Name: VPN
    • Type: Layer3
    • Click OK.

Create Address Object

  • We will create the Address Object for the 2 LAN layers of the Palo Alto Firewall and AWS devices
  • To create go to Object > Addresses
  • Click Add and create according to the following parameters
  • Palo Alto Firewall LAN:
    • Name: PA_LAN
    • Type: IP Netmask – 192.168.0.0/16
    • Click OK
  • AWS LAN:
    • Name: AWS_LAN
    • Type: IP Netmask – 10.1.0.0/16
    • Click OK

Create Interface Tunnel

  • To create go to Network > Interface > Tunnel
  • Click Add and create according to the following information:
  • Config tab:
    • Interface Name: tunnel.2
    • Virtual Router: Default
    • Security Zone: VPN
    • Click OK.
  • IPv4 tab:
    • Click Add and enter the tunnel IP 169.254.206.206/30 (Palo/customer side)
  • Advanced tab:
  • Enter MTU as 1427
  • Click OK.

Modify Virtual Router

  • Go to Network > Virtual Routers > click default (or router you are using) and configure according to the following information
  • Tab Router Settings:
    • Name: Default
    • General tab: Click Add and select the tunnel.2 (the tunnel used to connect VPN)
  • Tab Static Routes > IPv4:
    • Click Add to add static routes and fill in the following information:
      • Name: Route_AWS_Subnet
      • Destination: enter AWS VPC 10.1.0.0/16
      • Interface: tunnel.2
      • Next Hop: IP Address and enter the AWS tunnel IP is 169.254.254.205 (AWS side)
      • Click OK twice to save

Create IKE Crypto

  • Create IKE Crypto ie Phase 1 for VPN connection
  • To create, go to Network > IKE Crypto click Add and create according to the following information:
    • Name: awsikecrypto
    • DH Group: group2
    • Encryption: aes-128-cbc
    • Authentication: sha1
    • Key Lifetime: Seconds – 28800
    • Click OK.

Create IPsec Crypto

  • To create IPsec Crypto go to Network > IPsec Crypto and click Add
  • Configure according to the following parameters:
    • Name: awsipseccrypto
    • IPsec Protocol: ESP
    • Encryption: aes-128-cbc
    • Authentication: sha1
    • DH Group: group2
    • Lifetime: Seconds – 3600
    • Click OK.

Create IKE Gateways

  • To create go to Network > IKE Gateways and click Add
  • General:
    • Name: awsikevpn
    • Version: IKEv2 only mode
    • Address Type: IPv4
    • Interface: ethernet1/1 (Palo Alto Firewall’s WAN port)
    • Local IP Address: None
    • Peer Address: Enter AWS WAN IP as 52.52.81.150
    • Authentication: Pre-shared Key
    • Pre-shared key: enter the connection password from the config file.
    • Confirm Pre-shared key: re-enter the connection password.
    • Local Identification: select IP address and enter Palo Alto Firewall’s WAN IP 52.45.6.240
    • Peer Identification: select the IP address and enter the AWS WAN IP 52.52.81.150
  • Advanced Options:
    • IKE Crypto Profile: select awsikecrypto (from earlier)
    • Click OK.

Create IPsec Tunnels

  • To create go to Network > IPsec Tunnels and click Add
  • Tab General:
    • Name: ipsectunnel-1
    • Tunnel Interface: tunnel.2
    • Type: Auto Key
    • Address Type: IPv4
    • IKE Gateways: awsikevpn (from earlier)
    • IPsec Crypto Profile: awsipseccrypto (from earlier)

Create Policy

  • To create a policy go to Policies > Security and click Add
  • Create a policy that allows traffic from the Palo Alto Firewall’s LAN subnet to pass through the AWS LAN subnet with the following information:
    • Tab General:
      • Name: LAN_TO_VPN
      • Rule Type: universal (default)
    • Tab Source:
      • Source Zone: click Add and select Trust-Layer3 zone
      • Source Address: click Add and select PA_LAN
    • Tab Destination:
      • Destination Zone: VPN
      • Destination Address: AWS_LAN
    • Tab Action:
      • Action: select Allow
      • Click OK.
  • Next we will click Add and create a policy that allows traffic to go from the AWS LAN subnet to the Palo Alto Firewall’s LAN subnet with the following information (or you can use the same policy and add the objects in reverse):
    • Tab General:
      • Name: VPN_TO_LAN
      • Rule Type: universal (default)
    • Tab Source:
      • Source Zone: click Add and select VPN zone
      • Source Address: click Add and select AWS_LAN
    • Tab Destination:
      • Destination Zone: Trust_Layer3
      • Destination Address: PA_LAN
    • Tab Action:
      • Action: select Allow.
      • Click OK.
    • Click Commit and OK to save the configuration changes.

CLI

  • Display all your interfaces:
    • show interface all
  • Ping from Palo tunnel interface to AWS tunnel interface:
    • ping source 169.254.206.206 host 169.254.206.205
  • Replies should be successful

Result

AWS

  • Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections
  • At VPN Connection > Tunnel Details > make sure the tunnel’s status is UP

Palo Alto Firewall

  • On Palo Alto Firewall we go to Network > IPsec Tunnels and the tunnel shows UP

Leave a Comment

Your email address will not be published. Required fields are marked *