Arun's Blog

AWS Site-to-Site VPN with Palo Alto

Tags: VPN, Networking, Security
TL;DR

Connect your on-premises Palo Alto firewall to AWS using Site-to-Site VPN. Create a Customer Gateway and Virtual Private Gateway in AWS, download the configuration file, then configure IKE/IPsec on your Palo Alto using the provided settings. Total setup time: 30-60 minutes.

Introduction

Need to quickly and cheaply connect your on-prem environment to AWS rather than wait weeks for a Direct Connect? AWS site-to-site VPN is an excellent choice to make that happen.

A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Many organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to using private MPLS circuits.

Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis. With a site-to-site VPN, a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.

AWS offers Site-to-Site VPN as a fully managed service that creates an encrypted connection between your data center or branch office and your AWS resources over IPsec tunnels. A connection can terminate on a Virtual Private Gateway attached to one VPC or on an AWS Transit Gateway. Every connection comes with two tunnels, each ending on a different AWS endpoint, so that one endpoint can fail without losing connectivity. This guide builds the first tunnel; for production, repeat the tunnel interface, IKE gateway and IPsec tunnel steps for the second tunnel with its own outside IP, inside /30 and pre-shared key, and add a second static route with a higher metric so the firewall fails over.

Prerequisites

  • AWS Account
  • An IAM principal with permissions to create the Customer Gateway, Virtual Private Gateway, VPN connection and VPC routes (and to read the VPN configuration, which contains the pre-shared keys)
  • Administrative access to the Palo Alto firewall to create network objects, crypto profiles, tunnels and security policies
Important

Ensure your Palo Alto firewall has a static public IP address: the Customer Gateway in AWS is tied to that address, so if it changes the VPN stays down until the Customer Gateway is recreated. If the firewall sits behind another NAT device, use the NAT device's public IP as the Customer Gateway address, enable NAT Traversal on the IKE gateway, and set the Local Identification to that public IP rather than the firewall's interface address, because AWS identifies the peer by its IKE ID.

Logical Diagram

Palo Alto Firewall

  • The internet connection is on ethernet1/1 of the Palo Alto firewall with public IP 52.45.6.240 (the address AWS will see as the Customer Gateway)
  • The LAN of the Palo Alto firewall is on ethernet1/2 with CIDR 192.168.0.0/16

AWS

  • The AWS VPN endpoint for tunnel 1 has the outside IP 52.52.81.150; it comes from the downloaded configuration file, and tunnel 2 has its own
  • The AWS VPC CIDR is 10.1.0.0/16

Steps Overview

AWS

  1. Create AWS Customer Gateway
  2. Create Virtual Private Gateway (or use TGW)
  3. Create Site-to-site VPN connection
  4. Create route
  5. Download the VPN configuration file and collect the necessary information

Palo Alto Firewall

  1. Create VPN zone
  2. Create Address Object
  3. Create tunnel interface
  4. Modify the virtual router (add the tunnel interface and a static route)
  5. Create IKE Crypto
  6. Create IPsec Crypto
  7. Create IKE Gateways
  8. Create IPsec Tunnel
  9. Create Policy

Configuration

AWS

Create AWS Customer Gateway

  1. Sign in to the AWS Management Console with a principal that has the permissions listed above
  2. Click Services and select VPC
  3. Select your VPC at Filter by VPC, this is the VPC you will use to configure IPsec VPN
  4. Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway
  5. Create Customer Gateways with the following parameters:
    • Name: Palo Alto Firewall
    • Routing: Static
    • IP Address: Enter Palo Alto's WAN IP as 52.45.6.240
    • Click Create Customer Gateway

Create Virtual Private Gateway

  1. Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway
  2. Create a Virtual Private Gateway with the following parameters:
    • Name tag: VPG01
    • ASN: Amazon default ASN
    • Click Create Virtual Private Gateway
  3. Select the newly created Virtual Private Gateway > click Action > Attach to VPC

Create Site-to-site VPN Connection

  1. Go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection > click Create VPN Connection
  2. Create with the following information:
    • Name tag: S2S-AWS-to-PaloAlto
    • Target Gateway Type: select Virtual Private Gateway
    • Virtual Private Gateway: select the Virtual Private Gateway just created
    • Customer Gateway: select Existing
    • Customer Gateway ID: select the Customer Gateway just created
    • Routing Option: Static
    • Static IP Prefixes: type Palo Alto's LAN subnet as 192.168.0.0/16
    • Click Create VPN Connection
Pro Tip

Save the pre-shared keys from the downloaded configuration file (one per tunnel) in a secrets store such as a password manager; you will need them to rebuild the Palo Alto side of the tunnels. The keys can also be retrieved later by downloading the configuration again, or from the CustomerGatewayConfiguration returned by aws ec2 describe-vpn-connections, so treat ec2:DescribeVpnConnections as a permission that exposes the VPN secret and grant it sparingly.

Create Route

  1. Go to VIRTUAL PRIVATE CLOUD > Route Tables > select the route table used by the subnets that must reach on-premises > Routes tab > click Edit routes > click Add route
    • Destination: 192.168.0.0/16
    • Target: select the newly created Virtual Private Gateway
    • Click Save changes
  2. Alternatively, open the route table's Route propagation tab and enable propagation from the Virtual Private Gateway; the static prefix of the VPN connection is then added to the route table automatically

Download the VPN Configuration File

  1. After creating the VPN Connection, select the newly created VPN Connection and click Download Configuration
  2. Select the following information to download the configuration file:
    • Vendor: Palo Alto Networks
    • Platform: PA Series
    • Software: PANOS 7.0+
    • Ike Version: ikev2
Note

The downloaded configuration file contains everything you will type into the Palo Alto: the IKE crypto and IPsec crypto parameters, the outside IP of each AWS endpoint, the inside tunnel addresses (one 169.254.x.x/30 per tunnel, with the customer side and the AWS side listed separately) and the pre-shared key of each tunnel. Treat it as a secret: store it with the same controls as the pre-shared keys, and delete downloaded copies from laptops once the firewall is configured.

Palo Alto Firewall

Create Zone

  1. Go to Network > Zones
  2. Click Add and create:
    • Name: VPN
    • Type: Layer3
    • Click OK

Create Address Objects

Create Address Objects for both LAN networks:

  1. Go to Object > Addresses
  2. Click Add for Palo Alto Firewall LAN:
    • Name: PA_LAN
    • Type: IP Netmask - 192.168.0.0/16
    • Click OK
  3. Click Add for AWS LAN:
    • Name: AWS_LAN
    • Type: IP Netmask - 10.1.0.0/16
    • Click OK

Create Tunnel Interface

  1. Go to Network > Interface > Tunnel
  2. Click Add:
    • Config tab: Interface Name: tunnel.2, Virtual Router: default, Security Zone: VPN
    • IPv4 tab: Click Add and enter the customer-side inside address from the configuration file, here 169.254.206.206/30 (the AWS side of the same /30 is 169.254.206.205)
    • Advanced tab: MTU 1427, the value the AWS configuration file sets for the tunnel interface
    • Click OK

Modify Virtual Router

  1. Go to Network > Virtual Routers > click default
  2. Router Settings tab: Click Add and select tunnel.2
  3. Static Routes > IPv4 tab: Click Add:
    • Name: Route_AWS_Subnet
    • Destination: 10.1.0.0/16
    • Interface: tunnel.2
    • Next Hop: IP Address - 169.254.206.205 (AWS side)
    • Click OK twice

Create IKE Crypto (Phase 1)

  1. Go to Network > IKE Crypto, click Add:
    • Name: awsikecrypto
    • DH Group: group2
    • Encryption: aes-128-cbc
    • Authentication: sha1
    • Key Lifetime: Seconds - 28800
    • Click OK

Create IPsec Crypto (Phase 2)

  1. Go to Network > IPsec Crypto, click Add:
    • Name: awsipseccrypto
    • IPsec Protocol: ESP
    • Encryption: aes-128-cbc
    • Authentication: sha1
    • DH Group: group2
    • Lifetime: Seconds - 3600
    • Click OK
Note

group2 (1024-bit MODP) and SHA-1 are the legacy values carried in the AWS-generated file, kept there so that old devices still work. AWS Site-to-Site VPN also negotiates AES-256 (CBC and GCM), SHA2-256/384/512 and DH groups 14 through 24, which PAN-OS names aes-256-cbc, sha256 and group14 and so on. Use those in both profiles unless a device on your side cannot; whatever you choose must be in the set AWS offers, and you can pin AWS to the same set through the VPN connection's tunnel options so that nothing weaker can be negotiated.
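The tunnel options mentioned above are set when the VPN connection is created (or later with modify-vpn-tunnel-options). The following is an added example, not code from the original post or from AWS: it builds the TunnelOptions for boto3's ec2.create_vpn_connection so that AWS only negotiates the stronger algorithms, expresses the post's legacy profile (aes-128-cbc / sha1 / group2) in the same terms, and audits both against a minimum policy. The dictionary keys and values follow the EC2 API's VpnTunnelOptionsSpecification; the policy thresholds, the StartupAction/DPD choices, the gateway IDs, the pre-shared keys and the inside CIDRs are this example's own assumptions.

```python
import ipaddress
import re

# Value sets the EC2 API accepts for VPN tunnel options.
AWS_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
AWS_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
# Link-local /30s AWS reserves; TunnelInsideCidr must avoid them.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# Policy for this example (our choice, not an AWS rule): no SHA-1, no DH group
# below 14 (group2 is 1024-bit MODP), IKEv2 only.
MIN_DH_GROUP = 14
WEAK_INTEGRITY = {"SHA1"}


def psk_ok(psk):
    """AWS format rule: 8-64 characters from [A-Za-z0-9._], not starting with 0."""
    return re.fullmatch(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}", psk) is not None


def inside_cidr_ok(cidr):
    """AWS rule: a /30 inside 169.254.0.0/16 that is not one of the reserved blocks."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    except ValueError:
        return False
    return (net.prefixlen == 30
            and net.subnet_of(ipaddress.ip_network("169.254.0.0/16"))
            and net not in RESERVED_INSIDE)


def tunnel_option(psk, inside_cidr, enc="AES256", integ="SHA2-256", dh=14, ike="ikev2"):
    """One VpnTunnelOptionsSpecification; the defaults are the hardened choice."""
    if not psk_ok(psk):
        raise ValueError("pre-shared key violates the AWS format rules")
    if not inside_cidr_ok(inside_cidr):
        raise ValueError(f"{inside_cidr} is not a usable tunnel inside CIDR")
    return {
        "TunnelInsideCidr": inside_cidr,
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": ike}],
        "Phase1EncryptionAlgorithms": [{"Value": enc}],
        "Phase1IntegrityAlgorithms": [{"Value": integ}],
        "Phase1DHGroupNumbers": [{"Value": dh}],
        "Phase2EncryptionAlgorithms": [{"Value": enc}],
        "Phase2IntegrityAlgorithms": [{"Value": integ}],
        "Phase2DHGroupNumbers": [{"Value": dh}],
        # Our choice: let AWS initiate IKE and restart the tunnel after a DPD
        # timeout instead of waiting for the Palo Alto to bring it back.
        "StartupAction": "start",
        "DPDTimeoutSeconds": 30,
        "DPDTimeoutAction": "restart",
    }


def legacy_tunnel_option(psk, inside_cidr):
    """The post's profiles (aes-128-cbc / sha1 / group2) expressed in API terms."""
    return tunnel_option(psk, inside_cidr, enc="AES128", integ="SHA1", dh=2)


def audit_tunnel_option(opt):
    """Findings against the policy above; an empty list means the options pass."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        for a in opt[f"{phase}EncryptionAlgorithms"]:
            if a["Value"] not in AWS_ENCRYPTION:
                findings.append(f"{phase}: {a['Value']} is not an AWS encryption value")
        for a in opt[f"{phase}IntegrityAlgorithms"]:
            if a["Value"] in WEAK_INTEGRITY or a["Value"] not in AWS_INTEGRITY:
                findings.append(f"{phase}: integrity {a['Value']} rejected")
        for g in opt[f"{phase}DHGroupNumbers"]:
            if g["Value"] < MIN_DH_GROUP:
                findings.append(f"{phase}: DH group {g['Value']} below {MIN_DH_GROUP}")
    if any(v["Value"] != "ikev2" for v in opt["IKEVersions"]):
        findings.append("IKEv1 is offered")
    return findings


def create_vpn_request(vgw_id, cgw_id, tunnel_options):
    """kwargs for boto3's ec2.create_vpn_connection(**request); static routing as in the post."""
    for opt in tunnel_options:
        findings = audit_tunnel_option(opt)
        if findings:
            raise ValueError("tunnel options fail the crypto policy: " + "; ".join(findings))
    return {
        "Type": "ipsec.1",
        "CustomerGatewayId": cgw_id,
        "VpnGatewayId": vgw_id,
        "Options": {"StaticRoutesOnly": True, "TunnelOptions": tunnel_options},
    }


if __name__ == "__main__":
    import json
    tunnels = [tunnel_option("Tunnel1.Example_psk", "169.254.10.0/30"),
               tunnel_option("Tunnel2.Example_psk", "169.254.11.0/30")]
    print(json.dumps(create_vpn_request("vgw-0123456789abcdef0", "cgw-0123456789abcdef0", tunnels), indent=2))
    print("legacy findings:", audit_tunnel_option(legacy_tunnel_option("Tunnel1.Example_psk", "169.254.10.0/30")))
```

Pass the returned dictionary to boto3.client("ec2").create_vpn_connection(**request); for an existing connection, one entry of TunnelOptions (without TunnelInsideCidr) can be given to modify_vpn_tunnel_options together with the tunnel's outside IP. The Palo Alto profiles must then offer the same algorithms, since AWS will only accept what the tunnel options allow.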

Create IKE Gateways

  1. Go to Network > IKE Gateways, click Add
  2. General tab:
    • Name: awsikevpn
    • Version: IKEv2 only mode
    • Address Type: IPv4
    • Interface: ethernet1/1 (Palo Alto Firewall's WAN port)
    • Peer Address: 52.52.81.150 (AWS WAN IP)
    • Pre-shared key: enter the key from the config file
    • Local Identification: IP address - 52.45.6.240
    • Peer Identification: IP address - 52.52.81.150
  3. Advanced Options: IKE Crypto Profile: awsikecrypto
  4. Click OK

Create IPsec Tunnels

  1. Go to Network > IPsec Tunnels, click Add
  2. General tab:
    • Name: ipsectunnel-1
    • Tunnel Interface: tunnel.2
    • Type: Auto Key
    • IKE Gateway: awsikevpn
    • IPsec Crypto Profile: awsipseccrypto
  3. Optional but recommended: Show Advanced Options > enable Tunnel Monitor with Destination IP 169.254.206.205 (the AWS side of the /30), so the firewall detects a dead tunnel instead of blackholing traffic and, once the second tunnel exists, can fail over to it
  4. Click OK

Create Security Policies

  1. Go to Policies > Security, click Add
  2. LAN to VPN policy:
    • Name: LAN_TO_VPN
    • Source Zone: Trust-Layer3, Source Address: PA_LAN
    • Destination Zone: VPN, Destination Address: AWS_LAN
    • Application and Service: the applications and ports the workloads actually need, rather than any
    • Action: Allow
  3. VPN to LAN policy:
    • Name: VPN_TO_LAN
    • Source Zone: VPN, Source Address: AWS_LAN
    • Destination Zone: Trust-Layer3, Destination Address: PA_LAN
    • Application and Service: restrict in the same way; a tunnel from AWS is still an inbound path into the LAN
    • Action: Allow
  4. Click Commit to save the configuration changes
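
Collecting the right value for each of the fields above (peer address, tunnel IP, next hop, pre-shared key, crypto profiles) from the downloaded configuration is where most typos happen, especially once two tunnels are involved. The following is an added example, not code from the original post or from AWS or Palo Alto: it reads the XML that AWS returns as CustomerGatewayConfiguration (the data the downloadable file is rendered from, also available through aws ec2 describe-vpn-connections), maps each tunnel onto the Palo Alto fields used in this guide, and checks that the tunnel IP and the next hop are the two usable hosts of one link-local /30. The embedded XML is constructed for the example: its element layout follows what AWS returns, but every ID, address and pre-shared key in it is made up.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed for this example: the element layout is what AWS returns as
# CustomerGatewayConfiguration, but every ID, address and key here is made up.
SAMPLE_CGW_CONFIG = """<vpn_connection id="vpn-0123456789abcdef0">
  <customer_gateway_id>cgw-0123456789abcdef0</customer_gateway_id>
  <vpn_gateway_id>vgw-0123456789abcdef0</vpn_gateway_id>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>52.45.6.240</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.206.206</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>52.52.81.150</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.206.205</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </vpn_gateway>
    <ike><encryption_protocol>aes-128-cbc</encryption_protocol><authentication_protocol>sha1</authentication_protocol>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>ExamplePskTunnel1_NotReal</pre_shared_key></ike>
    <ipsec><encryption_protocol>aes-128-cbc</encryption_protocol><authentication_protocol>hmac-sha1-96</authentication_protocol><perfect_forward_secrecy>group2</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>52.45.6.240</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.100.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>52.52.81.151</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.100.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </vpn_gateway>
    <ike><encryption_protocol>aes-128-cbc</encryption_protocol><authentication_protocol>sha1</authentication_protocol>
         <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>ExamplePskTunnel2_NotReal</pre_shared_key></ike>
    <ipsec><encryption_protocol>aes-128-cbc</encryption_protocol><authentication_protocol>hmac-sha1-96</authentication_protocol><perfect_forward_secrecy>group2</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
</vpn_connection>
"""

CRYPTO_FIELDS = ("encryption_protocol", "authentication_protocol", "perfect_forward_secrecy")


def _tunnel_from_xml(node):
    """Map one <ipsec_tunnel> element onto the fields the Palo Alto steps ask for."""
    inside_ip = node.findtext("customer_gateway/tunnel_inside_address/ip_address")
    prefix = node.findtext("customer_gateway/tunnel_inside_address/network_cidr")
    return {
        # IKE Gateway: Peer Address / Peer Identification, and Local Identification
        "peer_address": node.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
        "local_address": node.findtext("customer_gateway/tunnel_outside_address/ip_address"),
        # Tunnel interface IPv4 address (customer side of the /30)
        "tunnel_ip": f"{inside_ip}/{prefix}",
        # Static route next hop (AWS side of the same /30)
        "next_hop": node.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
        # IKE Gateway pre-shared key; every tunnel has its own
        "pre_shared_key": node.findtext("ike/pre_shared_key"),
        # IKE Crypto (Phase 1) and IPsec Crypto (Phase 2) profile values
        "ike": {k: node.findtext(f"ike/{k}") for k in CRYPTO_FIELDS},
        "ipsec": {k: node.findtext(f"ipsec/{k}") for k in CRYPTO_FIELDS},
    }


def parse_tunnels(xml_text):
    """One dict per <ipsec_tunnel>, in the order AWS lists them (tunnel 1 first)."""
    return [_tunnel_from_xml(n) for n in ET.fromstring(xml_text).findall("ipsec_tunnel")]


def check_inside_pair(tunnel):
    """Catch the classic typo before committing: the tunnel IP and the next hop
    must be the two usable hosts of one /30 inside 169.254.0.0/16."""
    problems = []
    local = ipaddress.ip_interface(tunnel["tunnel_ip"])
    remote = ipaddress.ip_address(tunnel["next_hop"])
    if local.network.prefixlen != 30:
        problems.append(f"inside prefix is /{local.network.prefixlen}, expected /30")
    if not local.network.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append(f"{local.network} is not a link-local /30")
    if remote not in list(local.network.hosts()):
        problems.append(f"next hop {remote} is not a usable host of {local.network}")
    elif remote == local.ip:
        problems.append("next hop equals the local tunnel address")
    return problems


def redacted(tunnel):
    """Copy that is safe to paste into a ticket or log: the PSK is the only secret."""
    return {**tunnel, "pre_shared_key": "<redacted>"}


if __name__ == "__main__":
    for n, t in enumerate(parse_tunnels(SAMPLE_CGW_CONFIG), start=1):
        print(f"tunnel {n}: {redacted(t)}")
        print("  inside-address checks:", check_inside_pair(t) or "ok")
```

Run against the real XML (boto3's describe_vpn_connections returns it in CustomerGatewayConfiguration), the second entry of the list gives the values for the second IKE gateway, tunnel interface and static route that a redundant setup needs; keep the pre-shared keys out of anything that is logged or pasted into a ticket.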

CLI Verification

# Display all interfaces; tunnel.2 should be listed with its 169.254.x.x address
show interface all

# IKE (Phase 1) and IPsec (Phase 2) SAs for this peer; use "test vpn ike-sa gateway awsikevpn" to force negotiation if nothing is listed
show vpn ike-sa gateway awsikevpn
show vpn ipsec-sa tunnel ipsectunnel-1

# Ping from the Palo Alto tunnel interface to the AWS side of the /30
ping source 169.254.206.206 host 169.254.206.205

Result Verification

AWS

In the AWS Management Console go to Virtual Private Network (VPN) > Site-to-Site VPN Connections, select the connection and open the Tunnel details tab. Tunnel 1 should show Up; the second tunnel stays Down until it is configured on the firewall as well.

Palo Alto Firewall

Go to Network > IPsec Tunnels. The tunnel should show UP.

Troubleshooting

  • Tunnel shows Down in AWS - Verify the pre-shared key matches exactly on both sides and that the Customer Gateway IP is the public IP the Palo Alto actually sends from (behind NAT, the NAT device's address). AWS expects that IP as the peer's IKE identity, so a mismatched Local Identification also keeps the tunnel down.
  • Phase 1 (IKE) fails - Ensure the IKE crypto profile offers a DH group, encryption and authentication algorithm that AWS accepts, that both sides use the same IKE version, and that the peer addresses and pre-shared keys are right. UDP 500 and 4500 must be reachable between the two outside IPs.
  • Phase 2 (IPsec) fails - Check the IPsec crypto profile and that the tunnel interface carries the customer-side inside address (169.254.x.x/30) from the configuration file, with the AWS-side address of the same /30 as the static route's next hop.
  • Tunnel Up but no traffic flows - Check the security policies on the Palo Alto, the static route on the firewall, the VPC route table entry (or route propagation) for 192.168.0.0/16, and that security groups and network ACLs in the VPC allow the on-premises CIDR.
  • Tunnel goes down when idle or flaps - By default AWS does not initiate IKE (tunnel Startup Action "add") and clears a tunnel whose peer stops answering Dead Peer Detection for the DPD timeout (30 seconds by default), so an idle tunnel can stay down until the Palo Alto re-initiates. Enable DPD on the IKE gateway, enable Tunnel Monitor on the IPsec tunnel with the AWS inside address 169.254.206.205 as destination so the firewall keeps the SA alive, or set the AWS tunnel options to Startup Action "start" and DPD timeout action "restart".
  • MTU issues causing packet drops - Keep the tunnel interface MTU at the value from the AWS configuration file (1427 here). If large packets fail while small ones pass, enable Adjust TCP MSS on the LAN interface so that TCP sessions negotiate a segment size that fits inside the IPsec overhead.