How to Configure IPSec VPN between Paloalto Firewall and AWS

This article shows how to configure a site-to-site VPN between a PA-850 firewall and AWS. It assumes that the AWS side of the site-to-site VPN is already configured and that AWS has sent you its configuration file. Here are the steps:

Step 1: Configure Tunnel

Step 2: Create IKE Crypto Profile

Step 3: Configure IKE Gateway

Step 4: Configure IPSec Crypto

Step 5: Configure IPSec Tunnel

Step 6: Configure Virtual Router

Step 7: Configure Security and Policy Rules

Step 8: Commit the configuration and test

Step 1: Configure Tunnel

AWS configuration

 edit network interface tunnel units tunnel.1
  set ip 169.x.x.26/30
  set mtu 1427

On PA-850

1. With the Palo Alto web interface open, go to Network > Interfaces > Tunnel tab.

2. Click Add to create a new tunnel interface.

3. Enter the following parameters:

* Name: tunnel.1

* Virtual router: select the virtual router in which the tunnel interface should reside. Click OK to save the settings.

* Re-open tunnel.1.

* Create a new Security Zone (you can also create the zone under Network > Zones):

* Enter the zone name, for example AWS.

* Click Add under Interface.

* Select the tunnel.1 interface you just created.

* Click OK to save the settings.

* The tunnel interface needs an IP address because we intend to run a dynamic routing protocol over it. If the tunnel interface sits in a zone that uses only static routing, an IP address on the tunnel interface is optional.

* To configure the IP address, click the IPv4 tab.

* Click Add.

* Enter the public IP address for connecting to AWS.

* You may want to create a Management Profile; in our example it is PING-only.

* The tunnel.1 settings look like this:

Step 2: Create IKE Crypto Profile

AWS configuration

 configure
 edit network ike crypto-profiles ike-crypto-profiles vpn-xxxx-0
  set dh-group group2
  set hash sha1
  set lifetime seconds 28800
  set encryption aes-128-cbc

On PA-850

* Go to Network > Network Profiles > IKE Crypto.

* Click Add.

* Enter the IKE Crypto profile (IKEv1 Phase-1) parameters. They must match the parameters on the remote side for the IKE Phase-1 negotiation to succeed.

Step 3: Configure IKE Gateway

AWS Configuration

 edit network ike gateway ike-vpn-xxxx-0
  set protocol ikev1 ike-crypto-profile vpn-xxxx-0 exchange-mode main
  set protocol ikev1 dpd interval 10 retry 3 enable yes
  set authentication pre-shared-key key xxxx
  set local-address ip 12.x.x.130
  set local-address interface ethernet1/1
  set peer-address ip 52.x.x.251
 top

On PA-850

* Go to Network > Network Profiles > IKE Gateway.

* Click Add to configure the IKE Phase-1 gateway.

* Enter the local and peer IP addresses and the remaining settings so that they match the AWS configuration.

* Click Advanced Options; select default as the IKE Crypto Profile and 5 as the Interval.

* The IKE Gateway configuration looks like this:

Step 4: Configure IPSec Crypto

AWS Configuration

 edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-xxxx-0
  set esp authentication sha1
  set esp encryption aes-128-cbc
  set dh-group group2 lifetime seconds 3600

On PA-850

* Go to Network > Network Profiles > IPSec Crypto.

* Click Add to create a new profile.

* Configure the IPSec Crypto profile, which specifies the protocols and algorithms used for identification, authentication, and encryption in VPN tunnels during the IPSec SA negotiation (IKEv1 Phase-2). These must match the AWS configuration.

* The IPSec Crypto profile looks like this:

Step 5: Configure IPSec Tunnel

AWS Configuration

set zone untrust network layer3 tunnel.1

On PA-850

* Go to Network > IPSec Tunnels.

* Click Add to create a new IPSec tunnel.

* In the General window, select the tunnel interface, the IKE Gateway and the IPSec Crypto Profile you created above; these are the parameters used to establish the IPSec VPN tunnel between the firewalls.

* The IPSec Tunnel configuration looks like this:
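The AWS download for a Palo Alto customer gateway is a sequence of PAN-OS edit/set commands like the snippets above, and Steps 2 through 5 depend on its objects referencing each other correctly and on the Phase-1 values you type into the PA-850 matching the file. The following Python script is an added example, not code from this article, from AWS or from Palo Alto Networks: it parses a constructed sample file in that format (every name, address and the pre-shared key is a placeholder), checks that the IKE gateway and IPSec tunnel reference a crypto profile, gateway and tunnel interface that exist, compares the file's Phase-1 values with the values entered in the GUI, and flags the legacy choices in the AWS defaults (IKEv1, SHA1, DH group 2, AES-128-CBC), for which AWS Site-to-Site VPN tunnel options also offer IKEv2, SHA2-256, DH group 14 and AES-256-CBC.

```python
"""Audit the PAN-OS edit/set snippets in the AWS Site-to-Site VPN download before
reproducing them on the PA-850. Added example; not article, AWS or PAN-OS code."""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, ...]  # one absolute 'set' path, token by token
# Legacy algorithm in the AWS default file -> stronger option AWS also supports
LEGACY = {"ikev1": "ikev2", "sha1": "sha256", "group2": "group14", "aes-128-cbc": "aes-256-cbc"}

# Constructed sample in the shape of the AWS download: names, RFC 5737
# addresses and the pre-shared key are placeholders, not real values.
SAMPLE_CONFIG = """\
configure
 edit network interface tunnel units tunnel.1
  set ip 169.254.10.26/30
 edit network ike crypto-profiles ike-crypto-profiles vpn-EXAMPLE-0
  set dh-group group2
  set hash sha1
  set lifetime seconds 28800
  set encryption aes-128-cbc
 edit network ike gateway ike-vpn-EXAMPLE-0
  set protocol ikev1 ike-crypto-profile vpn-EXAMPLE-0 exchange-mode main
  set authentication pre-shared-key key PLACEHOLDER-PSK
  set local-address ip 192.0.2.130
  set peer-address ip 203.0.113.251
 top
 edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-EXAMPLE-0
  set esp authentication sha1
  set esp encryption aes-128-cbc
  set dh-group group2 lifetime seconds 3600
 edit network tunnel ipsec ipsec-tunnel-1
  set auto-key ipsec-crypto-profile ipsec-vpn-EXAMPLE-0
  set auto-key ike-gateway ike-vpn-EXAMPLE-0
  set tunnel-interface tunnel.1
  set anti-replay yes
"""

def parse_set_commands(text: str) -> List[Entry]:
    """Flatten 'edit <path>' / 'set <leaf>' / 'top' into absolute set paths."""
    context: List[str] = []
    entries: List[Entry] = []
    for tokens in (line.split() for line in text.splitlines()):
        if tokens and tokens[0] == "edit":
            context = tokens[1:]
        elif tokens and tokens[0] == "top":
            context = []
        elif tokens and tokens[0] == "set":
            entries.append(tuple(context + tokens[1:]))
    return entries

def under(entries: List[Entry], *prefix: str) -> List[Entry]:
    return [e for e in entries if e[:len(prefix)] == prefix]

def names_under(entries: List[Entry], *prefix: str) -> List[str]:
    return sorted({e[len(prefix)] for e in under(entries, *prefix) if len(e) > len(prefix)})

def value_after(entries: List[Entry], *path: str) -> Optional[str]:
    # Token following `path` (as a contiguous run) in the first entry holding it
    for e in entries:
        for i in range(len(e) - len(path)):
            if e[i:i + len(path)] == path:
                return e[i + len(path)]
    return None

def audit(text: str, gui_phase1: Optional[Dict[str, str]] = None) -> List[str]:
    entries, findings = parse_set_commands(text), []
    ike_profiles = names_under(entries, "network", "ike", "crypto-profiles", "ike-crypto-profiles")
    ipsec_profiles = names_under(entries, "network", "ike", "crypto-profiles", "ipsec-crypto-profiles")
    gateways = names_under(entries, "network", "ike", "gateway")
    tunnel_ifaces = names_under(entries, "network", "interface", "tunnel", "units")
    # Step 3: the gateway must reference a Phase-1 profile that exists; note the IKE version
    for gw in gateways:
        g = under(entries, "network", "ike", "gateway", gw)
        ref, ver = value_after(g, "ike-crypto-profile"), value_after(g, "protocol")
        if ref not in ike_profiles:
            findings.append(f"gateway {gw}: IKE crypto profile {ref!r} is not defined")
        if ver in LEGACY:
            findings.append(f"gateway {gw}: {ver} is legacy; AWS also supports {LEGACY[ver]}")
    # Step 5: the tunnel ties gateway, Phase-2 profile and tunnel interface together
    for tun in names_under(entries, "network", "tunnel", "ipsec"):
        t = under(entries, "network", "tunnel", "ipsec", tun)
        for label, key, pool in (("IKE gateway", "ike-gateway", gateways),
                                 ("IPSec crypto profile", "ipsec-crypto-profile", ipsec_profiles),
                                 ("tunnel interface", "tunnel-interface", tunnel_ifaces)):
            if value_after(t, key) not in pool:
                findings.append(f"tunnel {tun}: {label} {value_after(t, key)!r} is not defined")
    # Steps 2 and 4: flag legacy algorithms in both crypto profiles
    for e in under(entries, "network", "ike", "crypto-profiles"):
        for tok in e[5:]:
            if tok in LEGACY:
                findings.append(f"profile {e[4]}: {tok} is legacy; AWS also supports {LEGACY[tok]}")
    # Step 2: the Phase-1 values typed into the PA-850 GUI must equal the file's values
    for prof in (ike_profiles if gui_phase1 else []):
        p = under(entries, "network", "ike", "crypto-profiles", "ike-crypto-profiles", prof)
        for path in (("dh-group",), ("hash",), ("encryption",), ("lifetime", "seconds")):
            if gui_phase1.get(path[0]) != value_after(p, *path):
                findings.append(f"phase-1 mismatch on {path[0]}: GUI {gui_phase1.get(path[0])!r} "
                                f"vs AWS file {value_after(p, *path)!r}")
    return findings
```

Run `audit()` over the real file (and a dictionary of what you entered under IKE Crypto) before committing: a "not defined" or "mismatch" finding means Phase-1 or Phase-2 will not negotiate, while the "legacy" findings list the settings to raise on both the AWS tunnel options and the PA-850 profiles.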

Step 6: Configure Virtual Router

AWS Configuration

 set network virtual-router default interface tunnel.1
 edit network tunnel ipsec ipsec-tunnel-1
  set auto-key ipsec-crypto-profile ipsec-vpn-xxxx-0
  set auto-key ike-gateway ike-vpn-xxxx-0
  set tunnel-interface tunnel.1
  set anti-replay yes

On PA-850

* Go to Network > Virtual Routers.

* Click your virtual router profile, default in our example.

* Click Static Routes, then Add to add a new route for the network behind the other VPN endpoint.

* Be sure to use the proper tunnel interface.

* The Virtual Router configuration looks like this:

Step 7: Configure Security and Policy Rules

AWS Configuration

 edit rulebase pbf rules pbf-vpn-vpn-xxxx-0
  set action forward nexthop ip-address 169.x.x.25
  set action forward egress-interface tunnel.1
  set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.x.x.25
  set source LAN-CIDR source-user any destination VPC-CIDR application any service any
  set from zone trust
  set disabled no

On PA-850

* By default, the IKE negotiation and IPSec/ESP packets are allowed by the intrazone default-allow rule.

If you want more granular control, you can explicitly allow the required traffic and deny the rest.

Step 8: Commit the configuration and test

To check the IPSec status, go to Network > IPSec Tunnels.

Or ping an IP address on the other side, for example ping 10.60.3.12.

And check the Monitor tab.


Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com