Site-to-site VPN between AWS and Palo Alto (non-BGP)

In this blog post I will show you how to configure site-to-site VPN between AWS VPC and Palo Alto Firewall. AWS offers two VPN tunnels between a virtual private gateway or a transit gateway on the AWS side, and a customer gateway on the remote side (Palo Alto in our case)

Logical Diagram

As you can see in the above diagram, there are two logical tunnels between AWS and PA. Each tunnel terminates on different AZ on AWS for redundancy.

Assumptions

  • PA public IP - 3.3.3.3
  • AWS VPN end point public IPs - 1.1.1.1 & 2.2.2.2
  • Using the minimum requirement of AES128, SHA1, and DH Group 2.

AWS Configuration

To create a new VPN connection, go to VPC and choose Site-to-Site VPN connection in the navigation pane.


Palo Alto Configuration

IKE Crypto Profile

Create  supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters. Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

ike crypto profile

IPSec Crypto Profile

The IPSec profile  defines the encryption, authentication, and IPSec mode parameters.

ipsec profile

IKE Gateways

Two Security devices or Firewalls that initiate and terminate VPN connections across the two networks are called the IKE Gateways. Each peer must have an IP address assigned. PA and AWS use pre-shared keys to mutually authenticate each other. The peers must also negotiate the mode, in our case main mode. We also need to select the IKE profile created in the first step. Create 2 X Gateways for both Tunnels.

ike gateway 1
ike gateway 2

Tunnel Interface

Create 2 x Tunnel interfaces and set the MTU to 1427. You can also assign the interface to the appropriate Virtual Router and Zone.

tunnel interface

IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and encrypt the data as it traverses the tunnel. Create 2 x IPSec tunnels.

ipsec tunnel

Monitor profile

Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the tunnels, we would want to failover the traffic to the second tunnel. This is done by creating a tunnel monitor profile in Palo Alto networks device.

A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-based forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable.

monitor profile

Policy Based Forwarding (PBF)

To allow for failover between tunnels, we use PBF. We bind the tunnel monitor profile to this policy. When the tunnel monitor reaches its threshold, the policy is removed , and the backup policy becomes active.

Policy-Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.

Please create 2 x PBF policies and adjust zone/interface accordingly. Tunnel-2 configuration shown below

  • Source Zone- Inside
  • Source Address - 192.168.10.0/24
  • Destination Address - 10.200.0.0/24

Now one of the Tunnel should come up. In case the Availability Zone associated with the Tunnel goes down, PA will remove the policy from PBF and the traffic will be sent out via the second tunnel.

pbf

Reference

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/policy-based-forwarding

Getting started - AWS Site-to-Site VPN
Use the following procedures to manually set up the AWS Site-to-Site VPN connection. You can create a Site-to-Site VPN connection with either a virtual private gateway or a transit gateway as the target gateway.

Thanks for reading

As always, your feedback and comments are more than welcome.