How to Configure IPSec VPN between Paloalto Firewall and AWS

This atile shows how to configure a site-to-site VPN between PA-850 firewall and AWS. Assuming the AWS has configured their site-to-site VPN and sent the configuration file to you. Here are the steps:

Step 1: Configure Tunnel

Step 2: Create IKE Crypto Profile

Step 3: Configure IKE Gateway

Step 4: Configure IPSec Crypto

Step 5: Configure IPSec Tunnel

Step 6: Configure Virtual Router

Step 7: configure Security and Policy Rules

Step 8: Commit the configuration and test

Step 1: Configure Tunnel

AWS configuration

edit network interface tunnel units tunnel.1

set ip 169.x.x.26/30

set mtu 1427

On PA-850

1. With Paloalto web utility open, Go to Network >Interface > Tunnel tab.

2. Click Add to create a new tunnel interface.

3. Enter the following parameters:

* Name: tunnel.1

•Virtual router: (select the virtual router you would like your tunnel interface to reside) Click OK to save the settings.

* Re-open Tunnel.1

* Create a new Security Zone. Or you can create the zone in Network>Zones

•Enter Zone name, for example AWS

•Click on Add under Interface

•Select the Tunnel.1 which you just created.

Click OK to save the settings.

•We need to configure ip-address since we intend to run dynamic routing protocols over the tunnel interface. However, if the Tunnel interface is in the zone where the traffic run Static Routing, configuring ip-address on the tunnel interface is optional

•To configure IP Address, click on IPv4 tab.

•Click Add

•Entre the public IP address for connecting to AWS.

* You may want to create a Management Profile, PING-Only in our example

* The Tunnel.1 setting looks like this

Step 2: Create IKE Crypto Profile

AWS configuration

configure

edit network ike crypto-profiles ike-crypto-profiles vpn-xxxx-0

set dh-group group2

set hash sha1

set lifetime seconds 28800

set encryption aes-128-cbc

On PA-850

•Go to Network>Network Profiles>IKE Crypto.

•Click Add

* Enter the IKE Crypto profile (IKEv1 Phase-1) parameters, which should match on the remote firewall for the IKE Phase-1 negotiation to be successful.

Step 3: Configure IKE Gateway

AWS Configuration

edit network ike gateway ike-vpn-xxxx-0

set protocol ikev1 ike-crypto-profile vpn-xxxx-0 exchange-mode main

set protocol ikev1 dpd interval 10 retry 3 enable yes

set authentication pre-shared-key key xxxx

set local-address ip 12.x.x.130

set local-address interface ethernet1/1

set peer-address ip 52.x.x.251

top

On PA-850

•Go to Network>Network Profiles>IKE Gateway.

•Click on Add to configure the IKE Phase-1 Gateway.

Enter these local and peer IP addresses and info to match AWS configuration.

•Click on Advanced Options, select default as IKE Crypto Profile and 5 as Interval.

* The IKE Gateway configuration looks like this

Step 4: Configure IPSec Crypto

AWS Configuration

edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-xxxx-0

set esp authentication sha1

set esp encryption aes-128-cbc

set dh-group group2 lifetime seconds 3600

On PA-850

* Go to Network>Network Profiles>IPSec Crypto

* Click Add to create a new Profile

•Configure the IPSec Crypto profile to specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation (IKEv1 Phase-2), which should match AWS configuration

* IPSec Crypto Profile looks like this

Step 5: Configure IPSec Tunnel

AWS Configuration

set zone untrust network layer3 tunnel.1

On PA-850

•Go to Network>IPSec Tunnels.

•Click Add to create a new IPSec Tunnel.

* In the General window select the Tunnel Interface, the IKE Gateway and IPSec Crypto Profile you just created above to set up the parameters to establish IPSec VPN tunnels between firewalls.