Monday 12 June 2017

Palo Alto - Configuring IKEv2 IPsec VPN for Microsoft Azure Environment

Microsoft Azure requires IKEv2 for dynamic routing, also known as route-based VPN. IKEv1 is restricted to static routing only.  For more information on Microsoft Azure VPN requirements and supported crypto parameters for both IKEv1 and IKEv2, reference:

Microsoft’s Dynamic Routing only requires you to have IP address ranges for each of the local network sites that you’ll be connecting to Azure.  It is a route-based VPN connection that uses IP address ranges defined on both gateways and IKEv2 to automatically negotiate the supported routing prefixes.  This is known as “traffic selector negotiation” under the IKEv2 RFC and PAN-OS uses Proxy IDs to configure the IP address ranges.

For an example of how to create a multi-site topology, reference:


IKEv2 is supported in PAN-OS 7.1.4 and newer versions, which fully support the route-based VPN and crypto profiles needed to connect to MS Azure's dynamic VPN architecture. This document covers the basic configuration of a Palo Alto Networks firewall for that purpose. Configuration of the Microsoft Azure environment is not covered here; refer to Microsoft's documentation to set up the VPN gateway on the Azure side.
Note: Palo Alto Networks recommends upgrading PAN-OS to 7.1.4 or above FIRST before proceeding.

Configuring the Microsoft Azure Portal

For instructions on configuring the Azure VPN through the Azure portal, please visit Microsoft's site here:

If you need instructions using PowerShell, see here:

If you need instructions using the Classic portal, see here:

Configuring the Palo Alto Networks Firewall

Here is a step-by-step guide on how to set up the VPN on a Palo Alto Networks firewall.
For this example, the following topology was used to connect a PA-200 running PAN-OS 7.1.4 to a MS Azure VPN Gateway.

For the PAN-OS IKEv2 Crypto Profile, you must select a combination of Microsoft Azure supported crypto parameters as stated in Microsoft’s IPSec Parameters (see first reference link above).  Our example used the following IKE, IPSec, and crypto profile parameters.  Note: Public IP addresses were changed for the purpose of this example.

Tunnel Interface

  1. Inside the WebGUI in Network > Interfaces > Tunnel, Add a new tunnel interface.  Select a virtual router and appropriate security zone.
  2. Optional: Assign an IP on same subnet as the Azure Gateway for dynamic routing and/or tunnel monitoring inside the IPv4 tab.
    (Screenshot: Tunnel Interface window)

IKE Gateway

  1. Add an IKE Gateway (Network > Network Profiles >IKE Gateway). The following values are to be configured:
    1. Version: Set to ‘IKEv2 Only mode’ OR ‘IKEv2 preferred mode’.
      (Screenshot: IKE Gateway window)
    2. Interface: Set to the public (internet-facing) interface of the firewall used to connect to Azure.
    3. Local IP Address: IP address of the external interface of the firewall. If not behind a NAT device, this will be the VPN Gateway Address as configured in Azure.
    4. Peer IP Address: IP address of the Azure VPN Gateway. This can be obtained from the Azure Virtual Network dashboard. Note: Make sure you use the NAT-ed IP on Azure to define the peer IP.
    5. Pre-shared Key: Azure uses a pre-shared key (PSK, also called a pre-shared secret) for authentication. The key must be configured with the same value in the Azure VPN settings and on the Palo Alto Networks firewall.
      (Note: See links above for Azure configuration information)
    6. On the Advanced Options tab, leave the Enable Passive Mode (Set as responder) unchecked, and in the IKEv2 section leave Liveness Check enabled. Note: Enable NAT traversal if the firewall is behind a NAT device.
      (Screenshot: IKE Gateway window - advanced options)
    7. ‘IKE Crypto Profile’ is set to default. A new crypto profile can be defined to match the IKE crypto settings of the Azure VPN:
      DH Group: group2
      Encryption: aes-256-cbc, 3des
      Authentication: sha1, sha256
      Note: Set lifespans longer than Azure settings to ensure that Azure renews the keys during re-keying. Set phase 1 lifetime to 28800 seconds.
      (Screenshot: PAN-OS IKEv2 Crypto Profile window)

IPSec Tunnel

Add a new IPSec tunnel (Network->IPSec Tunnels). The following values are to be configured:
  1. Tunnel Interface: Select the configured Tunnel Interface in Step 1. above.
    (Optional: Use the ‘Show Advanced Options’ to configure tunnel monitoring, if desired.)
    (Screenshot: IPSec Tunnel window)
  2. IKE Gateway: Select the IKE Gateway configured in Step 2. above.
  3. IPSec Crypto Profile (Network > Network Profiles > IPSec Crypto): Select an ‘IPSec Crypto Profile’. This can be default if it matches the Azure settings; otherwise create a new one with Add at the bottom of the IPSec Crypto window:
    Encryption: aes256-cbc
    Authentication: sha1
    DH Group: no-pfs
    Note: Set lifespans longer than Azure settings to ensure that Azure renews the keys during re-keying. Set IPSec (phase 2) lifetime to 8400 seconds.
    (Screenshot: IPSec Crypto Profile window)
  
Network Reachability
In route-based VPNs, the routing engine of the device(s) determines reachability for the VPN networks just as for any other network.
  1. Use the ‘Virtual Router’ settings (Network->Virtual Router-><VR Name>) to add a Static Route for the remote network with the Interface set to the Tunnel Interface configured in Step 1. This should match the local network settings on Azure.
    (Screenshot: Virtual Router window - Static Route - IPv4)

IPSec Tunnel Configuration
You can optionally configure “Tunnel Monitor” to ping an IP address on the Microsoft Azure side.  You will also need to configure the necessary Proxy IDs (IP address ranges) for the local and remote networks using the Proxy ID tab.  This is how route-based VPNs are configured for “dynamic routing” in the Microsoft Azure environment.
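The crypto profile and Proxy ID steps above both come down to the two sides agreeing: the algorithms and lifetimes must overlap, and the Proxy IDs must mirror the address ranges Azure holds. The following is an added pre-flight check (example code, not from the original post or from Palo Alto Networks); the Azure-side values it is run against are constructed sample input, not Microsoft's published parameter list, and CryptoProfile, acceptable_proposals, rekey_initiator and proxy_ids_mirror_azure are names chosen here.

```python
# Added example (not from the original post or Palo Alto Networks): a
# pre-flight check that the PAN-OS side of the tunnel lines up with what the
# Azure gateway is configured for. Azure-side values used with it are
# constructed sample input, not Microsoft's published parameter list.
import ipaddress
from dataclasses import dataclass


@dataclass
class CryptoProfile:
    """One IKE (phase 1) or IPsec (phase 2) crypto profile, as lists of the
    algorithms a side will accept, plus the SA lifetime in seconds."""
    encryption: list
    authentication: list
    dh_group: list
    lifetime_sec: int


def acceptable_proposals(pan: CryptoProfile, azure: CryptoProfile):
    """All (encryption, authentication, dh) triples that both sides accept,
    in the order PAN-OS lists them. An empty list means the SA cannot be
    negotiated and the tunnel will stay down."""
    return [
        (enc, auth, dh)
        for enc in pan.encryption
        for auth in pan.authentication
        for dh in pan.dh_group
        if enc in azure.encryption
        and auth in azure.authentication
        and dh in azure.dh_group
    ]


def rekey_initiator(pan: CryptoProfile, azure: CryptoProfile) -> str:
    """The side whose lifetime expires first initiates rekeying. The post sets
    the PAN-OS lifetime longer than Azure's so that Azure renews the keys."""
    return "azure" if azure.lifetime_sec < pan.lifetime_sec else "pan-os"


def proxy_ids_mirror_azure(pan_local, pan_remote, azure_local_site, azure_vnet):
    """Traffic selectors: the PAN-OS local proxy ID must equal the range Azure
    holds for the on-premises 'local network' site, and the PAN-OS remote
    proxy ID must equal the Azure virtual network address space. A mismatch
    here is a common cause of a phase 2 (IPsec) failure."""
    p_local, p_remote, a_local, a_vnet = (
        ipaddress.ip_network(n) for n in (pan_local, pan_remote, azure_local_site, azure_vnet)
    )
    return p_local == a_local and p_remote == a_vnet
```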

Checking the Connection
On the PAN-OS firewall under the IPSec Tunnels menu option, check the UI to ensure that the tunnel you created is up and running. The status columns for the IKE Gateway and the Tunnel Interface should be green if IKEv2 negotiated correctly and the IPSec Phase 2 tunnel was brought up.

You can also filter on the system log for the “vpn” type to see the IKE negotiation messages.  For Microsoft Azure’s VPN connection status, please refer to the Microsoft references stated above.

A general check you can use is:
> show vpn tunnel

TnID Name(Gateway) Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
---- ------------- -------------- -------- ------------ --- -------- ---------

1 comment:

sellakumar said...

I have been following your post for a long time. I always found it very interesting and valuable. Keep posting; it is really helpful.
