! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID                  : vpn-0c96c3507c5e9b89d
! Your Virtual Private Gateway ID         : vgw-06a2cb28979bd6fec
! Your Customer Gateway ID                : cgw-07c5b37a554012b60
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T.
! If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
configure
edit network ike crypto-profiles ike-crypto-profiles vpn-0c96c3507c5e9b89d-0
set dh-group group2
set hash sha1
set lifetime seconds 28800
set encryption aes-128-cbc
top
!
! With the local-address IP, please append the subnet mask configured on the VPN initiating interface (e.g., /30 on ethernet1/1).
! For example, if you have /30 as the subnet mask, the local-address ip should be 3.125.234.186/30
! PAN-OS has an IKEv2 only mode and an IKEv2 preferred mode.
!
! If using IKEv2 only mode:
edit network ike gateway ike-vpn-0c96c3507c5e9b89d-0
set protocol version ikev2
set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-0
set protocol ikev2 dpd enable yes interval 10
set authentication pre-shared-key key MOpNMLhxqOJ6xl.3m0D2qnS6VKsuEtFp
set protocol-common nat-traversal enable yes/no
set protocol ikev2 require-cookie yes/no
set local-address ip 3.125.234.186
set local-address interface ethernet1/1
set peer-address ip 3.74.203.82
top
!
! If using IKEv2 preferred mode:
edit network ike gateway ike-vpn-0c96c3507c5e9b89d-0
set protocol version ikev2-preferred
set protocol ikev1 ike-crypto-profile vpn-0c96c3507c5e9b89d-0 exchange-mode main
set protocol ikev1 dpd enable yes interval 10 retry 3
set authentication pre-shared-key key MOpNMLhxqOJ6xl.3m0D2qnS6VKsuEtFp
set protocol-common fragmentation enable yes/no
set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-0
set protocol ikev2 dpd enable yes interval 10
set protocol ikev2 require-cookie yes/no
set protocol-common nat-traversal enable yes/no
set local-address ip 3.125.234.186
set local-address interface ethernet1/1
set peer-address ip 3.74.203.82
top
!
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-0c96c3507c5e9b89d-0
set esp authentication sha1
set esp encryption aes-128-cbc
set dh-group group2
set lifetime seconds 3600
top
!
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
edit network interface tunnel units tunnel.1
set ip 169.254.55.246/30
set mtu 1427
top
!
! The tunnel interface needs to be associated with a zone. We are using the untrust zone as an example; please adjust accordingly.
!
set zone untrust network layer3 tunnel.1
!
! The tunnel interface needs to be associated with a virtual router. We are using default as an example; please adjust accordingly.
!
set network virtual-router default interface tunnel.1
edit network tunnel ipsec ipsec-tunnel-1
set auto-key ipsec-crypto-profile ipsec-vpn-0c96c3507c5e9b89d-0
set auto-key ike-gateway ike-vpn-0c96c3507c5e9b89d-0
set tunnel-interface tunnel.1
set anti-replay yes
top
!
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
!
! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to fail over the traffic to the second tunnel. This is done by creating a tunnel monitor
! profile on the Palo Alto Networks device. This profile pings the other end of the tunnel and checks if the tunnel is up.
! If the ping fails, it will remove the policy-based static route from the routing table, and the second route in the table will
! become active.
! You need to set the interval and threshold as part of the profile. Interval is the number of seconds
! between pings. Threshold is the number of consecutive lost pings. Using the respective values of 2 and 5, your tunnel
! will fail over in 10 seconds.
! The following command shows how to set up a profile named 'tunnelmonitor'.
edit network profiles monitor-profile tunnelmonitor
set interval 2 threshold 5 action fail-over
top
!
! LAN-CIDR is an object which contains your local LAN IP addresses.
! VPC-CIDR is an object which contains your VPC CIDR addresses.
! If your VPC-CIDR is 10.0.0.0/16, you can configure an object using the following:
!
! set address VPC-CIDR ip-netmask 10.0.0.0/16
! set address LAN-CIDR ip-netmask 192.168.0.0/16
!
! To allow for failover between tunnels, we use policy based routing. We bind the tunnelmonitor profile
! to this policy. When the tunnelmonitor reaches its threshold, the policy is removed, and the backup
! policy becomes active. Please adjust the from zone/interface accordingly.
edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-0
set action forward nexthop ip-address 169.254.55.245
set action forward egress-interface tunnel.1
set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.55.245
set source LAN-CIDR source-user any destination VPC-CIDR application any service any
set from zone trust
set disabled no
top
! Please note that with the above PBF based static route configuration, you can't ping
! (by specifying a source) from the CGW via the VPN tunnel, and you would need a LAN side
! resource to test VPN connectivity.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T.
! If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
configure
edit network ike crypto-profiles ike-crypto-profiles vpn-0c96c3507c5e9b89d-1
set dh-group group2
set hash sha1
set lifetime seconds 28800
set encryption aes-128-cbc
top
!
! With the local-address IP, please append the subnet mask configured on the VPN initiating interface (e.g., /30 on ethernet1/1).
! For example, if you have /30 as the subnet mask, the local-address ip should be 3.125.234.186/30
! PAN-OS has an IKEv2 only mode and an IKEv2 preferred mode.
!
! If using IKEv2 only mode:
edit network ike gateway ike-vpn-0c96c3507c5e9b89d-1
set protocol version ikev2
set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-1
set protocol ikev2 dpd enable yes interval 10
set authentication pre-shared-key key RHKO3R0AEevOo5k8pgx8W16TrAxEko9p
set protocol-common nat-traversal enable yes/no
set protocol ikev2 require-cookie yes/no
set local-address ip 3.125.234.186
set local-address interface ethernet1/1
set peer-address ip 3.123.217.71
top
!
! If using IKEv2 preferred mode:
edit network ike gateway ike-vpn-0c96c3507c5e9b89d-1
set protocol version ikev2-preferred
set protocol ikev1 ike-crypto-profile vpn-0c96c3507c5e9b89d-1 exchange-mode main
set protocol ikev1 dpd enable yes interval 10 retry 3
set authentication pre-shared-key key RHKO3R0AEevOo5k8pgx8W16TrAxEko9p
set protocol-common fragmentation enable yes/no
set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-1
set protocol ikev2 dpd enable yes interval 10
set protocol ikev2 require-cookie yes/no
set protocol-common nat-traversal enable yes/no
set local-address ip 3.125.234.186
set local-address interface ethernet1/1
set peer-address ip 3.123.217.71
top
!
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-0c96c3507c5e9b89d-1
set esp authentication sha1
set esp encryption aes-128-cbc
set dh-group group2
set lifetime seconds 3600
top
!
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
edit network interface tunnel units tunnel.2
set ip 169.254.233.58/30
set mtu 1427
top
!
! The tunnel interface needs to be associated with a zone. We are using the untrust zone as an example; please adjust accordingly.
!
set zone untrust network layer3 tunnel.2
!
! The tunnel interface needs to be associated with a virtual router. We are using default as an example; please adjust accordingly.
!
set network virtual-router default interface tunnel.2
edit network tunnel ipsec ipsec-tunnel-2
set auto-key ipsec-crypto-profile ipsec-vpn-0c96c3507c5e9b89d-1
set auto-key ike-gateway ike-vpn-0c96c3507c5e9b89d-1
set tunnel-interface tunnel.2
set anti-replay yes
top
!
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
!
! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to fail over the traffic to the second tunnel. This is done by creating a tunnel monitor
! profile on the Palo Alto Networks device. This profile pings the other end of the tunnel and checks if the tunnel is up.
! If the ping fails, it will remove the policy-based static route from the routing table, and the second route in the table will
! become active.
! You need to set the interval and threshold as part of the profile. Interval is the number of seconds
! between pings. Threshold is the number of consecutive lost pings. Using the respective values of 2 and 5, your tunnel
! will fail over in 10 seconds.
! The following command shows how to set up a profile named 'tunnelmonitor'.
edit network profiles monitor-profile tunnelmonitor
set interval 2 threshold 5 action fail-over
top
!
! LAN-CIDR is an object which contains your local LAN IP addresses.
! VPC-CIDR is an object which contains your VPC CIDR addresses.
! If your VPC-CIDR is 10.0.0.0/16, you can configure an object using the following:
!
! set address VPC-CIDR ip-netmask 10.0.0.0/16
! set address LAN-CIDR ip-netmask 192.168.0.0/16
!
! To allow for failover between tunnels, we use policy based routing. We bind the tunnelmonitor profile
! to this policy. When the tunnelmonitor reaches its threshold, the policy is removed, and the backup
! policy becomes active. Please adjust the from zone/interface accordingly.
edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-1
set action forward nexthop ip-address 169.254.233.57
set action forward egress-interface tunnel.2
set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.233.57
set source LAN-CIDR source-user any destination VPC-CIDR application any service any
set from zone trust
set disabled no
top
!
! Please note that with the above PBF based static route configuration, you can't ping
! (by specifying a source) from the CGW via the VPN tunnel, and you would need a LAN side
! resource to test VPN connectivity.
!
! If the tunnel and LAN side network interfaces are in different security zones,
! we need to configure a NAT exemption and put it at the top, so that the actual source IPs
! show up on the VPC side for proper routing back via the tunnel. The following assumes the
! LAN side zone is "trust" and the tunnel interface is part of the "untrust" zone;
! please change accordingly:
!
edit rulebase nat
set rules No_NAT_LAN_VPC to untrust
set rules No_NAT_LAN_VPC from trust
set rules No_NAT_LAN_VPC source LAN-CIDR
set rules No_NAT_LAN_VPC destination VPC-CIDR
set rules No_NAT_LAN_VPC service any
set rules No_NAT_LAN_VPC disabled no
top
move rulebase nat rules No_NAT_LAN_VPC top
!
! *** NOTE *** :
! If the tunnel and LAN side network interfaces are in different security zones,
! we need to configure a firewall policy to allow inter-zone communication as well.
! You can use the VPC-CIDR/LAN-CIDR address objects to create the firewall policy as well.
!
! Please also note that you will need to commit the configuration using the "commit" command.
!
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
!   http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
!   http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
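The IKE and IPsec crypto profiles in both tunnel sections are generated at the sample minimum (AES128, SHA1, DH Group 2), and the notes say to raise them to AES256, SHA256 and DH Group 14 or higher where the category "VPN" connection allows it. The following Python script is an added example, not part of the AWS-generated file and not a PAN-OS tool: it parses set-command blocks in the shape used above (`edit network ike crypto-profiles ike-crypto-profiles ...` / `ipsec-crypto-profiles ...`, `set ...`, `top`) and reports which profiles still carry the sample-minimum values, so a reviewer can check a customer gateway configuration before it is committed. The configuration embedded in it is constructed for the example; the profile names `vpn-EXAMPLE-0` and `ipsec-vpn-EXAMPLE-1` are placeholders, not identifiers from this connection.

```python
"""Audit PAN-OS crypto profiles (AWS VPN sample layout) for sample-minimum values."""
import re

# Constructed sample configuration for this example (not from the AWS file).
# The IKE profile is left at the sample minimum; the IPsec profile has already
# been raised to the stronger parameters the sample notes mention.
SAMPLE_CONFIG = """
configure
edit network ike crypto-profiles ike-crypto-profiles vpn-EXAMPLE-0
set dh-group group2
set hash sha1
set lifetime seconds 28800
set encryption aes-128-cbc
top
!
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-EXAMPLE-1
set esp authentication sha256
set esp encryption aes-256-cbc
set dh-group group14
set lifetime seconds 3600
top
"""

# Sample-minimum value for each parameter, paired with the stronger option the
# AWS notes list as supported for category "VPN" connections.
SAMPLE_MINIMUM = {
    "encryption": ("aes-128-cbc", "aes-256-cbc"),
    "hash": ("sha1", "sha256"),
    "dh-group": ("group2", "group14 or higher"),
}

PROFILE_HEADER = re.compile(
    r"edit network ike crypto-profiles (ike|ipsec)-crypto-profiles (\S+)"
)


def parse_crypto_profiles(text):
    """Return {profile_name: {"kind": "ike"|"ipsec", "encryption", "hash", "dh-group", "lifetime"}}.

    Only the command forms that appear in the AWS sample are recognised:
    'set hash X' / 'set encryption X' for IKE profiles and
    'set esp authentication X' / 'set esp encryption X' for IPsec profiles.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        header = PROFILE_HEADER.match(line)
        if header:
            current = profiles.setdefault(header.group(2), {"kind": header.group(1)})
            continue
        if line == "top":
            current = None  # leave the edit context
            continue
        if current is None:
            continue  # a set command outside a crypto-profile context
        tokens = line.split()
        if tokens[0] != "set":
            continue
        if tokens[1] == "esp":
            # IPsec spelling: 'set esp authentication sha1' / 'set esp encryption aes-128-cbc'
            key = "hash" if tokens[2] == "authentication" else "encryption"
            current[key] = tokens[3]
        elif tokens[1] == "lifetime":
            current["lifetime"] = int(tokens[3])  # 'set lifetime seconds N'
        else:
            current[tokens[1]] = tokens[2]  # 'set dh-group group2', 'set hash sha1', ...
    return profiles


def audit_profile(name, profile):
    """List the parameters of one profile that still sit at the sample minimum."""
    findings = []
    for param, (minimum, stronger) in SAMPLE_MINIMUM.items():
        if profile.get(param) == minimum:
            findings.append(
                f"{name} ({profile['kind']}): {param} {minimum} is the sample minimum; "
                f"{stronger} is supported"
            )
    return findings


def audit_config(text):
    """Map every crypto profile in the configuration to its list of findings."""
    return {name: audit_profile(name, p) for name, p in parse_crypto_profiles(text).items()}


if __name__ == "__main__":
    for profile_name, findings in audit_config(SAMPLE_CONFIG).items():
        print(profile_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the real file, the script would list all four generated profiles (two IKE, two IPsec) as sitting at the minimum; a profile that has been raised, like the constructed IPsec profile above, produces no findings. The lifetime is parsed but not judged, since the sample notes give no alternative value for it.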