Palo Alto PANOS >=7.0 ikev2

Configuring Palo Alto Next Generation Firewall

Version tested: Palo Alto Next Generation Firewall version 10.2.2

In this section we will refer to the configuration file you obtained from our UCCS Onboarding team as “template conf” and will explain how to use its contents for configuring the Palo Alto NGFW.

As a reference for this guide, here is the full AWS file: Palo Alto PANOS 7.0+ ikev2.txt

Configure the Network to be used by LAN devices to connect through VPN:

[screenshots: Network | Interfaces configuration for the LAN network]

In the Advanced configuration you can select the Management Profile “Ping only” that you created beforehand, as follows:

[screenshot: Advanced tab with the “Ping only” Management Profile selected]

There is also a Management Profile, assigned to the MNGT network, that allows you to administer the firewall.

Configure the network Tunnels to be used to connect through VPN:

[screenshot: Network | Interfaces | Tunnel]

Since AWS creates two different tunnels for high availability, we create two tunnel interfaces, tunnel.1 and tunnel.2.

Looking at the template conf #3: Tunnel Interface Configuration (for both IPSec Tunnel #1 and IPSec Tunnel #2) you can see the IPs used inside the tunnels to be configured:

 edit network interface tunnel units tunnel.1
  set ip 169.254.55.246/30
  set mtu 1427
 top

So we configure the tunnel interface accordingly in Network | Interfaces | Tunnel:

[screenshots: tunnel.1 interface configuration with IP 169.254.55.246/30 and MTU 1427]

and the same for IPSec Tunnel #2:

 edit network interface tunnel units tunnel.2
  set ip 169.254.233.58/30
  set mtu 1427
 top

[screenshots: tunnel.2 interface configuration with IP 169.254.233.58/30 and MTU 1427]

Configure the IKE Crypto profile

Looking at the template conf #1: Internet Key Exchange (IKE) Configuration:

 configure
 edit network ike crypto-profiles ike-crypto-profiles vpn-0c96c3507c5e9b89d-0
  set dh-group group2
  set hash sha1
  set lifetime seconds  28800
  set encryption aes-128-cbc
 top

so let’s create it in Network | Ike Crypto | Add:

[screenshot: IKE Crypto profile with DH group2, SHA1, AES-128-CBC, lifetime 28800 seconds]

Configure the IKE gateways

Looking at the template conf #1: Internet Key Exchange (IKE) Configuration, in the “IKEv2 only mode” section we can find all the needed values:

 edit network ike gateway ike-vpn-0c96c3507c5e9b89d-0
  set protocol version ikev2
  set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-0
  set protocol ikev2 dpd enable yes interval 10
  set authentication pre-shared-key key <PRESHAREDKEY>
  set protocol-common nat-traversal enable yes/no
  set protocol ikev2 require-cookie yes/no
  set local-address ip 3.125.234.186
  set local-address interface ethernet1/1
  set peer-address ip 3.74.203.82
 top

so let’s create them in Network | Network Profiles | Ike Gateways | Add:

[screenshots: first IKE Gateway configuration, General and Advanced Options tabs]

Pay attention to using the correct Local IP Address.

We use our LAN address, while the AWS file reports the public IP address.

[screenshot: Local IP Address field of the IKE Gateway]

and for the second IKE gateway:

[screenshots: second IKE Gateway configuration]

We use the same IKE Crypto Profile for both gateways, since the template values are identical.

Configure the IPSec Crypto

Looking at the template conf #2: IPSec Configuration:

edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-0c96c3507c5e9b89d-1
 set esp authentication sha1
 set esp encryption aes-128-cbc
 set dh-group group2
 set lifetime seconds 3600
top

so let’s create it in Network | Network Profiles | IPSec Crypto | Add:

[screenshots: IPSec Crypto profile with ESP SHA1, AES-128-CBC, DH group2, lifetime 3600 seconds]

We use the same IPSec Crypto Profile for both IPSec tunnels, since the template values are identical (the AWS template names one profile per tunnel, -0 and -1, with the same contents).

Configure the IPSec Tunnels:

Looking at the template conf #3: Tunnel Interface Configuration:

 edit network tunnel ipsec ipsec-tunnel-1
  set auto-key ipsec-crypto-profile ipsec-vpn-0c96c3507c5e9b89d-0
  set auto-key ike-gateway ike-vpn-0c96c3507c5e9b89d-0
  set tunnel-interface tunnel.1
  set anti-replay yes
 top

so let’s create them in Network | IPSec Tunnels | Add:

[screenshots: IPSec Tunnels configuration for tunnel.1 and tunnel.2]

Configure the Virtual router - default

The tunnel interfaces need to be associated with a virtual router; we are using default as an example, please adjust accordingly:

[screenshot: virtual router default with tunnel.1 and tunnel.2 as interfaces]

Create a monitoring profile “tunnelmonitor”:

Create a monitor profile so that traffic fails over between the two tunnels.

In Network | Network Profiles | Monitor | Add:

[screenshots: Monitor profile “tunnelmonitor”]

Create a policy based routing

After creating the monitoring profile “tunnelmonitor”, we use policy based routing (PBF rules in PAN-OS) so that traffic keeps flowing during failover between tunnels:

[screenshot: Policies | Policy Based Forwarding]

Create the PBF rules as described in the template conf #4: Static Route Configuration:

edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-0
  set action forward nexthop ip-address 169.254.55.245
  set action forward egress-interface tunnel.1
  set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.55.245
  set source LAN-CIDR source-user any destination VPC-CIDR application any service any
  set from zone trust
  set disabled no
top

[screenshots: PBF rule for tunnel.1 with next hop 169.254.55.245 and monitor profile “tunnelmonitor”]

And do the same for the configuration in IPSec Tunnel #2 | #4 Static Route Configuration:

 edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-1
  set action forward nexthop ip-address 169.254.233.57
  set action forward egress-interface tunnel.2
  set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.233.57
  set source LAN-CIDR source-user any destination VPC-CIDR application any service any
  set from zone trust
  set disabled no
top

[screenshots: PBF rule for tunnel.2 with next hop 169.254.233.57 and monitor profile “tunnelmonitor”]

Configure Security settings:

To allow LAN traffic to reach the VPC in AWS and vice versa, we need to create two Security rules as follows (Policies | Security | Add):

[screenshots: the two Security rules, LAN to VPC and VPC to LAN]

Testing

Going back to Network | IPSec Tunnels, we should see both tunnels up and running:

[screenshot: Network | IPSec Tunnels with both tunnels up]

Increase the security in the VPN connection

Now, since the AWS side of the VPN tunnels supports stronger algorithms, we can adjust the Palo Alto configuration accordingly. We can use:

  • AES256 instead of AES128

  • SHA2-256 instead of SHA1

  • Diffie-Hellman group 21 or above (AWS supports up to 24) instead of DH group 2; Palo Alto supports DH group 21

  • IKEv2 whenever possible
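As an added example (not part of the original page or of the AWS template), the following Python script parses edit/set/top blocks like the ones quoted from the template conf above and reports, for each IKE and IPSec crypto profile, which values the bullets above would replace, then prints the profiles again with the stronger values. The PAN-OS CLI tokens for the stronger algorithms (aes-256-cbc, sha256, group21) are assumed, so check them against your PAN-OS version before committing.

```python
# Constructed sample input: the two crypto-profile blocks as the template conf shows them.
TEMPLATE = """configure
edit network ike crypto-profiles ike-crypto-profiles vpn-0c96c3507c5e9b89d-0
 set dh-group group2
 set hash sha1
 set lifetime seconds  28800
 set encryption aes-128-cbc
top
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-0c96c3507c5e9b89d-1
 set esp authentication sha1
 set esp encryption aes-128-cbc
 set dh-group group2
 set lifetime seconds 3600
top
"""

# Weak value -> stronger value, following the hardening bullets. The PAN-OS CLI tokens
# for the stronger algorithms (aes-256-cbc, sha256, group21) are assumed here.
UPGRADES = {"aes-128-cbc": "aes-256-cbc", "sha1": "sha256", "group2": "group21"}


def parse_blocks(text):
    """Return {edit path: {setting key: value}} for every edit ... top block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:]
            blocks[current] = {}
        elif line == "top":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split()  # last token is the value, the rest is the key
            blocks[current][" ".join(parts[1:-1])] = parts[-1]
    return blocks


def audit(blocks):
    """List (profile name, key, weak value, stronger value) for each weak setting."""
    return [(path.split()[-1], key, value, UPGRADES[value])
            for path, settings in blocks.items()
            for key, value in settings.items() if value in UPGRADES]


def hardened_commands(blocks):
    """Rebuild each profile as PAN-OS set commands with the stronger values applied."""
    cmds = []
    for path, settings in blocks.items():
        cmds.append(f"edit {path}")
        cmds += [f" set {key} {UPGRADES.get(value, value)}" for key, value in settings.items()]
        cmds.append("top")
    return cmds
```

Run `audit(parse_blocks(TEMPLATE))` to list the six weak settings and `hardened_commands(...)` to get the replacement commands; lifetimes are left untouched.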

Let’s adjust Palo Alto configuration:

IKE Crypto profile

[screenshots: IKE Crypto profile updated with AES256, SHA2-256 and DH group 21]

IPSec Crypto profile

[screenshots: IPSec Crypto profile updated with AES256, SHA2-256 and DH group 21]

Change IKE gateways with the new IKE Crypto profile:

[screenshot: IKE Gateways referencing the new IKE Crypto profile]

And the IPSec tunnel profiles:

[screenshot: IPSec Tunnels referencing the new IPSec Crypto profile]

Now the IPSec Tunnels should be up and running with the stronger settings:

[screenshot: Network | IPSec Tunnels with both tunnels up after the change]

We are done!

For more information and support please contact our UCCS Onboarding Team.
