Palo Alto PANOS >=7.0 ikev2

Configuring Palo Alto Next Generation Firewall

Version tested: Palo Alto Next Generation Firewall versione 10.2.2

In this section we will refer to the configuration file you obtained from our UCCS Onbording team as “template conf” and will explain how to use its contents for configuring PaloAlto NGFW.

As a reference for this guide, here is the full AWS file: Palo Alto PANOS 7.0+ ikev2.txt

Configure the Network to be used by LAN devices to connect through VPN:

In the Advanced configuration you can can select a Management Profile “Ping only” you create before as follow:

There is also a Mangement-Profile, assigned to MNGT network, that allows you to administer the firewall.

Configure the network Tunnels to be used to connect through VPN:

Since AWS will create 2 different tunnels for high availability reasons, we create a tunnel.1 and tunnel.2 interface to be used.

Looking at the template conf #3: Tunnel Interface Configuration (for both IPSec Tunnel #1 and IPSec Tunnel #2) you can see the ips used inside the tunnels to be configured:

 edit network interface tunnel units tunnel.1
  set ip 169.254.55.246/30
  set mtu 1427
 top

So we configure the tunnel interface accordingly in Network | Interfaces | Tunnel:

and the same for IPSec Tunnel #2:

 edit network interface tunnel units tunnel.2
  set ip 169.254.233.58/30
  set mtu 1427
 top

Configure the IKE Crypto profile

Looking at the template conf #1: Internet Key Exchange (IKE) Configuration

 configure
 edit network ike crypto-profiles ike-crypto-profiles vpn-0c96c3507c5e9b89d-0
  set dh-group group2
  set hash sha1
  set lifetime seconds  28800
  set encryption aes-128-cbc
 top

so let’s create it in Network | Ike Crypto | Add:

Configure the IKE gateways

Looking at the template conf #1: Internet Key Exchange (IKE) Configuration, in “IKEv2 only mode“ section we can find all the needed values:

edit network ike gateway ike-vpn-0c96c3507c5e9b89d-0
set protocol version ikev2
set protocol ikev2 ike-crypto-profile vpn-0c96c3507c5e9b89d-0
set protocol ikev2 dpd enable yes interval 10
set authentication pre-shared-key key <PRESHAREDKEY>
set protocol-common nat-traversal enable yes/no
set protocol ikev2 require-cookie yes/no
set local-address ip 3.125.234.186
set local-address interface ethernet1/1
set peer-address ip 3.74.203.82
top

so let’s create them in Network | Network Profiles | Ike Gateways | Add:

Pay attention to use the correct Local IP Address.

We use our LAN address, while in the AWS file it’s reported the public IP address.

and for the second IKE gateway:

We use the same IKE Crypto Profile since they are the same for both gateways.

Configure the IPSec Crypto

Looking at the template conf #2: IPSec Configuration:

edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-0c96c3507c5e9b89d-1
 set esp authentication sha1
 set esp encryption aes-128-cbc
 set dh-group group2
 set lifetime seconds 3600
top

so let’s create it in Network | Network Profiles | IPSec Crypto | Add:

We use the same IPSec Crypto Profile since they are the same for both IPSec tunnels.

Configure the IPSec Tunnels:

Looking at the template conf #3: Tunnel Interface Configuration

 edit network tunnel ipsec ipsec-tunnel-1
  set auto-key ipsec-crypto-profile ipsec-vpn-0c96c3507c5e9b89d-0
  set auto-key ike-gateway ike-vpn-0c96c3507c5e9b89d-0
  set tunnel-interface tunnel.1
  set anti-replay yes
 top

so let’s create them in Network | IPSec Tunnels | Add:

and

Configure the Virtual router - default

Tunnel interface needs to be associated to a virtual router, we are using default as an example, please adjust accordingly:

Create a monitoring profile “tunnelmonitor”:

Create a monitor to failover traffic between tunnels. 

In Network | Network Profiles | Monitor | Add:

Create a policy based routing

After creating the monitoring profile “tunnelmonitor”, to allow traffic during failover between tunnels, we use policy based routing:

Create PBFs as described in the template conf #4 Static Route Configuration:

edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-0
  set action forward nexthop ip-address 169.254.55.245
  set action forward egress-interface tunnel.1
  set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.55.245
  set source LAN-CIDR source-user any destination VPC-CIDR application any service any
  set from zone trust
  set disabled no
top

And do the same for the configuration in IPSec Tunnel #2 | #4 Static Route Configuration:

 edit rulebase pbf rules pbf-vpn-vpn-0c96c3507c5e9b89d-1
  set action forward nexthop ip-address 169.254.233.57
  set action forward egress-interface tunnel.2
  set action forward monitor profile tunnelmonitor disable-if-unreachable yes ip-address 169.254.233.57
  set source LAN-CIDR source-user any destination VPC-CIDR application any service any
  set from zone trust
  set disabled no
top

Configure Security settings:

To  allow LAN traffic to reach the VPC in AWS and vice versa, we need to create two Security rules as follows (Policies | Security | Add):

and

Testing

Going back to Network | IPSec Tunnels we should be able to see both up and running:

Increase the security in the VPN connection

Now, since AWS side VPN tunnels support better security, we can adjust Palo Alto configuration accordingly. We can use:

• AES256 instead of AES128

• SHA2-256 instead of SHA1

• Diffie-Hellman group >21 (up to 24) instead of DH 2, Palo Alto supports DH21

• IKEv2 whenever possible

Let’s adjust Palo Alto configuration:

IKE Crypto profile

IPSec Crypto profile

Change IKE gateways with the new IKE Crypto profile:

And the IPSec tunnel profiles:

Now the IPSec Tunnels should be up and running with maximum security:

We have done!

For more information and support please contact our UCCS Onboarding Team.