https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/588192#M2183 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1261564789">@iamroott</a>&nbsp;,</P> <P>&nbsp;</P> <P>Could you share the system logs for the tunnel?&nbsp;</P> Wed, 29 May 2024 02:52:01 GMT JayGolf 2024-05-29T02:52:01Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/582852#M2139 <P>Hello,</P> <P>I am running into an issue. I have 1 Azure subscription with multiple regions (US , Europe etc). I have a Palo Alto Virtual Appliance in front of each region. Which filters all traffic going to and from the regions. I have successfully built tunnels with no issues to my on premise Palo Altos, but can't seem to figure out why I can't build the tunnels from one VM in the US region to another VM in the Europe region.</P> <P>&nbsp;</P> <P>Anytime I try to initiate the tunnels, the SA fails due to timeout.&nbsp;</P> <P>&nbsp;</P> <P>Now I tried to use UDRs to make sure that it wasn't taking any Azure backend routing. Tried ikev2/ikev1, auto/manual/aggressive modes, security policies, anything I could think of trying.</P> <P>&nbsp;</P> <P>Has anyone successfully built IPSEC Tunnels from one PA VM to another PA VM within the same tenant?</P> <P>&nbsp;</P> <P>Thanks.</P> Sat, 06 Apr 2024 18:09:45 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/582852#M2139 iamroott 2024-04-06T18:09:45Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/587919#M2182 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1261564789">@iamroott</a>&nbsp;wrote:<BR /> <P>Hello,</P> <P>I am running into an issue. I have 1 Azure subscription with multiple regions (US , Europe etc). I have a Palo Alto Virtual Appliance in front of each region. Which filters all traffic going to and from the regions. I have successfully built tunnels with no issues to my on premise Palo Altos, but can't seem to figure out why I can't build the tunnels from one VM in the US region to another VM in the Europe region.</P> <P>&nbsp;</P> <P>Anytime I try to initiate the tunnels, the SA fails due to timeout.&nbsp;</P> <P>&nbsp;</P> <P>Now I tried to use UDRs to make sure that it wasn't taking any Azure backend routing. Tried ikev2/ikev1, auto/manual/aggressive modes, security policies, anything I could think of trying.</P> <P>&nbsp;</P> <P>Has anyone successfully built IPSEC Tunnels from one PA VM to another PA VM within the same tenant?</P> <P>&nbsp;</P> <P>Thanks.</P> <HR /></BLOCKQUOTE> <P>Hello,</P> <P>&nbsp;</P> <P>Certainly! Building IPsec tunnels between Palo Alto Networks VM-Series firewalls within the same Azure tenant is a common requirement for creating secure communication channels. Let’s address this issue step by step:</P> <P>&nbsp;</P> <P>IKEv2 for Dynamic Routing:<BR />Microsoft Azure requires IKEv2 for dynamic routing (also known as route-based VPN). IKEv1 is restricted to static routing only. Ensure that you’re using IKEv2 for your VPN configuration.<BR />Verify that your Palo Alto Networks firewall is running PAN-OS 7.1.4 or a newer version, as these fully support the necessary route-based VPN and crypto profiles for connecting to Azure’s dynamic VPN architecture.</P> <P><BR />Configuration Steps:</P> <P><BR />Azure Configuration:</P> <P>Deploy an Azure Virtual Network Gateway (if not already created).<BR />Define IP address ranges for each local network site that you’ll be connecting to Azure. These ranges are essential for dynamic routing.<BR />Refer to Microsoft’s documentation for detailed instructions on setting up the VPN gateway in the Azure environment.</P> <P><BR />Palo Alto Networks Firewall Configuration:</P> <P><BR />Tunnel Interface:<BR />Inside the Palo Alto Networks WebGUI, navigate to Network &gt; Interfaces &gt; Tunnel.<BR />Add a new tunnel interface.<BR />Select a virtual router and an appropriate security zone.<BR />Optionally, assign an IP address on the same subnet as the Azure Gateway for dynamic routing and/or tunnel monitoring within the IPv4 tab.</P> <P><BR />IKE Gateway:<BR />Add an IKE Gateway in Network &gt; Network Profiles &gt; IKE Gateway.<BR />Configure the IKEv2 parameters based on Microsoft Azure’s supported crypto parameters.</P> <P><BR />IPSec Crypto Profile:<BR />Create an IPSec Crypto Profile with the necessary parameters (encryption, authentication, and DH group) that align with Azure’s requirements.</P> <P><BR />Security Policies:<BR />Define security policies to allow traffic between the VMs in different regions.</P> <P><BR />Monitor and Troubleshoot:<BR />Monitor the tunnel status and logs to identify any issues.<BR />Check if there are any specific error messages related to the SA timeout.<BR />Consider packet captures or debug logs to diagnose further.</P> <P><BR />Common Pitfalls:<BR />Ensure that the public IP addresses used in your configuration are correct.<BR />Verify that the security policies allow traffic between the VMs.<BR />Double-check the IKE and IPSec parameters (encryption, authentication, DH group) to match Azure’s requirements.<BR /><BR /></P> <P>I hope the information may helps you.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 25 May 2024 05:18:17 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/587919#M2182 Dennisleon 2024-05-25T05:18:17Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/588192#M2183 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1261564789">@iamroott</a>&nbsp;,</P> <P>&nbsp;</P> <P>Could you share the system logs for the tunnel?&nbsp;</P> Wed, 29 May 2024 02:52:01 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-palo-vm-ipsec-tunnel-to-another-azure-palo-vm/m-p/588192#M2183 JayGolf 2024-05-29T02:52:01Z