https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23339#M17011 <HTML><HEAD></HEAD><BODY><P>I'm not sure if this document has been updated, I thought it might be useful for people to know that PAN OS prior to 7.0 only use IKEv1 and do not support the Windows Azure Dynamic Routing, Static Routing is required when using IKEv1 with PAN OS prior to v7.0</P></BODY></HTML> Thu, 13 Aug 2015 18:54:08 GMT CDIPAN 2015-08-13T18:54:08Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23331#M17003 <HTML><HEAD></HEAD><BODY><P>I'm sure I'm not the first one to do this, but since I wasn't able to find a document on how exactly to do it, I figured I'd contribute one. I'd appreciate any corrections or optimizations.</P><P></P><P>The Azure side documentation is pretty clear online and honestly there aren't many options available to configure. But here are is my Azure address space for clarification.</P><P><IMG __jive_id="5923" alt="PAN-AZU-Config.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5923_PAN-AZU-Config.PNG" width="450" /></P><P>And my defined local networks, with a gateway address of my PAN VPN endpoint.</P><P></P><P><IMG __jive_id="5948" alt="PAN-AZU-Config2.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5948_PAN-AZU-Config2.PNG" width="450" /></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Next I configured the Tunnel interface, which is pretty </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">vanilla</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">, just have to assign an IP on the same subnet as the Azure Gateway Subnet (I used the last usable IP on the subnet), select a virtual router and the appropriate security zone (the zone I selected is the same as the one my other servers are on, so I don't need new policies). </SPAN></P><P><IMG __jive_id="5942" alt="PAN-AZU-Tunnel.5.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5942_PAN-AZU-Tunnel.5.PNG" width="450" /></P><P>The settings of my default IKE Crypto profile were the same as for Azure, but here they are just in case.</P><P><IMG __jive_id="5944" alt="PAN-AZU-IKE-Crypto.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5944_PAN-AZU-IKE-Crypto.PNG" width="450" /></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">I had to create a new IPSec Crypto Profile for Azure due to the 3600 lifetime instead of lifetime on my other tunnels (you can modify the default if this is your only tunnel or if your other tunnels use the same settings). </SPAN></P><P><IMG __jive_id="5943" alt="PAN-AZU-IPSecCrypto.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5943_PAN-AZU-IPSecCrypto.PNG" width="450" /></P><P>Create an IKE Gateway selecting the external interface of your PAN and the IP of that interface for "Local IP Address" (this will match the VPN Gateway Address configured on the Local Address in Azure that you're tunneling to). The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of the same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual network Dashboard of the Azure Network, then copy and paste it</P><P><IMG __jive_id="5949" alt="PAN-AZU-IKE-Gateway.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5949_PAN-AZU-IKE-Gateway.PNG" width="450" /></P><P>Now create a new IPSec Tunnel with the newly created Tunnel Interface, IKE Gateway and IPsec Crypto Profile.</P><P><IMG __jive_id="5945" alt="PAN-AZU-IPSecTunnel.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5945_PAN-AZU-IPSecTunnel.PNG" width="450" /></P><P>Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets (Local should matched the defined "Local Networks" you configured in Azure with the appropriate gateway address of your PAN IPSec tunnel endpoint and remote should match the configured Azure address space).</P><P><IMG __jive_id="5946" alt="PAN-AZU-ProxyIDs.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5946_PAN-AZU-ProxyIDs.PNG" width="450" /></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Finally create a route to direct traffic via the tunnel interface to the Auzre Virtual Network.</SPAN></P><P><IMG __jive_id="5950" alt="PAN-AZU-route.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5950_PAN-AZU-route.PNG" width="450" /></P><P>At this point a ping to the Azure Virtual Network should bring the tunnel up, if not, check the System log to troubleshoot (at this time no ping responses are received, but other traffic is working, need to figure that one out).</P><P><IMG __jive_id="5951" alt="PAN-AZU-UP-UP.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5951_PAN-AZU-UP-UP.PNG" width="450" /></P></BODY></HTML> Mon, 11 Mar 2013 12:56:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23331#M17003 bjdraw 2013-03-11T12:56:30Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23332#M17004 <HTML><HEAD></HEAD><BODY><P>very good document.Thanks.</P></BODY></HTML> Mon, 03 Jun 2013 14:32:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23332#M17004 Retired Member 2013-06-03T14:32:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23333#M17005 <HTML><HEAD></HEAD><BODY><P>Hopefully some paloalto-person can make a DOCS version of above <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 03 Jun 2013 17:56:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23333#M17005 mikand 2013-06-03T17:56:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23334#M17006 <HTML><HEAD></HEAD><BODY><P>Thanks for taking the time to document and share your solution.</P></BODY></HTML> Fri, 05 Jul 2013 18:03:58 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23334#M17006 zp0192g 2013-07-05T18:03:58Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23335#M17007 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thx for your time and your shared. Great Job</P><P></P><P>V.</P></BODY></HTML> Mon, 08 Jul 2013 07:16:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23335#M17007 VinceM 2013-07-08T07:16:47Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23336#M17008 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the doc. Just an addition, when you setup the gateway on the Azure side you need to make sure you chose the "static routing" option. With "dynamic routing" selected Azure will default to using IKE v2 which the PA does not appear to understand and hence will not complete Phase 1 negotiation (Notify Message Type: NO-PROPOSAL-CHOSEN (14)).</P><P></P><P>M</P></BODY></HTML> Mon, 07 Oct 2013 08:46:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23336#M17008 ITNetworksTeam 2013-10-07T08:46:48Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23337#M17009 <HTML><HEAD></HEAD><BODY><P>I have seen an incident where the only change to make VPN stable is we disabled Dead Peer Detection, which is not supported per Microsoft's doc and not found in Azure ASA template configuration.</P><P></P><P><A class="jive-link-external-small" href="http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx</A><SPAN> </SPAN></P><P></P><P>For the Phase 2 Security Association (SA) Lifetime (Throughput), Azure uses 102,400,000 KB. However we are not able to use this value on PA. I think this is not significant. However, I can have this field blank in my lab. My PANOS version is 6.0.6.</P></BODY></HTML> Mon, 05 Jan 2015 06:55:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23337#M17009 terence.lee 2015-01-05T06:55:10Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23338#M17010 <HTML><HEAD></HEAD><BODY><P>Just adding the official PA document for Azure VPN to the thread.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5207">How to Configure VPN Tunnel Between a Palo Alto Networks Firewall and Azure</A></P></BODY></HTML> Mon, 05 Jan 2015 22:48:52 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23338#M17010 pulukas 2015-01-05T22:48:52Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23339#M17011 <HTML><HEAD></HEAD><BODY><P>I'm not sure if this document has been updated, I thought it might be useful for people to know that PAN OS prior to 7.0 only use IKEv1 and do not support the Windows Azure Dynamic Routing, Static Routing is required when using IKEv1 with PAN OS prior to v7.0</P></BODY></HTML> Thu, 13 Aug 2015 18:54:08 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-pan-to-azure-vpn-tunnel/m-p/23339#M17011 CDIPAN 2015-08-13T18:54:08Z