topic Re: IPSec tunnel between PA-220 and VM300 in Azure in General Topics

IPSec tunnel between PA-220 and VM300 in Azure

anthony.goethals — Fri, 08 Jun 2018 19:59:06 GMT

Trying to build a IPSec tunnel between a lab PA220 and a VM300 we have in operation in an Azure environment. I think I've got all the necessary ingredients covered, and I've checked all the "How To" docs I can find, but still no luck.

Are there any gotchas related to this kind of setup that I should know about as I proceed? Any advice would be helpful.

Re: IPSec tunnel between PA-220 and VM300 in Azure

OtakarKlier — Fri, 08 Jun 2018 20:21:27 GMT

Hello,

What are you seeing in the logs, traffic and system? The system logs show the VPN connections. Also not sure about Azure, but Google and AWS have load balancers in front of the hosted VM's, may want to double check and see if those ACL's are open?

Regards,

Re: IPSec tunnel between PA-220 and VM300 in Azure

Raido_Rattameister — Fri, 08 Jun 2018 20:28:51 GMT

If no interesting traffic then tunnel is down.

You can initiate tunnel on one side with command:

> test vpn ipsec-sa tunnel <tunnel-name>

And check logs at other side.

Re: IPSec tunnel between PA-220 and VM300 in Azure

hfregoso — Sat, 09 Jun 2018 08:02:07 GMT

Whats the stae of your phase 1 ?

Is the issue with phase 2?

One recommendation is to use proxy ids with Azure, I know proxy ids ar eonly for cisco devices but this is one exception to the rule.

I wish I could help more but having more details would come in handy.

Re: IPSec tunnel between PA-220 and VM300 in Azure

anthony.goethals — Sat, 09 Jun 2018 13:03:28 GMT

@OtakarKlier wrote:
Hello,
What are you seeing in the logs, traffic and system? The system logs show the VPN connections. Also not sure about Azure, but Google and AWS have load balancers in front of the hosted VM's, may want to double check and see if those ACL's are open?

Regards,

From the PA220 I can test the vpn and I see it initiate but I can't find anything in the VM300 logs indicating failed connection attempts. We might not have a policy setup yet to show the connection attempts. Our Azure fabric is in production and used for a great many other things at this time --- not just for the Palo.

I did make sure in the Azure fabric to allow ipsec connectiivty through the public facing interface with a inbound port rule, but not sure if I did enough to allow connectivity. I've approached this mostly as a Palo-to-Palo tunnel peer connection setup, so not sure if I've done my homework on the Azure side.

Re: IPSec tunnel between PA-220 and VM300 in Azure

anthony.goethals — Sat, 09 Jun 2018 13:27:13 GMT

@hfregoso wrote:
Whats the stae of your phase 1 ?
Is the issue with phase 2?

One recommendation is to use proxy ids with Azure, I know proxy ids ar eonly for cisco devices but this is one exception to the rule.

I have cli access from the PA220 so I've been running the initial vpn test from there, but I don't have CLI access from the cloud side, yet, so I have not initiated anything from that side, yet. The system logs on either side don't show me anything related to the VPN, so that might be my problem.

The proxy IDs is something I have not tried yet, and I was just reading about that yesterday. I will give that a try.

I mostly wanted to make sure that, with the VM300 in the Azure cloud, I was treating this setup properly and not overlooking some issue related to the particular environment. The PA220 is coming off a working cable modem connection we use for lab setups, and as far as I know, if I allow access through the public facing interface on the Azure side, there's nothing else I have to do in Azure spcifically.

Other than that, on both sides I have the ethernet interfaces with static IP addresses added to virtual routers that allow public facing access, as well as their own security zones. The IPsec tunnels are also in the same securty zones, and both tunnels are in 192.168.100.x/24 subnets with .1 as the IP on one side and .10 as the IP on the other. The peer addresses are correct on each side of the tunnel, and the IKE Gateways have the correct local and peer addresses. I'm using the default IKE Crypto and IPSec crypto on both sides.

The one thing I want to try is the proxy IP addressing, so I'll give that a try, but wanted to make sure I wasn't overlooking something special. Thanks in advance for the advice.

Re: IPSec tunnel between PA-220 and VM300 in Azure

JimMcGrady — Fri, 05 Mar 2021 02:27:05 GMT

Networking in Azure is very abstract. When setting up a Palo Alto gateway in Azure as a VPN gateway, did you need to use NAT traversal? The PA only sees its private IP as Azure handles the public. Please let us know if you get it working.