Configuring IKEv2 VPN for Microsoft Azure Environment
Microsoft Azure requires IKEv2 for dynamic routing, also known as route-based VPN. IKEv1 is restricted to static routing only. For more information on Microsoft Azure VPN requirements and supported crypto parameters for both IKEv1 and IKEv2, reference:
Microsoft’s Dynamic Routing only requires you to have IP address ranges for each of the local network sites that you’ll be connecting to Azure. It is a route-based VPN connection that uses IP address ranges defined on both gateways and IKEv2 to automatically negotiate the supported routing prefixes. This is known as “traffic selector negotiation” under the IKEv2 RFC and PAN-OS uses Proxy IDs to configure the IP address ranges.
For an example of how to create a multi-site topology, reference:
IKEv2 is supported in PAN-OS 7.0.0 and later, and fully supports the route-based VPN and crypto profiles needed to connect to MS Azure’s dynamic VPN architecture. This document covers the basic configuration on a Palo Alto Networks firewall for that purpose. Configuration of the Microsoft Azure environment is not discussed here; refer to Microsoft’s documentation to set up the VPN gateway in Azure.
Note: Although PAN-OS 7.0.0 supports the methods needed to connect to Azure's VPN, Palo Alto Networks recommends upgrading PAN-OS to 7.1.4 or later before proceeding.
Here’s a step-by-step guide on how to set it up on a Palo Alto Networks firewall.
For this example, the following topology was used to connect a PA-200 running PAN-OS 7.1.4 to a MS Azure VPN Gateway.
For the PAN-OS IKEv2 Crypto Profile, you must select a combination of Microsoft Azure supported crypto parameters as stated in Microsoft’s IPSec Parameters (see first reference link above). Our example used the following IKE, IPSec, and crypto profile parameters. Note: Public IP addresses were changed for the purpose of this example.
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: no-pfs
Note: Set lifetimes longer than the Azure settings to ensure that Azure renews the keys during re-keying. Set the phase 1 (IKE) lifetime to 28800 seconds and the IPSec (phase 2) lifetime to 8400 seconds.
In route-based VPNs, the routing engine of the device(s) determines reachability for the VPN networks as well, just as it does for any other destination.
You can optionally configure “Tunnel Monitor” to ping an IP address on the Microsoft Azure side. You will also need to configure the necessary Proxy IDs (IP address ranges) for the local and remote networks using the Proxy ID tab. This is how route-based VPNs are configured for “dynamic routing” in the Microsoft Azure environment.
On the PAN-OS firewall under the IPSec Tunnels menu option, check the UI to ensure that the tunnel you created is up and running. The status columns for the IKE Gateway and the Tunnel Interface should be green if IKEv2 negotiated correctly and the IPSec Phase 2 tunnel was brought up.
You can also filter on the system log for the “vpn” type to see the IKE negotiation messages. For Microsoft Azure’s VPN connection status, please refer to the Microsoft references stated above.
A general check you can use is:
> show vpn tunnel
TnID Name(Gateway) Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
---- ------------- -------------- -------- ------------ --- -------- ---------
For more commands to help troubleshoot VPN connections, please see: