How to configure PAN to Azure VPN tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to configure PAN to Azure VPN tunnel

Not applicable

I'm sure I'm not the first one to do this, but since I wasn't able to find a document on how exactly to do it, I figured I'd contribute one. I'd appreciate any corrections or optimizations.

The Azure side documentation is pretty clear online and honestly there aren't many options available to configure. But here are is my Azure address space for clarification.

PAN-AZU-Config.PNG

And my defined local networks, with a gateway address of my PAN VPN endpoint.

PAN-AZU-Config2.PNG

Next I configured the Tunnel interface, which is pretty vanilla, just have to assign an IP on the same subnet as the Azure Gateway Subnet (I used the last usable IP on the subnet), select a virtual router and the appropriate security zone (the zone I selected is the same as the one my other servers are on, so I don't need new policies).

PAN-AZU-Tunnel.5.PNG

The settings of my default IKE Crypto profile were the same as for Azure, but here they are just in case.

PAN-AZU-IKE-Crypto.PNG

I had to create a new IPSec Crypto Profile for Azure due to the 3600 lifetime instead of lifetime on my other tunnels (you can modify the default if this is your only tunnel or if your other tunnels use the same settings).

PAN-AZU-IPSecCrypto.PNG

Create an IKE Gateway selecting the external interface of your PAN and the IP of that interface for "Local IP Address" (this will match the VPN Gateway Address configured on the Local Address in Azure that you're tunneling to). The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of the same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual network Dashboard of the Azure Network, then copy and paste it

PAN-AZU-IKE-Gateway.PNG

Now create a new IPSec Tunnel with the newly created Tunnel Interface, IKE Gateway and IPsec Crypto Profile.

PAN-AZU-IPSecTunnel.PNG

Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets (Local should matched the defined "Local Networks" you configured in Azure with the appropriate gateway address of your PAN IPSec tunnel endpoint and remote should match the configured Azure address space).

PAN-AZU-ProxyIDs.PNG

Finally create a route to direct traffic via the tunnel interface to the Auzre Virtual Network.

PAN-AZU-route.PNG

At this point a ping to the Azure Virtual Network should bring the tunnel up, if not, check the System log to troubleshoot (at this time no ping responses are received, but other traffic is working, need to figure that one out).

PAN-AZU-UP-UP.PNG

8 REPLIES 8

L6 Presenter

very good document.Thanks.

Hopefully some paloalto-person can make a DOCS version of above 🙂

L0 Member

Thanks for taking the time to document and share your solution.

L5 Sessionator

Hi,

Thx for your time and your shared. Great Job

V.

L0 Member

Hi,

Thanks for the doc. Just an addition, when you setup the gateway on the Azure side you need to make sure you chose the "static routing" option. With "dynamic routing" selected Azure will default to using IKE v2 which the PA does not appear to understand and hence will not complete Phase 1 negotiation (Notify Message Type: NO-PROPOSAL-CHOSEN (14)).

M

L1 Bithead

I have seen an incident where the only change to make VPN stable is we disabled Dead Peer Detection, which is not supported per Microsoft's doc and not found in Azure ASA template configuration.

http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx

For the Phase 2 Security Association (SA) Lifetime (Throughput), Azure uses 102,400,000 KB. However we are not able to use this value on PA. I think this is not significant. However, I can have this field blank in my lab. My PANOS version is 6.0.6.

Just adding the official PA document for Azure VPN to the thread.

How to Configure VPN Tunnel Between a Palo Alto Networks Firewall and Azure

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L1 Bithead

I'm not sure if this document has been updated, I thought it might be useful for people to know that PAN OS prior to 7.0 only use IKEv1 and do not support the Windows Azure Dynamic Routing, Static Routing is required when using IKEv1 with PAN OS prior to v7.0

  • 9233 Views
  • 8 replies
  • 4 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!