This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

IPSec tunnel between PA-220 and VM300 in Azure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSec tunnel between PA-220 and VM300 in Azure

anthony.goethals
L1 Bithead

‎06-08-2018 12:59 PM

Trying to build a IPSec tunnel between a lab PA220 and a VM300 we have in operation in an Azure environment.  I think I've got all the necessary ingredients covered, and I've checked all the "How To" docs I can find, but still no luck.

 

Are there any gotchas related to this kind of setup that I should know about as I proceed?  Any advice would be helpful.

 

0 Likes Likes
7 REPLIES 7

OtakarKlier
Cyber Elite
Cyber Elite

‎06-08-2018 01:21 PM

Hello,

What are you seeing in the logs, traffic and system? The system logs show the VPN connections. Also not sure about Azure, but Google and AWS have load balancers in front of the hosted VM's, may want to double check and see if those ACL's are open?

 

Regards,

0 Likes Likes

Raido_Rattameister
L7 Applicator
In response to OtakarKlier

‎06-08-2018 01:28 PM

If no interesting traffic then tunnel is down.

You can initiate tunnel on one side with command:

> test vpn ipsec-sa tunnel <tunnel-name>

 

And check logs at other side.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI
0 Likes Likes

hfregoso
L1 Bithead

‎06-09-2018 01:02 AM

Whats the stae of your phase 1 ?

Is the issue with phase 2?

 

One recommendation is to use proxy ids with Azure, I know proxy ids ar eonly for cisco devices but this is one exception to the rule. 

 

I wish I could help more but having more details would come in handy. 

0 Likes Likes

anthony.goethals
L1 Bithead
In response to OtakarKlier

‎06-09-2018 06:03 AM

@OtakarKlier wrote:

Hello,

What are you seeing in the logs, traffic and system? The system logs show the VPN connections. Also not sure about Azure, but Google and AWS have load balancers in front of the hosted VM's, may want to double check and see if those ACL's are open?

 

Regards,

 

From the PA220 I can test the vpn and I see it initiate but I can't find anything in the VM300 logs indicating failed connection attempts.  We might not have a policy setup yet to show the connection attempts.  Our Azure fabric is in production and used for a great many other things at this time --- not just for the Palo.

 

I did make sure in the Azure fabric to allow ipsec connectiivty through the public facing interface with a inbound port rule, but not sure if I did enough to allow connectivity.  I've approached this mostly as a Palo-to-Palo tunnel peer connection setup, so not sure if I've done my homework on the Azure side.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks