How to configure PAN to Azure VPN tunnel

I'm sure I'm not the first one to do this, but since I wasn't able to find a document on how exactly to do it, I figured I'd contribute one. I'd appreciate any corrections or optimizations.

The Azure side documentation is pretty clear online and honestly there aren't many options available to configure. But here is my Azure address space for clarification.

PAN-AZU-Config.PNG

And my defined local networks, with a gateway address of my PAN VPN endpoint.

PAN-AZU-Config2.PNG

Next I configured the Tunnel interface, which is pretty vanilla, just have to assign an IP on the same subnet as the Azure Gateway Subnet (I used the last usable IP on the subnet), select a virtual router and the appropriate security zone (the zone I selected is the same as the one my other servers are on, so I don't need new policies).

PAN-AZU-Tunnel.5.PNG

The settings of my default IKE Crypto profile were the same as for Azure, but here they are just in case.

PAN-AZU-IKE-Crypto.PNG

I had to create a new IPSec Crypto Profile for Azure due to the 3600 lifetime instead of the lifetime on my other tunnels (you can modify the default if this is your only tunnel or if your other tunnels use the same settings).

PAN-AZU-IPSecCrypto.PNG

Create an IKE Gateway, selecting the external interface of your PAN and the IP of that interface for "Local IP Address" (this will match the VPN Gateway Address configured on the Local Address in Azure that you're tunneling to). The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of the same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual Network Dashboard of the Azure Network, then copy and paste it.

PAN-AZU-IKE-Gateway.PNG

Now create a new IPSec Tunnel with the newly created Tunnel Interface, IKE Gateway and IPsec Crypto Profile.

PAN-AZU-IPSecTunnel.PNG

Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets (Local should match the defined "Local Networks" you configured in Azure with the appropriate gateway address of your PAN IPSec tunnel endpoint, and remote should match the configured Azure address space).

PAN-AZU-ProxyIDs.PNG

Finally, create a route to direct traffic via the tunnel interface to the Azure Virtual Network.

PAN-AZU-route.PNG

At this point a ping to the Azure Virtual Network should bring the tunnel up; if not, check the System log to troubleshoot (at this time no ping responses are received, but other traffic is working, need to figure that one out).

PAN-AZU-UP-UP.PNG
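The matching requirements listed in the post (IKE addresses, tunnel IP inside the gateway subnet, the 3600 lifetime, proxy IDs and the tunnel route) can be checked before bringing the tunnel up. This is an added example, not part of the original post; the dictionary keys, the function name `check_tunnel` and all sample addresses are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample values (documentation and private ranges), not from the post.
AZURE = {
    "gateway_ip": "198.51.100.20",           # Azure gateway IP shown on the dashboard
    "address_space": ["10.1.0.0/16"],
    "gateway_subnet": "10.1.255.0/29",
    "local_networks": ["192.168.10.0/24"],   # on-prem ranges defined in Azure
    "local_vpn_gateway": "203.0.113.10",     # PAN endpoint as entered in Azure
    "ipsec_lifetime": 3600,                  # value from the post; unit not stated there
}
PAN = {
    "ike_local_ip": "203.0.113.10", "ike_local_id": "203.0.113.10",
    "ike_peer_ip": "198.51.100.20",
    "tunnel_ip": "10.1.255.6",               # last usable IP of the gateway subnet
    "ipsec_lifetime": 3600,
    "proxy_ids": [("192.168.10.0/24", "10.1.0.0/16")],  # (local, remote)
    "tunnel_routes": ["10.1.0.0/16"],        # static routes via the tunnel interface
}

def check_tunnel(pan, azure):
    """Return a list of mismatches between the two sides (empty = consistent)."""
    problems = []
    space = [ip.ip_network(n) for n in azure["address_space"]]
    local = [ip.ip_network(n) for n in azure["local_networks"]]
    if pan["ike_local_ip"] != azure["local_vpn_gateway"]:
        problems.append("IKE local IP differs from the gateway address set in Azure")
    if pan["ike_local_id"] != pan["ike_local_ip"]:
        problems.append("IKE local identification differs from the local IP")
    if pan["ike_peer_ip"] != azure["gateway_ip"]:
        problems.append("IKE peer IP is not the Azure gateway IP")
    if ip.ip_address(pan["tunnel_ip"]) not in ip.ip_network(azure["gateway_subnet"]):
        problems.append("tunnel interface IP is outside the Azure gateway subnet")
    if pan["ipsec_lifetime"] != azure["ipsec_lifetime"]:
        problems.append("IPSec lifetime mismatch")
    for loc, rem in pan["proxy_ids"]:
        if ip.ip_network(loc) not in local:
            problems.append(f"proxy ID local {loc} is not an Azure local network")
        if ip.ip_network(rem) not in space:
            problems.append(f"proxy ID remote {rem} is not in the Azure address space")
    for net in space:
        if not any(net.subnet_of(ip.ip_network(r)) for r in pan["tunnel_routes"]):
            problems.append(f"no tunnel route covers {net}")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(PAN, AZURE) or ["consistent"]:
        print(line)
```

The pre-shared key is deliberately left out of the compared data so it never lands in a script or its output.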
