AWS IPSec Tunnel success?

OMatlock · ‎10-23-2018

Hello folks,

I am so close to a successful AWS IPSec tunnel to my on premise (test) PA200 7.1.15.

I've downloaded the configuration file and using it as a guide, IPs, etc.

But I've been using this article to configure. Main difference is I created a specific AWS zone like I do for all my IPSec Tunnels.

http://www.richardyau.com/?p=240

I am able to access my on premise environment from the AWS EC2 instance, but not from on premise to AWS EC2 172.31.24.69.

I can't ping it or connect to the EC2 via RDP. I see the ping tries in traffic log, but nothing shows up in packet trace for the RDP attempts. <UPDATE> Resolved after correcting IPs for PBF and RDP connection from LAN.

AWS has two VPN connections for redundancy. I have both configured and active.

NOTE: My Azure IPSec tunnel works great!

Configured tunnel interfaces according to AWS text document.

Configured tunnel monitor profile.

Configured PBF like referenced in documentation. <Corrected>

Configured Static routes for both VPN connections (different metric).

Created security rules in and out for AWS zone, open.

No additional NAT rules. Just basic outbound internet rule to Untrust. <corrected>

A ping from a VM inside my LAN ages out. Nothing shows up when I try to RDP, including a packet trace, not even a drop file.

jmeurer · ‎11-19-2018

If you are refering to both tunnels going to the same VPG on the same firewall, yes, leave them in the same zone. While they do not support ECMP, they also do not guarantee the same tunnel will be active always. Putting the tunnels in the same zone will overcome IP Spoofing issue that creates.

Huddlebuy · ‎11-19-2018

Thanks for the suggestion

we will try that option as well. Also AWS suggested the below

Entering configuration mode [edit] # set deviceconfig setting tcp asymmetric-path bypass

# set deviceconfig setting session tcp-reject-non-syn no

# commit

We are quite hesitant to enable this gloabally, as this would also apply for non aws traffic. So enabled this via the zone protection profile - strickly for that zone.

jmeurer · ‎11-19-2018

I agree with your hesitation. In general, routing asymmetry is bad for security visilbility. I would not turn off reject no sync on your internet facing interfaces.

Huddlebuy · ‎11-19-2018

thanks Jmeurer. I will try re-try this by moving to the same zone. Do you know or come across any step by step guide to the setting up process between the tunnels between on-prem palo and aws VPC's.

Kind regards

Anu

jmeurer · ‎11-19-2018

I typically recommend to start with this guide.

https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/Transit_VPC_Manual_Bui...

Once you have your Transit Firewalls built, you can terminate the on-prem Firewalls on the Transit Firwalls with VPNs as if they are another spoke. From there you can control policy locally or with Panorama, creating rules based on zones or subnets.

AWS IPSec Tunnel success?

AWS IPSec Tunnel success?

Show your appreciation!