site to site IPsec tunnel between PA and AWS


L2 Linker

Hi members


Has anyone had experience setting up a site-to-site tunnel between AWS and PA?

I have set up the IPsec tunnel on my PA (we did use the parameters as per the AWS downloaded file). The issue is that if I use the server's public IP (actual source) on the AWS end in the proxy ID instead of the private IP, the other end can't access my server. In our environment, the use of private IPs is restricted. The private IP works fine. It appears that on the AWS side the private IP is routable and not the public IP.


How can we resolve it? I understand it's an issue with the AWS-end configuration or setup.


Any guidance please, AWS experts.


L4 Transporter

Hi @R_Sharma


You are correct that routing can be changed for private, but not public, IPs.

It is how AWS works. A public IP is, as the name suggests, "public". It is not "your server's" IP, but is rather an AWS-owned IP address, which is NAT-ted by AWS to the private IP of your server. You cannot control the routing of traffic for public IPs, and traffic will always be sent out to the internet.

Hi @BatD

I didn't understand. I am using the VPN peer, obviously a public IP, but in the ACL, i.e. the proxy ID, I want to use the public IP too, not the private one. How is it set up on the AWS end, do you know?

@R_Sharma You just cannot use the public IP as the proxy-ID; you need to use the private one. This is how AWS works.

Okay! Thank you. Can I know how it's set up on the AWS side such that it restricts the use of it, if you know?

R_sharma - I think AWS VPNs are designed to use a proxy at their end. The remote interesting traffic (AWS side) is the NAT-ed or PAT-ed or proxy device IP. AWS gives the proxy IP as the parameter for interesting traffic on their side. So in the Proxy ID field we never use a public IP; we use the proxy IP (private) only. On the local PA side we will NAT the AWS proxy IP.

Needless to say, local/remote peer IPs will always be public IPs.
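As an added illustration of the rule the replies above describe (not code from the thread or from Palo Alto Networks), here is a small pre-commit sanity check for a Phase 2 proxy-ID pair on an AWS Site-to-Site VPN: the AWS-side selector must be RFC 1918 space inside the VPC CIDR, the IKE peers must not be private, and the two selectors must not overlap. All addresses, the VPC CIDR and the function name are constructed for the example.

```python
import ipaddress

# RFC 1918 space: the only ranges AWS routes from the VPC into a Site-to-Site VPN.
# An instance's Elastic/public IP is an AWS-owned NAT address and is never seen
# inside the VPC, so it can never match a tunnel's remote selector.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_proxy_id(local_sel, remote_sel, vpc_cidr, aws_peer, local_peer):
    """Validate a PAN-OS Phase 2 proxy-ID pair for an AWS VPN (hypothetical helper).

    local_sel / remote_sel: CIDR strings as typed into the PA proxy-ID fields.
    vpc_cidr: the VPC range from the AWS-generated VPN configuration file.
    aws_peer / local_peer: the IKE peer (tunnel endpoint) addresses.
    Returns a list of problem strings; an empty list means the pair is acceptable.
    """
    problems = []
    local = ipaddress.ip_network(local_sel, strict=False)
    remote = ipaddress.ip_network(remote_sel, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr)

    # IKE peers are reached over the internet, so neither may be RFC 1918.
    for name, peer in (("local", local_peer), ("AWS", aws_peer)):
        if is_rfc1918(ipaddress.ip_network(peer)):
            problems.append(f"{name} peer {peer} is a private address; peers must be public")

    # The AWS-side selector must be the instance's private IP inside the VPC CIDR;
    # this is exactly the mistake described in the question (using the public IP).
    if not is_rfc1918(remote):
        problems.append(f"remote proxy-ID {remote} is a public IP; AWS only routes VPC private space into the tunnel")
    elif not remote.subnet_of(vpc):
        problems.append(f"remote proxy-ID {remote} is not inside the VPC CIDR {vpc}")

    # Overlapping selectors make traffic selection ambiguous on both ends.
    if local.overlaps(remote):
        problems.append(f"local proxy-ID {local} overlaps remote proxy-ID {remote}")
    return problems


if __name__ == "__main__":
    # Constructed sample: public proxy-ID on the AWS side, as in the original question.
    for p in check_proxy_id("192.168.50.0/24", "203.0.113.50/32", "10.20.0.0/16",
                            "203.0.113.10", "198.51.100.5"):
        print("problem:", p)
```

Documentation-range addresses (203.0.113.x, 198.51.100.x) stand in for the real public peers here; the check deliberately classifies by RFC 1918 membership rather than Python's `is_global`, which treats those documentation ranges as non-global.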
