Site to Site VPN between AWS transit GW and PA FW in AWS

Reply
Highlighted
L0 Member

Site to Site VPN between AWS transit GW and PA FW in AWS

Hello

 

First time posting and looking for help on solution ............i have a PA fw in AWS and i am attempting to setup a VPN to AWS transit GW.

FW set up with ÖUTSIDE int using DHCP and and EIP attached ...

 

AWS TGW (VPN) -------------------------------------------------AWS(single FW with DHCP)

52.x.x.x  -------------------------------------------------EIP-3.x.x.x attached to 10.0.2.10 (-----outside int (FW) inside int 

18.x.x.x

AWS does not initiate session, so firewall must initiate. It works fine if i config a static IP address on Firewall outside interface but if 

i leave it as DHCP it seems to work on and off ......I have been advised that i must leave the PA interface address as DHCP based on 

design guidelines. So i have messed around with IPSEC settings in the hope of getting tunnels to come up by setting the Local and  Remote peer addresses but not luck .......

 

Any ideas or advice please ..............................and is it true that i should not set fixed IP on interfaces of FW 

 

Thanks in advance for advice and help ..

 

Highlighted
L4 Transporter

he tunnel build process is documented here.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

 

In general, if it works intermittently, check your timers in your IKE and IPSec profiles.  Also, ensure that only the VPN ethernet interface has the "Automatically create default route pointing to DG provided by server".  If you have multiple interfaces, you may end up with 2 default routes in the VR that are competing with each other.  If you have EIPs on multiple interfaces, then you give each its own virtual router with a 0.0.0.0/0 route pointing outbound.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQRCA0

Highlighted
L0 Member

Hello

 

Thanks for your response but sadly that was not the correct solution and i am still working on the case ....

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!