I'm trying to get an IPsec VPN working with a Palo gateway instance inside of Azure. Because Azure handles the public IP, and the Palo has no awareness of it, I expect NAT traversal will factor heavily. Has anyone got such a topology working?
An old thread on this subject suggests that this is not the recommended approach - that Azure native VPN should be used instead. Here's a post from that discussion:
In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure. This is b/c you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing as we cannot extend BGP from the firewalls to the Azure Route Table. Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer.
If you have a static IP on the Azure external IP side, you should be able to get this going. Just remember on the Azure PAN, in the IKE gateway setting, make sure to use the Local IP Address of the untrust interface in the local IP address. Then on the other PAN, in the IKE gateway setting, make sure to add the Peer Identification IP address of the Azure PAN.
Hope that makes sense.
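Added example, not from the poster above: the two IKE gateway definitions that answer describes, written as PAN-OS "set" commands for both ends so the NAT-traversal relationship is visible side by side. Gateway names, interface names, all addresses (RFC 5737 documentation ranges and a 10.x VNet address), the PSK placeholder and the exact set-command syntax are assumptions; check them against the PAN-OS CLI reference for your release before committing.

```text
# --- Azure PAN (behind Azure's 1:1 public-IP NAT; the firewall only sees 10.1.0.4) ---
# Constructed values: gateway "to-onprem", untrust ethernet1/1 = 10.1.0.4, Azure public IP = 203.0.113.10
set network ike gateway to-onprem protocol version ikev2
set network ike gateway to-onprem local-address interface ethernet1/1 ip 10.1.0.4/24
set network ike gateway to-onprem peer-address ip 198.51.100.20
# Local identity is the private untrust IP, because that is the only address the firewall owns.
set network ike gateway to-onprem local-id type ipaddr id 10.1.0.4
set network ike gateway to-onprem peer-id type ipaddr id 198.51.100.20
set network ike gateway to-onprem authentication pre-shared-key key <PSK_PLACEHOLDER>
# Azure rewrites the source address, so IKE/ESP must be allowed to move to UDP 4500.
set network ike gateway to-onprem protocol-common nat-traversal enable yes
set network ike gateway to-onprem protocol ikev2 dpd enable yes

# --- On-prem PAN (has a routable public IP on its untrust interface) ---
# Constructed values: gateway "to-azure", untrust ethernet1/1 = 198.51.100.20
set network ike gateway to-azure protocol version ikev2
set network ike gateway to-azure local-address interface ethernet1/1 ip 198.51.100.20/24
# Peer address is the Azure public IP that the packets actually arrive from ...
set network ike gateway to-azure peer-address ip 203.0.113.10
# ... but the Azure PAN identifies itself with its private untrust IP, so peer-id must be that value.
set network ike gateway to-azure peer-id type ipaddr id 10.1.0.4
set network ike gateway to-azure local-id type ipaddr id 198.51.100.20
set network ike gateway to-azure authentication pre-shared-key key <PSK_PLACEHOLDER>
set network ike gateway to-azure protocol-common nat-traversal enable yes
set network ike gateway to-azure protocol ikev2 dpd enable yes
```

The mismatch between peer-address (public) and peer-id (private) on the on-prem side is the point of the answer; if the peer-id is left at the public IP, IKE authentication fails even though UDP 500/4500 reaches the Azure firewall. The Azure NSG on the untrust subnet must also permit inbound UDP 500 and 4500 from the on-prem peer, or the negotiation never starts.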