How can I build a dynamic routing based VPN using a Palo-Alto firewall and AWS VPN?


I want to build a dynamic AWS Virtual Private Network (AWS VPN) between AWS and a Palo-Alto firewall.



You must have a virtual private cloud (VPC) whose IPv4 CIDR range doesn't overlap with the on-premises network behind the firewall (overlapping ranges can't be routed over the tunnel). This VPC must be associated with a virtual private gateway (VGW) or attached to a transit gateway (TGW).

AWS configuration

1.    Create a customer gateway (CGW) with the public IP address of the Palo-Alto firewall. When you create the CGW, you can either provide your own autonomous system number (AS number) or choose the default option. When you choose the default, AWS assigns AS number 65000 to your CGW. Whichever value you use here is the local AS number that you must configure in BGP on the firewall later.

2.    Create a Site-to-Site VPN. For Gateway, choose VGW or TGW, and for Routing options, choose Dynamic.

3.    Download the configuration file from the AWS Management Console.

The configuration file provides the following:

  • AWS public IP addresses and pre-shared keys for both tunnels (AWS provides two tunnels per VPN connection for redundancy)
  • IP address and MTU configuration for your Palo-Alto tunnel interface
  • Border Gateway Protocol (BGP) configuration, including the AWS AS number and the AWS BGP peer IP to configure in the Palo-Alto firewall

Palo-Alto configuration

Palo-Alto next generation firewalls support route-based VPN by default, and AWS Site-to-Site VPN is route-based as well. So when you create a VPN between Palo-Alto and AWS, you don't require proxy IDs: leave the Proxy IDs tab of the IPsec tunnel empty, and traffic selection is done by the route to the tunnel interface.

Note: The following encryption, DH group, and authentication settings are used for both the IKE-Crypto and IPsec-Crypto profiles, with one exception: in the IPsec-Crypto profile, set Authentication to none, because AES-GCM is an AEAD cipher that provides its own integrity protection (SHA-384 applies to the IKE-Crypto profile). The lifetimes of the phase 1 and phase 2 settings are 8 hours (28,800 seconds) and 1 hour (3,600 seconds) by default, which match the AWS tunnel defaults.

  • Encryption: AES-256-GCM
  • DH Group: 20
  • Authentication: SHA-384

1.    Create the IKE-Crypto profile using the algorithm above.

2.    Create the IPsec-Crypto profile using the algorithm above.

3.    Build the tunnel interface, assign it to the virtual router and to a security zone. For IPv4, provide the tunnel interface IP (a /30 from 169.254.0.0/16). You can find this in section 3 of the configuration file that you downloaded from the AWS Management Console. Under Advanced, set an MTU of 1427. Because the tunnel MTU is lower than 1500, also consider turning on Adjust TCP MSS on the tunnel interface so that TCP sessions don't depend on path MTU discovery working through the tunnel.

4.    Create the IKE-Gateway, using the following configurations:

  • For Version, choose IKEv2 only, and for Authentication, choose pre-shared key. Enter the pre-shared key from the configuration file.
  • For Peer address, enter the AWS public IP from the configuration file.
  • In the advanced section, make sure that NAT Traversal is turned on.
  • Choose the IKE-Crypto profile that you created in step 1.
  • Turn on liveness check at an interval of 5 seconds.

5.    From the Network tab, choose IPsec Tunnels, and then create the IPsec tunnel. Choose the Tunnel interface and IKE-Gateway that you created in the previous steps, and choose the IPsec-Crypto profile that you created in step 2. Leave Proxy IDs empty.

6.    Commit changes. After the commit completes, connect to the firewall over SSH, and then run the following commands to start VPN negotiation:

test vpn ike-sa gateway <IKE-Gateway-Name>
test vpn ipsec-sa tunnel <IPsec-Tunnel-Name>

In the web interface, under Network > IPsec Tunnels, the Status column for the tunnel is now green. From the CLI, show vpn ike-sa and show vpn ipsec-sa list the established phase 1 and phase 2 security associations.
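The IPsec part of the procedure above, expressed as PAN-OS set commands for the first of the two AWS tunnels. This is an added example, not the page's own text and not the configuration file that AWS generates for you. All names (AWS-IKE-Crypto, AWS-IPsec-Crypto, AWS-IKE-GW-1, AWS-Tunnel-1, zone VPN, ethernet1/1), the tunnel inside address 169.254.10.2/30, the AWS peer address 203.0.113.10 and the pre-shared key are placeholders: take the real values from sections 1 to 3 of your downloaded configuration file. The keywords are from my recollection of the PAN-OS configuration tree and should be checked against the AWS-generated file for your PAN-OS version before you commit.

```text
# --- IKE-Crypto profile (phase 1): AES-256-GCM, SHA-384 PRF/integrity, DH group 20, 8 hours
set network ike crypto-profiles ike-crypto-profiles AWS-IKE-Crypto encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles AWS-IKE-Crypto hash sha384
set network ike crypto-profiles ike-crypto-profiles AWS-IKE-Crypto dh-group group20
set network ike crypto-profiles ike-crypto-profiles AWS-IKE-Crypto lifetime seconds 28800

# --- IPsec-Crypto profile (phase 2): same cipher and PFS group, 1 hour.
# Authentication is "none" because AES-GCM is an AEAD cipher (see the Note above).
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPsec-Crypto esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPsec-Crypto esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPsec-Crypto dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPsec-Crypto lifetime seconds 3600

# --- Tunnel interface: inside address and MTU from section 3 of the AWS config file (placeholders)
set network interface tunnel units tunnel.1 ip 169.254.10.2/30
set network interface tunnel units tunnel.1 mtu 1427
set network virtual-router default interface tunnel.1
set zone VPN network layer3 tunnel.1

# --- IKE gateway: IKEv2 only, PSK, NAT-T on, liveness check every 5 seconds
set network ike gateway AWS-IKE-GW-1 protocol version ikev2
set network ike gateway AWS-IKE-GW-1 protocol ikev2 ike-crypto-profile AWS-IKE-Crypto
set network ike gateway AWS-IKE-GW-1 protocol ikev2 dpd enable yes
set network ike gateway AWS-IKE-GW-1 protocol ikev2 dpd interval 5
set network ike gateway AWS-IKE-GW-1 protocol-common nat-traversal enable yes
set network ike gateway AWS-IKE-GW-1 authentication pre-shared-key key REPLACE-WITH-PSK-FROM-AWS-FILE
set network ike gateway AWS-IKE-GW-1 local-address interface ethernet1/1
set network ike gateway AWS-IKE-GW-1 peer-address ip 203.0.113.10

# --- IPsec tunnel: route-based, so no proxy-id entries are configured
set network tunnel ipsec AWS-Tunnel-1 tunnel-interface tunnel.1
set network tunnel ipsec AWS-Tunnel-1 auto-key ike-gateway AWS-IKE-GW-1
set network tunnel ipsec AWS-Tunnel-1 auto-key ipsec-crypto-profile AWS-IPsec-Crypto
set network tunnel ipsec AWS-Tunnel-1 anti-replay yes

commit

# --- Bring the tunnel up and verify (operational mode)
test vpn ike-sa gateway AWS-IKE-GW-1
test vpn ipsec-sa tunnel AWS-Tunnel-1
show vpn ike-sa gateway AWS-IKE-GW-1
show vpn ipsec-sa tunnel AWS-Tunnel-1
```

Repeat the tunnel interface, IKE gateway and IPsec tunnel stanzas with tunnel.2, the second AWS public IP, the second pre-shared key and the second inside /30 so that both AWS tunnels are configured; a single tunnel is taken down by AWS during endpoint maintenance.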

Configure BGP routing on the Palo-Alto firewall

Note: AWS VPN doesn't support BGP graceful restart or Bidirectional Forwarding Detection (BFD), so don't rely on either for failover between the two tunnels; the hold time configured below determines how quickly a failed peer is detected.

First, create a redistribution profile (Network > Virtual Routers > Redistribution Profile) that matches the on-premises prefixes you want to advertise to AWS, for example the connected and static routes of your LAN ranges. Then, configure BGP using these settings:

1.    On the General tab, choose the check box to turn on BGP.

2.    Add a router ID (for example, the tunnel interface IP), and enter the Palo-Alto AS number. This must be the AS number that you assigned to the CGW in the AWS configuration (65000 if you chose the default).

3.    On the Peer-group tab, choose Create a new peer group.

4.    Add a peer to the group. For Peer AS, enter the AWS AS number. For Peer address, enter the AWS BGP IP. You can find both of these numbers in section 4 of the configuration file that you previously downloaded from the AWS Management Console. For Local address, choose the tunnel interface and its IP.

5.    In Connection options, for keep-alive interval, choose 10 seconds. For Hold time, choose 30 seconds.

6.    Choose the Redist rules tab, and then create a redist rule. For Name, choose the redistribution profile that you created previously. Then, choose Commit changes.

Next, verify that BGP is established.

1.    Choose the Network tab, and then choose Virtual router.

2.    Choose More run time stats, and then choose BGP. Under Peer, verify that the status is Established. Under Local RIB, you should see the VPC CIDR learned from AWS, and the on-premises prefixes you redistributed should appear under RIB Out.
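The BGP part of the procedure above as PAN-OS set commands, continuing the placeholder names from the IPsec example (tunnel.1, local address 169.254.10.2/30). This is an added example and not the page's own text. The AWS peer address 169.254.10.1 and AWS AS number 64512 are placeholders for the values in section 4 of your configuration file, the local AS 65000 assumes you chose the default CGW AS number, and the redistribution profile name Redist-OnPrem and the prefix 10.0.0.0/8 are made up for illustration. Keywords are from my recollection of the PAN-OS configuration tree; verify them against the AWS-generated file for your version.

```text
# --- Redistribution profile: advertise connected and static routes inside 10.0.0.0/8 (placeholder)
set network virtual-router default protocol redist-profile Redist-OnPrem priority 1 action redist
set network virtual-router default protocol redist-profile Redist-OnPrem filter type [ connect static ]
set network virtual-router default protocol redist-profile Redist-OnPrem filter destination 10.0.0.0/8

# --- BGP: local AS must match the CGW AS number created in AWS
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 169.254.10.2
set network virtual-router default protocol bgp local-as 65000
set network virtual-router default protocol bgp install-route yes

# --- eBGP peer group with one peer per AWS tunnel
set network virtual-router default protocol bgp peer-group AWS type ebgp
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 peer-as 64512
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 local-address interface tunnel.1
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 local-address ip 169.254.10.2/30
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 peer-address ip 169.254.10.1
# AWS defaults: keepalive 10 s, hold time 30 s; AWS does not support graceful restart or BFD
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 connection-options keep-alive-interval 10
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 connection-options hold-time 30
set network virtual-router default protocol bgp peer-group AWS peer AWS-Tunnel-1 enable yes

# --- Redist rule that references the profile, IPv4 only
set network virtual-router default protocol bgp redist-rules Redist-OnPrem enable yes
set network virtual-router default protocol bgp redist-rules Redist-OnPrem address-family-identifier ipv4

commit

# --- Verify from operational mode: peer state, what AWS sent, what the firewall installed
show routing protocol bgp peer
show routing protocol bgp loc-rib
show routing route type bgp
```

When you add the second tunnel, add a second peer (AWS-Tunnel-2 on tunnel.2) to the same peer group with its own local and peer addresses from the configuration file; AWS then prefers whichever tunnel's route it receives first, so advertise the same prefixes over both.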

Related information

How do I download AWS Site-to-Site VPN example configuration files?

AWS OFFICIAL. Updated 10 months ago