{"id":327,"date":"2022-05-17T21:56:19","date_gmt":"2022-05-18T01:56:19","guid":{"rendered":"https:\/\/opentextbc.ca\/paloalto\/chapter\/s2s-vpn-palo-alto-on-prem-azure\/"},"modified":"2023-11-28T19:06:00","modified_gmt":"2023-11-29T00:06:00","slug":"s2s-vpn-palo-alto-on-prem-azure","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/paloalto\/chapter\/s2s-vpn-palo-alto-on-prem-azure\/","title":{"raw":"4.3 Site-to-Site VPN between Palo Alto on Premise and Palo Alto in the Azure","rendered":"4.3 Site-to-Site VPN between Palo Alto on Premise and Palo Alto in the Azure"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure a Virtual Network in Microsoft Azure<\/li>\n \t
  • Set up and configure the Azure VPN Gateway for IPsec VPN<\/li>\n \t
  • Implement Network Security Groups (NSGs) in Azure for traffic control<\/li>\n \t
  • Monitor and troubleshoot IPsec VPN connections on Palo Alto<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    Scenario<\/strong>: In this lab, we will create a site-to-site VPN from Palo Alto on-premise to Palo Alto in the Azure. Knowing the configuration of section 4.2 is necessary for this lab. I have created management and ethernet1\/1 as a DHCP, so they will receive an IP address from Cloud.<\/div>\n\n[caption id=\"attachment_302\" align=\"aligncenter\" width=\"1510\"]\"Main Figure 4.68: Main scenario[\/caption]\n

    On-Premise Palo Alto Configuration<\/h2>\n\n\n\n\n\n\n\n
    Devices<\/th>\nInterface<\/th>\nIP address<\/th>\n<\/tr>\n
    Palo Alto<\/th>\nManagement<\/td>\nDHCP Client<\/td>\n<\/tr>\n
    Ethernet 1\/1<\/td>\nDHCP Client<\/td>\n<\/tr>\n
    Ethernet 1\/2<\/td>\n192.168.10.1\/24<\/td>\n<\/tr>\n
    WebTerm<\/th>\nEth0<\/td>\n192.168.10.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      \n \t
    1. Configure the interfaces of the firewall. Set Ethernet1\/1 as a Untrust Zone and Ethernet1\/2 as a Trust Zone.\n\n[caption id=\"attachment_303\" align=\"aligncenter\" width=\"1447\"]\"Firewall Figure 4.69: Firewall Interfaces[\/caption]<\/li>\n \t
    2. Create a tunnel.1<\/strong> and set the tunnel as Untrust zone.\n\n[caption id=\"attachment_304\" align=\"aligncenter\" width=\"1190\"]\" Figure 4.70: Create a tunnel[\/caption]<\/li>\n \t
    3. Create two static routes, one pointing to 142.232.197.254 (on-Prem Default Gateway) and the other one sending the traffic of Azure through the tunnel.\n\n[caption id=\"attachment_306\" align=\"aligncenter\" width=\"500\"]\"Create Figure 4.71: Create a static route to default gateway[\/caption]\n\n[caption id=\"attachment_306\" align=\"aligncenter\" width=\"500\"]\"Create Figure 4.72: Create a static route to Azure[\/caption]<\/li>\n \t
    4. For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as following figures. You have to configure local and peer identification.\n\n[caption id=\"attachment_308\" align=\"aligncenter\" width=\"450\"]\"Create Figure 4.73: Create an IKE Gateway[\/caption]\n\n[caption id=\"attachment_308\" align=\"aligncenter\" width=\"500\"]\"Create Figure 4.74: Create an IPsec Tunnel[\/caption]<\/li>\n \t
    5. Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.\n\n[caption id=\"attachment_309\" align=\"aligncenter\" width=\"1420\"]\"Create Figure 4.75: Create two security policies[\/caption]<\/li>\n<\/ol>\n

      Azure Configuration<\/h2>\n
        \n \t
      1. Create a Palo Alto firewall in Azure and configure the interfaces. You need to do all steps in section 4.1 and assign public IP address to Ethernet 1 (Untrust Zone).<\/li>\n \t
      2. Create a route in Azure pointing to Trust interface.\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step1- Figure 4.76: Create a route table[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step2- Figure 4.77: Create a route table[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\" Figure 4.78: Create a route table (verify and create)[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step4 Figure 4.79: Add a Route[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step5 Figure 4.80: Add a default route pointing to 10.0.2.4 (Trust Interface)[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step Figure 4.81: Associate Trust route to Trust Subnet[\/caption]\n\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"500\"]\"Step Figure 4.82: Associate fwVNET to Trust Subnet[\/caption]<\/li>\n \t
      3. Set static routes as figures 4.83 and 4.84.\n\n[caption id=\"attachment_318\" align=\"aligncenter\" width=\"500\"]\"Static Figure 4.83: Static route pointing to default gateway[\/caption]\n\n[caption id=\"attachment_318\" align=\"aligncenter\" width=\"500\"]\" Figure 4.84: Static route pointing to tunnel[\/caption]<\/li>\n \t
      4. For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as figures 4.85 and 4.86.\n\n[caption id=\"attachment_320\" align=\"aligncenter\" width=\"500\"]\"Create Figure 4.85: Create an IKE Gateway[\/caption]\n\n[caption id=\"attachment_320\" align=\"aligncenter\" width=\"500\"]\" Figure 4.86: Create an IPsec Tunnel[\/caption]<\/li>\n \t
      5. Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.\n\n[caption id=\"attachment_321\" align=\"aligncenter\" width=\"800\"]\"Create Figure 4.87: Create two security policies[\/caption]<\/li>\n \t
      6. Add windows or Linux VM to Trust Subnet. This VM is for testing ping from Azure side to on-prem. We will not create a public IP address for the VM.\n\n[caption id=\"attachment_323\" align=\"aligncenter\" width=\"500\"]\"Create Figure 4.88: Create a VM[\/caption]\n\n[caption id=\"attachment_323\" align=\"aligncenter\" width=\"500\"]\" Figure 4.89: Assign Trust subnet with no public IP[\/caption]<\/li>\n \t
      7. Now, you should be able to ping and your tunnel should be green.\n\n[caption id=\"attachment_326\" align=\"aligncenter\" width=\"500\"]\"ping Figure 4.90: Ping from WebTerm to Azure[\/caption]\n\n[caption id=\"attachment_326\" align=\"aligncenter\" width=\"500\"]\"Ping Figure 4.91: Ping from Azure to WebTerm[\/caption]\n\n[caption id=\"attachment_326\" align=\"aligncenter\" width=\"1073\"]\"Tunnel Figure 4.92: Tunnel Status[\/caption]<\/li>\n<\/ol>","rendered":"
        \n
        \n

        Learning Objectives<\/p>\n<\/header>\n

        \n
          \n
        • Configure a Virtual Network in Microsoft Azure<\/li>\n
        • Set up and configure the Azure VPN Gateway for IPsec VPN<\/li>\n
        • Implement Network Security Groups (NSGs) in Azure for traffic control<\/li>\n
        • Monitor and troubleshoot IPsec VPN connections on Palo Alto<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
          Scenario<\/strong>: In this lab, we will create a site-to-site VPN from Palo Alto on-premise to Palo Alto in the Azure. Knowing the configuration of section 4.2 is necessary for this lab. I have created management and ethernet1\/1 as a DHCP, so they will receive an IP address from Cloud.<\/div>\n
          \"Main
          Figure 4.68: Main scenario<\/figcaption><\/figure>\n

          On-Premise Palo Alto Configuration<\/h2>\n\n\n\n\n\n\n\n
          Devices<\/th>\nInterface<\/th>\nIP address<\/th>\n<\/tr>\n
          Palo Alto<\/th>\nManagement<\/td>\nDHCP Client<\/td>\n<\/tr>\n
          Ethernet 1\/1<\/td>\nDHCP Client<\/td>\n<\/tr>\n
          Ethernet 1\/2<\/td>\n192.168.10.1\/24<\/td>\n<\/tr>\n
          WebTerm<\/th>\nEth0<\/td>\n192.168.10.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
            \n
          1. Configure the interfaces of the firewall. Set Ethernet1\/1 as a Untrust Zone and Ethernet1\/2 as a Trust Zone.
            \n
            \"Firewall
            Figure 4.69: Firewall Interfaces<\/figcaption><\/figure>\n<\/li>\n
          2. Create a tunnel.1<\/strong> and set the tunnel as Untrust zone.
            \n
            \"Create
            Figure 4.70: Create a tunnel<\/figcaption><\/figure>\n<\/li>\n
          3. Create two static routes, one pointing to 142.232.197.254 (on-Prem Default Gateway) and the other one sending the traffic of Azure through the tunnel.
            \n
            \"Create
            Figure 4.71: Create a static route to default gateway<\/figcaption><\/figure>\n
            \"Create
            Figure 4.72: Create a static route to Azure<\/figcaption><\/figure>\n<\/li>\n
          4. For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as following figures. You have to configure local and peer identification.
            \n
            \"Create
            Figure 4.73: Create an IKE Gateway<\/figcaption><\/figure>\n
            \"Create
            Figure 4.74: Create an IPsec Tunnel<\/figcaption><\/figure>\n<\/li>\n
          5. Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.
            \n
            \"Create
            Figure 4.75: Create two security policies<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n

            Azure Configuration<\/h2>\n
              \n
            1. Create a Palo Alto firewall in Azure and configure the interfaces. You need to do all steps in section 4.1 and assign public IP address to Ethernet 1 (Untrust Zone).<\/li>\n
            2. Create a route in Azure pointing to Trust interface.
              \n
              \"Step1-
              Figure 4.76: Create a route table<\/figcaption><\/figure>\n
              \"Step2-
              Figure 4.77: Create a route table<\/figcaption><\/figure>\n
              \"Step3-
              Figure 4.78: Create a route table (verify and create)<\/figcaption><\/figure>\n
              \"Step4
              Figure 4.79: Add a Route<\/figcaption><\/figure>\n
              \"Step5
              Figure 4.80: Add a default route pointing to 10.0.2.4 (Trust Interface)<\/figcaption><\/figure>\n
              \"Step
              Figure 4.81: Associate Trust route to Trust Subnet<\/figcaption><\/figure>\n
              \"Step
              Figure 4.82: Associate fwVNET to Trust Subnet<\/figcaption><\/figure>\n<\/li>\n
            3. Set static routes as figures 4.83 and 4.84.
              \n
              \"Static
              Figure 4.83: Static route pointing to default gateway<\/figcaption><\/figure>\n
              \"Static
              Figure 4.84: Static route pointing to tunnel<\/figcaption><\/figure>\n<\/li>\n
            4. For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as figures 4.85 and 4.86.
              \n
              \"Create
              Figure 4.85: Create an IKE Gateway<\/figcaption><\/figure>\n
              \"Create
              Figure 4.86: Create an IPsec Tunnel<\/figcaption><\/figure>\n<\/li>\n
            5. Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.
              \n
              \"Create
              Figure 4.87: Create two security policies<\/figcaption><\/figure>\n<\/li>\n
            6. Add windows or Linux VM to Trust Subnet. This VM is for testing ping from Azure side to on-prem. We will not create a public IP address for the VM.
              \n
              \"Create
              Figure 4.88: Create a VM<\/figcaption><\/figure>\n
              \"Assign
              Figure 4.89: Assign Trust subnet with no public IP<\/figcaption><\/figure>\n<\/li>\n
            7. Now, you should be able to ping and your tunnel should be green.
              \n
              \"ping
              Figure 4.90: Ping from WebTerm to Azure<\/figcaption><\/figure>\n
              \"Ping
              Figure 4.91: Ping from Azure to WebTerm<\/figcaption><\/figure>\n
              \"Tunnel
              Figure 4.92: Tunnel Status<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n","protected":false},"author":124,"menu_order":6,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-327","chapter","type-chapter","status-publish","hentry"],"part":230,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/327\/revisions"}],"predecessor-version":[{"id":328,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/327\/revisions\/328"}],"part":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/230"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/327\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=327"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=327"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=327"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/license?post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}