Tuesday, April 24, 2018
By Oneil Matlock, Fuel member
As a new systems administrator, I have become responsible for administrating network firewalls. Our firewalls are Palo Alto Networks 3020 and 200 devices in multiple locations. Over the past year, one of the most interesting communication methods I have configured has been IPsec tunnels with our partner companies. All of the IPsec tunnel configurations at my company have been between two firewalls, some of them different brands and models.
In an effort to test and train myself without affecting my work environment, I signed up for Comcast Business (5 static IPs included) at home, purchased a used Palo Alto 200 device from eBay (no support), and installed it in my home network environment.
Since then, I have been able to test many situations and became interested in creating a site-to-site IPsec tunnel from my Palo Alto 200 device and Azure. This blog post will demonstrate my steps and results for that configuration.
These notes are compiled after my configuration was complete, and are meant to give a general direction and do require some level of ambiguity. The IPSec settings could vary depending upon environmental requirements. This article is meant to provide one example of a successfully connected configuration.
Prerequisites for this configuration are as follows:
- Palo Alto 200 (PA-200) device
- Public Static IP to assign to PA-200
- Azure subscription or trial
- I used this excellent Microsoft article that provides a guide through the Azure configuration: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
- Created my virtual network according to Microsoft article guideline.
NOTE: I tried to stay consistent with Microsoft example naming conventions for simplicity.
- Created FrontEnd and Gateway subnets.
- Created Virtual Network Gateway.
- NOTE: An Azure public IP address is assigned at this point and should be noted and used during the Palo Alto IKE Gateway configuration.
- Created a local network gateway according to Azure configuration guidelines.
NOTE: The IP address field in this Local Network gateway configuration represents the public IP address of your Palo Alto firewall.
- The next step is to create an IPSec policy including parameters and also a local network gateway connection that is to represent your IPSec connection from your Azure network to your on premise network and Palo Alto firewall.
NOTE: Since the creation of these notes, it is not possible to create the IPSec policy and parameters via Azure portal directly. It was necessary to use Azure PowerShell to finish this configuration.
- Installed and configured Azure PowerShell modules on my local desktop device according to this Microsoft article: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.6.0
- Launched Microsoft PowerShell and execute the following command to connect to Azure.
- After connecting to Azure, I followed the link provided in the Azure general guideline article for IPSec and IKE settings: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
NOTE: This article does describe a start to finish configuration using PowerShell. However, after following the general guideline, several items are already configured. I did have to maneuver through, define only a subset of variables to eventually define my IPsec policy, create and assign a network gateway connection to my virtual network gateway. These are subset examples of these commands that I had to run to create the IPSec policy, create and assign to the virtual network gateway connection. There would be some effort to customize these commands for your configuration.
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'
- Using the Azure Cloud Shell interface, accessible in the Azure portal you could review your IPSec parameters.
- Virtual network gateway connection is created and visible in the Azure portal after created from PowerShell.
2. Palo Alto Configuration
- Configure tunnel interface, create, and assign new security zone.
- Create an IKE Crypto profile with the following settings.
- Create a new IKE Gateway with the following settings. Peer IP equals the IP address of the Azure connection public IP address (when received after configuration). Edit configuration later if necessary when received.
- Configure an IKE Gateway and assign the IKE Crypto profile.
- Create a new IPSec Crypto Profile with the following settings.
- Create IPSec tunnel with the following settings.
- No proxy ID was required for this configuration example.
- Added static routes to my virtual router for both Azure Frontend and Gateway subnets.
- Once I completed my Azure and Palo Alto configuration, there is a green status for the IPsec tunnel indicating a successful connection. Additional negotiation information may be viewed from the Palo Alto System Log.
3. Connecting to Azure resources
- After establishing a site-to-site connection to Azure network, I am able to connect to resources that are created on my Azure Frontend network.
For example: I’ve created a new Windows Server 2012 R2 server and able to RDP to using ONLY its private IP address directly from my home network.
I feel accomplished after this self-study project, finally creating and using a meaningful feature in Azure. This site-to-site connection will now allow me to officially extend my test data center into Azure and explore the next set of Azure features in which I am interested. Now that my data center network is connected to Azure, I can create a secondary domain controller VM in Azure as if it resides in my local network. This will be useful for demonstrating disaster recovery and further extend my data center presence in Azure. Furthermore, I would also like to install a Palo Alto VM appliance firewall in my Azure environment to provide the same enterprise class security as I have in my data center.
Have thoughts or comments? We want to hear from you. Start a discussion with other Fuel members below.
Check out these Fuel blog posts for further reading:
- Fuel Community Chat: pVLANs and Securing Outbound Internet Access
- How to Maintain Endpoint Security
- Cybersecurity Question of the Month: April