AWS Site-to-Site VPN Configuration Guide for Palo Alto Firewalls with IPv6 Connectivity

19 minute read
Content level: Advanced
1

Step-by-step guide to set up a hybrid environment with IPv6 connectivity using a Palo Alto Site-to-Site VPN to connect to your AWS environment

Introduction

This article guides you through configuring a Site-to-Site VPN between an AWS Transit Gateway with a VPN attachment and a Palo Alto Firewall. It will also cover exchanging IPv6 routes using BGP to minimize manual effort and control routing advertising using BGP policies. We recommend you use BGP-capable devices, when available, because the BGP protocol offers robust capabilities to assist failover to the second VPN tunnel if the first tunnel goes down.

This guide covers:

  • Creating a Customer Gateway on AWS
  • Creating an AWS Site-to-Site VPN connection
  • Creating a Site-to-Site VPN connection on a Palo Alto firewall
  • Creating policy rules that are required to establish a Site-to-Site VPN connection to AWS
  • Establishing BGP sessions between your AWS Transit Gateway and a Palo Alto firewall
  • Verifying the connectivity between AWS and the Palo Alto firewall across the VPN tunnel

Pre-requisites

  • Familiarity with AWS Virtual Private Cloud (VPC), AWS Transit Gateway (TGW), as well as VPC and TGW route tables.
  • Familiarity with how the Site-to-Site VPN service handles IPv6 traffic.
  • An AWS Transit Gateway configured in your AWS account.
  • VPCs with IPv6 CIDR blocks attached to the Transit Gateway.
  • Familiarity with BGP. For more information on BGP, please visit this guide.
  • A Palo Alto firewall running PAN-OS. This guide was written using Palo Alto firewalls running PAN-OS 10.2.8.
  • Palo Alto Firewall interfaces are configured with static and publicly routable IPv4 addresses, assigned to security zones, and assigned to a virtual router. If your firewall requires NAT traversal, please review this Palo Alto Knowledge Base article.
  • An on-premises IPv6 subnet
  • A default route configured on the Palo Alto firewall pointing to the internet.

Guide Architecture Overview

Figure 1: An overview of the architecture used in this guide

Figure 1: An overview of the architecture used in this guide

The above diagram summarizes the architecture used in this guide. In the guide, we have 3 VPCs in a dualstack configuration with both IPv4 and IPv6 CIDRs. The 3 VPCs are attached to the transit gateway. Each VPC has applications running on port 80 with no access to the internet. The on-premises environment is configured with an IPv6 CIDR block, and the Palo Alto firewall has public IPv4 addresses available for use.

Part 1: Configure the Customer Gateway on AWS console

Navigate to VPC > Virtual Private Network > Customer Gateways

Select Create customer gateway:

  • Enter the customer gateway Name tag.
  • Enter a BGP ASN (autonomous system number). We are using ASN 65512 for the Palo Alto Firewall (Customer Gateway) and 64512 for the Transit gateway. For more details about using a BGP ASN on with an AWS Site-to-Site VPN, please refer to this guide.
  • Enter the Public IP address of the Palo Alto firewall. In this guide, we are using interface Ethernet 1/1 on the Palo Alto firewall. This address must be an IPv4 address.
  • In this guide, we will use the pre-shared key method for authentication. Do not select a certificate ARN if you are following this guide. For more details about using certificate-based authentication with an AWS Site-to-Site VPN, please refer to this guide.
  • When finished, select Create customer gateway.

Figure 2: Creating the customer gateway

Figure 2: Creating the customer gateway

Part 2: Configure the AWS Site-to-Site VPN connection and associate it with the Transit Gateway

In this section, we will configure the VPN tunnels. AWS recommends using Internet Key Exchange version 2 (IKEv2) where possible, because of the lower overhead in establishing a tunnel and enhanced health check functionality, as compared to IKEv1. For more information on the benefits of IKEv2 with Palo Alto, refer to this guide.

Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections

Select Create VPN Connection:

  • Enter the VPN connection Name
  • Select Transit gateway in Target gateway type and select the desired transit gateway.
  • In the Customer gateway section, choose existing and select the customer gateway that was created in Part 1.
  • In the Routing options section, choose Dynamic (require BGP).
  • In the Tunnel inside IP version, select IPv6.
  • Using an Accelerated Site-to-Site VPN connection is out of scope for this guide. For more details, refer to the User Guide.

Figure 3: Creating the VPN connection

Figure 3: Creating the VPN connection

  • Expand the Tunnel 1 and Tunnel 2 options section.
  • For the Local and Remote IPv6 network CIDR sections, leave the default ::/0. This will be controlled by firewall policy and routing advertisements, addressed in a later section of this guide.
  • Enable the tunnel activity log and tunnel endpoint lifecycle control. AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, IKE negotiations, and dead peer detection (DPD) protocol messages. Tunnel endpoint lifecycle control provides control over the schedule of endpoint replacements.

Figure 4: Enabling the tunnel activity log and tunnel endpoint lifecycle control

Figure 4: Enabling the tunnel activity log and tunnel endpoint lifecycle control

We recommend being more selective with IKE Phase 1 and Phase 2 parameters. These options can be modified by selecting “Edit tunnel (#) options”. Your decisions will depend on your specific compliance and security requirements. For a list of supported parameters, please refer to the VPN tunnel options documentation. Ensure modifications in this section are applied to both VPN tunnels.

Figure 5: Advanced tunnel encryption options

Figure 5: Advanced tunnel encryption options

Encryption algorithms

AWS supports both AES128-GCM-16 and AES256-GCM-16. We recommend AES256-GCM-16 where supported and within requirements.

Integrity algorithms

Integrity algorithms ensure the sender’s identity and also ensure that the message has not been modified in transit. Select your SHA algorithm based on your customer gateway device support and security requirements. If you don’t have specific requirements, then we recommend using SHA-384 because of its performance and security characteristics.

DH group numbers

A Diffie-Hellman (DH) group determines how key material is generated for encryption. As with SHA, we recommend you pick DH groups based on compatibility with your customer gateway device and your security requirements. If you don’t have specific requirements, then we recommend using DH group 20 because of its security characteristics.

IKE version

To establish an IPsec tunnel, the IKE protocol is used. IKE has two iterations: IKEv1 and IKEv2. We recommend using IKEv2, as it gives some key performance optimizations over IKEv1.

For more details on how AWS secures the IPsec tunnel and the shared responsibility model, please refer to this blog post, AWS Site-to-Site VPN, choosing the right options to optimize performance.

After the tunnel creation, a VPN connection summary will be displayed.

Figure 6: VPN connection details after creation

Figure 6: VPN connection details after creation

Part 3: Configure the site-to-site VPN on the Palo Alto firewall

In this section, we will guide you on how to configure your Palo Alto Firewall tunnel interface.

The inside tunnel IP addresses can be found in the AWS console to navigate to VPC > Site-to-Site VPN Connections > vpn-abcde and selecting the Tunnel Details tab.

Figure 7: Displaying the inside IPv6 CIDR block

Figure 7: Displaying the inside IPv6 CIDR block

Step 1 - Create a tunnel Interface:

The steps in this section will take place in the Palo Alto user interface. Step 1 will need to be repeated for both AWS tunnel endpoints. Before continuing, ensure IPv6 is enabled on the AWS Site-to-Site VPN connection.

Navigate to Network > Interfaces > Tunnel:

Select Add

  • Assign a Virtual Router and Security Zone: These are requirements for Palo Alto’s interfaces. You can also create a security zone from this interface by clicking on the security zone tab. Refer to Figure 8.

Figure 8: Creating a tunnel interface in the Palo Alto firewall

Figure 8: Creating a tunnel interface in the Palo Alto firewall

  • Configure the tunnel IPv6 address. Within the /126 CIDR block assigned by AWS, the AWS side is the first available IP address and the Palo Alto side is the second available IP address.

Figure 9: Adding the inside IPv6 CIDR block to the tunnel interface in the Palo Alto firewall

Figure 9: Adding the inside IPv6 CIDR block to the tunnel interface in the Palo Alto firewall

Step 2 - Create IKE Profile:

Go to Network > Network Profiles > IKE Crypto:

Select Add

  • Enter a name for the Crypto Profile
  • Select the desired parameters for DH Group, Authentication, Encryption and IKE timers. Make sure the parameters selected here match what you have selected on AWS side of the VPN connection. If they do not, the tunnel cannot establish.

Figure 10: IKE Crypto Profile configuration in the Palo Alto firewall

Figure 10: IKE Crypto Profile configuration in the Palo Alto firewall

In this guide, we are using the GCM cipher suite, which includes a hashing algorithm within it. Therefore, we have selected “none” in the authentication section. If your connection uses the CBC cipher suite, you will need to select an authentication algorithm that matches what we selected on the AWS side of the VPN connection.

Step 3 - Create IKE Gateway:

Go to Network > Network Profiles > IKE Gateways:

Select Add:

  • Enter a name for the gateway
  • Select IKEv2 only mode as the version
  • Choose IPv4 as the address type
  • Select the tunnel interface (this guide uses ethernet1/1)
  • Enter the Local IP Address. The address in this case is referring to the private IP address associated with the interface, in this case, ethernet 1/1.
  • Select Pre-Shared Key as the authentication method
  • Leave the local identification and Peer identification as default (None).
  • Enter and confirm the Pre-shared Key

Figure 11: IKE Gateway configuration details in the Palo Alto firewall

Figure 11: IKE Gateway configuration details in the Palo Alto firewall

Step 4 - Create an IPSec Crypto Profile

Go to Network > Network Profiles > IPSec Crypto:

Select Add:

  • Enter a Crypto Profile Name
  • Select ESP as the IPSec Protocol
  • Select the desired parameters for Encryption, Authentication, DH Group and IPsec lifetime. The parameters selected here must match what we selected on the AWS side of the VPN connection.

Figure 12: IPSec Crypto Profile options in the Palo Alto firewall

Figure 12: IPSec Crypto Profile options in the Palo Alto firewall

Step 5 - Create an IPSec Tunnel

Go to Network > IPSec Tunnel:

Select Add:

  • Enter the IPSec Tunnel Name
  • Select the tunnel interface that was created in Step 1
  • Leave the Address Type as IPv4
  • Select the IKE Gateway that was created in Step 3
  • Select the IPSec Crypto Profile that was created in Step 4

Figure 13: IPSec Tunnel configuration in the Palo Alto firewall

Figure 13: IPSec Tunnel configuration in the Palo Alto firewall

Part 4: Configure security policies on the Palo Alto firewall

In this guide, we have created a security zone named ‘VPN’ and placed the IPSec tunnels in that zone. The next step is configuring security policies. These security policies are required for the VPN to communicate:

  1. Allow IPSec/IKE traffic from the Public zone to the VPN IP addresses on the AWS side.

  2. Allow BGP traffic from the tunnel interfaces to the AWS site-to-site VPN endpoint.

  3. Allow the desired traffic to flow from the on-premises trusted zone across the VPN to the AWS Transit Gateway.

Figure 14: Palo Alto security policy overview

Figure 14: Palo Alto security policy overview

Part 5: Configure BGP on the Palo Alto firewall

Step 1 - BGP Parameters

Go to Network > Virtual Router:

Depending on your needs, create a new virtual router or select the default option. For more information on virtual routers, please visit this page. In this guide, we will use the default router. Select the BGP option**:**

  • select Enable to enable BGP.
  • Enter BGP router ID - Use the public IP address of the customer gateway to ensure the router ID is unique.
  • Enter the BGP AS Number. This needs to match the ASN that we chose for the customer gateway (65512) in Step 1. if the ASN doesn’t match the customer gateway, the BGP session won’t establish, and it will not exchange routes. Find this information in the downloaded CGW configuration.
  • AWS does not currently support BFD for IPsec VPN, so leave this set to “None”.
  • Select the option to install the routes learned from BGP.
  • Select the option to Aggregate MED to enable route aggregation, even when routes have different Multi-Exit Discriminator (MED) values.
  • Depending on the BGP ASN configured, choose the option for either a 2 Byte or 4 Byte ASN.
  • Select the option “Deterministic MED Comparison” to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).

In Figure 15, the option to reject the default route from BGP is selected. The Palo Alto firewall should already have a default route to the internet.

Figure 15: Palo Alto BGP configuration

Figure 15: Palo Alto BGP configuration

For further details about how Palo Alto firewalls select the best path using BGP, please refer to this guide.

Step 2 - Configure Peer Group:

Go to Network > Virtual Router:

Create your router or select the default option and leave other parameters as default. For this guide, we will use the default router**.** Navigate to BGP:

  • Go to Peer Group
  • Select Add
  • Enter a BGP Peer Group Name
  • Select type EBGP and leave other parameters as default. Selecting the option '“Remove Private AS” forces BGP to remove private AS numbers from the AS_PATH attribute in updates that the firewall sends to a peer in another AS. Please refer to this guide for more information.

Figure 16: Palo Alto BGP peer configuration

Figure 16: Palo Alto BGP peer configuration

In this guide, we have enabled equal-cost multi-path routing (ECMP) on the virtual router to take advantage of the higher combined throughput offered. To configure ECMP on your Palo Alto firewall, please refer to this guide. For more on AWS Site-to-Site VPN bandwidth and throughput, please review this documentation. If using the ECMP feature, you must also enable ECMP on your transit gateway by selecting the VPN ECMP support option, as shown below.

Optionally, you can configure MED to influence outbound routes. For more information, please see the documentation. To verify your MED configuration, follow these steps.

Figure 17: AWS Transit Gateway advanced configuration options

Figure 17: AWS Transit Gateway advanced configuration options

Step 3 - Create BGP Peer

Go to Network > Virtual Router:

Create your router or select the default option. For this guide, we will use the default router and go to BGP:

  • Select the BGP peer group that was created in Step 2
  • Select Add
  • Enter the BGP Peer Name
  • Enter the BGP peer AS
  • Select the tunnel interface that was created in the IPSec section (Part 3, Step 1).
  • Select the IP address of the tunnel interface.
  • Select Peer Address Type IP
  • Enter the Peer Address

A BGP network that uses IPv4 multicast routes or IPv6 unicast prefixes needs multiprotocol BGP (MP-BGP) in order to exchange routes of address types other than IPv6 unicast. Please refer to this documentation for more information.

Figure 18: Palo Alto BGP peer advanced configuration

Figure 18: Palo Alto BGP peer advanced configuration

Step 4 - Create a Redistribution Profile. A redistribution rule is required to redistribute host routes and unknown routes that are not on the local RIB and advertise to its neighbors.

Go to Network > Virtual Router:

If you have created your own virtual router, select that, or select the default and go to Redistribution Profile:

In the IPv6 section:

Select Add

  • Under Redistribute, select Redist
  • For this guide, we will advertise connected routes. Please follow the security policy adopted in your organization. The advertised routes are to the AWS Transit Gateway BGP peers.
  • Select the ethernet interfaces that need to be advertised and choose OK to continue.

Figure 19: Palo Alto IPv6 Route Redistribution configuration

Figure 19: Palo Alto IPv6 Route Redistribution configuration

Step 5 - Create BGP Redistribution Rules

Go to Network > Virtual Router:

If you have created your own virtual router, select that, or select the default and go to BGP and then Redist Rules:

Select Add

  • Select the IPv6 address family type
  • Choose the Redistribution Profile created in Step 4
  • Set the metrics to anything between 1 - 65535. The higher the metric, the less preferred the route.

Figure 20: Palo Alto BGP route redistribution configuration rules

Figure 20: Palo Alto BGP route redistribution configuration rules

For further details on BGP redistribution rules, please refer to this Palo Alto guide.

After completing these steps, you will need to commit the changes to the Palo Alto FW after verifying that all the steps are completed.

Part 6 - Verification

Now that the VPN connections are configured, we must verify connectivity. In the AWS console, navigate to VPC > Transit Gateways > Transit Gateway Route Tables

Select your route table. If the VPN and BGP are properly functioning, the routes being propagated from the Palo Alto VPN will appear.

Figure 21: AWS Transit Gateway routes

Figure 21: AWS Transit Gateway routes

In the VPN tunnels details, the 2 tunnel endpoints have a status of Up and the number of routes received from BGP are shown under Details.

Figure 22: AWS Site-to-Site VPN tunnel details and status

Figure 22: AWS Site-to-Site VPN tunnel details and status

For further verification, the VPN log events can be examined using CloudWatch Logs Log Groups.

Figure 23: AWS CloudWatch Logs Log Group detail of Site-to-Site VPN logs

Figure 23: AWS CloudWatch Logs Log Group detail of Site-to-Site VPN logs

Within the Palo Alto firewall, navigate to Network > IPsec Tunnels. The status of both tunnels will be Up.

Figure 24: Palo Alto IPsec Tunnel status

Figure 24: Palo Alto IPsec Tunnel status

To verify the BGP statistics and routes, go to Network > Virtual routers, select More Runtime Stats and choose Forwarding Table in the overlay window.

Figure 25: Palo Alto Routing Information received from the AWS Transit Gateway

Figure 25: Palo Alto Routing Information received from the AWS Transit Gateway

In the same overlay window, choose Peer to see more details about the AWS-side BGP peers.

Figure 26: Palo Alto BGP peer details

Figure 26: Palo Alto BGP peer details

In the same overlay window, choose RIB Out to view the routes being advertised to AWS.

Figure 27: Palo Alto BGP routing information advertised to the AWS Transit Gateway

Figure 27: Palo Alto BGP routing information advertised to the AWS Transit Gateway

If you have instances running in your AWS VPCs, you can now perform connectivity tests. In this example, we have validated that ICMP and HTTP traffic can reach from the on-premises network to our EC2 instances with appropriately-configured security groups, network ACLs and route tables. You can also use the AWS Reachability Analyzer to validate connectivity within the AWS network.

Figure 28: Communication verification across the tunnel using ICMP and HTTP

Figure 28: Communication verification across the tunnel using ICMP and HTTP

Cleanup

The intention of this guide was to assist you in configuring a Site-to-Site VPN connection in a production environment. If this was created for temporary purposes, follow these steps to clean up your AWS environment so that you do not incur unnecessary costs.

  1. Clean up AWS resources.
    1. Delete the VPN connection.
      1. VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections > Select the VPN connection > from Actions Menu > Select Delete VPN connection.
    2. Delete the customer gateway
      1. VPC > Virtual Private Network (VPN) > Customer gateways > Select the customer gateway > from Actions Menu > Delete customer gateway
  2. Clean up the Palo Alto firewall configuration.
    1. Delete BGP configuration
      1. Delete BGP peers Network > Virtual routers > select the configured virtual router > select BGP > Peer Group > select the configured peer Group > select the peers that need to be delete > choose Delete > ok.
      2. Delete the BGP Peer Group Network > Virtual routers > select the configured virtual router > select BGP > peer Group > select the configured peer Group > choose Delete > ok.
    2. Delete the tunnel interfaces
      1. Network > IPsec Tunnels > Select the tunnel interface > choose Delete > Ok.
    3. Delete IPSec policies
      1. Policies > Security > select the desired policies > choose Delete > ok.
    4. Commit the changes

Conclusion

In this guide, we have covered detailed best practices for configuring a Site-to-Site VPN connection between a Palo Alto firewall and an AWS Transit Gateway with a VPN attachment.

When configuring security settings between a Palo Alto firewall and AWS, always refer to the latest AWS Well-Architected Framework Security Pillar documentation, as well as Palo Alto’s Key Firewall Best Practices.

Please see this related re:Post article to accomplish the same task, but using IPv4 connectivity.

Authors: Mostafa Elkhouly, Tyler Applebaum

Special thanks to: Calvin Bock, Pablo Sanchez Carmona, Arshdeep Grover, Nikesh Preethapal, Austin Leath, Seb Gust