Configuring IKEv2 IPsec VPN for Microsoft Azure Environment
Resolution
Microsoft Azure requires IKEv2 for dynamic routing, also known as route-based VPN. IKEv1 is restricted to static routing only. For more information on Microsoft Azure VPN requirements and supported crypto parameters for both IKEv1 and IKEv2, reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Microsoft’s Dynamic Routing only requires you to have IP address ranges for each of the local network sites that you’ll be connecting to Azure. It is a route-based VPN connection that uses IP address ranges defined on both gateways and IKEv2 to automatically negotiate the supported routing prefixes. This is known as “traffic selector negotiation” under the IKEv2 RFC and PAN-OS uses Proxy IDs to configure the IP address ranges.
For an example of how to create a multi-site topology, reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
IKEv2 is supported in PAN-OS 7.1.4 and newer versions, and fully supports the route-based VPN and crypto profiles needed to connect to MS Azure’s dynamic VPN architecture. This document discusses the basic configuration on a Palo Alto Networks firewall for that purpose. Configuration of the Microsoft Azure environment is not discussed in this document; refer to Microsoft’s documentation to set up the VPN gateway in the Azure environment.
Note: Palo Alto Networks recommends upgrading PAN-OS to 7.1.4 or above FIRST before proceeding.
Configuring the Microsoft Azure Portal
For instructions on configuring the Azure VPN through the Azure portal, please visit Microsoft's site here:
Create a VNet with a Site-to-Site connection using the Azure portal
If you need instructions using PowerShell, see here:
Create a VNet with a Site-to-Site VPN connection using PowerShell
If you need instructions using the Classic portal, see here:
Create a VNet with a Site-to-Site connection using the classic portal
Configuring the Palo Alto Networks Firewall
Here is a step-by-step guide on how to set up the VPN on a Palo Alto Networks firewall.
For this example, the following topology was used to connect a PA-200 running PAN-OS 7.1.4 to a MS Azure VPN Gateway.
For the PAN-OS IKEv2 Crypto Profile, you must select a combination of Microsoft Azure supported crypto parameters as stated in Microsoft’s IPSec Parameters (see first reference link above). Our example used the following IKE, IPSec, and crypto profile parameters. Note: Public IP addresses were changed for the purpose of this example.
Tunnel Interface
- Inside the WebGUI, in Network > Interfaces > Tunnel, add a new tunnel interface. Select a virtual router and the appropriate security zone.
- Optional: In the IPv4 tab, assign an IP on the same subnet as the Azure gateway for dynamic routing and/or tunnel monitoring.
IKE Gateway
- Add an IKE Gateway (Network > Network Profiles > IKE Gateway). The following values are to be configured:
- Version: Set to ‘IKEv2 Only mode’ OR ‘IKEv2 preferred mode’
- Interface: Set to the public (internet-facing) interface of the firewall used to connect to Azure.
- Local IP Address: IP address of the external interface of the firewall. If not behind a NAT device, this will be the VPN Gateway Address as configured in Azure.
- Peer IP Address: IP address of the Azure VPN Gateway. This can be obtained from the Azure Virtual Network dashboard. Note: Make sure you use the NAT-ed IP on Azure to define the peer IP.
- Pre-shared Key: Azure uses a pre-shared key (PSK or pre-shared secret) for authentication. The key must be configured with the same value in the Azure VPN settings and on the Palo Alto Networks firewall. (Note: See the links above for Azure configuration information.)
- On the Advanced Options tab, leave Enable Passive Mode (Set as responder) unchecked, and in the IKEv2 section leave Liveness Check enabled. Note: Enable NAT Traversal if the firewall is behind a NAT device.
- ‘IKE Crypto Profile’ is set to default. A new crypto profile can be defined to match the IKE crypto settings of the Azure VPN:
DH Group: group2
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
Note: Set lifetimes longer than the Azure settings to ensure that Azure renews the keys during re-keying. Set the phase 1 lifetime to 28800 seconds.
IPSec Tunnel
Add a new IPSec tunnel (Network > IPSec Tunnels). The following values are to be configured:
- Tunnel Interface: Select the Tunnel Interface configured in Step 1 above. (Optional: Use ‘Show Advanced Options’ to configure tunnel monitoring, if desired.)
- IKE Gateway: Select the IKE Gateway configured in Step 2 above.
- IPSec Crypto Profile (Network > Network Profiles > IPSec Crypto): Select an ‘IPSec Crypto Profile’. The default can be used if it matches the Azure settings; otherwise create a new one with Add at the bottom of the IPSec Crypto window:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Note: Set lifetimes longer than the Azure settings to ensure that Azure renews the keys during re-keying. Set the IPSec (phase 2) lifetime to 8400 seconds.
Network Reachability
In ‘route-based VPNs’, the routing engine of the device(s) determines reachability, including for networks behind the VPN.
- Use the ‘Virtual Router’ settings (Network > Virtual Routers > <VR Name>) to add a Static Route for the remote network with the Interface set to the Tunnel Interface configured in Step 1. This should match the local network settings on Azure.
IPSec Tunnel Configuration
You can optionally configure “Tunnel Monitor” to ping an IP address on the Microsoft Azure side. You will also need to configure the necessary Proxy IDs (IP address ranges) for the local and remote networks using the Proxy ID tab. This is how route-based VPNs are configured for “dynamic routing” in the Microsoft Azure environment.
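The Proxy ID ranges above are what IKEv2 carries as traffic selectors, and the Azure responder narrows them to the ranges it knows about (RFC 7296, section 2.9). The following added example (not part of the original article, and not PAN-OS code) checks a set of proposed Proxy IDs against the Azure-side address ranges the same way, so a mismatch can be caught before committing the tunnel; all addresses are constructed sample values.

```python
"""Added example: predict how IKEv2 traffic-selector negotiation treats the
PAN-OS Proxy IDs given the address ranges configured on the Azure side.
All prefixes are constructed samples, not values from the article."""
import ipaddress

# Azure side (constructed): VNet address space, which is the "remote" network
# from the firewall's view, and the on-premises ranges Azure was told about.
AZURE_VNET = ["10.1.0.0/16"]
AZURE_LOCAL_SITE = ["192.168.10.0/24", "192.168.20.0/24"]

# PAN-OS side (constructed): one Proxy ID per (local, remote) pair.
PANOS_PROXY_IDS = [
    ("192.168.10.0/24", "10.1.0.0/16"),   # exact match with Azure
    ("192.168.20.0/23", "10.1.0.0/16"),   # wider than Azure knows: narrowed
    ("172.16.0.0/24", "10.1.0.0/16"),     # unknown to Azure: no Child SA
]

def narrow(selector, peer_ranges):
    """Return the portion of `selector` the peer would accept, or None.
    CIDR blocks either nest or are disjoint, so the overlap is whichever
    of the two prefixes is smaller; the responder narrows to that."""
    sel = ipaddress.ip_network(selector)
    for rng in map(ipaddress.ip_network, peer_ranges):
        if sel.subnet_of(rng):
            return str(sel)   # fully inside a peer range: accepted as-is
        if rng.subnet_of(sel):
            return str(rng)   # peer range is smaller: negotiated TS shrinks
    return None               # no overlap at all: TS_UNACCEPTABLE from peer

def check_proxy_ids(proxy_ids, azure_local, azure_vnet):
    """Classify each Proxy ID as ok, narrowed, or rejected (TS_UNACCEPTABLE)."""
    results = []
    for local, remote in proxy_ids:
        loc = narrow(local, azure_local)   # Azure checks our local TS (TSi)
        rem = narrow(remote, azure_vnet)   # and the remote TS (TSr) we propose
        if loc is None or rem is None:
            results.append((local, remote, "TS_UNACCEPTABLE"))
        elif (loc, rem) != (local, remote):
            results.append((local, remote, f"narrowed to {loc} <-> {rem}"))
        else:
            results.append((local, remote, "ok"))
    return results

if __name__ == "__main__":
    for local, remote, verdict in check_proxy_ids(
            PANOS_PROXY_IDS, AZURE_LOCAL_SITE, AZURE_VNET):
        print(f"{local:18} <-> {remote:14} {verdict}")
```

A narrowed selector means traffic outside the negotiated range is silently dropped even though the tunnel shows as up, which is why the Proxy IDs should match the Azure address ranges exactly.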
Checking the Connection
On the PAN-OS firewall under the IPSec Tunnels menu option, check the UI to ensure that the tunnel you created is up and running. The status columns for the IKE Gateway and the Tunnel Interface should be green if IKEv2 negotiated correctly and the IPSec Phase 2 tunnel was brought up.
You can also filter on the system log for the “vpn” type to see the IKE negotiation messages. For Microsoft Azure’s VPN connection status, please refer to the Microsoft references stated above.
A general check you can use is:
> show vpn tunnel

TnID  Name(Gateway)   Local Proxy IP   Ptl:Port   Remote Proxy IP   Ptl:Port   Proposals
----  -------------   --------------   --------   ---------------   --------   ---------
For more commands to help troubleshoot VPN connections, please see:
How to Troubleshoot IPSec VPN connectivity issues