AWS VPN

From Dave-Wiki

Deploying a VPN in AWS Peered with a Palo Alto On-Prem Firewall

Overview

This guide details how to deploy an AWS Site-to-Site VPN and peer it with a Palo Alto on-premises firewall. It includes VPN configuration using **AWS Console, CLI, and Terraform**, along with troubleshooting steps using AWS CLI.

Prerequisites

  • **AWS Account** with permissions to create VPNs, VPCs, and Route Tables.
  • **Palo Alto Networks Firewall** with public IP connectivity.
  • **IPSec VPN configuration details** (e.g., Phase 1 & Phase 2 settings).

AWS Site-to-Site VPN Deployment

[ Manual Deployment: Using AWS Console ]

Step 1: Create a Virtual Private Gateway (VGW)

  1. Navigate to VPC > Virtual Private Gateways.
  2. Click Create Virtual Private Gateway.
  3. Provide a name and select Amazon Default ASN or specify your own.
  4. Click Create Virtual Private Gateway.
  5. Attach the VGW to your target VPC.

Step 2: Create a Customer Gateway (CGW)

  1. Navigate to VPC > Customer Gateways.
  2. Click Create Customer Gateway.
  3. Provide a name and enter the public IP of your Palo Alto firewall.
  4. Set the type to Static and enter the on-prem ASN if needed.
  5. Click Create Customer Gateway.

Step 3: Create a Site-to-Site VPN Connection

  1. Navigate to VPC > Site-to-Site VPN Connections.
  2. Click Create VPN Connection.
  3. Select the Virtual Private Gateway (VGW).
  4. Select the previously created Customer Gateway (CGW).
  5. Choose Static Routing or BGP.
  6. Click Create VPN Connection.

Step 4: Add VPN Routes

  1. Navigate to Route Tables.
  2. Select the appropriate route table.
  3. Click Edit Routes and add a route for the **on-prem network CIDR** pointing to the VGW.

Step 5: Download VPN Configuration for Palo Alto

  1. Go to Site-to-Site VPN Connections.
  2. Select the VPN Connection.
  3. Click Download Configuration.
  4. Choose Palo Alto Networks as the vendor.
  5. Apply the settings to your Palo Alto firewall.

[ Manual Deployment: Using AWS CLI ]

Step 1: Create Virtual Private Gateway

aws ec2 create-vpn-gateway --type "ipsec.1"
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-xxxxxxxx --vpc-id vpc-xxxxxxxx

Step 2: Create Customer Gateway

aws ec2 create-customer-gateway --type "ipsec.1" --public-ip "203.0.113.1" --bgp-asn 65000

Step 3: Create VPN Connection

aws ec2 create-vpn-connection --customer-gateway-id cgw-xxxxxxxx --vpn-gateway-id vgw-xxxxxxxx --type "ipsec.1"

Step 4: Add VPN Route to Route Table

aws ec2 create-route --route-table-id rtb-xxxxxxxx --destination-cidr-block 192.168.1.0/24 --gateway-id vgw-xxxxxxxx

[ Deployment Using Terraform ]

resource "aws_vpc" "vpn_vpc" {
  cidr_block = "10.10.0.0/16"
  tags = { Name = "VPN-VPC" }
}

resource "aws_vpn_gateway" "vgw" {
  amazon_side_asn = 64512
  tags = { Name = "VPN-VGW" }
}

resource "aws_vpn_gateway_attachment" "vgw_attach" {
  vpc_id         = aws_vpc.vpn_vpc.id
  vpn_gateway_id = aws_vpn_gateway.vgw.id
}

resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
  tags = { Name = "OnPrem-CGW" }
}

resource "aws_vpn_connection" "vpn" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true
  tags = { Name = "AWS-Palo-VPN" }
}

resource "aws_route_table" "vpn_route_table" {
  vpc_id = aws_vpc.vpn_vpc.id
  route {
    cidr_block = "192.168.1.0/24"
    gateway_id = aws_vpn_gateway.vgw.id
  }
  tags = { Name = "VPN-Route-Table" }
}

Palo Alto Firewall Configuration

Phase 1 (IKE) Configuration

  • IKE Version: IKEv1 or IKEv2
  • Authentication: Pre-Shared Key (from AWS VPN config)
  • Encryption: AES-256
  • Hash: SHA-256
  • DH Group: 14
  • Lifetime: 28800 seconds

Phase 2 (IPSec) Configuration

  • Protocol: ESP
  • Encryption: AES-256
  • Authentication: SHA-256
  • PFS Group: 14
  • Lifetime: 3600 seconds

Routes and NAT Considerations

  • Ensure AWS VPC CIDR is included in the tunnel’s routing table.
  • If NAT is enabled on Palo Alto, add proper NAT rules for VPN traffic.
  • AWS static routes or BGP should reflect the on-prem network.

Troubleshooting AWS VPN Using AWS CLI

Check VPN Connection Status

aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxxxxxxx
  • Look for `"State": "available"` in the output.

Check Tunnel Status

aws ec2 describe-vpn-connections --query "VpnConnections[].VgwTelemetry"
  • Look for `"Status": "UP"` for each tunnel.

Check BGP Routes (If BGP is used)

aws ec2 describe-route-tables --filters "Name=association.vpc-id,Values=vpc-xxxxxxxx"
  • Ensure VPN routes are present.

Check AWS Logs for VPN Issues

Enable VPN logging: 

aws ec2 modify-vpn-connection-options --vpn-connection-id vpn-xxxxxxxx --enable-logging

Check CloudWatch Logs for VPN

If VPN logging is enabled: 

aws logs describe-log-groups --query "logGroups[?contains(logGroupName, 'VPN')].logGroupName"
aws logs get-log-events --log-group-name "/aws/vpn" --limit 10

Palo Alto Troubleshooting

Check IPSec Tunnel Status

On Palo Alto CLI: 

show vpn ike-sa
show vpn ipsec-sa

Debug VPN Traffic

Enable debug logs: 

debug ike gateway gateway-name on debug
tail follow yes mp-log ikemgr.log

Check NAT Rules (If Used)

Ensure proper NAT rules exist: 

show running nat-policy

Check Firewall Logs

  • Go to Palo Alto Web UI → MonitorSystem Logs.
  • Look for IKE phase failures or misconfigurations.

Common Issues and Fixes

Issue Cause Resolution
AWS VPN tunnel is down Incorrect IKE/IPSec settings on Palo Alto Verify AWS VPN configuration download and ensure correct settings.
No traffic over VPN Missing static routes or BGP misconfiguration Ensure proper routes are added to AWS and Palo Alto.
Tunnel flaps Mismatched IKE lifetime settings Set identical IKE Phase 1 & 2 lifetimes on both sides.
Palo Alto shows IKE Phase 1 down Incorrect pre-shared key Re-enter the pre-shared key in Palo Alto.
Retrieved from "https://davehome.net/wiki/index.php?title=AWS_VPN&oldid=475"