How do I configure a Palo Alto firewall (v5.x) to send IPsec traffic to the Cloud?
The prerequisite for this guide is a working Palo Alto Networks firewall running PAN-OS 5.x; the menu paths and settings below are taken from that version.
GOTO: Network – Interfaces – Tunnel tab
Click “add” and create a new Tunnel Interface assigned to your default virtual router. If you have multiple virtual routers, place the tunnel interface in the virtual router through which your Internet traffic egresses.
You must assign an IP address to the tunnel interface. The address itself is never used for traffic; it is required because of a PAN-OS limitation: Policy Based Forwarding (PBF) cannot forward traffic to an interface that has no IP address.
In this example the address used belongs to the Trust zone’s range, but it does not seem to matter which address you choose, as long as it has a /32 mask.
GOTO: Network – Zones
Create a new Zone called Cloud. This zone is the destination zone for the security rule and the “no NAT” rule created later on, so traffic forwarded into the tunnel can be matched separately from ordinary Internet traffic.
Add the Tunnel Interface you created to this zone.
GOTO: Network – Network Profiles – IKE Crypto
Click on “add” and create a new IKE Crypto Profile like this (the encryption, hash and DH group must match what the Cloud service’s IKE peer accepts; where the peer supports them, prefer AES and SHA-2 over 3DES, MD5 and DH group 1):
GOTO: Network – Network Profiles – IPSec Crypto
Click on “add” and create a new IPSec Crypto Profile like this:
GOTO: Network – Network Profiles – IKE Gateway
Click on “add” and create a new IKE Gateway like this, using the peer address and identifiers supplied by the Cloud provider and a long, random pre-shared key (the PSK is the only thing authenticating the peer):
GOTO: Network – IPSec Tunnels
Click “add” and set up a new IPSec Tunnel like this:
Use the Tunnel Interface, the IKE Gateway, and the IPSec Crypto Profile created previously.
GOTO: The "Proxy IDs" tab in the IPsec Tunnel object
Click “add” to add the Local network that will access the Cloud:
*** In a normal site-to-site (non-Cloud) VPN you would create one Proxy ID for *each* subnet or service that needs to use the VPN, and each Proxy ID negotiates its own Phase 2 (IPsec) SA. To work with the Cloud service, however, create only one (1) Proxy ID. Make sure that this single Proxy ID covers all the subnets you want to send to the Cloud (for example by using a supernet), or create a separate VPN tunnel for each.
At this stage, the VPN tunnel should come up once you commit the changes.
Now we need to create the rules.
GOTO: Policies – Security
Create a rule that allows traffic from the zone where your clients reside to the Cloud zone, with BOTH the http and https services (the predefined service-http and service-https objects):
GOTO: Policies – NAT
Create a rule that disables NAT for traffic sent to the Cloud zone (IPsec traffic to the Cloud must NOT be NATed). On PAN-OS a NAT rule with no translation configured is the “no NAT” rule; place it above your general source-NAT rule, because NAT rules are evaluated top-down and the first match wins:
GOTO: Policies – Policy Based Forwarding
Create a rule that forwards BOTH http and https from the client zone to your tunnel interface. Only traffic matching this rule takes the tunnel; everything else follows the normal routing table. Consider enabling monitoring on the PBF rule (“Disable this rule if nexthop/monitor fails”), otherwise matching traffic keeps being forwarded into the tunnel even when the far end is down:
When all of this is committed, you should see under Network – IPSec Tunnels that the tunnel is established:
You can also issue the CLI command show vpn flow to see that the tunnel is up and active; show vpn ike-sa and show vpn ipsec-sa list the Phase 1 and Phase 2 SAs respectively.
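As an added example (not part of the original guide or of any vendor documentation), here is the whole procedure above expressed as PAN-OS configure-mode set commands, followed by the verification commands. All object names (tunnel.1, Cloud, Cloud-IKE, Cloud-IPSec, Cloud-GW, Cloud-Tunnel, Allow-Cloud, No-NAT-Cloud, Cloud-PBF), the LAN subnet 192.168.1.0/24, the placeholder peer 203.0.113.1, the pre-shared key and the algorithm choices are assumptions; replace them with the values your Cloud provider supplies. Keyword spellings (for example aes256 versus aes-256-cbc) differ between PAN-OS releases, so confirm each line with ? on your own 5.x firewall before committing.

```text
# Added example, not from the original guide. All names, addresses and
# algorithms below are assumptions; verify keyword spellings with ? on your box.
configure

# 1. Tunnel interface with an unused /32 (PBF needs an address), placed in the
#    virtual router that carries your Internet traffic
set network interface tunnel units tunnel.1 ip 192.168.1.254/32
set network virtual-router default interface tunnel.1

# 2. Dedicated zone for the tunnel interface
set zone Cloud network layer3 tunnel.1

# 3. IKE (Phase 1) and IPsec (Phase 2) crypto profiles. Weak choices to avoid
#    if the peer allows it: des/3des, md5, dh group 1.
set network ike crypto-profiles ike-crypto-profiles Cloud-IKE encryption aes256
set network ike crypto-profiles ike-crypto-profiles Cloud-IKE hash sha256
set network ike crypto-profiles ike-crypto-profiles Cloud-IKE dh-group group14
set network ike crypto-profiles ike-crypto-profiles Cloud-IKE lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Cloud-IPSec esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Cloud-IPSec esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles Cloud-IPSec dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles Cloud-IPSec lifetime hours 1

# 4. IKE gateway: outside interface, provider peer address, long random PSK
set network ike gateway Cloud-GW local-address interface ethernet1/1
set network ike gateway Cloud-GW peer-address ip 203.0.113.1
set network ike gateway Cloud-GW authentication pre-shared-key key <long-random-psk>
set network ike gateway Cloud-GW protocol ikev1 ike-crypto-profile Cloud-IKE

# 5. IPsec tunnel bound to tunnel.1, with exactly ONE proxy ID that covers
#    every subnet that should reach the Cloud (a supernet if needed)
set network tunnel ipsec Cloud-Tunnel tunnel-interface tunnel.1
set network tunnel ipsec Cloud-Tunnel auto-key ike-gateway Cloud-GW
set network tunnel ipsec Cloud-Tunnel auto-key ipsec-crypto-profile Cloud-IPSec
set network tunnel ipsec Cloud-Tunnel auto-key proxy-id LAN local 192.168.1.0/24 remote 0.0.0.0/0 protocol any

# 6. Security rule: client zone -> Cloud zone, http and https only
set rulebase security rules Allow-Cloud from Trust to Cloud source any destination any application any service [ service-http service-https ] action allow

# 7. "No NAT": a NAT rule with no translation, moved above the general
#    source-NAT rule because NAT rules are first-match, top-down
set rulebase nat rules No-NAT-Cloud from Trust to Cloud source any destination any service any
move rulebase nat rules No-NAT-Cloud top

# 8. PBF: send http/https from the client zone into the tunnel. The monitor
#    address is an assumption: use a Cloud-side address reachable only through
#    the tunnel, so the rule is disabled (and traffic falls back to normal
#    routing) when the tunnel is dead.
set rulebase pbf rules Cloud-PBF from zone Trust source any destination any application any service [ service-http service-https ] action forward egress-interface tunnel.1
set rulebase pbf rules Cloud-PBF action forward monitor disable-if-unreachable yes ip-address <cloud-side-ip-via-tunnel>

commit

# 9. Verification (operational commands; "run" executes them from configure mode)
run test vpn ike-sa gateway Cloud-GW
run show vpn ike-sa gateway Cloud-GW
run show vpn ipsec-sa tunnel Cloud-Tunnel
run show vpn flow
```

The order matters for two of the steps: the no-NAT rule must sit above any catch-all source-NAT rule, and the security rule must allow the client zone to the Cloud zone, not to the Untrust zone, because PBF changes the egress interface and therefore the destination zone that the security policy is evaluated against.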