vmc-on-aws-vpn-connectivity-with-PALO-ALTO
VMC-on-AWS VPN Connectivity Options
Goals
- Successfully configure a VPN connection from the VMC on AWS SDDC to the On-Prem Datacenter
Overview of Network Connectivity Options
VPN Options
- Route Based VPN with BGP
- Policy Based VPN
- L2VPN Client using the “NSX Autonomous Edge”
Summary: I ended up going with a Route Based VPN with BGP for my setup. I discovered some limitations with the Palo Alto and Policy Based IPSec VPN; I believe I have to use Proxy IDs if I want it to work. The best option left for me was doing a Route Based IPSec VPN with BGP.
Configure Palo Alto
Create IPSec Crypto Profile on Palo Alto
Create IKE Crypto Profile on Palo Alto
Create IKE Gateway Profile on Palo Alto
Create Tunnel Interface
Create IPSec Tunnel
Create Firewall Rules
BGP Configurations
(default) Virtual Router BGP Settings
- Reject Default Route
- AS Number
- Router ID
  - not essential for the VPN process, but a Router ID should be defined
- Auth Profile
  - create one, as you’ll need it for the SDDC and the Peer Group
Create Peer Group
- Define the name of the Peer Group
- Peer AS on the SDDC is 6500 by default
- Local Address = the tunnel interface you created
  - ex. 1.1.1.3/29 (with prefix length)
- Peer Address = the address of your SDDC
  - ex. 1.1.1.2 (IP only)
- Select the Auth Profile
Route Redistribution: if you are using multiple VPN connections in your SDDC, do not select “Allow Redistribute Default Route”. In my case I have a static route to my ISP (ex. 0.0.0.0/0 -> eth1); when this option is selected, that default route is redistributed to the SDDC and may cause issues with other VPN connections. My on-prem NSX had to be modified as well to add a static route (see the section below).
Configure NSX on SDDC
Configure Route Based IPSEC VPN
- Name
- Local IP Address
- Remote Public IP
- BGP Local IP/Prefix Length
- BGP Remote IP
- BGP Neighbor ASN
- Preshared Key
- Secret
The rest of the settings can be left at their defaults if you used the settings described in the Palo Alto section above.
Create a Management Group with IP addresses you want to have access to Management Assets in your SDDC
Create a Compute Group with IP addresses you want to have access to Compute Assets in your SDDC
Using the Compute Group you created, create a Gateway Rule under the Compute section to allow VPN access; defining the “BGP Subnet” will allow BGP traffic to your On-Prem, together with the policy created on the Palo Alto. Make sure to change the “Applied To”
From here, if all your configuration is in place, your tunnel will come up and BGP will be established.
Tunnel is active on the Palo Alto
Learned Routes on the SDDC show networks from the On-Prem
(Optional) On-prem NSX-T Static Route
In my setup my on-prem Palo Alto’s BGP settings had “Allow Redistribute Default Route” enabled, as well as a static route of 0.0.0.0/0 to my eth1 (Untrust) ISP connection.
When this was enabled, 0.0.0.0/0 was present in the SDDC learned routes, which caused access interruption on another VPN connection we had set up on the SDDC.
The fix was to uncheck “Allow Redistribute Default Route” and commit, then set up a static route on the on-prem NSX-T T0 gateway to another gateway (on the Palo) that could reach the internet. In my case, my “Edge Uplink” network gateways (which are sub-interfaces on the Palo) have access to the internet.
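Because the two sides of this peering mirror each other (the Palo’s Local Address is the SDDC’s BGP Remote IP, the Palo’s Peer AS is the SDDC’s ASN, and so on), it is easy to mistype one value and then spend time chasing a tunnel that is up but never establishes BGP. The script below is an added example, not part of this write-up or of any VMware or Palo Alto tooling: it models the Palo Alto peer group and the NSX Route Based VPN fields listed above, checks that they agree, and flags the default-route leak described in the Route Redistribution note and in this static-route section. The `sddc_asn` field (the SDDC-wide ASN), the ASNs 65000/65010 and the secret are assumed sample values; only the 1.1.1.3/29 and 1.1.1.2 pair comes from the write-up.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field, replace

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class PaloAltoSide:
    """Palo Alto (default) virtual router BGP settings plus the SDDC peer group."""
    local_as: int                      # AS Number on the virtual router
    peer_as: int                       # Peer AS (the SDDC's ASN)
    local_address: str                 # tunnel interface address, with prefix length
    peer_address: str                  # SDDC BGP address, IP only
    auth_secret: str                   # secret in the BGP Auth Profile
    allow_redistribute_default_route: bool
    static_routes: list[str] = field(default_factory=list)  # static routes on the VR


@dataclass
class SddcSide:
    """NSX Route Based IPSec VPN fields on the SDDC side."""
    sddc_asn: int                      # assumed: SDDC-wide ASN, set once per SDDC, not per VPN
    bgp_local_ip_prefix: str           # "BGP Local IP/Prefix Length"
    bgp_remote_ip: str                 # "BGP Remote IP"
    bgp_neighbor_asn: int              # "BGP Neighbor ASN"
    secret: str                        # "Secret" (BGP authentication)


def check_peering(palo: PaloAltoSide, sddc: SddcSide) -> list[str]:
    """Return the mismatches between the two sides; an empty list means consistent."""
    problems: list[str] = []
    palo_if = ipaddress.ip_interface(palo.local_address)
    sddc_if = ipaddress.ip_interface(sddc.bgp_local_ip_prefix)
    palo_peer = ipaddress.ip_address(palo.peer_address)
    sddc_peer = ipaddress.ip_address(sddc.bgp_remote_ip)

    # Both tunnel endpoints must sit in the same subnet.
    if palo_if.network != sddc_if.network:
        problems.append(f"tunnel subnets differ: {palo_if.network} vs {sddc_if.network}")
    # Each side's peer/remote address must be the other side's local address.
    if palo_peer != sddc_if.ip:
        problems.append(f"Palo peer address {palo_peer} != SDDC BGP local IP {sddc_if.ip}")
    if sddc_peer != palo_if.ip:
        problems.append(f"SDDC BGP remote IP {sddc_peer} != Palo tunnel IP {palo_if.ip}")
    # ASNs mirror each other and must differ, since the SDDC peering is eBGP.
    if palo.local_as != sddc.bgp_neighbor_asn:
        problems.append(f"SDDC neighbor ASN {sddc.bgp_neighbor_asn} != Palo AS {palo.local_as}")
    if palo.peer_as != sddc.sddc_asn:
        problems.append(f"Palo peer AS {palo.peer_as} != SDDC ASN {sddc.sddc_asn}")
    if palo.local_as == palo.peer_as:
        problems.append("local AS equals peer AS; the SDDC peering is eBGP")
    # The BGP authentication secret must be identical on both ends.
    if palo.auth_secret != sddc.secret:
        problems.append("BGP auth secret differs between Palo Auth Profile and SDDC Secret")
    return problems


def default_route_leak(palo: PaloAltoSide) -> bool:
    """True if the Palo would redistribute its 0.0.0.0/0 static route to the SDDC."""
    has_default = any(ipaddress.ip_network(r) == DEFAULT_ROUTE for r in palo.static_routes)
    return has_default and palo.allow_redistribute_default_route


# Constructed sample values: 1.1.1.3/29 and 1.1.1.2 are the pair used in the write-up,
# the ASNs and the secret are placeholders.
SDDC = SddcSide(
    sddc_asn=65000,
    bgp_local_ip_prefix="1.1.1.2/29",
    bgp_remote_ip="1.1.1.3",
    bgp_neighbor_asn=65010,
    secret="constructed-bgp-secret",
)

# "Before": default static route present and its redistribution allowed.
PALO_BEFORE = PaloAltoSide(
    local_as=65010,
    peer_as=65000,
    local_address="1.1.1.3/29",
    peer_address="1.1.1.2",
    auth_secret="constructed-bgp-secret",
    allow_redistribute_default_route=True,
    static_routes=["0.0.0.0/0", "10.10.0.0/16"],
)

# "After": same peering, "Allow Redistribute Default Route" unchecked.
PALO_AFTER = replace(PALO_BEFORE, allow_redistribute_default_route=False)

# A deliberately mistyped SDDC entry: remote IP entered as 1.1.1.4.
SDDC_WRONG_REMOTE = replace(SDDC, bgp_remote_ip="1.1.1.4")

if __name__ == "__main__":
    print("peering problems:", check_peering(PALO_AFTER, SDDC) or "none")
    print("default route would leak (before):", default_route_leak(PALO_BEFORE))
    print("default route would leak (after):", default_route_leak(PALO_AFTER))
    print("mistyped remote IP:", check_peering(PALO_AFTER, SDDC_WRONG_REMOTE))
```

Run it once before committing on either side; a non-empty list from `check_peering` or `True` from `default_route_leak` is the configuration mistake to fix before looking at the tunnel or the BGP session itself.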
Helpful Links
VMware VMC on AWS Policy Based VPN Example - Part of the VMC on AWS quick start series - dives into the configuration of the Policy Based VPN setup from the SDDC side in NSX.
Palo Alto How to Configure IPSEC VPN - Generic Palo Alto configuration of IPSEC VPN
How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel - Post Palo Alto IPSEC VPN creation to check status and monitor the newly established VPN Tunnel.
VMC on AWS to Palo Alto - Route based IPSEC VPN - Great article and guide for setting up the VPN Tunnel - the key piece was allowing the BGP network on the SDDC NSX side and
Palo Alto BGP over IPSEC Route Based VPN Tunnel - more information on BGP over IPSEC