
IPSec site-to-site VPN tunnel between Palo Alto firewall and Microsoft Azure

Marrying Azure to PA turned out to be quite tricky. There are two issues with Azure:

1. You have to create your network with Static Routing, not Dynamic (in Azure terms), because with Dynamic Routing Azure uses only IKE v2, which is not currently supported by PAN firewalls.

2. The Lifesize for phase 2 SAs is proposed only in KB, and the value Microsoft suggests is huge (97GB or so). There is no way to match this on PAN firewalls, as they allow values up to 65535 only! The workaround for this one is simple yet elegant: set it to 0 on the Palo Alto side. You will then rely only on Lifetime, which you can easily match with the one on the Azure side.
