Configuring IKEv2 for Microsoft Azure Environment


Microsoft Azure requires IKEv2 for dynamic routing. IKEv1 is restricted to static routing only. For more
information on Microsoft Azure VPN requirements and supported crypto parameters for both IKEv1 and IKEv2,
reference:
https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx#bkmk_DynamicRoutingIPSec

Microsoft's Dynamic Routing only requires you to have the IP address ranges for each of the local
network sites that you'll be connecting to Azure. It is a route-based VPN connection that uses the IP
address ranges defined on both gateways and IKEv2 to automatically negotiate the supported
routing prefixes. In the IKEv2 RFC (RFC 7296) this is known as traffic selector negotiation; on
PAN-OS the address ranges are configured as Proxy IDs, which the firewall sends as its traffic selectors.

For an example of how to create a multi-site topology, reference:


https://msdn.microsoft.com/library/azure/dn690124.aspx

Configuring the Palo Alto Networks Firewall


IKEv2 is supported in PAN-OS 7.0.0 and later versions, and fully supports the route-based VPN and
crypto profiles needed to connect to MS Azure's dynamic VPN architecture. IKEv1 is also supported
for connections that only require static routing. For this example, the following topology was used
to connect a PA-200 running PAN-OS v7.0.0beta to a MS Azure VPN Gateway.

Generated on 2015-06-23-07:00

For the PAN-OS IKEv2 Crypto Profile, you must select a combination of crypto parameters that Microsoft
Azure supports, as stated in Microsoft's IPSec Parameters (see the first reference link above). Our
example used the following IKE, IPSec, and crypto profile parameters. Note: public IP addresses
were changed for the purpose of this example.

IKEv2 Gateway Configuration


Under the Advanced Options for the IKEv2 Gateway, select the Enable Passive Mode option.
This instructs the PAN-OS firewall not to initiate IKE itself and to let the MS Azure VPN gateway
initiate the VPN tunnel from its side.

IKE Crypto Profile Configuration


In our example, both 3DES and AES-128-CBC were listed to show that multiple encryption strengths can be
supported; the two gateways negotiate which one is actually used.

IPSec Tunnel Configuration


You can optionally configure Tunnel Monitor to ping an IP address on the Microsoft Azure
side. You will also need to configure the necessary Proxy IDs (IP address ranges) for the local
and remote networks using the Proxy ID tab; each Proxy ID becomes a local/remote traffic selector
pair in the IKEv2 negotiation. This is how route-based VPNs are configured for dynamic routing in
the Microsoft Azure environment.
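As an added illustration (not code from this page, from PAN-OS or from Azure), the following Python models the IKEv2 traffic selector narrowing of RFC 7296 section 2.9 that turns the Proxy IDs on the firewall and the address ranges on the Azure gateway into the negotiated Child SA selectors. The firewall acts as responder, which is its role in Passive Mode. All address ranges, the peer's proposals and the scenario names are constructed for the example; the case of a peer that proposes 0.0.0.0/0 on both sides, which narrowing reduces to the Proxy ID, is included to show the general rule rather than anything the page states about what Azure sends.

```python
"""IKEv2 traffic selector narrowing (RFC 7296, section 2.9), modelling how
PAN-OS Proxy IDs and the peer gateway's address ranges become the Child SA
selectors. Added illustration only; not PAN-OS or Azure code. Every address
range below is constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Tuple


class TSUnacceptable(Exception):
    """No overlap between proposal and policy: IKEv2 replies TS_UNACCEPTABLE."""


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE: address range, IP protocol (0 = any), port range."""
    start: IPv4Address
    end: IPv4Address
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  port_lo: int = 0, port_hi: int = 65535) -> "TrafficSelector":
        net = ip_network(cidr, strict=False)
        return cls(net[0], net[-1], proto, port_lo, port_hi)

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Common subset of two selectors, or None when they do not overlap."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        start, end = max(self.start, other.start), min(self.end, other.end)
        lo, hi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if start > end or lo > hi:
            return None
        return TrafficSelector(start, end, self.proto or other.proto, lo, hi)

    def __str__(self) -> str:
        return f"{self.start}-{self.end} proto={self.proto} ports={self.port_lo}-{self.port_hi}"


def narrow(proposed: List[TrafficSelector],
           policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Responder narrowing: keep every overlap between what the initiator
    proposed and what the local Proxy ID allows, in proposal order."""
    kept: List[TrafficSelector] = []
    for p in proposed:
        for q in policy:
            common = p.intersect(q)
            if common is not None and common not in kept:
                kept.append(common)
    return kept


def respond_child_sa(tsi: List[TrafficSelector], tsr: List[TrafficSelector],
                     proxy_local: List[TrafficSelector],
                     proxy_remote: List[TrafficSelector]
                     ) -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """The firewall in Passive Mode is the responder: the peer's TSi describes the
    peer's networks (Proxy ID 'remote'), its TSr describes ours (Proxy ID 'local').
    Returns the narrowed (TSi, TSr) that go back in the reply."""
    new_tsi = narrow(tsi, proxy_remote)
    new_tsr = narrow(tsr, proxy_local)
    if not new_tsi or not new_tsr:
        raise TSUnacceptable(f"no overlap: TSi={[str(t) for t in tsi]} TSr={[str(t) for t in tsr]}")
    return new_tsi, new_tsr


# Constructed Proxy ID on the firewall: local 10.1.0.0/24, remote 172.16.0.0/16.
cidr = TrafficSelector.from_cidr
PROXY_LOCAL = [cidr("10.1.0.0/24")]
PROXY_REMOTE = [cidr("172.16.0.0/16")]


def scenario_exact() -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """Peer proposes exactly the ranges in the Proxy ID: returned unchanged."""
    return respond_child_sa([cidr("172.16.0.0/16")], [cidr("10.1.0.0/24")],
                            PROXY_LOCAL, PROXY_REMOTE)


def scenario_any_to_any() -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """Peer proposes 0.0.0.0/0 on both sides: narrowed down to the Proxy ID."""
    return respond_child_sa([cidr("0.0.0.0/0")], [cidr("0.0.0.0/0")],
                            PROXY_LOCAL, PROXY_REMOTE)


def scenario_partial() -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """Wider TSr (10.1.0.0/16) shrinks to the Proxy ID; a narrower TSi
    (172.16.5.0/24) stays at the peer's range."""
    return respond_child_sa([cidr("172.16.5.0/24")], [cidr("10.1.0.0/16")],
                            PROXY_LOCAL, PROXY_REMOTE)


def scenario_mismatch() -> bool:
    """Peer's remote range is not covered by the Proxy ID: TS_UNACCEPTABLE."""
    try:
        respond_child_sa([cidr("192.168.5.0/24")], [cidr("10.1.0.0/24")],
                         PROXY_LOCAL, PROXY_REMOTE)
    except TSUnacceptable:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("exact", scenario_exact), ("any-to-any", scenario_any_to_any),
                     ("partial", scenario_partial)):
        tsi, tsr = fn()
        print(f"{name:10s} TSi={[str(t) for t in tsi]} TSr={[str(t) for t in tsr]}")
    print("mismatch   TS_UNACCEPTABLE:", scenario_mismatch())
```

Each Proxy ID entry contributes one local/remote pair to the policy, and the responder keeps only the overlap with what the peer proposed. A Proxy ID that overlaps nothing the peer sends yields TS_UNACCEPTABLE, which is a Phase 2 failure: the IKE SA can still complete, but no IPSec tunnel comes up.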


IPSec Crypto Profile Configuration


For our example, no-pfs is used for the DH Group and multiple encryption strengths were listed
to allow the two gateways to negotiate the encryption algorithm between the VPN gateways.

By default, Microsoft disables PFS. To enable perfect forward secrecy, manually enable
it on the tunnel via the Microsoft PowerShell cmdlet:
Set-AzureVNetGatewayIPsecParameters -VNetName VnetNameHere -LocalNetworkSiteName
OnPremNetworkNameHere -pfsGroup 1
If you enable PFS, the DH Group in the PAN-OS IPSec Crypto Profile must match the group set on the
Azure side; with the setting above, select DH Group 1 on the firewall's tunnel crypto profile. A
mismatch (PFS on one side, no-pfs on the other) causes the IPSec Phase 2 negotiation to fail. Note
that DH Group 1 is 768-bit MODP and is no longer considered strong; use a larger group when both
gateways support one.
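As an added illustration (not code from this page, from PAN-OS or from Azure), this Python models how the responder picks one transform set out of the combinations an initiator's crypto profile allows, which is why listing several encryption algorithms in the IKE and IPSec Crypto Profiles works, and why the PFS (DH) group has to agree on both gateways. The PAN-OS side uses the page's IPSec profile (3DES and AES-128-CBC, no-pfs); SHA-1 for integrity, the peer's accepted set, its preference order, and the rule that the responder takes the initiator's first acceptable offer are all assumptions made for the example, not Microsoft's published parameter list. The same selection logic applies to the IKE Crypto Profile, where a DH group is mandatory.

```python
"""IKEv2 SA proposal selection (RFC 7296, sections 2.7 and 3.3) for the IPSec
(Child SA) crypto profile, including the PFS (DH) group. Added illustration;
not PAN-OS or Azure code. The peer's accepted set is constructed for the
example and is not Microsoft's published parameter list."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Transform:
    """One complete transform set for a Child SA."""
    encr: str    # e.g. "aes-128-cbc", "3des"
    integ: str   # e.g. "sha1", "sha256"
    dh: str      # "no-pfs" or a DH group such as "group1", "group2"


@dataclass
class CryptoProfile:
    """Mirrors a PAN-OS IPSec Crypto Profile: each field may list several
    algorithms. List order is taken here as the order of preference."""
    encr: List[str]
    integ: List[str]
    dh: List[str]

    def offered(self) -> List[Transform]:
        """Every combination the profile allows, in preference order."""
        return [Transform(e, a, d) for e, a, d in product(self.encr, self.integ, self.dh)]

    def accepts(self, t: Transform) -> bool:
        return t.encr in self.encr and t.integ in self.integ and t.dh in self.dh


def select_proposal(initiator: CryptoProfile, responder: CryptoProfile) -> Optional[Transform]:
    """Responder walks the initiator's offers in order and takes the first one
    its own profile fully satisfies. None models NO_PROPOSAL_CHOSEN. The DH
    group is the PFS group: it is part of the Child SA proposal and has to
    agree on both gateways or the Phase 2 negotiation fails."""
    for t in initiator.offered():
        if responder.accepts(t):
            return t
    return None


# Algorithms the page's 2015 example could still negotiate but that are now
# considered weak: DES/3DES (64-bit block), MD5, DH groups 1 and 2 (768/1024-bit MODP).
WEAK = {"des", "3des", "md5", "group1", "group2"}


def weak_components(t: Transform) -> Set[str]:
    """Which parts of a negotiated transform set a reviewer should flag."""
    return {x for x in (t.encr, t.integ, t.dh) if x in WEAK}


# The page's PAN-OS IPSec profile (SHA-1 for integrity is assumed; the page
# lists only encryption and DH group), and a constructed peer profile.
PANOS_IPSEC = CryptoProfile(encr=["3des", "aes-128-cbc"], integ=["sha1"], dh=["no-pfs"])
PEER_DEFAULT = CryptoProfile(encr=["aes-256-cbc", "aes-128-cbc", "3des"], integ=["sha1"], dh=["no-pfs"])
PEER_PFS1 = CryptoProfile(encr=PEER_DEFAULT.encr, integ=["sha1"], dh=["group1"])
PANOS_PFS1 = CryptoProfile(encr=["3des", "aes-128-cbc"], integ=["sha1"], dh=["group1"])


def negotiate_examples() -> Dict[str, Optional[Transform]]:
    """The peer initiates (the firewall is in Passive Mode) in all three cases."""
    return {
        # peer prefers AES-256, which the firewall does not list; AES-128 is the
        # first offer both sides accept, so 3DES is never chosen
        "default": select_proposal(PEER_DEFAULT, PANOS_IPSEC),
        # peer enabled PFS group 1, firewall still says no-pfs: no common proposal
        "pfs_mismatch": select_proposal(PEER_PFS1, PANOS_IPSEC),
        # firewall profile changed to DH Group 1 to match: succeeds, but with weak DH
        "pfs_matched": select_proposal(PEER_PFS1, PANOS_PFS1),
    }


if __name__ == "__main__":
    for name, chosen in negotiate_examples().items():
        flags = sorted(weak_components(chosen)) if chosen else []
        print(f"{name:13s} -> {chosen if chosen else 'NO_PROPOSAL_CHOSEN'}"
              + (f"  weak: {flags}" if flags else ""))
```

Listing 3DES next to AES-128-CBC does not mean 3DES is used: the responder settles on the first combination both profiles accept, so the weaker algorithm is only chosen when the peer offers nothing better. Enabling PFS on only one gateway, by contrast, removes every common proposal at once.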

Checking the Connection


On the PAN-OS firewall, under Network > IPSec Tunnels, check that the tunnel you created is up and
running. The status columns for the IKE Gateway and the Tunnel Interface should be green if IKEv2
negotiated correctly and the IPSec Phase 2 tunnel was brought up. An IKE Gateway that is green while
the Tunnel Interface stays red points to a Phase 2 problem, such as mismatched Proxy IDs or IPSec
crypto profiles.

You can also filter the System log on the vpn subtype, for example with ( subtype eq vpn ), to see the
IKE negotiation messages. For the VPN connection status on the Microsoft Azure side, please refer to
the Microsoft references stated above.
