by Chris Lilley

AWS Dynamic IPSec Tunnel using BGP

In this post I set up a VPN tunnel between my AWS VPC and my home Palo Alto firewall. I wanted to set this up to play with AWS VPN tunnels as well as with BGP and IPsec tunnels on a Palo Alto firewall.

In this instance, the main reason to advertise routes over BGP instead of setting them statically on each end is ease of configuration when something changes. If a new subnet is added behind the firewall it will be advertised to AWS as long as the proper BGP command is in place. The other reason is resiliency if one of the AWS VPN endpoints goes down. Probably not the biggest deal in a small environment, but a learning experience to configure nonetheless.

I'm going to go over the steps necessary to set this up and a challenge I faced on the Palo Alto firewall side of things.

Configuration in the AWS Console

The first step is to create the Customer Gateway. This just sets the peer IP that will be used to set up the other side of the VPN tunnel. I changed the routing to Dynamic so that the AWS side is ready to be a BGP peer with AS 65000.

Next I created the Virtual Private Gateway (VGW) on the AWS side. I used the Amazon default AS, which is 64512.

Then I attached the VGW that was just made to my default VPC.

Next up is creating the VPN connection. This connects the VGW and the Customer Gateway that were just created.

Configuration on the Palo Alto Firewall

From here AWS gives you the CLI commands needed to set up everything on the Palo Alto side once you download the .txt file. You can enter all of these commands in the CLI, or there is a guide to follow on how to configure it with the GUI.

Once all of the commands have been set, the VPN tunnel will appear online and the AWS VPC route will be in the route table, as confirmed by a couple of show commands.

I ran into an issue where my local route of 192.168.10.0/24 was not being advertised to AWS. I even tried playing with the Export commands a bit. I am running old firmware on the PA box, so this could possibly be a bug. To get around this I just redistributed the connected route.

Once I did this the route showed up in the AWS console.


The last thing that has to be done is to enable route propagation so that the route table receives the routes from the VGW. This is done under the Propagation tab of the route table. The route is now in the route table.
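As a check after the steps above, here is an added example (not from the original post) that reads the output of `aws ec2 describe-vpn-connections` and flags the two things this setup depends on: both tunnels being up, and AWS actually accepting the firewall's BGP routes. The VPN id, tunnel IPs and sample output are constructed placeholders.

```python
"""Health check for the dynamic (BGP) VPN from the post (added example, not the post's own code).
Parses the JSON printed by `aws ec2 describe-vpn-connections` and reports, per tunnel,
whether IPsec is UP and how many BGP routes AWS accepted from the firewall. An UP tunnel
with AcceptedRouteCount 0 is the symptom described above: tunnel online, local route missing."""
import json

# Constructed sample of describe-vpn-connections output (placeholder ids/IPs).
SAMPLE = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-PLACEHOLDER",
        "State": "available",
        "Options": {"StaticRoutesOnly": False},   # False = dynamic (BGP) routing
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 1},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    }]
})


def check_vpn(describe_json: str) -> dict:
    """Return findings for the first VPN connection in describe-vpn-connections output."""
    conn = json.loads(describe_json)["VpnConnections"][0]
    tunnels = conn.get("VgwTelemetry", [])
    up = [t for t in tunnels if t.get("Status") == "UP"]
    findings = {
        "vpn_id": conn["VpnConnectionId"],
        "dynamic_routing": not conn.get("Options", {}).get("StaticRoutesOnly", True),
        "tunnels_up": len(up),
        "tunnels_total": len(tunnels),
        "routes_accepted": sum(t.get("AcceptedRouteCount", 0) for t in up),
        "warnings": [],
    }
    if not findings["dynamic_routing"]:
        findings["warnings"].append("static-routes-only connection: BGP is not in use")
    for t in tunnels:
        ip = t.get("OutsideIpAddress", "?")
        if t.get("Status") != "UP":
            findings["warnings"].append(f"tunnel {ip} is down: {t.get('StatusMessage') or 'no message'}")
        elif t.get("AcceptedRouteCount", 0) == 0:
            findings["warnings"].append(f"tunnel {ip} is up but AWS has accepted no BGP routes")
    if len(up) < 2:   # both tunnels up is what gives resiliency against one endpoint failing
        findings["warnings"].append("no redundancy: fewer than two tunnels are up")
    return findings


if __name__ == "__main__":
    for warning in check_vpn(SAMPLE)["warnings"]:
        print("WARN:", warning)
```

Run it against real output with `aws ec2 describe-vpn-connections > vpn.json` and pass the file contents to `check_vpn`.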


1 Comment

Max Felt

Jan 1, 2019, 6:13 am

This is awesome, big fan. Please keep these up <3