This is the diagram used to deploy this lab.
![](https://tungle.ca/wp-content/uploads/2022/03/image-291-1024x397.png)
In this lab:
- Configure an IKEv2 site-to-site VPN between the Palo Alto firewall and a Virtual Private Gateway on AWS.
- Implement multi-master domain controllers on-prem and on AWS.
- Authenticate the OpenVPN tunnel via LDAP so that people working from home can reach corporate servers on AWS.
- Disconnect the on-prem domain controller to simulate migrating the corporate servers to AWS in the near future.
![](https://tungle.ca/wp-content/uploads/2022/03/image-398.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-347.png)
Core Switch configuration.

```
CoreSW
conf t
hostname CoreSW
ip routing
! Keep the gateway and the first few addresses out of the DHCP scope
ip dhcp excluded-address 172.16.10.1 172.16.10.10
!
! End-user scope. DNS points at the on-prem server on VLAN 20; add the AWS
! domain controller as a second dns-server once it is promoted, otherwise
! clients lose name resolution when the on-prem DC is offline.
ip dhcp pool VLAN10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 172.16.20.12
!
! Routed uplink to the Palo Alto LAN interface
interface GigabitEthernet0/0
 no switchport
 ip address 172.16.1.1 255.255.255.0
!
! Trunks to the access switches: only the VLANs in use, native VLAN moved off VLAN 1
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
! Advertise every 172.16.x.x network to the PA
router ospf 1
 router-id 1.1.1.1
 network 172.16.0.0 0.0.255.255 area 0
!
! Default route towards the PA LAN interface
ip route 0.0.0.0 0.0.0.0 172.16.1.254
```
```
SWCore#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3, Gi2/0, Gi2/1, Gi2/2
                                                Gi2/3, Gi3/0, Gi3/1, Gi3/2
                                                Gi3/3
10   End users                        active
20   Servers                          active
99   Native VLAN                      active
```

The access ports listed under VLAN 1 are unused in this lab; in production they would be shut down or moved to a dead-end VLAN.
Check the Kali VM, then start the SSH and Apache services on it.
![](https://tungle.ca/wp-content/uploads/2022/03/image-292.png)
On Palo Alto.
LAN interface.
![](https://tungle.ca/wp-content/uploads/2022/03/image-397.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-293.png)
e1/1 belongs to the VPN zone and e1/2 to the LAN zone.
![](https://tungle.ca/wp-content/uploads/2022/03/image-294.png)
Create a new address object for the PA LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/03/image-295.png)
Configure source NAT so that traffic from the PA LAN subnet can reach the Internet.
![](https://tungle.ca/wp-content/uploads/2022/03/image-296.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-297.png)
Configure OSPF on PA.
![](https://tungle.ca/wp-content/uploads/2022/03/image-298.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-299.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-301.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-302.png)
Allow ping on the management profile of the interfaces for troubleshooting.
![](https://tungle.ca/wp-content/uploads/2022/03/image-304.png)
Ping from PA.
![](https://tungle.ca/wp-content/uploads/2022/03/image-303.png)
Ping from a VM on the PA LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/03/image-305.png)
+ Create a new VPC.
![](https://tungle.ca/wp-content/uploads/2022/03/image-306.png)
Create a private subnet.
![](https://tungle.ca/wp-content/uploads/2022/03/image-307.png)
Create an Internet gateway and attach it to your VPC.
![](https://tungle.ca/wp-content/uploads/2022/03/image-308-1024x473.png)
Route table.
![](https://tungle.ca/wp-content/uploads/2022/03/image-309-1024x599.png)
Add a new route to your Internet Gateway.
![](https://tungle.ca/wp-content/uploads/2022/03/image-310-1024x390.png)
Go to VPN and create a customer gateway for the Palo Alto.
![](https://tungle.ca/wp-content/uploads/2022/03/image-311.png)
Create a new virtual private gateway.
![](https://tungle.ca/wp-content/uploads/2022/03/image-312.png)
Attach it to your VPC.
![](https://tungle.ca/wp-content/uploads/2022/03/image-313.png)
Create a site-to-site VPN connection.
![](https://tungle.ca/wp-content/uploads/2022/03/image-314.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-315.png)
Go to the route table and add a route to the PA LAN subnet via the virtual private gateway.
![](https://tungle.ca/wp-content/uploads/2022/03/image-316-1024x366.png)
Click Download Configuration and select the vendor, platform and IKE version as in the following screenshot.
![](https://tungle.ca/wp-content/uploads/2022/03/image-317-1024x447.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-321-1024x520.png)
Open the downloaded file; it contains the tunnel addresses, proposals and pre-shared keys used to configure the PA. Treat it as a secret.
![](https://tungle.ca/wp-content/uploads/2022/03/image-318.png)
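The same AWS-side steps (customer gateway, virtual private gateway, static-route VPN connection, route table entry) done with AWS Tools for PowerShell, together with the security group that is created later for the instances. This is an added example, not part of the original post: the region, VPC and route-table IDs and the PA public IP are placeholders, and 172.16.0.0/16 is the on-prem range taken from the OSPF network statement on the core switch.

```powershell
# Added example (not from the original post): the AWS side of the site-to-site
# VPN with AWS Tools for PowerShell. IDs, region and the PA public IP are
# placeholders; 172.16.0.0/16 is the on-prem range the core switch advertises.
Import-Module AWS.Tools.EC2

$Region     = 'us-east-1'                # assumption
$VpcId      = 'vpc-0123456789abcdef0'    # assumption: the VPC created above
$RouteTable = 'rtb-0123456789abcdef0'    # assumption: its route table
$PaPublicIp = '203.0.113.10'             # assumption: PA e1/1 address (documentation range)
$OnPremCidr = '172.16.0.0/16'            # PA LAN side (OSPF range on the core switch)

# 1. Customer gateway = the on-prem PA. An ASN is required by the API even when
#    the connection will use static routes.
$cgw = New-EC2CustomerGateway -Type ipsec.1 -PublicIp $PaPublicIp -BgpAsn 65000 -Region $Region

# 2. Virtual private gateway, attached to the VPC.
$vgw = New-EC2VpnGateway -Type ipsec.1 -Region $Region
Add-EC2VpnGateway -VpnGatewayId $vgw.VpnGatewayId -VpcId $VpcId -Region $Region | Out-Null

# 3. Site-to-site connection with static routing (no BGP on the PA in this lab),
#    plus the static route for the on-prem prefix inside the VPN connection.
$vpn = New-EC2VpnConnection -Type ipsec.1 -CustomerGatewayId $cgw.CustomerGatewayId `
           -VpnGatewayId $vgw.VpnGatewayId -Options_StaticRoutesOnly $true -Region $Region
New-EC2VpnConnectionRoute -VpnConnectionId $vpn.VpnConnectionId `
           -DestinationCidrBlock $OnPremCidr -Region $Region

# 4. VPC route table: send the on-prem prefix to the VGW (the "add a route to
#    the PA LAN subnet" step).
New-EC2Route -RouteTableId $RouteTable -DestinationCidrBlock $OnPremCidr `
           -GatewayId $vgw.VpnGatewayId -Region $Region | Out-Null

# 5. Security group for the instances: SSH, HTTP and ICMP from the on-prem
#    range only, never from 0.0.0.0/0.
$sgId = New-EC2SecurityGroup -GroupName 'onprem-via-vpn' -Description 'PA LAN over site-to-site VPN' `
           -VpcId $VpcId -Region $Region
$rules = @(
    @{ IpProtocol = 'tcp';  FromPort = 22; ToPort = 22; IpRanges = $OnPremCidr }
    @{ IpProtocol = 'tcp';  FromPort = 80; ToPort = 80; IpRanges = $OnPremCidr }
    @{ IpProtocol = 'icmp'; FromPort = -1; ToPort = -1; IpRanges = $OnPremCidr }
)
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $rules -Region $Region

# 6. The generated device configuration, pre-shared keys included, is returned
#    in the connection object; the console's Download Configuration renders the
#    same data for the selected vendor. Handle the file as a secret.
$vpn.CustomerGatewayConfiguration | Out-File -FilePath .\aws-vpn-config.xml -Encoding utf8

# 7. Tunnel state as seen from AWS (both tunnels stay DOWN until the PA side is committed).
(Get-EC2VpnConnection -VpnConnectionId $vpn.VpnConnectionId -Region $Region).VgwTelemetry |
    Format-Table OutsideIpAddress, Status, StatusMessage, LastStatusChange
```

The security group here is the one difference from the console walk-through: the rules are scoped to the on-prem prefix, which is the only source that should need SSH, HTTP or ICMP through the tunnel.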
Configure the IKE Crypto profile.
![](https://tungle.ca/wp-content/uploads/2022/03/image-319-1024x496.png)
Configure the IPSec Crypto profile.
![](https://tungle.ca/wp-content/uploads/2022/03/image-320-1024x506.png)
Configure the IKE Gateway.
![](https://tungle.ca/wp-content/uploads/2022/03/image-322-1024x545.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-323.png)
Create a new tunnel interface (tunnel.1) for the IPSec site-to-site VPN between the AWS Virtual Private Gateway and the PA.
![](https://tungle.ca/wp-content/uploads/2022/03/image-324.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-325-1024x504.png)
Configure the IPSec Tunnel.
![](https://tungle.ca/wp-content/uploads/2022/03/image-326.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-327.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-329.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-328.png)
Under Virtual Routers, add tunnel.1 to the interfaces of the virtual router.
![](https://tungle.ca/wp-content/uploads/2022/03/image-330.png)
Create a new static route to the AWS LAN subnet.
New address object.
![](https://tungle.ca/wp-content/uploads/2022/03/image-331.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-332.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-333.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-334.png)
Create Security policies to allow traffic between the LAN and VPN zones in both directions.
![](https://tungle.ca/wp-content/uploads/2022/03/image-335.png)
+ Back on AWS, create new Linux and Windows instances.
Create a new key pair on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-337.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-336.png)
Allow HTTP, SSH, and ICMP in the Security Group.
![](https://tungle.ca/wp-content/uploads/2022/03/image-338-1024x391.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-339-1024x761.png)
Back in GNS3, configure a new Windows Server 2016 VM.
![](https://tungle.ca/wp-content/uploads/2022/03/image-340-1024x603.png)
Take note of the private IP address of the Linux instance on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-341-1024x554.png)
Ping the Linux instance on the AWS LAN subnet from the PA LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/03/image-342.png)
The tunnel is up on the PA.
![](https://tungle.ca/wp-content/uploads/2022/03/image-343.png)
On AWS, the tunnel is up as well.
![](https://tungle.ca/wp-content/uploads/2022/03/image-345-1024x542.png)
Configure Windows Server 2016 on GNS3.
Install Windows Server 2016.
![](https://tungle.ca/wp-content/uploads/2022/03/image-346.png)
From Kali, SSH to the Linux instance on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-348.png)
Website on-prem.
![](https://tungle.ca/wp-content/uploads/2022/03/image-350.png)
Website on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-351.png)
Change the computer name to DC1 and promote it to a domain controller.
![](https://tungle.ca/wp-content/uploads/2022/03/image-352.png)
Create a new Windows VM on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-353-1024x572.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-354-1024x521.png)
Create a new OpenVPN server instance on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-356.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-357-1024x484.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-358-1024x599.png)
Access the OpenVPN Access Server via SSH, logging in as the openvpnas user.
![](https://tungle.ca/wp-content/uploads/2022/03/image-359-1024x555.png)
Check that the private subnet configured on OpenVPN matches the private subnet on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-360.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-361.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-362.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-363-1024x564.png)
Change the password of the openvpn admin user.
![](https://tungle.ca/wp-content/uploads/2022/03/image-364.png)
From the Windows Server 2016 VM on GNS3, RDP to the Windows instance on AWS and point its DNS setting at DC1 on-prem.
![](https://tungle.ca/wp-content/uploads/2022/03/image-365.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-366.png)
Join the machine to the on-prem domain and promote it to an additional domain controller.
![](https://tungle.ca/wp-content/uploads/2022/03/image-367.png)
Create a few test users (tung, kevin, test) on the domain controllers.
![](https://tungle.ca/wp-content/uploads/2022/03/image-373.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-375.png)
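The steps above on the AWS Windows instance (DNS to DC1, domain join, promotion to an additional DC, test users), as PowerShell run on that instance. This is an added example, not part of the original post: the domain name lab.local, the name DC2, and DC1 at 172.16.20.12 (the dns-server the core switch hands out) are assumptions; the VPN-Users group is an addition to show how VPN access can be limited to a group instead of every domain account.

```powershell
# Added example (not from the original post): the Windows instance on AWS
# becomes DC2. Domain name lab.local, DC1 = 172.16.20.12 (the dns-server the
# core switch hands out) and the adapter selection are assumptions.
$Domain = 'lab.local'
$Dc1Ip  = '172.16.20.12'
$Nic    = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# 1. Resolve the domain through DC1 over the tunnel; the SRV lookup proves
#    DNS (53) is allowed by the PA policies before anything else is tried.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc1Ip
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Format-Table Name, NameTarget, Port

# 2. Join the on-prem domain (prompts for a domain admin) and reboot.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart

# ---- after the reboot, logged on with a domain admin account ----

# 3. Promote to an additional DC with DNS. Global catalog is the default.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# ---- after the promotion reboot ----

# 4. Test users. Passwords are prompted, not embedded in the script.
foreach ($u in 'tung', 'kevin', 'test') {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$Domain" `
        -AccountPassword (Read-Host "Password for $u" -AsSecureString) `
        -Enabled $true -ChangePasswordAtLogon $true
}
# A group the VPN can require, so that not every domain account is a VPN account.
# 'test' is deliberately left out: it should be refused by the VPN later.
New-ADGroup -Name 'VPN-Users' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'VPN-Users' -Members 'tung', 'kevin'

# 5. Both directions of replication must succeed before DC2 is trusted to stand alone.
Get-ADReplicationPartnerMetadata -Target 'DC1', 'DC2' |
    Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult
repadmin /replsummary
```

Replication between DC1 and DC2 crosses the PA, so the LAN/VPN security policies have to allow more than LDAP: DNS (53), Kerberos (88), RPC endpoint mapper (135), SMB (445) and the dynamic RPC port range, in both directions. The replication check in step 5 is what tells you whether those policies are complete.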
On OpenVPN.
Change the authentication setting so that the OpenVPN tunnel is authenticated via LDAP. Both domain controllers, on AWS and on-prem, are configured as LDAP servers.
![](https://tungle.ca/wp-content/uploads/2022/03/image-368-1024x426.png)
Configure the LDAP settings so that the server can look up and bind users on the domain controllers.
![](https://tungle.ca/wp-content/uploads/2022/03/image-370-1024x646.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-371-1024x417.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-372-1024x510.png)
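What OpenVPN Access Server does when it authenticates a user against the domain controllers is an LDAP simple bind, and a simple bind sends the user's password in the clear unless the session is wrapped in TLS. The check below, an added example that is not part of the original post, reproduces that bind from any Windows host against both LDAP servers so the behaviour can be verified before users are pointed at the VPN; the host names dc1.lab.local and dc2.lab.local and the UPN kevin@lab.local are assumptions.

```powershell
# Added example (not from the original post): perform the same LDAP simple
# bind OpenVPN Access Server does, against both domain controllers, over LDAPS.
# Host names and the user principal name are assumptions for this lab.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string]$Server,             # e.g. dc2.lab.local
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [securestring]$Password,
        [switch]$PlainText    # 389 without TLS, only to demonstrate the failure mode
    )
    $port = if ($PlainText) { 389 } else { 636 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion    = 3
    $conn.SessionOptions.SecureSocketLayer  = -not $PlainText
    # AuthType.Basic == LDAP simple authentication: the password itself is the
    # credential on the wire, which is why the TLS wrapper above matters.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
    try {
        $conn.Bind($cred)
        [pscustomobject]@{ Server = $Server; Port = $port; Tls = -not $PlainText; Result = 'success' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 / "invalid credentials" is a bad password; a connection error on
        # 636 usually means the DC has no server certificate yet.
        [pscustomobject]@{ Server = $Server; Port = $port; Tls = -not $PlainText; Result = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Same check against both LDAP servers OpenVPN Access Server is configured with.
$pw = Read-Host 'Password for kevin' -AsSecureString
foreach ($dc in 'dc1.lab.local', 'dc2.lab.local') {
    Test-LdapBind -Server $dc -UserPrincipalName 'kevin@lab.local' -Password $pw
}
```

A domain controller only listens on 636 once it holds a server-authentication certificate (for example from AD CS), so a failing LDAPS bind against a freshly promoted DC points at the missing certificate rather than at OpenVPN. On the OpenVPN Access Server side the corresponding LDAP settings are Use SSL to connect to LDAP servers, and an Additional LDAP Requirement such as memberOf=CN=VPN-Users,CN=Users,DC=lab,DC=local if only a group should be allowed to connect (the DN is an assumption for this lab).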
Access the OpenVPN management interface.
![](https://tungle.ca/wp-content/uploads/2022/03/image-376-1024x390.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-374-1024x702.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-377.png)
Log in as the user kevin.
![](https://tungle.ca/wp-content/uploads/2022/03/image-378.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-379.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-380.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-384-1024x245.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-386-1024x456.png)
Access a web server on a private subnet on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-381.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-382-1024x698.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-383.png)
Monitor the traffic logs on the PA.
![](https://tungle.ca/wp-content/uploads/2022/03/image-387.png)
Join Windows 10 to the domain.
![](https://tungle.ca/wp-content/uploads/2022/03/image-388.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-389.png)
Disconnect the link between DC1 and SW2 to simulate migrating the servers to the AWS cloud.
![](https://tungle.ca/wp-content/uploads/2022/03/image-390-1024x431.png)
Windows 10 can still authenticate to the domain through DC2 on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-391.png)
![](https://tungle.ca/wp-content/uploads/2022/03/image-392.png)
RDP to DC2 and access a web server on AWS.
![](https://tungle.ca/wp-content/uploads/2022/03/image-393.png)
Domain users are still able to reach the domain controller and the web server on AWS while the on-prem domain controller is down.
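The disconnect test above shows that clients keep working on DC2. Before doing the same thing for real, there are a few checks and one caveat a migration needs, collected here as an added example that is not part of the original post; the domain name lab.local and the names DC1 and DC2 are assumptions, and the Active Directory cmdlets need RSAT on the Windows 10 client (nltest is built in).

```powershell
# Added example (not from the original post): checks around the "DC1
# disconnected" test. Domain lab.local and the names DC1/DC2 are assumptions.
$Domain = 'lab.local'

# Before pulling the DC1 link: DC2 must be a global catalog and DNS server, and
# note which DC holds the FSMO roles. In this lab they stay on DC1, which is
# fine for a short outage but not for a decommission.
Get-ADDomainController -Filter * |
    Format-Table Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles
Get-ADDomain -Identity $Domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# Clients only reach DC2 if they still have a working DNS server. The core
# switch DHCP pool hands out 172.16.20.12 only, so a client that renews its
# lease while DC1 is offline has no resolver. Check what the client got.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses

# On the Windows 10 client with DC1 unplugged: force DC rediscovery and confirm
# that DC2 is now the logon server and the machine account channel still works.
nltest "/dsgetdc:$Domain" /force
Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover |
    Select-Object HostName, IPv4Address, Site
Test-ComputerSecureChannel -Verbose

# If DC1 will never return, seize (not transfer) its roles on DC2 and clean up
# its metadata. A DC whose roles were seized must not be reconnected afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -Force `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
```

The DNS point is the one most likely to bite in this topology: add DC2 as a second dns-server in the VLAN10 DHCP pool on the core switch, and set DC2's own DNS client to itself and DC1, before the on-prem controller goes away.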