Hi this is one the sample output that i captured when i established a VPN tunnel between 2 PA firewalls.
As far as my knowledge goes Ike SA's are bi directional and IPSEC SA's are uni directional correct me if i am wrong.
But here i see 2 SA's in Phase 1 , but all i establised was only 1 VPN tunnel .
Can some throw some light on this please . Thanks
I have few other questions like :
1. Can we implement policy based VPN's in Palo Alto or everything is Route based ?
2. Do we mandatorily need to specify proxy id even though both sides i am running route based vpn and both side PA firewalls?
3. IKE SA's are bidirectional and IPSEC SA are unidirectional , but i see 2 IKE SA for the same VPN tunnel.
4. Can we implement HUB and Spoke VPN's on PA firewalls , the reason why i ask this i assume we have to assign an ip address for the tunnel interface and configure as multi point in case of juniper i could not see such option here on PA firewall.
Hi Srikanth,
I am attaching the vpn output from the old thread thread .
When you execute a command, >show vpn ike-sa , it shows the negotiation process of phase 1 and phase 2 both
Check to see phase-1 SA's and phase-2 SA's.
In phase-1 SA you will see the ike crypto algorithms that you had set under Network > Network Profiles> Ike Crypto
In phase-2 SA you will see the ipsec crypto algorithms that you had set under Network > Network Profiles> Ipsec Crypto
>show vpn ipsec-sa , will show you the tunnel that has been set up between the two peers along with the tunnel name and algorithms it negotiated with the peer once the phase 1 and phase 2 negotiations complete.
Here is the link to the document on how to trouble shoot vpn connectivity issues.
https://live.paloaltonetworks.com/docs/DOC-3671
Let me know if this helps.
Regards
Parth
Traffic sourcing from a particular zone in the pbf policy can be forced to egress out the tunnel interface.
Monitoring traffic is sourced from the forwarding egress interface defined in the PBF policy
Regards
Parth
