topic Re: Cisco VPN to Palo Alto VPN Conversion Questions in General Topics

Cisco VPN to Palo Alto VPN Conversion Questions

KevinMedeiros — Wed, 05 Oct 2022 17:41:37 GMT

Hey all,

Long time reader, first-time poster here!

I'm slowly migrating all my Cisco ASA VPN tunnels to my PAs running 8.1.5 (planning to upgrade) and I'm using Panorama 10.0.10 to do this. Everything seems to be going okay except I have a few tunnels that have PFS disabled and no DH group assigned on my Cisco ASA. These tunnels are up and functioning on the Cisco ASA, but I can't seem to get the configuration to commit when I attempt to create the tunnel on the PA with no DH group under network profiles >IKE Crytpo.

I receive a validation error and the commit fails and the setting doesn't get pushed to the firewalls.

I've reached out to support and they suggest adding a DH group, but I'll need to coordinate with these vendors to do so, so I was hoping there was a way around this.

Thanks in advance,

Kevin

Re: Cisco VPN to Palo Alto VPN Conversion Questions

JayGolf — Wed, 05 Oct 2022 21:31:08 GMT

Hi @KevinMedeiros ,

Thanks for posting! To my knowledge a DH group is necessary to complete the IKE crypto configuration. We aren't able to click Ok if it isn't specified.

Re: Cisco VPN to Palo Alto VPN Conversion Questions

BPry — Thu, 06 Oct 2022 01:23:47 GMT

@KevinMedeiros,

I've ran into this in a few migrations, and unfortunately the answer really is to get the vendor to update things on their end as you migrate things. I've had a few instances where we needed to keep an ASA in the mix for a bit as we worked through getting all of the B2B tunnels migrated. Wish I had a better answer for you.