topic Re: ike policy in General Topics

ike policy

infotech — Fri, 01 Aug 2014 14:04:11 GMT

What part of the configuration on the PA matching what is called the ike policy on the Cisco?

Re: ike policy

hshah — Fri, 01 Aug 2014 14:30:30 GMT

Hello Infotech,

It can be configured on following location. Let me know if you have further questions.

Regard,

Hardik Shah

Re: ike policy

HULK — Fri, 01 Aug 2014 14:52:48 GMT

Hello Infotech,

Ike policy defines different security parameter you are using for your IKE profile. On PAN firewall it's IKE-crypto.

Once, you will configure the IKE profile, then as a second step, you need to configure a IKE-gateway. It will included local IP, peer IP, exit interface, preshared key, Peer ID type etc.

Hope this helps.

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 15:55:51 GMT

There seem to be more than one policy on the ike policies on the cisco how do I know which one matches the PA?

Re: ike policy

HULK — Fri, 01 Aug 2014 15:58:56 GMT

Hello Infotech,

During the phase 1 negotiation, both gateways will exchange their IKE-crypto details and the common profile would be chosen for tunnel.

Thanks

Re: ike policy

HULK — Fri, 01 Aug 2014 16:00:43 GMT

Hello Infotech,

You may configure Max 3 IKE-crypto profile on PAN and at least one should be matched with CISCO.

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 16:04:19 GMT

Unless there is des setup on the cisco and it doesn't appear to be available on the PA.

Re: ike policy

hshah — Fri, 01 Aug 2014 16:22:22 GMT

Hi Infotech,

DES is not secure, we only support 3DES and above protocols.

Regards,

Hardik Shah

Re: ike policy

infotech — Fri, 01 Aug 2014 16:26:02 GMT

I understand that but the cisco is old and I think it may have that option still trying to figure out what ike policy and priorities are and how they relate to the PA

Re: ike policy

HULK — Fri, 01 Aug 2014 16:27:31 GMT

PAN firewall supports bellow mentioned encryption technology for IPsec Phase 1 negotiation:

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 16:35:29 GMT

Are you saying that aes128 is compatible with des?

Re: ike policy

HULK — Fri, 01 Aug 2014 16:38:32 GMT

No, i mean to say, you have following option to choose for IKE-encryption. It should be identical on both gateways ( PAN---- Cisco).

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 16:44:35 GMT

Unless you want to set the PA to does and that option is not available

Re: ike policy

HULK — Fri, 01 Aug 2014 16:54:40 GMT

Since PAN does not support DES, you need to change CISCO IKE-crypto policy accordingly.

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 16:56:31 GMT

Yeah there is one part I the cisco side I am trying to verify. The ike policies look like they match but there is something called ike policy priority and I am not 100% sure how to verify that

Re: ike policy

HULK — Fri, 01 Aug 2014 17:17:57 GMT

As per my understanding, It's only relevant if you have multiple IKE policies. The lowest numbered one is checked first. If it matches the IKE properties (policies) on the other end, it's used. Otherwise, it moves down the priority list to see if the other policies match.

Thanks

Re: ike policy

infotech — Fri, 01 Aug 2014 17:22:58 GMT

Yeah there are 3 or 4 ike policies with different priorities

Re: ike policy

jtyler — Fri, 01 Aug 2014 19:32:11 GMT

For the tunnel to form, both devices must agree on at least one ike policy. You can specify multiple ike policies, or crypto settings, and as long as both devices have at least one match, they will use that match to form the tunnel. The priorities on the Cisco side allow you to specify which policies you want the Cisco device to try using first - if the other side's policy matches then great - otherwise move down to the next policy based on priority. It is simply a way to show preference for a specific policy.

For example, it allows you to always use 3des if the other side supports it, and if not, then negotiate AES128, etc...

With PA, in the IKE Crypto profile, you can specify multiple options for DH group, authentication, and encryption. By doing so, you are telling the PA to utilize any combination of the settings specified to form the tunnel. As long as the peer device has a policy that matches one of those combinations, the devices will use that match and the tunnel will form.

Re: ike policy

infotech — Fri, 01 Aug 2014 19:45:14 GMT

Mostly its the cisco side that I am having problem figuring out, it looks as thought everything matches and the tunnel comes up for an extended period of time and then drops until the cisco initiates a new tunnel

Re: ike policy

Retired Member — Fri, 01 Aug 2014 22:47:15 GMT

It sounds like you are hitting phase 2 lifetime and tunnel drops due to lack of traffic across the tunnel. PANOS defaults to 1 hour for ipsec-sa 2 lifetime. Have you checked with Cisco to see what is their ipsec SA lifetime?

Based on your last comment, seems that tunnel is functioning as expected. You may want to also check with Cisco to see if they have a way to keep their tunnels always up.