https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43374#M31818 <HTML><HEAD></HEAD><BODY><P>Hi SDorsey,</P><P></P><P>VPN Tunnel is initiated in two circumstances.</P><P>1. In case of interested traffic. &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;Sorry for Cisco Jargon.</P><P>2. By using a Test vpn command.</P><P></P><P>Now it stays up until SAs life time. Cisco also behaves in exactly same way.</P><P></P><P>If there is a traffic than it stays up and remains up until SA expires. Inbetween if you want to terminate it than clear flows.</P><P></P><P>Could you please tell me more specific information on "On demand" word.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 12 Nov 2014 14:09:14 GMT hshah 2014-11-12T14:09:14Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43367#M31811 <HTML><HEAD></HEAD><BODY><P>Is it possible in the PAN to do on-demand vpn tunnels? This is used quite a bit in the Cisco world.. especially for vendors. </P><P></P><P>They often are setup so the tunnel is configured but when the vendor needs to connect for support, the end-user needs to connect to their ASA and initiate the tunnel basically. </P></BODY></HTML> Thu, 04 Sep 2014 12:25:15 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43367#M31811 SDorsey 2014-09-04T12:25:15Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43368#M31812 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Today you can't disable a VPN in a PA. The only thing you can do is to delete your tunnel</P><P>I know there are many request for that. May be introduce in 6.1 version.</P><P></P><P>Hope help.</P><P></P><P>v.</P></BODY></HTML> Thu, 04 Sep 2014 14:51:45 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43368#M31812 VinceM 2014-09-04T14:51:45Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43369#M31813 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN class="GINGER_SOFTWARE_mark">mackwage</SPAN>,</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Are you talking about site to site IPSec VPN tunnel...? The PAN firewall will bring the IPSec VPN tunnel upon interesting traffic by default. </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks<BR /></SPAN></P></BODY></HTML> Thu, 04 Sep 2014 14:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43369#M31813 HULK 2014-09-04T14:54:51Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43370#M31814 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/19491">HULK</A> Get out of here with that "interesting traffic" terminology. That is Cisco jargon. :smileylaugh:</P><P></P><P>Thanks for the help!</P></BODY></HTML> Thu, 04 Sep 2014 16:03:26 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43370#M31814 SDorsey 2014-09-04T16:03:26Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43371#M31815 <HTML><HEAD></HEAD><BODY><P>I control ours by a security policy using two external IP addresses, and disable/enable the security policy as needed. </P></BODY></HTML> Thu, 04 Sep 2014 16:11:29 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43371#M31815 mharding 2014-09-04T16:11:29Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43372#M31816 <HTML><HEAD></HEAD><BODY><P>Could try something of the form,</P><P></P><P>* Configure your security policies such that only outgoing VPN connections are accepted.</P><P>* Configure the VPN as passive.</P><P></P><P>When you need the VPN, on the CLI use the 'test vpn ipsec-sa tunnel &lt;name&gt;' command to bring the session up.</P><P></P><P>It may not work; but it would be what I'd try to achieve that...</P></BODY></HTML> Thu, 04 Sep 2014 16:40:37 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43372#M31816 ajbool 2014-09-04T16:40:37Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43373#M31817 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>What I looking for is a "ON/OFF switch" for site to site IpSec tunnel.</P><P>Seem it's not possible neither in 6.0 nor in 6.1 ...</P><P></P><P>Thx for all your answer</P><P></P><P>V.</P></BODY></HTML> Wed, 12 Nov 2014 13:00:30 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43373#M31817 VinceM 2014-11-12T13:00:30Z https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43374#M31818 <HTML><HEAD></HEAD><BODY><P>Hi SDorsey,</P><P></P><P>VPN Tunnel is initiated in two circumstances.</P><P>1. In case of interested traffic. &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;Sorry for Cisco Jargon.</P><P>2. By using a Test vpn command.</P><P></P><P>Now it stays up until SAs life time. Cisco also behaves in exactly same way.</P><P></P><P>If there is a traffic than it stays up and remains up until SA expires. Inbetween if you want to terminate it than clear flows.</P><P></P><P>Could you please tell me more specific information on "On demand" word.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 12 Nov 2014 14:09:14 GMT https://live.paloaltonetworks.com/t5/general-topics/on-demand-ipsec-tunnels/m-p/43374#M31818 hshah 2014-11-12T14:09:14Z