https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47353#M34808 <HTML><HEAD></HEAD><BODY><P>Hi Srikanth,</P><P></P><P>To answer your questions above:-</P><P></P><P>1. Palo Alto firewall is a route based VPN firewall.</P><P>2. It is not mandatory to use proxy ids when establishing the tunnel between two PA devices.</P><P>3. The two 2 IKE SA that you see the for the VPN tunnel are ike phase 1 and ike phase 2 negotiation process after which the tunnel is established.</P><P>4. Configuring Hub and spoke route based VPN:- <A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1608">https://live.paloaltonetworks.com/docs/DOC-1608</A></P><P></P><P>Did I answer your questions?</P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Tue, 25 Sep 2012 10:51:48 GMT ppatel 2012-09-25T10:51:48Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47351#M34806 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><IMG alt="IKE SA Palo Alto.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/4171_IKE SA Palo Alto.jpg" width="450" /></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Hi this is one the sample output that i captured when i established a VPN tunnel between 2 PA firewalls.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">As far as my knowledge goes Ike SA's are bi directional and IPSEC SA's are uni directional correct me if i am wrong.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">But here i see 2 SA's in Phase 1 , but all i establised was only 1 VPN tunnel .</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Can some throw some light on this please . Thanks</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">I have few other questions like :</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">1. Can we implement policy&nbsp; based VPN's in Palo Alto or everything is Route based ?</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">2. Do we mandatorily need to specify proxy id even though both sides i am running route based vpn and both side PA firewalls?</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">3. IKE SA's are bidirectional and IPSEC SA are unidirectional , but i see 2 IKE SA for the same VPN tunnel.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">4. Can we implement HUB and Spoke VPN's on PA firewalls , the reason why i ask this i assume we have to assign an ip address for the tunnel interface and configure as multi point in case of juniper i could not see such option here on PA firewall.</P></BODY></HTML> Tue, 25 Sep 2012 10:22:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47351#M34806 srikanth 2012-09-25T10:22:04Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47352#M34807 <HTML><HEAD></HEAD><BODY><P>Hi Srikanth,</P><P></P><P>I am attaching the vpn output from the old thread thread .</P><P><IMG alt="ike-sa output.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/4172_ike-sa output.PNG" width="450" /></P><P></P><P>When you execute a command,&nbsp; &gt;show vpn ike-sa , it shows the negotiation process of phase 1 and phase 2 both</P><P>Check to see phase-1 SA's and phase-2 SA's. </P><P></P><P>In phase-1 SA you will see the ike crypto algorithms that you had set under Network &gt; Network Profiles&gt; Ike Crypto</P><P></P><P>In phase-2 SA you will see the ipsec crypto algorithms that you had set under Network &gt; Network Profiles&gt; Ipsec Crypto</P><P></P><P>&gt;show vpn ipsec-sa ,&nbsp; will show you the tunnel that has been set up between the two peers along with the tunnel name and algorithms it negotiated with the peer once the phase 1 and phase 2 negotiations complete.</P><P></P><P>Here is the link to the document on how to trouble shoot vpn connectivity issues.</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-3671">https://live.paloaltonetworks.com/docs/DOC-3671</A></P><P></P><P>Let me know if this helps.</P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Tue, 25 Sep 2012 10:45:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47352#M34807 ppatel 2012-09-25T10:45:26Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47353#M34808 <HTML><HEAD></HEAD><BODY><P>Hi Srikanth,</P><P></P><P>To answer your questions above:-</P><P></P><P>1. Palo Alto firewall is a route based VPN firewall.</P><P>2. It is not mandatory to use proxy ids when establishing the tunnel between two PA devices.</P><P>3. The two 2 IKE SA that you see the for the VPN tunnel are ike phase 1 and ike phase 2 negotiation process after which the tunnel is established.</P><P>4. Configuring Hub and spoke route based VPN:- <A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1608">https://live.paloaltonetworks.com/docs/DOC-1608</A></P><P></P><P>Did I answer your questions?</P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Tue, 25 Sep 2012 10:51:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47353#M34808 ppatel 2012-09-25T10:51:48Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47354#M34809 <HTML><HEAD></HEAD><BODY><P>1. Cant one combine PBF (policy based forwarding) with a route-based vpn tunnel as nexthop?</P></BODY></HTML> Tue, 25 Sep 2012 19:35:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47354#M34809 mikand 2012-09-25T19:35:18Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47355#M34810 <HTML><HEAD></HEAD><BODY><P>Traffic sourcing from a particular zone in the pbf policy can be forced to egress out the tunnel interface.</P><P>Monitoring traffic is sourced from the forwarding egress interface defined in the PBF policy</P><P><IMG alt="pbf.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/4235_pbf.PNG" width="450" /></P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Thu, 27 Sep 2012 09:16:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-implementations/m-p/47355#M34810 ppatel 2012-09-27T09:16:20Z