https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-ipsec-traffic/m-p/134743#M47387 <P>Hello,</P><P>&nbsp;</P><P>We are setting up Site-to-Site IPSec VPN between PA and Cisco router. The examples provided on PA websites do not&nbsp;suggest any security policy for this. When&nbsp;we use a security policy for 'Outside-Untrust' to 'Outside-Untrust' to allow traffic between IPsec tunnel end points, we can see traffic matching this policy.</P><P>&nbsp;</P><P>Do we need an intrazone policy on 'Outside-Untrust' just for IPSec traffic?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Dec 2016 00:59:07 GMT Farzana 2016-12-28T00:59:07Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-ipsec-traffic/m-p/134743#M47387 <P>Hello,</P><P>&nbsp;</P><P>We are setting up Site-to-Site IPSec VPN between PA and Cisco router. The examples provided on PA websites do not&nbsp;suggest any security policy for this. When&nbsp;we use a security policy for 'Outside-Untrust' to 'Outside-Untrust' to allow traffic between IPsec tunnel end points, we can see traffic matching this policy.</P><P>&nbsp;</P><P>Do we need an intrazone policy on 'Outside-Untrust' just for IPSec traffic?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Dec 2016 00:59:07 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-ipsec-traffic/m-p/134743#M47387 Farzana 2016-12-28T00:59:07Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-ipsec-traffic/m-p/134784#M47391 <P>First you have to allow IPSEC traffic (IKE, ESP...) between (public) IP addresses of both VPN peers.</P><P>Then you have to make rules which traffic to allow througfh VPN (between networks/hosts defined in proxy IDs). Security zones is usually between LAN/trust/internal and zone that you associated with the tunnel interface for that specific VPN.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Dec 2016 07:25:13 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-ipsec-traffic/m-p/134784#M47391 santonic 2016-12-28T07:25:13Z