IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation

CarloInt — Tue, 27 Nov 2018 12:43:22 GMT

Hi,

I am trying to setup a Site to Site VPN between a Palo Alto FW and a 3rd Party Security FW Vendor;

I would like to undestand under which condition the Palo Alto FW would attempt to start an ISAKMP negotiation (for Phase 1) with the IPSec peer counterpart.

I'm familiar with the Cisco ASA setup - where, for ex., the tunnel is brought up only when interesting traffic is actually attempting to flow through the Unit -> how is the behavior in the case of the PA ?

Does the unit attempt to start the IPSEC tunnel automatically as soon as the config is pushed / committed (also without any interesting traffic hitting the unit) ?

Is this is the case, assuming that the tunnel could not be successfully established on the 1st attempt, does the PA attempt periodically to perform the ISAKMP negotiation ?

I haven't labbed this scenario yet (planning on doing) - nevertheless any heads up would be appreciated.

Thanks

Re: IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation

Brandon_Wertz — Tue, 27 Nov 2018 13:51:34 GMT

It's been my experience that as long as the tunnel peers can communicate the "tunnel Info" icon will come up, but if no "interesting traffic" is going down the tunnel then the icon for the "IKE Info" will show down.

Here's an example from one of my FWs

topic Re: IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation in General Topics

IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation

Re: IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation