https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293301#M77558 <P>Hello,</P><P>While I have not experienced issues with what you are describing, is there a requirement for ikev2? v1 is still pretty secure if you keep everything at 256 or higher with a strong passphrase.</P><P>&nbsp;</P><P>Just a thought.</P> Fri, 18 Oct 2019 18:12:42 GMT OtakarKlier 2019-10-18T18:12:42Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293172#M77514 <P>I am trying to setup site-2-site VPN between a Cisco router and PaloAlto 820 running 8.1.9HF4.&nbsp; Everything is working fine in IKEv1</P><P>but it is not working in IKEv2.&nbsp; Look like PaloAlto is not playing nice with Cisco devices.&nbsp; If I replace the PaloAlto with Checkpoint firewall, it works fine with Cisco in IKEv2.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I have a ticket open with PaloAlto TAC and they are investigating but TAC is moving very slow and I need to get it working in the next 48 hours.&nbsp; PAN TAC engineer told me that there are lot of issues with PAN IKEv2 and 3rd party vendors like Cisco.</P><P>&nbsp;</P><P>Anyone able to to get IKEv2 working between PAN and Cisco without any issues?</P> Wed, 16 Oct 2019 18:33:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293172#M77514 dtran 2019-10-16T18:33:09Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293176#M77517 <P>I no longer use the Palo Alto for ipsec tunnels, but have in the past. We have added so many, we broke that off into it's own device, which happens to not be a PA product.&nbsp; I would suggest on the Palo Alto to set the IKE Gateway peer type to dynamic, instead of static. Then let the cisco establish the tunnel.&nbsp; I ran into an issue with the PA once before with static tunnels and virtual routers. This is just a test to see if that is affecting you. In my issue the dynamic works and static would not.&nbsp; Other than that, you need to crank up the logging level and see what is causing the tunnel to die.</P><P>&nbsp;</P><P>Justin Woodman</P> Wed, 16 Oct 2019 19:54:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293176#M77517 JustinWoodman 2019-10-16T19:54:06Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293301#M77558 <P>Hello,</P><P>While I have not experienced issues with what you are describing, is there a requirement for ikev2? v1 is still pretty secure if you keep everything at 256 or higher with a strong passphrase.</P><P>&nbsp;</P><P>Just a thought.</P> Fri, 18 Oct 2019 18:12:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/293301#M77558 OtakarKlier 2019-10-18T18:12:42Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/295528#M77844 <P>I found the issue and it is not the PAN firewalls.&nbsp; It is with Cisco IOS device.&nbsp; The case is currently being investigated by Cisco TAC.&nbsp; Cisco actually has a bug ID on this:&nbsp;&nbsp;CSCtq08784.&nbsp; IKEv2 does not work between Cisco and 3rd party devices</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 31 Oct 2019 18:11:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-between-pan-os-8-1-9hf4-and-cisco-ios-routers-or-asa/m-p/295528#M77844 dtran 2019-10-31T18:11:05Z