topic Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN in General Topics

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

vladimir.stepanov — Thu, 29 Nov 2018 10:56:52 GMT

Hello dear colleagues,

according to the documentation, there is a limitation for IKE gateways:

All IKE gateways configured on the same interface or local IP address must use the same crypto
profile. (c)

The same restriction is mentioned in the PANOS v8.1 course.

First of all, it seems strange that we cannot use different IKE options for different peers. Second, I use different IKE Crypto Profiles for different IKE gateways on the same public interface without any problem. I can see that they do use different algorithms for encrypting, hashing, DH group, etc. So it works.

Is it some obsolete information they just forgot to remove?

Regards,

Vladimir Stepanov

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Raido_Rattameister — Thu, 29 Nov 2018 14:38:13 GMT

Can you point out where it is in documentation?

You can definitely use diferent crypto profiles on same interface in diferent IKE gateways.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

BPry — Thu, 29 Nov 2018 14:56:12 GMT

@vladimir.stepanov,

As @Raido_Rattameister mentioned this is either poorly worded or simply not correct. You can only assign one profile per IKE gateway (obviously), but as long as you use a different IKE gateway you can have multiple profiles assigned regardless of them sharing the same physical interface.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

vladimir.stepanov — Thu, 29 Nov 2018 15:38:31 GMT

At first I have seen it in the paloalto online course for Pan-OS 8.1, module about Site-to-Site VPN, IKE Gateway configuration. After I started to search and found the same in the PAN-OS Admin Guide 8.0 - Page 691

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Remo — Thu, 29 Nov 2018 22:25:10 GMT

???

I have never seen or heard of this note and since 5.0 I use different profiles for the ike gateways ... also with 8.0

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

santonic — Fri, 30 Nov 2018 07:04:57 GMT

Definitelly a mistake. This would make firewall practically useless for VPNs.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

vladimir.stepanov — Fri, 30 Nov 2018 09:43:41 GMT

Ok, thanks everybody, I am going to report them about this mistake. Just strange that this is mentioned in several sources.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Retired Member — Fri, 10 Jul 2020 15:54:08 GMT

Also on 9.1. Admin Guide site 907.

After Upgrading from working 9.0.8 with multiple IKE crypto profiles on same Interface / IP I got an auto commit error.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Raido_Rattameister — Mon, 13 Jul 2020 03:07:44 GMT

Are your peers configured with dynamic IPs?

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Retired Member — Mon, 13 Jul 2020 05:41:01 GMT

Yes, my peers configured with dynamic IP's

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Raido_Rattameister — Mon, 13 Jul 2020 12:55:30 GMT

From 9.1 you can't commit unless all dynamic peers have same crypto profile.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Retired Member — Mon, 13 Jul 2020 14:11:04 GMT

Sounds like a bad joke. This is an irony that would be funny were it not so tragic.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

santonic — Mon, 20 Jul 2020 06:07:39 GMT

Yes, that sounds like a step backwards in 9.1. What is the logic behind this?

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

ppk_vs — Wed, 22 Jul 2020 10:04:40 GMT

Is it mentioned somewhere in the release notes? I didn't found it, so I am afraid that they just broken it occasionally.

It is sad, the paloalto is becoming a really **bleep** product. The support is awful, it needs to explain to support engineers how things should work. During one of my last discussions, I have spent four hours proving with references to the documentation and with tests in the lab I created especially for this. And this ticket is still on the engineering side for 8 months without any estimate.

Another problem unresolved for more than three months and the only feedback is that they may be fix it in 9.0.11, but for now there is even no estimation date for 9.0.10.

GeoIP is not reliable and there is no easy procedure on how to fix errors there, the support proposes to rollback the content database to the old that was a week ago, or just wait, "maybe it will be fixed in some future update".

External dynamic lists from the PaloAlto are abandoned before there were thousands of malicious IPs, not just hundreds.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Retired Member — Wed, 22 Jul 2020 11:47:01 GMT

I have had the exact same experience.
And the GeoIP bug hits also the fqdn-Objects. For this bug support needed 12d to find out and publish to me.

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

MortensenKnud — Thu, 27 Aug 2020 08:02:01 GMT

We have the same problem int 9.0.9-h1 with dynamic peers, we didn't have a problem on 9.0.4

Re: several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

SubaMuthuram — Sat, 05 Dec 2020 05:05:31 GMT

Hi team,

Any documentation related to this issue, Where I can show to my customer?.