I config IPSec betwen two PA device: 1 PA5020 and 1 PA
I config as guide: How to Configure Certificate Based Authentication for IKE on PAN-OS 6.0
I generate CA on PA 5020 and import to PA 200
But on PA 200 i can't sign new Cert with the imported CA certificate.
I try generate all cert on PA 5020 ( root CA & signed CA) and import to PA 200.
But when config IKE gateaway, i can't chose CA
Something wrong, but i don't where
Pls help me
Could you please show us the snapshot of the CA imported ?
Also can you try generating the certificate to be used on PA-200 on PA-5020 itself ?
Hope it helps !
When you exported and imported certificate did you by any chance exported private key also?
Make sure you have imported private key of the certificate along with certificate. If that is done for sure you sign another certificate.
Export certificate : make sure you click on private key and put passphrase. Exa; Passphrase is "test123"
Import Certificate : Make sure you click Import Private key. Put above specified passphrase "test123"
Thanks for support,
now, i can import and used Cert
But, my tunnel IPSEC can't UP
I don't know what wrong.
Could you please apply below mentioned CLI command to initiate the tunnel manually:
> test vpn ike-sa gateway XXXXXX
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.
> test vpn ipsec-sa tunnel XXXXXX
Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
After applying above CLI commands, i would request you to check MOnitor > Logs > System for more detail information (subtype= "vpn")
Hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!