IKEv2 between PAN-OS 8.1.9HF4 and Cisco IOS routers or ASA devices

L1 Bithead

I am trying to set up a site-to-site VPN between a Cisco router and a Palo Alto 820 running 8.1.9HF4. Everything is working fine in IKEv1,

but it is not working in IKEv2. It looks like Palo Alto is not playing nice with Cisco devices. If I replace the Palo Alto with a Checkpoint firewall, it works fine with Cisco in IKEv2.

I have a ticket open with Palo Alto TAC and they are investigating, but TAC is moving very slowly and I need to get it working in the next 48 hours. The PAN TAC engineer told me that there are a lot of issues with PAN IKEv2 and 3rd-party vendors like Cisco.

Is anyone able to get IKEv2 working between PAN and Cisco without any issues?

L1 Bithead

Re: IKEv2 between PAN-OS 8.1.9HF4 and Cisco IOS routers or ASA devices

I no longer use the Palo Alto for IPsec tunnels, but have in the past. We have added so many that we broke that off into its own device, which happens to not be a PA product. I would suggest setting the IKE Gateway peer type on the Palo Alto to dynamic instead of static, then letting the Cisco establish the tunnel. I ran into an issue with the PA once before with static tunnels and virtual routers. This is just a test to see if that is affecting you. In my issue, dynamic worked and static would not. Other than that, you need to crank up the logging level and see what is causing the tunnel to die.

Justin Woodman
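The test suggested above (Palo Alto IKE Gateway with Peer IP Address Type set to Dynamic, Cisco initiating) as an added example, not from the original posts and not from Palo Alto or Cisco documentation. Shown is the Cisco IOS side of a route-based IKEv2 tunnel using a VTI, which initiates IKE as soon as the tunnel interface is up, so the Palo Alto never has to call the peer. The names, addresses (198.51.100.1 for the router, 203.0.113.10 for the PA), the pre-shared key and the protected subnet are placeholders; the proposal (AES-256-CBC, SHA-256, DH group 14) is an assumption and must match the IKE Crypto and IPSec Crypto profiles configured on the PA.

```cisco
! --- IKEv2 (phase 1): must match the PA IKE Crypto profile exactly ---
crypto ikev2 proposal PAN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy PAN-POL
 proposal PAN-PROP
!
! Pre-shared key for the PA peer (placeholder value)
crypto ikev2 keyring PAN-KEYRING
 peer PAN-820
  address 203.0.113.10
  pre-shared-key local ReplaceWithAStrongRandomKey
  pre-shared-key remote ReplaceWithAStrongRandomKey
!
! Identity matching: the PA must send its IP as its IKE ID, and the
! router sends 198.51.100.1 as its own; set Local/Peer Identification
! on the PA IKE Gateway to the same values.
crypto ikev2 profile PAN-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local PAN-KEYRING
 lifetime 28800
 dpd 10 3 periodic
!
! --- IPsec (phase 2): must match the PA IPSec Crypto profile ---
crypto ipsec transform-set PAN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PAN-IPSEC
 set transform-set PAN-TS
 set ikev2-profile PAN-PROFILE
 set pfs group14
!
! Route-based VTI: with "tunnel protection" the router brings the SA up
! itself, which is what the "let the Cisco establish the tunnel" test needs.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PAN-IPSEC
!
! Traffic for the PA-side network (placeholder prefix) goes into the VTI
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

Because both ends are route-based, leave the Proxy IDs on the PA IPSec Tunnel empty (which negotiates 0.0.0.0/0 on both sides); a narrower proxy ID on the PA will fail to match the VTI's any/any selector. Two caveats on the dynamic-peer test: a dynamic peer means the PA will accept IKE_SA_INIT from any source address, so keep Peer Identification configured so authentication is still bound to the expected identity, and the PA cannot initiate in that mode, so if the Cisco side never initiates the tunnel simply stays down. For the logging step, on the router run `debug crypto ikev2` and `debug crypto ikev2 error` and read `show crypto ikev2 sa detailed`; on the PA run `debug ike global on debug`, then `test vpn ike-sa gateway <name>` and follow `less mp-log ikemgr.log` and `show vpn ike-sa gateway <name>` to see at which exchange (IKE_SA_INIT, IKE_AUTH or CREATE_CHILD_SA) the negotiation dies.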

L7 Applicator

Re: IKEv2 between PAN-OS 8.1.9HF4 and Cisco IOS routers or ASA devices

Hello,

While I have not experienced issues with what you are describing, is there a requirement for ikev2? v1 is still pretty secure if you keep everything at 256 or higher with a strong passphrase.

 

Just a thought.

L1 Bithead

Re: IKEv2 between PAN-OS 8.1.9HF4 and Cisco IOS routers or ASA devices

I found the issue and it is not the PAN firewalls. It is with the Cisco IOS device. The case is currently being investigated by Cisco TAC. Cisco actually has a bug ID on this: CSCtq08784. IKEv2 does not work between Cisco and 3rd-party devices.
