IKEv2 between PAN-OS 8.1.9HF4 and Cisco IOS routers or ASA devices


L4 Transporter

I am trying to set up a site-to-site VPN between a Cisco router and a Palo Alto 820 running 8.1.9HF4. Everything is working fine in IKEv1, but it is not working in IKEv2. It looks like Palo Alto is not playing nice with Cisco devices. If I replace the Palo Alto with a Checkpoint firewall, it works fine with Cisco in IKEv2.

I have a ticket open with Palo Alto TAC and they are investigating, but TAC is moving very slowly and I need to get it working in the next 48 hours. The PAN TAC engineer told me that there are a lot of issues with PAN IKEv2 and third-party vendors like Cisco.

Is anyone able to get IKEv2 working between PAN and Cisco without any issues?

3 REPLIES

L1 Bithead

I no longer use the Palo Alto for IPsec tunnels, but have in the past. We have added so many that we broke that off into its own device, which happens to not be a PA product. I would suggest on the Palo Alto to set the IKE Gateway peer type to dynamic, instead of static. Then let the Cisco establish the tunnel. I ran into an issue with the PA once before with static tunnels and virtual routers. This is just a test to see if that is affecting you. In my issue the dynamic worked and static would not. Other than that, you need to crank up the logging level and see what is causing the tunnel to die.

 

Justin Woodman
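The test proposed above (Palo Alto gateway set to a dynamic peer, Cisco initiating) needs a Cisco side that actually initiates IKEv2 on its own. The following is an added example, not configuration from the original post or from either vendor: a route-based IKEv2 VTI on Cisco IOS that initiates as soon as the tunnel interface is up, written to match a PAN-OS IKE Gateway of type Dynamic. All names, addresses (RFC 5737 documentation ranges) and the pre-shared key placeholder are assumptions; the cipher choices (AES-256-CBC, SHA-256, DH group 14, PFS group 14) are one consistent set that both sides support and must be mirrored in the PAN-OS IKE Crypto and IPSec Crypto profiles.

```text
! --- Cisco IOS, IKEv2 initiator towards a PA-820 (added example; names/addresses assumed) ---
! 198.51.100.1 = router WAN address, 203.0.113.2 = PA-820 untrust address
crypto ikev2 proposal IKEV2-PROP-PAN
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL-PAN
 match fvrf any
 proposal IKEV2-PROP-PAN
!
crypto ikev2 keyring IKEV2-KR-PAN
 peer PAN-820
  address 203.0.113.2
  pre-shared-key <long-random-psk>
!
! identity local address is what PAN-OS sees as the peer's IKE ID; with a Dynamic peer
! the PA gateway's "Peer Identification" must be set to exactly this address.
crypto ikev2 profile IKEV2-PROF-PAN
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR-PAN
 lifetime 28800
 dpd 10 3 periodic
!
crypto ipsec transform-set TS-PAN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! set pfs must match the DH group in the PA IPSec Crypto profile (or be absent on both sides)
crypto ipsec profile IPSEC-PROF-PAN
 set transform-set TS-PAN
 set pfs group14
 set ikev2-profile IKEV2-PROF-PAN
!
! Static VTI: IOS negotiates the IKE/IPsec SAs when the interface comes up, with no
! interesting traffic needed, so the PA can stay a pure responder (Dynamic peer).
! The VTI traffic selector is any/any, which matches the PA default proxy ID of 0.0.0.0/0.
interface Tunnel100
 description IKEv2 route-based tunnel to PA-820 (tunnel.100 on the PA side)
 ip address 10.255.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-PAN
!
! route the far-side network (assumed 10.20.0.0/16) into the tunnel
ip route 10.20.0.0 255.255.0.0 Tunnel100
```

For the "crank up the logging" part, the commands that show which side rejects what are, on PAN-OS, `debug ike global on debug` followed by `tail follow yes mp-log ikemgr.log` (and `show vpn ike-sa gateway <gateway-name>` to confirm the SA), and on IOS `debug crypto ikev2` with `show crypto ikev2 sa detail`. The first place to look in those logs is the IKE_AUTH exchange: a mismatch between the IOS `identity local address` and the PA Peer Identification, or a PFS group present on only one side, both fail there while IKE_SA_INIT still succeeds. Turn the PA debug level back off (`debug ike global off`) when finished.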

Cyber Elite

Hello,

While I have not experienced issues with what you are describing, is there a requirement for IKEv2? IKEv1 is still pretty secure if you keep everything at 256 or higher with a strong passphrase.

Just a thought.

I found the issue and it is not the PAN firewalls. It is with the Cisco IOS device. The case is currently being investigated by Cisco TAC. Cisco actually has a bug ID on this: CSCtq08784. IKEv2 does not work between Cisco and third-party devices.