Hi I am trying to configure VPN IPSEC tunneling between a Cisco Router and Palo Alto Firewall.

Showing results for 
Search instead for 
Did you mean: 

Hi I am trying to configure VPN IPSEC tunneling between a Cisco Router and Palo Alto Firewall.

Not applicable

I need guidance on how I could go about working on the configuration. there is only two interfaces/zones on the Firewall, untrust and trust.

The trusted interface leg is connected to the internal network segment and the external interface is connected to the router facing the Telecoms .


L3 Networker

Hello, It may not be this simple but here are the basics...1st you need to create a tunnel interface that belongs to the zone that you want your vpn connections to terminate to. Some people use the trust zone others create a separate zone. 2nd you need to create an iKE gateway that uses your physical untrusted interface that will connect to the peer, this is also where you setup your Peers IP address and the pre-shared key. 3rd create an IPSec tunnel bound to the tunnel interface that you created and select the IKE gateway you created. The key type is usually auto. 4th set up your proxy IDs. ..These should be the source and destination network address for the networks on either end of the tunnel. This will be the inverse of what you have on the Cisco end..known as the interesting traffic or encryption domain.

Hi jteetsel,

Very much thanks for your reply. I am trying to migrate a Cisco Pix to a Palo Alto Firewall and its my fist time working on this. Do you have any experience in this? Kindly share more.

Hi jteetsel,

I will like to check if i am required to configure VPN Rules to allow the IPSEc tunnels to be established cause I notice a lot of access list

created on the Cisco Pix Firewall. Kindly advise, thanks!


Raymond Teo

L5 Sessionator

Hi Raymond,

Please see the document below for the configuration of both cisco and Palo Alto firewall for creating IPSec VPN.


Hopefully this helps.

Thank you


Hi Numan,

I am wondering if you know of a easy migration method whereby you are required to configure tons of IPSEC VPN tunnels on Palo Alto Firewall. I find the manual method of using the GUI to create the tunnels feasible only if there isn't a lot of tunnels. Is there a way to use command line to create VPN tunnels including phase 1 and phase 2 config easily? Kindly advise pls or anyone here in the forums that has done that?

Thank you,

Raymond Teo

The CLI guides for the various versions of PANOS should have what you're looking for... as an example there's a 'set network ike' section starting on page 95 and there's an ipsec subcommand of  'set network tunnel' on page 121 of the PANOS 4.1 CLI guide. There are lots and lots of options and subcommands in the CLI guide... you should be able to piece together commands that build IPSEC and IKE configs for your tunnels.

Hi egearhart,

Thanks. Will you be able to share any sample scripts or command line by sending them to my email at raymondteo79@yahoo.com.sg?

Or please state down some specific examples of how i could accomplish using cli to configure many VPN Tunnels?

Raymond,  I am not sure that anyone has sample scripts.  We all would start with reading the Admin Guide and then copying/pasting the information and building the scripts/command from scratch.

My recommendation is to take a single VPN that you have gotten configured via the GUI and then look at the command structure to build that VPN via the CLI and then you can easily duplicate most of the Phase1 and Phase2 information.

You biggest hurdle may be ensuring that your ProxyIDs match between your remote Cisco and Palo Alto FWs.

Good Luck!!

scantwell's reply covers everything I was thinking... getting a tunnel built using the web GUI and then using Palo Alto's config audit feature to determine the backend CLI commands that are used to build a tunnel is exactly the approach I'd take to scripting tunnel config, with the CLI guide as a command reference if needed

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!