08-01-2014 07:52 AM
Hello Infotech,
IKE policy defines the different security parameters you are using for your IKE profile. On the PAN firewall it's IKE-crypto.
Once you have configured the IKE profile, then as a second step you need to configure an IKE-gateway. It will include local IP, peer IP, exit interface, preshared key, Peer ID type, etc.
Hope this helps.
Thanks
08-01-2014 08:55 AM
There seems to be more than one policy in the IKE policies on the Cisco. How do I know which one matches the PA?
08-01-2014 08:58 AM
Hello Infotech,
During the phase 1 negotiation, both gateways will exchange their IKE-crypto details and the common profile will be chosen for the tunnel.
Thanks
08-01-2014 09:00 AM
Hello Infotech,
You may configure a maximum of 3 IKE-crypto profiles on PAN, and at least one should match with Cisco.
Thanks
08-01-2014 09:04 AM
Unless there is DES set up on the Cisco, and it doesn't appear to be available on the PA.
08-01-2014 09:22 AM
Hi Infotech,
DES is not secure; we only support 3DES and above protocols.
Regards,
Hardik Shah
08-01-2014 09:26 AM
I understand that, but the Cisco is old and I think it may have that option. Still trying to figure out what IKE policy and priorities are and how they relate to the PA.
08-01-2014 09:27 AM
The PAN firewall supports the below-mentioned encryption technologies for IPsec Phase 1 negotiation:
Thanks
08-01-2014 09:35 AM
Are you saying that AES128 is compatible with DES?
08-01-2014 09:38 AM
No, I mean to say, you have the following options to choose from for IKE-encryption. It should be identical on both gateways (PAN ---- Cisco).
Thanks
08-01-2014 09:44 AM
Unless you want to set the PA to DES, and that option is not available.
08-01-2014 09:54 AM
Since PAN does not support DES, you need to change the Cisco IKE-crypto policy accordingly.
Thanks
08-01-2014 09:56 AM
Yeah, there is one part on the Cisco side I am trying to verify. The IKE policies look like they match, but there is something called IKE policy priority and I am not 100% sure how to verify that.
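
The phase 1 matching discussed in this thread, as an added example (not code from any poster, Cisco or Palo Alto Networks): a simplified model that compares each Cisco IKE policy against a PAN IKE-crypto profile and reports which one would be selected. The priority numbers and algorithm values are constructed, and the model assumes policies are tried from the lowest priority number upward and ignores lifetime.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class Proposal(NamedTuple):
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str = "pre-share"

# Constructed Cisco-side IKE policies, keyed by priority number (assumed values).
CISCO_POLICIES: Dict[int, Proposal] = {
    10: Proposal("des", "md5", 1),
    20: Proposal("3des", "sha1", 2),
    30: Proposal("aes128", "sha1", 2),
}

# Constructed PAN-side IKE-crypto profile: each attribute lists the values offered.
PAN_PROFILE: Dict[str, Set] = {
    "encryption": {"3des", "aes128"},
    "hash_alg": {"sha1"},
    "dh_group": {2},
    "auth": {"pre-share"},
}

def mismatches(policy: Proposal, profile: Dict[str, Set]) -> List[str]:
    """Names of the attributes in `policy` that the peer profile does not offer."""
    return [f for f in policy._fields if getattr(policy, f) not in profile[f]]

def select_policy(policies, profile) -> Optional[Tuple[int, Proposal]]:
    """Walk policies from lowest priority number up; return the first full match."""
    for priority in sorted(policies):
        if not mismatches(policies[priority], profile):
            return priority, policies[priority]
    return None  # no common proposal: phase 1 cannot complete

def report(policies, profile) -> List[str]:
    """One line per policy saying whether it matches, for side-by-side review."""
    lines = []
    for priority in sorted(policies):
        bad = mismatches(policies[priority], profile)
        verdict = "match" if not bad else "no match on " + ", ".join(bad)
        lines.append(f"priority {priority}: {verdict}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(CISCO_POLICIES, PAN_PROFILE)))
    print("selected:", select_policy(CISCO_POLICIES, PAN_PROFILE))
```

In this model the DES policy at priority 10 is never selected because the PAN side does not offer DES, so the tunnel comes up on priority 20 and the DES entry can be removed from the Cisco side without affecting it.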