ike policy
What part of the configuration on the PA matching what is called the ike policy on the Cisco?


As per my understanding, it's only relevant if you have multiple IKE policies. The lowest numbered one is checked first. If it matches the IKE properties (policies) on the other end, it's used. Otherwise, it moves down the priority list to see if the other policies match.

Related Cisco Discussion: https://supportforums.cisco.com/discussion/11254861/question-related-ike-policy-priority

Thanks

Yeah, there are 3 or 4 IKE policies with different priorities.

For the tunnel to form, both devices must agree on at least one ike policy. You can specify multiple ike policies, or crypto settings, and as long as both devices have at least one match, they will use that match to form the tunnel. The priorities on the Cisco side allow you to specify which policies you want the Cisco device to try using first - if the other side's policy matches then great - otherwise move down to the next policy based on priority. It is simply a way to show preference for a specific policy.

For example, it allows you to always use 3des if the other side supports it, and if not, then negotiate AES128, etc...

With PA, in the IKE Crypto profile, you can specify multiple options for DH group, authentication, and encryption. By doing so, you are telling the PA to utilize any combination of the settings specified to form the tunnel. As long as the peer device has a policy that matches one of those combinations, the devices will use that match and the tunnel will form.
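To make the matching logic in the two replies above concrete, here is an added example (not code from the thread or from either vendor) that parses a constructed ASA `crypto isakmp policy` fragment, expands a constructed PA IKE Crypto profile into every DH/authentication/encryption combination it offers, and walks the ASA policies in priority order until one is in that set. The ASA-to-PA algorithm name mapping and all configuration values are assumptions for illustration.

```python
"""Simulate IKEv1 phase 1 policy negotiation between a Cisco ASA and a PA firewall.

The ASA config fragment and the PA IKE crypto profile below are constructed for
illustration only; none of the values come from the thread.
"""
from dataclasses import dataclass
from itertools import product
import re

# Constructed ASA config fragment (hypothetical values, not from the thread).
ASA_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Constructed PA IKE crypto profile: every combination of these lists is offered.
PA_IKE_CRYPTO_PROFILE = {
    "dh_group": ["group2", "group5"],
    "authentication": ["sha1"],
    "encryption": ["aes-128-cbc", "3des"],
}

# Map ASA keywords onto PA-style names so the two sides can be compared.
# Assumed naming for this example; adjust to what the peers actually report.
ENC_NAMES = {"des": "des", "3des": "3des", "aes": "aes-128-cbc",
             "aes-192": "aes-192-cbc", "aes-256": "aes-256-cbc"}
HASH_NAMES = {"md5": "md5", "sha": "sha1", "sha256": "sha256",
              "sha384": "sha384", "sha512": "sha512"}


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    authentication: str  # hash / integrity algorithm
    dh_group: str
    lifetime: int


def parse_asa_isakmp_policies(text):
    """Parse 'crypto isakmp policy N' stanzas; return them lowest priority number first."""
    policies, current = [], None

    def finish(p):
        policies.append(IkePolicy(
            priority=p["priority"],
            encryption=ENC_NAMES[p["encryption"]],
            authentication=HASH_NAMES[p["hash"]],
            dh_group="group" + p["group"],
            lifetime=int(p.get("lifetime", 86400)),  # ASA default when omitted
        ))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            if current:
                finish(current)
            current = {"priority": int(m.group(1))}
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    if current:
        finish(current)
    return sorted(policies, key=lambda p: p.priority)


def pa_proposals(profile):
    """Expand the PA profile into the set of (encryption, authentication, dh_group) tuples it accepts."""
    return set(product(profile["encryption"], profile["authentication"], profile["dh_group"]))


def negotiate(asa_policies, pa_profile):
    """Return the first ASA policy (by priority) that the PA profile also accepts, or None."""
    accepted = pa_proposals(pa_profile)
    for policy in asa_policies:  # already sorted: the lowest number is tried first
        if (policy.encryption, policy.authentication, policy.dh_group) in accepted:
            return policy
    return None


if __name__ == "__main__":
    asa = parse_asa_isakmp_policies(ASA_CONFIG)
    chosen = negotiate(asa, PA_IKE_CRYPTO_PROFILE)
    if chosen:
        print(f"phase 1 agrees on policy {chosen.priority}: "
              f"{chosen.encryption}/{chosen.authentication}/{chosen.dh_group}")
    else:
        print("no common IKE proposal; phase 1 will fail")
```

With the constructed values, policy 10 (3DES) wins even though the PA profile also offers AES-128, which is exactly the preference effect described above: the ASA's priority order decides which of the mutually acceptable proposals is used, while the PA side only needs to contain a matching combination.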

Mostly it's the Cisco side that I am having problems figuring out. It looks as though everything matches, and the tunnel comes up for an extended period of time and then drops until the Cisco initiates a new tunnel.
It sounds like you are hitting the phase 2 lifetime and the tunnel drops due to lack of traffic across the tunnel. PAN-OS defaults to 1 hour for the phase 2 IPsec SA lifetime. Have you checked with Cisco to see what their IPsec SA lifetime is?

Based on your last comment, seems that tunnel is functioning as expected. You may want to also check with Cisco to see if they have a way to keep their tunnels always up.

infotech wrote:

There seem to be more than one policy in the IKE policies on the Cisco; how do I know which one matches the PA?

In the Cisco configuration the phase 1 will use each of the policies in order as they appear in the configuration. As long as you have a matching policy on your side to one of them, the phase 1 should complete.

For phase two the Cisco configuration usually specifies a proposal set that you must also match.

Are you connecting to an ASA or a Cisco Integrated services router?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I am connecting to an ASA 5505 firewall. It is up for 8 hours and then it just drops and comes up again on its own. If I do try to bring it up manually, it has to be done from the Cisco side by pinging an address on the PA side.

Yes, I have checked the lifetime on both sides. Whether they match or not, the same thing happens.
