10-16-2019 11:33 AM
I am trying to set up a site-to-site VPN between a Cisco router and a PaloAlto 820 running 8.1.9HF4. Everything is working fine in IKEv1,
but it is not working in IKEv2. Looks like PaloAlto is not playing nice with Cisco devices. If I replace the PaloAlto with a Checkpoint firewall, it works fine with Cisco in IKEv2.
I have a ticket open with PaloAlto TAC and they are investigating, but TAC is moving very slowly and I need to get it working in the next 48 hours. The PAN TAC engineer told me that there are a lot of issues with PAN IKEv2 and 3rd party vendors like Cisco.
Anyone able to get IKEv2 working between PAN and Cisco without any issues?
10-16-2019 12:54 PM
I no longer use the Palo Alto for IPsec tunnels, but have in the past. We have added so many that we broke that off into its own device, which happens to not be a PA product. I would suggest on the Palo Alto to set the IKE Gateway peer type to dynamic, instead of static. Then let the Cisco establish the tunnel. I ran into an issue with the PA once before with static tunnels and virtual routers. This is just a test to see if that is affecting you. In my issue the dynamic works and static would not. Other than that, you need to crank up the logging level and see what is causing the tunnel to die.
Justin Woodman
10-18-2019 11:12 AM
Hello,
While I have not experienced issues with what you are describing, is there a requirement for IKEv2? v1 is still pretty secure if you keep everything at 256 or higher with a strong passphrase.
Just a thought.
10-31-2019 11:11 AM
I found the issue and it is not the PAN firewalls. It is with the Cisco IOS device. The case is currently being investigated by Cisco TAC. Cisco actually has a bug ID on this: CSCtq08784. IKEv2 does not work between Cisco and 3rd party devices.