12-18-2020 12:22 PM
Hi
I configure IPsec tunnel.
When I configure with manual on web interface, by default was adding vsys to Tunnel Interface--Virtual system.
But when i configure with cli doesn't visible vsys(it visibles empty).
which command i can used for adding vsys?
12-19-2020 12:33 PM
Do you have Multi vsys config in PA?
Regards
12-24-2020 08:24 AM
Do you want to do config of tunnel interface via CLI or GUI?
Regards
12-31-2020 02:29 PM
As I stated above, I want to do everything with CLI.
And now i am able to :
>creating tunnel interface
>creating IKE gateway
>creating IPsec tunnel
>adding tunnel to routing.
But When I configure IPsec on web interface, I am able to adding vsys. It appears on the "Tunnel Interface"- - >"Virtual system tab" in "Network" - - -> "IPSec Tunnels" tab.
But when i configure with cli doesn't visible any vsys(it visibles empty).
I have searched to this situation. as I understand it, If this section appear empty, vsys takes the default vsys value.
What I want is to be able to change vsys with CLI. I want some tunnel vsys to be vsys1, and others to vsys2.
04-12-2021 03:04 AM
@Rajab725 i just came across your post. Can you share syntax for the below that you have been able to accomplish via cli:
>creating tunnel interface
>creating IKE gateway
>creating IPsec tunnel
>adding tunnel to routing.
Thanks
04-12-2021 05:38 AM
Please try below CLI commands for IPSEC
The following information is used as example data for the commands.
Tunnel: Tunnel.10 (zone = vpn)
Name of the tunnel: NewYork VPN
Virtual Router: Virtual Router 1
IKE Crypto: ike-crypto-profile IKE_Profile
IKE Gateway: NewYork VPN
IPsec Crypto: ipsec-crypto-profile IPsec_Profile
Peer IP address: 100.100.100.1
Subnet on the other side of the tunnel: 192.168.3.0/24
The commands below should be executed in the order listed.
> configure
# set network interface tunnel units tunnel.10 ipv6 enabled no
# set network interface tunnel units tunnel.10 ipv6 interface-id EUI-64
# set network interface tunnel units tunnel.10 comment "NewYork VPN"
# set zone vpn network layer3 tunnel.10
# set network virtual-router "Virtual Router 1" interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 tunnel.10 ]
# set network ike gateway NewYork VPN protocol ikev1 dpd enable no
# set network ike gateway NewYork VPN protocol ikev1 dpd interval 5
# set network ike gateway NewYork VPN protocol ikev1 dpd retry
# set network ike gateway NewYork VPN protocol ikev1 ike-crypto-profile IKE_Profile
# set network ike gateway NewYork VPN protocol ikev1 exchange-mode auto
# set network ike gateway NewYork VPN authentication pre-shared-key key paloalto
# set network ike gateway NewYork VPN protocol-common nat-traversal enable no
# set network ike gateway NewYork VPN protocol-common passive-mode no
# set network ike gateway NewYork VPN peer-address ip 100.100.100.1
# set network ike gateway NewYork VPN local-address interface ethernet1/1
# set network tunnel ipsec NewYork VPN auto-key ike-gateway NewYork VPN
# set network tunnel ipsec NewYork VPN auto-key ipsec-crypto-profile IPsec_Profile
# set network tunnel ipsec NewYork VPN tunnel-monitor enable no
# set network tunnel ipsec NewYork VPN anti-replay yes
# set network tunnel ipsec NewYork VPN copy-tos no
# set network tunnel ipsec NewYork VPN tunnel-interface tunnel.10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork interface tunnel.10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork metric 10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork destination 192.168.3.0/24
Regards
09-20-2022 01:27 PM
I noticed that this is still an issue with 10.1.6. I just wanted to post an update that if I click on the tunnel interface in the GUI and then just click OK, that populates the virtual system field in the IPSec section of the GUI. Something that the GUI updates in the config on the back-end that doesn't appear to happen with the cli commands (even using the syntax and commands mentioned previously).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
