09-04-2014 05:25 AM
Is it possible in the PAN to do on-demand VPN tunnels? This is used quite a bit in the Cisco world, especially for vendors.
They are often set up so the tunnel is configured, but when the vendor needs to connect for support, the end user needs to connect to their ASA and initiate the tunnel, basically.
09-04-2014 07:51 AM
Hi,
Today you can't disable a VPN in a PA. The only thing you can do is to delete your tunnel.
I know there are many requests for that. It may be introduced in version 6.1.
Hope this helps.
v.
09-04-2014 07:54 AM
Hello mackwage,
Are you talking about a site-to-site IPSec VPN tunnel? The PAN firewall will bring up the IPSec VPN tunnel upon interesting traffic by default.
Thanks
09-04-2014 09:03 AM
HULK, get out of here with that "interesting traffic" terminology. That is Cisco jargon. :smileylaugh:
Thanks for the help!
09-04-2014 09:11 AM
I control ours by a security policy using two external IP addresses, and disable/enable the security policy as needed.
09-04-2014 09:40 AM
Could try something of the form,
* Configure your security policies such that only outgoing VPN connections are accepted.
* Configure the VPN as passive.
When you need the VPN, on the CLI use the 'test vpn ipsec-sa tunnel <name>' command to bring the session up.
It may not work; but it would be what I'd try to achieve that...
11-12-2014 06:09 AM
Hi SDorsey,
A VPN tunnel is initiated in two circumstances.
1. In case of interesting traffic. (Sorry for the Cisco jargon.)
2. By using a test vpn command.
Now it stays up for the SA's lifetime. Cisco also behaves in exactly the same way.
If there is traffic, then it stays up and remains up until the SA expires. In between, if you want to terminate it, then clear the flows.
Could you please give me more specific information on the term "on demand"?
Regards,
Hardik Shah