Is it possible in the PAN to do on-demand vpn tunnels? This is used quite a bit in the Cisco world.. especially for vendors.
They often are setup so the tunnel is configured but when the vendor needs to connect for support, the end-user needs to connect to their ASA and initiate the tunnel basically.
Today you can't disable a VPN in a PA. The only thing you can do is to delete your tunnel
I know there are many request for that. May be introduce in 6.1 version.
Could try something of the form,
* Configure your security policies such that only outgoing VPN connections are accepted.
* Configure the VPN as passive.
When you need the VPN, on the CLI use the 'test vpn ipsec-sa tunnel <name>' command to bring the session up.
It may not work; but it would be what I'd try to achieve that...
VPN Tunnel is initiated in two circumstances.
1. In case of interested traffic. >>>>>>>>>>>>>Sorry for Cisco Jargon.
2. By using a Test vpn command.
Now it stays up until SAs life time. Cisco also behaves in exactly same way.
If there is a traffic than it stays up and remains up until SA expires. Inbetween if you want to terminate it than clear flows.
Could you please tell me more specific information on "On demand" word.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!