several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Showing results for 
Show  only  | Search instead for 
Did you mean: 

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

L1 Bithead

Hello dear colleagues,


according to the documentation, there is a limitation for IKE gateways:

All IKE gateways configured on the same interface or local IP address must use the same crypto
profile. (c) 

The same restriction is mentioned in the PANOS v8.1 course.


First of all, it seems strange that we cannot use different IKE options for different peers. Second, I use different IKE Crypto Profiles for different IKE gateways on the same public interface without any problem. I can see that they do use different algorithms for encrypting, hashing, DH group, etc. So it works.


  Is it some obsolete information they just forgot to remove? 



Vladimir Stepanov


Cyber Elite
Cyber Elite

Can you point out where it is in documentation?

You can definitely use diferent crypto profiles on same interface in diferent IKE gateways.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011


As @Raido_Rattameister mentioned this is either poorly worded or simply not correct. You can only assign one profile per IKE gateway (obviously), but as long as you use a different IKE gateway you can have multiple profiles assigned regardless of them sharing the same physical interface. 

At first I have seen it in the paloalto online course for Pan-OS 8.1, module about Site-to-Site VPN, IKE Gateway configuration. After I started to search and found the same in the PAN-OS Admin Guide 8.0 - Page 691


ike crypto profiles.PNG



I have never seen or heard of this note and since 5.0 I use different profiles for the ike gateways ... also with 8.0

Definitelly a mistake. This would make firewall practically useless for VPNs.

Ok, thanks everybody, I am going to report them about this mistake. Just strange that this is mentioned in several sources.

L2 Linker

Also on 9.1. Admin Guide site 907.


After Upgrading from working 9.0.8 with multiple IKE crypto profiles on same Interface / IP I got an auto commit error.status auto commit job public.JPG


ike crypto profile.JPG

Are your peers configured with dynamic IPs?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, my peers configured with dynamic IP's

From 9.1 you can't commit unless all dynamic peers have same crypto profile.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Sounds like a bad joke. This is an irony that would be funny were it not so tragic.

Yes, that sounds like a step backwards in 9.1. What is the logic behind this?

Is it mentioned somewhere in the release notes? I didn't found it, so I am afraid that they just broken it occasionally.

It is sad, the paloalto is becoming a really **bleep** product. The support is awful, it needs to explain to support engineers how things should work. During one of my last discussions, I have spent four hours proving with references to the documentation and with tests in the lab I created especially for this. And this ticket is still on the engineering side for 8 months without any estimate.

Another problem unresolved for more than three months and the only feedback is that they may be fix it in 9.0.11, but for now there is even no estimation date for 9.0.10.

 GeoIP is not reliable and there is no easy procedure on how to fix errors there, the support proposes to rollback the content database to the old that was a week ago, or just wait, "maybe it will be fixed in some future update".

  External dynamic lists from the PaloAlto are abandoned before there were thousands of malicious IPs, not just hundreds. 


I have had the exact same experience.
And the GeoIP bug hits also the fqdn-Objects. For this bug support needed 12d to find out and publish to me.

  • 16 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!