This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2018 02:56 AM
Hello dear colleagues,
according to the documentation, there is a limitation for IKE gateways:
All IKE gateways configured on the same interface or local IP address must use the same crypto
profile. (c)
The same restriction is mentioned in the PANOS v8.1 course.
First of all, it seems strange that we cannot use different IKE options for different peers. Second, I use different IKE Crypto Profiles for different IKE gateways on the same public interface without any problem. I can see that they do use different algorithms for encrypting, hashing, DH group, etc. So it works.
Is it some obsolete information they just forgot to remove?
Regards,
Vladimir Stepanov
16 REPLIES 16
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2018 06:38 AM
Can you point out where it is in documentation?
You can definitely use diferent crypto profiles on same interface in diferent IKE gateways.
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2018 06:56 AM
As @Raido_Rattameister mentioned this is either poorly worded or simply not correct. You can only assign one profile per IKE gateway (obviously), but as long as you use a different IKE gateway you can have multiple profiles assigned regardless of them sharing the same physical interface.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2018 07:35 AM - edited 11-29-2018 07:38 AM
At first I have seen it in the paloalto online course for Pan-OS 8.1, module about Site-to-Site VPN, IKE Gateway configuration. After I started to search and found the same in the PAN-OS Admin Guide 8.0 - Page 691
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2018 02:25 PM
???
I have never seen or heard of this note and since 5.0 I use different profiles for the ike gateways ... also with 8.0
Related Content
- QoS cleartext match issue in General Topics
- Not able to apply QoS profile to interface in Next-Generation Firewall Discussions
- QOS Config in General Topics
- QoS - Guaranteed bandwith in General Topics
- How do I assign SD-wan interface profile to template when all sites have different speeds for fiber and cable. in Panorama Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks