several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Showing results for 
Show  only  | Search instead for 
Did you mean: 

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

L1 Bithead

Hello dear colleagues,


according to the documentation, there is a limitation for IKE gateways:

All IKE gateways configured on the same interface or local IP address must use the same crypto
profile. (c) 

The same restriction is mentioned in the PANOS v8.1 course.


First of all, it seems strange that we cannot use different IKE options for different peers. Second, I use different IKE Crypto Profiles for different IKE gateways on the same public interface without any problem. I can see that they do use different algorithms for encrypting, hashing, DH group, etc. So it works.


  Is it some obsolete information they just forgot to remove? 



Vladimir Stepanov


From 9.1 you can't commit unless all dynamic peers have same crypto profile.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Sounds like a bad joke. This is an irony that would be funny were it not so tragic.

Yes, that sounds like a step backwards in 9.1. What is the logic behind this?

Is it mentioned somewhere in the release notes? I didn't found it, so I am afraid that they just broken it occasionally.

It is sad, the paloalto is becoming a really **bleep** product. The support is awful, it needs to explain to support engineers how things should work. During one of my last discussions, I have spent four hours proving with references to the documentation and with tests in the lab I created especially for this. And this ticket is still on the engineering side for 8 months without any estimate.

Another problem unresolved for more than three months and the only feedback is that they may be fix it in 9.0.11, but for now there is even no estimation date for 9.0.10.

 GeoIP is not reliable and there is no easy procedure on how to fix errors there, the support proposes to rollback the content database to the old that was a week ago, or just wait, "maybe it will be fixed in some future update".

  External dynamic lists from the PaloAlto are abandoned before there were thousands of malicious IPs, not just hundreds. 


I have had the exact same experience.
And the GeoIP bug hits also the fqdn-Objects. For this bug support needed 12d to find out and publish to me.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!