This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

vladimir.stepanov
L1 Bithead

‎11-29-2018 02:56 AM

Hello dear colleagues,

 

according to the documentation, there is a limitation for IKE gateways:

All IKE gateways configured on the same interface or local IP address must use the same crypto
profile. (c) 

The same restriction is mentioned in the PANOS v8.1 course.

 

First of all, it seems strange that we cannot use different IKE options for different peers. Second, I use different IKE Crypto Profiles for different IKE gateways on the same public interface without any problem. I can see that they do use different algorithms for encrypting, hashing, DH group, etc. So it works.

 

  Is it some obsolete information they just forgot to remove? 

 

Regards,

Vladimir Stepanov

0 Likes Likes
16 REPLIES 16

Raido_Rattameister
L7 Applicator
In response to robert.hoffmann

‎07-13-2020 05:55 AM

From 9.1 you can't commit unless all dynamic peers have same crypto profile.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

robert.hoffmann
L2 Linker
In response to robert.hoffmann

‎07-13-2020 07:11 AM

Sounds like a bad joke. This is an irony that would be funny were it not so tragic.

(1)

santonic
L5 Sessionator
In response to robert.hoffmann

‎07-19-2020 11:07 PM

Yes, that sounds like a step backwards in 9.1. What is the logic behind this?

0 Likes Likes

ppk_vs
L1 Bithead
In response to santonic

‎07-22-2020 03:04 AM

Is it mentioned somewhere in the release notes? I didn't found it, so I am afraid that they just broken it occasionally.

It is sad, the paloalto is becoming a really **bleep** product. The support is awful, it needs to explain to support engineers how things should work. During one of my last discussions, I have spent four hours proving with references to the documentation and with tests in the lab I created especially for this. And this ticket is still on the engineering side for 8 months without any estimate.

Another problem unresolved for more than three months and the only feedback is that they may be fix it in 9.0.11, but for now there is even no estimation date for 9.0.10.

 GeoIP is not reliable and there is no easy procedure on how to fix errors there, the support proposes to rollback the content database to the old that was a week ago, or just wait, "maybe it will be fixed in some future update".

  External dynamic lists from the PaloAlto are abandoned before there were thousands of malicious IPs, not just hundreds. 

 

robert.hoffmann
L2 Linker
In response to ppk_vs

‎07-22-2020 04:47 AM

I have had the exact same experience.
And the GeoIP bug hits also the fqdn-Objects. For this bug support needed 12d to find out and publish to me.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks