The following is a sample IPSec tunnel configuration with a Palo Alto Networks firewall connecting to a Cisco ASA firewall.
Phase 1 Proposal
Cisco ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Palo Alto Networks firewall:
<ike-crypto-profiles>
  <entry name="default">
    <encryption>
      <member>aes192</member>
      <member>aes256</member>
      <member>aes128</member>
      <member>3des</member>
    </encryption>
    <hash>
      <member>sha1</member>
      <member>md5</member>
    </hash>
    <dh-group>
      <member>group2</member>
      <member>group1</member>
    </dh-group>
    <lifetime>
      <hours>24</hours>
    </lifetime>
  </entry>
</ike-crypto-profiles>
Phase 2 Proposal
Cisco ASA:
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto
Palo Alto Networks firewall:
<ipsec-crypto-profiles>
  <entry name="default">
    <esp>
      <encryption>
        <member>aes256</member>
      </encryption>
      <authentication>
        <member>sha1</member>
      </authentication>
    </esp>
    <dh-group></dh-group>
    <lifetime>
      <hours>24</hours>
    </lifetime>
  </entry>
</ipsec-crypto-profiles>
Gateway
Cisco ASA:
crypto map outside 20 set peer 10.9.3.8
tunnel-group 10.9.3.8 type ipsec-l2l
tunnel-group 10.9.3.8 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite
Palo Alto Networks firewall:
<gateway>
  <entry name="XYZ.ASA">
    <peer-address>
      <ip>10.88.12.253</ip>
    </peer-address>
    <local-address>
      <ip>10.9.3.8/24</ip>
      <interface>ethernet1/1</interface>
    </local-address>
    <authentication>
      <pre-shared-key>
        <key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
      </pre-shared-key>
    </authentication>
    <protocol>
      <ikev1>
        <exchange-mode>auto</exchange-mode>
        <ike-crypto-profile>default</ike-crypto-profile>
        <dpd>
          <enable>yes</enable>
          <interval>10</interval>
          <retry>3</retry>
        </dpd>
      </ikev1>
    </protocol>
  </entry>
</gateway>
Phase 2 - Proxy ID/tunnel
Cisco ASA:
access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN
Palo Alto Networks firewall:
<tunnel>
  <ipsec>
    <entry name="XYZTunnel">
      <anti-replay>no</anti-replay>
      <copy-tos>no</copy-tos>
      <tunnel-monitor>
        <enable>no</enable>
      </tunnel-monitor>
      <tunnel-interface>tunnel.1</tunnel-interface>
      <auto-key>
        <ike-gateway>
          <entry name="XYZ.ASA"/>
        </ike-gateway>
        <ipsec-crypto-profile>default</ipsec-crypto-profile>
        <proxy-id>
          <local>10.61.0.0/16</local>
          <remote>10.211.168.0/22</remote>
        </proxy-id>
      </auto-key>
    </entry>
  </ipsec>
</tunnel>
Note: The protocol field under the Proxy ID must match on both sides, just as the local and remote networks must mirror the ASA access-list (the ASA source is the Palo Alto Networks remote, and the ASA destination is the Palo Alto Networks local).
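The mirroring rule for the Phase 2 selectors can be checked mechanically before committing either side. The following Python script is an added example, not part of this article or of either vendor's tooling: it parses the ASA crypto-map access-list entry and the Palo Alto Networks <proxy-id> element and confirms that they describe the same traffic from opposite ends of the tunnel. It assumes that a missing <protocol> element means "any" and that, when present, the tag name of its first child names the protocol.

```python
"""Compare a Cisco ASA crypto-map ACE with a Palo Alto Networks proxy-ID.
Added example: not from the article or either vendor."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed inputs, modelled on the article's Phase 2 sample configuration.
ASA_ACL = ("access-list ASAtoPAN extended permit ip "
           "10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0")
PAN_PROXY_ID = """<proxy-id>
  <local>10.61.0.0/16</local>
  <remote>10.211.168.0/22</remote>
</proxy-id>"""

ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)")


def parse_asa_acl(line):
    """Return (protocol, source network, destination network) from an ASA
    extended ACE. ASA writes dotted netmasks, which ipaddress accepts."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ACE: %s" % line)
    src = ipaddress.ip_network("%s/%s" % (m["src"], m["smask"]), strict=False)
    dst = ipaddress.ip_network("%s/%s" % (m["dst"], m["dmask"]), strict=False)
    return m["proto"], src, dst


def parse_pan_proxy_id(xml_text):
    """Return (protocol, local network, remote network) from <proxy-id>.
    Assumption: no <protocol> element means 'any'; otherwise the first child
    tag (e.g. <tcp/>) is taken as the protocol name."""
    root = ET.fromstring(xml_text)
    proto_el = root.find("protocol")
    proto = proto_el[0].tag if proto_el is not None and len(proto_el) else "any"
    local = ipaddress.ip_network(root.findtext("local").strip())
    remote = ipaddress.ip_network(root.findtext("remote").strip())
    return proto, local, remote


def selectors_match(asa_line, pan_xml):
    """True when the two sides mirror each other: PAN local == ASA destination,
    PAN remote == ASA source, and the protocol agrees ('ip' on the ASA is the
    same selector as 'any' on the Palo Alto Networks side)."""
    a_proto, a_src, a_dst = parse_asa_acl(asa_line)
    p_proto, p_local, p_remote = parse_pan_proxy_id(pan_xml)
    proto_ok = a_proto == p_proto or {a_proto, p_proto} <= {"ip", "any"}
    return proto_ok and p_local == a_dst and p_remote == a_src
```

A mismatch in either network or the protocol is the usual cause of a Phase 2 failure between these two platforms, so running the check against both configurations before commit saves a round of log reading.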