The following diagram illustrates an IPSec site-to-site between a Palo Alto Networks firewall and Cisco:
Create a tunnel interface and select virtual router and security zone. The security policy needs to allow traffic from the LAN zone to the VPN zone, if placing the tunnel interface in some separate zone other than the internal LAN network zone.
The IP address is not required. To run the routing protocol through the tunnel, you must add an IP address to the tunnel interface.
For this scenario we are using a Loopback interface to simulate a host in an internal zone for testing purposes, otherwise there is no need for the loopback interface.
Create a Phase 1 policy, which will be the same on both sides:
Create a Phase 2 policy, which will be the same on both sides:
The peer IP address must be reachable through the interface Ethernet 1/1, as shown below:
Select the tunnel interface, the IKE gateway, and the IPSec Crypto profile to make sure the Proxy-ID is added, otherwise phase 2 will not come up.
Add the route of the internal network of the other side pointing towards the tunnel interface and select None:
ip access-list extended Crypto_Acl permit ip 10.50.50.0 0.0.0.255 220.127.116.11 0.0.0.255