PAN-OS 6.0 introduced the ability to use certificates for IKE authentication. This document describes how to configure IKE authentication using self-signed certificates on a pair of Palo Alto Networks firewalls running PAN-OS 6.0.
Steps
1. Generate a CA (Certificate Authority) certificate on one of the Palo Alto Networks firewalls. This certificate will be used to sign the client certificates used for the authentication.
2. Export the CA certificate, then import it into the peer firewall.
3. Generate a client certificate on each firewall and sign it with the CA certificate from step 1 (the locally generated CA on the first firewall, the imported CA on the peer). (Screenshots: PA-3000 Series and PA-2000 Series.)
4. Create a Certificate Profile on both firewalls and add the CA certificate to it, as shown in the following example.
5. Create an IKE gateway on each firewall and select Certificate for the Authentication setting. In the following example, "Distinguished Name" (DN) is used as the identification. The DN is the same as the Common Name of the certificate. (Screenshots: PA-3000 Series and PA-2000 Series.)
6. Create an IPSec tunnel on both firewalls.
7. Send traffic through the VPN tunnel to verify that it comes up. (Screenshots: PA-3000 Series and PA-2000 Series.)
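The steps above are done in the firewall GUI, so the pieces that matter for the trust relationship are not visible: a self-signed CA, one client certificate per firewall signed by that CA, the subject DN that the IKE gateway presents as its identity, and the check the Certificate Profile performs on the peer's certificate. The following is an added example, not code from the Palo Alto Networks article or from PAN-OS; it rebuilds that chain off-box with the python-cryptography library so each piece can be inspected. The names "ike-ca", "pa3000" and "pa2000" are constructed placeholders, and the `peer_cert_trusted` check is a model of what a Certificate Profile does, not the firewall's own implementation.

```python
# Added example (not from the Palo Alto Networks article or PAN-OS): the IKE
# certificate trust chain built off-box with python-cryptography.
# "ike-ca", "pa3000" and "pa2000" are constructed placeholder names.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _now():
    return datetime.now(timezone.utc)


def _validity(cert):
    # Newer cryptography releases expose tz-aware *_utc properties; older
    # ones return naive UTC datetimes. Normalise both to tz-aware UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def make_ca(common_name):
    """Step 1: a self-signed CA certificate (subject == issuer, signed by its own key)."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, common_name):
    """Step 3: a per-firewall client certificate, signed by the CA's key (not self-signed)."""
    key = _new_key()
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def ike_identity(cert):
    """Step 5: with DN identification the IKE ID is the certificate subject.
    A subject holding only a Common Name renders as 'CN=<name>'."""
    return cert.subject.rfc4514_string()


def peer_cert_trusted(peer_cert, profile_ca_cert, at=None):
    """Model of the Certificate Profile check (not PAN-OS code): the peer's
    certificate must name the profile CA as issuer, carry a signature that
    verifies under that CA's public key, and be inside its validity window.
    Trust follows the CA key, so a CA with the same name but another key fails."""
    at = at or _now()
    if peer_cert.issuer != profile_ca_cert.subject:
        return False
    try:
        profile_ca_cert.public_key().verify(
            peer_cert.signature,
            peer_cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            peer_cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    not_before, not_after = _validity(peer_cert)
    return not_before <= at <= not_after


def to_pem(cert, key):
    """PEM forms suitable for importing a certificate plus key into a firewall."""
    cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode()
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    ).decode()
    return cert_pem, key_pem


def demo():
    """Build the CA and both client certificates and run the profile check
    for the valid case, a same-named rogue CA, and an expired certificate."""
    ca_key, ca_cert = make_ca("ike-ca")
    _, pa3000 = issue_client_cert(ca_key, ca_cert, "pa3000")
    _, pa2000 = issue_client_cert(ca_key, ca_cert, "pa2000")
    _, rogue_ca = make_ca("ike-ca")  # same CN, different key pair
    return {
        "pa3000_id": ike_identity(pa3000),
        "pa2000_id": ike_identity(pa2000),
        "pa3000_trusted": peer_cert_trusted(pa3000, ca_cert),
        "pa2000_trusted": peer_cert_trusted(pa2000, ca_cert),
        "rogue_ca_trusted": peer_cert_trusted(pa3000, rogue_ca),
        "expired_trusted": peer_cert_trusted(pa3000, ca_cert, at=_now() + timedelta(days=400)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `rogue_ca_trusted` case is the reason the CA certificate, and not the peer's client certificate, goes into the Certificate Profile: the profile anchors trust in the CA's key, so a certificate signed by any other key is rejected even when the issuer name matches. On the firewall, `show vpn ike-sa` and `show vpn ipsec-sa` list the negotiated security associations once traffic has brought the tunnel up.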