Palo Alto Networks Knowledgebase: Is IKEv2 Supported on the Palo Alto Networks Device?

Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:45 PM
VPNs
Resolution

IKEv2 support is included with PAN-OS 7.0.



Before PAN-OS 7.0

Palo Alto Networks firewalls running PAN-OS 6.1 or lower supported only IKEv1.

The following errors would be seen if IKEv2 was configured.

info     vpn     ike_se ike-neg 0  IKE phase-1 SA is deleted SA: x.x.x.x[500]-y.y.y.y[500] cookie:8673a55186fc8c10:0000000000000000.

info     vpn     ike_se ike-neg 0  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:8673a55186fc8c10:0000000000000000. Due to timeout.

info     vpn            ike-gen 0  0:x.x.x.x[500] - y.y.y.y[500]:0x30f02178:unknown ikev2 peer

info     vpn            ike-gen 0  received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP y.y.y.y[500] to x.x.x.x[500], ignored.

info     vpn            ike-gen 0  0:x.x.x.x[500] - y.y.y.y[500]:0x30f03638:unknown ikev2 peer

info     vpn     ike_se ike-neg 0  IKE phase-1 negotiation is started as initiator, main mode. Initiated SA: x.x.x.x[500]-y.y.y.y[500] cookie:8673a55186fc8c10:0000000000000000.
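
One way to triage log lines like those above, added here as an example and not taken from Palo Alto Networks: the script groups messages by local/peer address pair and separates pairs that logged "unknown ikev2 peer" from pairs that only timed out in phase 1. The sample lines, the addresses, and the verdict and function names are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown above (documentation-range IPs).
SAMPLE_LOG = """\
info     vpn     ike_se ike-neg 0  IKE phase-1 negotiation is started as initiator, main mode. Initiated SA: 192.0.2.1[500]-198.51.100.2[500] cookie:1111111111111111:0000000000000000.
info     vpn            ike-gen 0  0:192.0.2.1[500] - 198.51.100.2[500]:0x30f03638:unknown ikev2 peer
info     vpn            ike-gen 0  received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP 198.51.100.2[500] to 192.0.2.1[500], ignored.
info     vpn     ike_se ike-neg 0  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 192.0.2.1[500]-198.51.100.2[500] cookie:1111111111111111:0000000000000000. Due to timeout.
info     vpn     ike_se ike-neg 0  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 192.0.2.1[500]-203.0.113.9[500] cookie:2222222222222222:0000000000000000. Due to timeout.
"""

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]"
# name -> (pattern, peer_first); peer_first is True when the peer address is captured first.
PATTERNS = {
    "ikev2_peer": (re.compile(ADDR + r" - " + ADDR + r":0x[0-9a-f]+:unknown ikev2 peer"), False),
    "no_proposal": (re.compile(r"\(NO-PROPOSAL-CHOSEN\) from IP " + ADDR + r" to " + ADDR), True),
    "p1_timeout": (re.compile(r"phase-1 negotiation is failed.*Failed SA: " + ADDR + "-" + ADDR + r".*Due to timeout"), False),
}

def verdict(events):
    """Map the set of message types seen for one peer to a triage label."""
    if "ikev2_peer" in events:
        return "ike-version-mismatch"   # peer is speaking IKEv2 to an IKEv1-only gateway
    if "no_proposal" in events:
        return "proposal-rejected"      # peer refused the offer, no IKEv2 indication
    return "phase1-timeout-only"        # timeout alone does not point at the IKE version

def classify(log_text):
    """Return {(local_ip, peer_ip): verdict} for every pair seen in the log text."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        for name, (rx, peer_first) in PATTERNS.items():
            m = rx.search(line)
            if m:
                a, b = m.groups()
                local, peer = (b, a) if peer_first else (a, b)
                seen[(local, peer)].add(name)
    return {pair: verdict(events) for pair, events in seen.items()}

if __name__ == "__main__":
    for (local, peer), label in classify(SAMPLE_LOG).items():
        print(f"{local} -> {peer}: {label}")
```
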

owner: ashaikh


