Unable to save the IKE gateway default version to IKEv2 in the Panorama
Created On 11/08/24 03:34 AM - Last Modified 08/27/25 02:49 AM
Symptom
- On Panorama, an IKE gateway is created with [Version] left at the default value, "IKEv2 only mode".
- If the value is left as the default (it is not explicitly selected from the drop-down menu), it is not reflected in the running-config.
- When the configuration is pushed to the firewall, the firewall treats the gateway as IKEv1, which causes VPN establishment issues.
Environment
- Any Panorama
- PAN-OS 11.2.x
- "IKEv2 only mode" is displayed as the default option of the [Version] field when creating a new IKE Gateway configuration.
Cause
Software Issue.
Resolution
Resolution:
- This issue is resolved under PAN-266279.
- Upgrading to the fixed versions 10.2.14 or 11.1.8 will resolve the issue.
- The issue is also resolved in PAN-OS 11.2.5 and 12.1.0.
Workaround:
- Click [Add] and open the configuration window.
- In the [General] tab, change [Version] to an option other than "IKEv2 only mode".
- Select "IKEv2 only mode" as [Version] again, configure the other parameters, and click [OK].
- Commit the configuration to Panorama and push it to managed devices.
Additional Information
- When this issue is observed, IKE Gateways that display an unexpected IKE Crypto Profile ("default" in this case) have no IKE version parameter in the configuration.
- In this condition, PAN-OS uses "IKEv1 only mode" as the default for those IKE Gateways, and the IKE Crypto Profile for IKEv1 is displayed in the list of IKE Gateways even though the IKE version selected in the web management UI is "IKEv2 only mode".
- Hence, after correcting the visual issue in Panorama, the modified configuration must be pushed to the managed devices.
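One way to find affected gateways in an exported configuration file is sketched below. This is an added example, not Palo Alto Networks code. It assumes the IKE version is stored at `network/ike/gateway/entry/protocol/version` and that Panorama templates sit under `template/entry`; the sample XML and all gateway and template names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported Panorama configuration (not from the article).
# Assumed schema: .../network/ike/gateway/entry/protocol/version
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><template>
  <entry name="branch-vpn"><config><devices><entry name="localhost.localdomain">
    <network><ike><gateway>
      <entry name="gw-hq-default">
        <local-address><interface>ethernet1/1</interface></local-address>
        <protocol/>
      </entry>
      <entry name="gw-hq-explicit">
        <protocol><version>ikev2</version></protocol>
      </entry>
    </gateway></ike></network>
  </entry></devices></config></entry>
</template></entry></devices></config>
"""


def gateways_missing_version(xml_text):
    """Return [(scope, gateway)] for IKE gateways with no explicit version.

    Per the article, such gateways are treated as "IKEv1 only mode" by PAN-OS
    even when the web UI shows "IKEv2 only mode".
    """
    root = ET.fromstring(xml_text)
    # Panorama export: one scope per template. Firewall export: single scope.
    scopes = [(t.get("name"), t) for t in root.findall(".//template/entry")]
    if not scopes:
        scopes = [("local", root)]
    findings = []
    for scope, node in scopes:
        for gw in node.findall(".//network/ike/gateway/entry"):
            version = gw.findtext("protocol/version")
            if version is None or not version.strip():
                findings.append((scope, gw.get("name")))
    return findings


if __name__ == "__main__":
    for scope, name in gateways_missing_version(SAMPLE_CONFIG):
        print(f"{scope}: IKE gateway '{name}' has no explicit version set")
```

Gateways reported by the check are candidates for the workaround above, followed by a commit and push to the managed devices.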