How to create IPsec and IKE crypto profiles from CLI

Created On 05/21/25 08:06 AM - Last Modified 10/20/25 20:30 PM


Objective


  • Provides the CLI commands to create IPsec and IKE crypto profiles on a Palo Alto Networks firewall.

 



Environment


  • All platforms
  • All PAN-OS versions
  • VPN
  • IPsec


Procedure


The commands below should be executed in the order listed:

> configure
# set network ike crypto-profiles ike-crypto-profiles ike-crypto dh-group <value> encryption <value> hash <value> lifetime hours <value>
# set network ike crypto-profiles ipsec-crypto-profiles ipsec-crypto dh-group <value> esp authentication <value> encryption <value>
# set network ike crypto-profiles ipsec-crypto-profiles ipsec-crypto lifetime hours <value>

To view the configured ike-crypto-profiles, enter configuration mode (configure) and execute "show network ike crypto-profiles ike-crypto-profiles ike-crypto":

ike-crypto {
  dh-group group2;
  encryption aes-256-gcm;
  hash sha256;
  lifetime {
    hours 8;
  }
}

To view the configured ipsec-crypto-profiles, enter configuration mode (configure) and execute "show network ike crypto-profiles ipsec-crypto-profiles ipsec-crypto":

ipsec-crypto {
  dh-group group2;
  esp {
    authentication sha256;
    encryption aes-256-gcm;
  }
  lifetime {
    hours 8;
  }
}
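Once the profiles are created, the "show" output above can be checked against a crypto baseline before the profile is attached to a tunnel. The following is an added example, not part of the original article or a Palo Alto Networks tool: it parses the brace-style output and reports settings that an example policy treats as weak. The WEAK table, the function names and the handling of bracketed value lists are assumptions of this sketch.

```python
import re

# Example policy (an assumption of this sketch, not vendor guidance).
WEAK = {"dh-group": {"group1", "group2", "group5"}, "encryption": {"des", "3des"},
        "hash": {"md5", "sha1"}, "authentication": {"md5", "sha1"}}

# The ike-crypto output shown in this article, copied verbatim.
IKE_OUTPUT = """ike-crypto {
  dh-group group2;
  encryption aes-256-gcm;
  hash sha256;
  lifetime {
    hours 8;
  }
}"""

def parse_profile(text):
    """Turn brace-style output into nested dicts; leaf values are lists."""
    root = cur = {}
    stack, words = [], []
    for tok in re.findall(r"[{};\[\]]|[^\s{};\[\]]+", text):
        if tok == "{":                      # words so far name the new block
            stack.append(cur)
            cur = cur.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            cur = stack.pop()
        elif tok == ";":                    # end of a "key value..." statement
            if words:
                cur[words[0]] = words[1:]
            words = []
        elif tok not in ("[", "]"):         # brackets only delimit value lists
            words.append(tok)
    if stack:
        raise ValueError("unclosed '{'")
    return root

def audit(node, path=""):
    """Return (path, value) for each setting listed in WEAK."""
    found = []
    for key, val in node.items():
        here = f"{path}/{key}".lstrip("/")
        if isinstance(val, dict):
            found += audit(val, here)
        else:
            found += [(here, v) for v in val if v in WEAK.get(key, ())]
    return found
```

Calling audit(parse_profile(IKE_OUTPUT)) reports the dh-group value of the sample profile, because group2 is in the example policy's weak set.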

 

 



Additional Information


How to Configure an IPSEC VPN with Route and Tunnel Configuration from CLI

https://paloaltonetworks.lightning.force.com/lightning/r/Knowledge__kav/ka14u000000UNw0AAG/view


