2/28/23, 6:22 PM https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?

id=kA10g000000Clh5CAC

Resource List: IPSec Configuring and Troubleshooting

Created On 09/25/18 19:54 PM - Last Modified 05/12/21
21:34 PM

IPSec Resource List VPNs PAN-OS

163512
Environment
Palo Alto Firewalls
Any PAN-OS.
IPSec configuration.

Resolution
The following table provides a list of valuable resources on understanding and configuring IPSec and Tunneling:

Title Description Type

Basic

How to configure IPSec VPN Configure IPSec VPN Document

Configure Palo Alto Networks device as an

Configuring the Palo Alto Networks device as an IPSec Document
IPSec

IPSec crypto options Options for IPSec crypto Document

Why is GlobalProtect slower on SSL VPN compared to GlobalProtect slower on SSL VPN compared to
Document
IPSec VPN? IPSec VPN

NAT traversal in an IPSec gateway NAT traversal in an IPSec gateway Document

Config guidelines when terminating IPSec VPN tunnels

Configuration guidelines Document
on the firewall

Sample IPSec tunnel configuration - Palo Alto

Sample IPSec tunnel configuration Document
Networks firewall to Cisco ASA

The IPSEC tunnel comes up but hosts behind peer are

IPSec tunnel troubleshooting Document
not reachable

IPSec VPN with peer ID set to FQDN

IPSec VPN with peer ID set to FQDN Document

What encryption is used when enabling IPSec for Encryption used when enabling IPSec for Document
GlobalProtect? GlobalProtect

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC 1/3
2/28/23, 6:22 PM https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC

Intermediate

IPSec tunnel details Troubleshooting IPSec tunnels Document

Differences between IPSec and LSVPN tunnel The differences between the normal
Document
monitoring IPSec/LSVPN tunnel monitoring

IPSec traffic being discarded IPSec traffic troubleshooting Document

How to verify if IPSec tunnel monitoring is working Verify if IPSec tunnel monitoring is working Document

IPSec VPN error: IKE phase-2 negotiation failed as

IPSec VPN error troubleshooting Document
initiator, quick mode

IPSec interoperability between Palo Alto Network IPSec interoperability between Palo Alto
Document
firewalls and Cisco ASA Networks firewalls and Cisco ASA firewall series

How to configure dynamic routing over IPSec against Configure dynamic routing over IPSec against
Document
Cisco routers Cisco routers

Configuring route based IPSec with overlapping

Configure route-based IPSec Document
networks

GlobalProtect configuration for the IPSec client on GlobalProtect configuration for the IPSec client
Document
Apple iOS devices on Apple iOS

Site-to-site VPN between Palo Alto Networks firewall Site-to-site VPN between Palo Alto Networks
Document
and Cisco router is unstable or intermittent firewall and Cisco router

Configuring captive portal for users over site-to-site

Configure captive portal for users Document
IPSec VPN

IPSec VPN IKE phase 1 is down but tunnel is active IPSec troubleshooting Document

Tips for configuring a Juniper SRX IPSec VPN tunnel Configuring a Juniper SRX IPSec VPN tunnel to
Document
to a Palo Alto Networks firewall a Palo Alto Networks firewall

Dynamic IPSec site-to-site between Cisco ASA and IPSec site-to-site between Cisco ASA and Palo
Document
Palo Alto Networks firewall Alto Networks

How does the firewall handle diffserv headers in an

Diffserv headers in an IPSec Tunnel Document
IPSec tunnel?

Advanced

IPSec tunnel is up and packet is getting dropped with Packet is getting dropped with wrong SPI
Document
wrong SPI counter increase counter increase

Configuring route-based IPSec using OSPF Configuring route-based IPSec Document

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC 2/3
2/28/23, 6:22 PM https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC

IPSec error: IKE phase-1 negotiation is failed as

IPSec troubleshooting Document
initiator, main mode due to negotiation timeout

Site-to-site IPSec excessive rekeying on only one

IPSec troubleshooting Document
tunnel on system logs

CLI commands to status, clear, restore and monitor an

IPSec CLI commands Document
IPSec VPN tunnel

What do the port numbers in an IPSec-ESP session

IPSec-ESP session Document
represent?

Configuring IPSec VPN between PAN-OS and

IPSec VPN between PAN-OS and CheckPoint Document
CheckPoint Edge / Safe@Office

Configuring site-to-site IPSec VPN in layer 2 Configuring site-to-site IPSec VPN in Layer 2 Document

Site-to-site IPSec VPN between Palo Alto Networks

IPSec troubleshooting Document
firewall and Cisco router using VTI not passing traffic

Configuring IKEv2 VPN for Microsoft Azure

Configuring IKEv2 VPN for Microsoft Azure Document
Environment

Dual ISP VPN site to site Tunnel Failover with Static Setup Site to Site VPN tunnels (IKEv1 and
Route Path-Monitoring IKEv2) per ISP for redundancy of traffic over the Document
tunnels.
Note: If you have a suggestion for an article, video or discussion not included in this list please submit the content through
the feedback column on the right and it will be added to the master list.

Attachments

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC 3/3