Cisco IPSec LAN-TO-LAN - Page 2

mediaos718 · ‎07-16-2018

I have an IPsec LAN-to-LAN tunnel between a Cisco router and a Palo Alto FW. The tunnel remains UP-ACTIVE if there is interesting traffic - The tunnels goes down if there is no interesting traffic. The problem I am having is that I cannot bring the tunnel up from the Cisco side - If I initiate a ping from the Cisco side to go through the VPN, this will not bring the tunnel up. If I initiate the ping from the Palo Alto side then the tunnel comes up.

How do I have to configure the Cisco router to keep the tunnerl UP-ACTIVE at all time?

How can I bring the tunnel up from the Cisco router side?

rypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

lifetime 28400

crypto isakmp key MYVPN! address x.x.x.x

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

mode transport

!

crypto map MYMAP 10 ipsec-isakmp

set peer x.x.x.x

set security-association lifetime kilobytes 65000

set transform-set MYSET

match address Dublin_Subnet

ip access-list extended Dublin_Subnet

permit ip host 192.168.100.1 host 10.117.0.160 log

!

mediaos718 · ‎07-16-2018

All, this has been resolved. The Palo was using "set pfs group5" - I added this config and the tunnel comes up and stays up.

Richard Burts · ‎07-17-2018

Thanks for posting back to the forum and telling us that the issue is resolved and that the problem was a mismatch in configuration of pfs. +5 for solving your own problem. It is a very good thing when someone asks the forum for help with a problem and then is able to find the solution themselves. Congratulations.

HTH

Rick

HTH

Rick