🔐 IPsec IKEv2 — Cisco IOS ↔ Palo Alto

Tunnel VTI · Pre-Shared Key · ENARSI + Client

Topology

R1 (Cisco IOS), IKEv2 initiator
G0/0: 10.0.0.1/30
Tunnel0: 172.16.0.1/30
LAN: 192.168.1.0/24

Internet · 10.0.0.0/30 · UDP 500/4500
══════ IPsec ESP tunnel ══════

FW (Palo Alto), IKEv2 responder
eth1/1 (Untrust): 10.0.0.2/30
tunnel.1: 172.16.0.2/30
eth1/2 (Trust): 192.168.2.1/24

Mode: route-based VTI
Auth: Pre-Shared Key
IKE: AES-256 + SHA-256 + DH14
ESP: AES-256 + SHA-256
PSK: MySecret123
Cisco IOS ↔ Palo Alto equivalents (each PAN-OS step below names the Cisco construct it replaces)
Complete R1 config (Cisco IOS CLI)
! ══════════════════════════════════════════════
! R1: IPsec IKEv2 VTI to Palo Alto
! ══════════════════════════════════════════════

! 1. IKEv2 Proposal ── IKE SA algorithms ──────
crypto ikev2 proposal PROP-IKEv2
 encryption aes-cbc-256
 integrity sha256
 group 14

! 2. IKEv2 Policy ─────────────────────────────
crypto ikev2 policy POL-IKEv2
 proposal PROP-IKEv2

! 3. Keyring — Pre-Shared Key ─────────────────
crypto ikev2 keyring KR-PA
 peer PALO-ALTO
  address 10.0.0.2
  pre-shared-key MySecret123

! 4. IKEv2 Profile ────────────────────────────
crypto ikev2 profile PROF-IKEv2
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PA

! 5. IPsec Transform-Set ── Child SA (ESP) ─────
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel

! 6. IPsec Profile ────────────────────────────
crypto ipsec profile IPSEC-PROF
 set transform-set TS-ESP
 set ikev2-profile PROF-IKEv2
 ! PFS group must match the DH Group (PFS) of the PAN-OS IPsec Crypto Profile
 set pfs group14

! 7. Interface VTI ────────────────────────────
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

! 8. Route to the Palo Alto LAN ──────────────
ip route 192.168.2.0 255.255.255.0 Tunnel0
Palo Alto config (PAN-OS GUI)
1. Network › Interfaces › Tunnel › Add
Create the tunnel interface
Interface Name : tunnel.1
▸ IPv4 tab → Add : 172.16.0.2/30
▸ Advanced tab → Zone : VPN (create it if it does not exist)
▸ Virtual Router : default

2. Network › Network Profiles › IKE Crypto › Add
IKE Crypto Profile  (= crypto ikev2 proposal)
Name : PROF-IKE-CISCO
DH Group : group14
Authentication : sha256
Encryption : aes-256-cbc
Key Lifetime : 8 hours

3. Network › Network Profiles › IPsec Crypto › Add
IPsec Crypto Profile  (= crypto ipsec transform-set)
Name : PROF-IPSEC-CISCO
IPsec Protocol : ESP
Encryption : aes-256-cbc
Authentication : sha256
DH Group (PFS) : group14
Lifetime : 1 hour

4. Network › IKE Gateways › Add
IKE Gateway  (= keyring + ikev2 profile)
Name : GW-CISCO-R1
▸ General tab :
  Version : IKEv2 only mode
  Interface : ethernet1/1
  Local IP : 10.0.0.2/30
  Peer IP : 10.0.0.1
  Auth : Pre-Shared Key → MySecret123
▸ Advanced Options tab :
  IKE Crypto Profile : PROF-IKE-CISCO
  Liveness Check (DPD) : enable

5. Network › IPsec Tunnels › Add
IPsec Tunnel  (= crypto ipsec profile + tunnel protection)
Name : TUNNEL-CISCO-R1
▸ General tab :
  Tunnel Interface : tunnel.1
  Type : Auto Key
  IKE Gateway : GW-CISCO-R1
  IPsec Crypto Profile : PROF-IPSEC-CISCO

6. Policies › Security › Add
Security Policy  (NO Cisco VTI equivalent; MANDATORY on PA)
Rule 1 : Source Zone Trust → Dest Zone VPN → Action Allow
Rule 2 : Source Zone VPN → Dest Zone Trust → Action Allow
⚠️ Palo Alto is zone-based. Without these 2 rules the tunnel comes UP but all traffic is silently blocked. This is the classic trap for people coming from Cisco!

7. Network › Virtual Routers › default › Static Routes › Add
Static route  (= ip route)
Name : TO-CISCO-LAN
Destination : 192.168.1.0/24
Interface : tunnel.1
Next Hop : None (point-to-point tunnel)

8. Commit (button at the top right of the interface)
Commit ── MANDATORY
On Palo Alto, no configuration is active until you Commit. Until then everything lives in the "candidate config".
⚠️ Fundamental difference vs Cisco: on IOS every command is applied immediately. On PAN-OS you work on a candidate config, and the Commit is what activates it atomically.
Palo Alto config (PAN-OS CLI)
# ══════════════════════════════════════════════
# PALO ALTO CLI: IPsec IKEv2 to Cisco R1
# Enter configuration mode: > configure
# ══════════════════════════════════════════════

# 1. Tunnel interface ──────────────────────────
set network interface tunnel units tunnel.1 ip 172.16.0.2/30
set network interface tunnel units tunnel.1 comment "VPN-CISCO-R1"
set zone VPN network layer3 [ tunnel.1 ]
# attach tunnel.1 to the virtual router (GUI step 1: Virtual Router : default)
set network virtual-router default interface tunnel.1


# 2. IKE Crypto Profile ────────────────────────
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO dh-group group14
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO hash [ sha256 ]
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO encryption [ aes-256-cbc ]
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO lifetime hours 8


# 3. IPsec Crypto Profile ──────────────────────
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO esp encryption [ aes-256-cbc ]
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO esp authentication [ sha256 ]
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO lifetime hours 1


# 4. IKE Gateway ───────────────────────────────
set network ike gateway GW-CISCO-R1 authentication pre-shared-key key MySecret123
# IKEv2 only (GUI: Version : IKEv2 only mode)
set network ike gateway GW-CISCO-R1 protocol version ikev2
set network ike gateway GW-CISCO-R1 protocol ikev2 ike-crypto-profile PROF-IKE-CISCO
set network ike gateway GW-CISCO-R1 protocol ikev2 dpd enable yes
set network ike gateway GW-CISCO-R1 protocol-common nat-traversal enable no
set network ike gateway GW-CISCO-R1 local-address interface ethernet1/1
set network ike gateway GW-CISCO-R1 local-address ip 10.0.0.2/30
set network ike gateway GW-CISCO-R1 peer-address ip 10.0.0.1


# 5. IPsec Tunnel ──────────────────────────────
set network tunnel ipsec TUNNEL-CISCO-R1 tunnel-interface tunnel.1
set network tunnel ipsec TUNNEL-CISCO-R1 ike gateway GW-CISCO-R1
set network tunnel ipsec TUNNEL-CISCO-R1 ike ipsec-crypto-profile PROF-IPSEC-CISCO
set network tunnel ipsec TUNNEL-CISCO-R1 disabled no


# 6. Security Policy ───────────────────────────
set rulebase security rules ALLOW-TRUST-VPN from [ Trust ]
set rulebase security rules ALLOW-TRUST-VPN to [ VPN ]
set rulebase security rules ALLOW-TRUST-VPN source any
set rulebase security rules ALLOW-TRUST-VPN destination any
set rulebase security rules ALLOW-TRUST-VPN action allow

set rulebase security rules ALLOW-VPN-TRUST from [ VPN ]
set rulebase security rules ALLOW-VPN-TRUST to [ Trust ]
set rulebase security rules ALLOW-VPN-TRUST source any
set rulebase security rules ALLOW-VPN-TRUST destination any
set rulebase security rules ALLOW-VPN-TRUST action allow


# 7. Static route ──────────────────────────────
set network virtual-router default routing-table ip static-route TO-CISCO-LAN destination 192.168.1.0/24
set network virtual-router default routing-table ip static-route TO-CISCO-LAN interface tunnel.1
# no nexthop statement: point-to-point tunnel (GUI: Next Hop : None)


# 8. Commit ────────────────────────────────────
commit
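Added example (not part of the original page, and not Cisco or Palo Alto tooling): a small Python cross-check that parses the subset of syntax used on both sides above, maps each vendor's algorithm names onto one vocabulary and lists every IKE SA / Child SA parameter that differs, which is the "incompatible algorithms" failure in the troubleshooting notes. The two embedded configs are constructed for the demo and use the page's values; the Cisco one deliberately has no `set pfs` line, so the PFS difference against the PAN-OS IPsec Crypto Profile is flagged.

```python
"""Cross-check Cisco IOS IKEv2/IPsec parameters against PAN-OS crypto profiles.

Added example, not part of the original page. It understands only the syntax
the cheat-sheet uses (ikev2 proposal, transform-set, ipsec profile, and the
PAN-OS 'set network ike crypto-profiles ...' lines) and maps both vendors'
algorithm names onto one vocabulary before comparing.
"""
import re

# Vendor names -> common vocabulary (only the values that appear on the page).
CISCO_ALGO = {
    "aes-cbc-256": "aes256-cbc", "esp-aes 256": "aes256-cbc",
    "sha256": "sha256", "esp-sha256-hmac": "sha256",
    "14": "group14", "group14": "group14",
}
PANOS_ALGO = {"aes-256-cbc": "aes256-cbc", "sha256": "sha256",
              "group14": "group14", "no-pfs": "none"}

PARAMS = ("ike_enc", "ike_integ", "ike_dh", "esp_enc", "esp_auth", "esp_pfs")


def _empty():
    p = dict.fromkeys(PARAMS)
    p["esp_pfs"] = "none"          # both vendors mean "no PFS" when nothing is set
    return p


def parse_cisco(text):
    """IKE SA and Child SA parameters from a Cisco IOS config fragment."""
    p, section = _empty(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto ikev2 proposal"):
            section = "ikev2"
        elif line.startswith("crypto ipsec transform-set"):
            section = None
            m = re.search(r"transform-set \S+ (esp-\S+ \d+) (esp-\S+)", line)
            if m:
                p["esp_enc"] = CISCO_ALGO.get(m.group(1))
                p["esp_auth"] = CISCO_ALGO.get(m.group(2))
        elif line.startswith("crypto ipsec profile"):
            section = "ipsec-profile"
        elif not raw.startswith(" "):
            section = None               # any other top-level command ends the section
        elif section == "ikev2":
            key, _, val = line.partition(" ")
            if key == "encryption":
                p["ike_enc"] = CISCO_ALGO.get(val)
            elif key == "integrity":
                p["ike_integ"] = CISCO_ALGO.get(val)
            elif key == "group":
                p["ike_dh"] = CISCO_ALGO.get(val)
        elif section == "ipsec-profile" and line.startswith("set pfs"):
            p["esp_pfs"] = CISCO_ALGO.get(line.split()[-1])
    return p


def parse_panos(text):
    """Same parameters from PAN-OS 'set network ike crypto-profiles ...' lines."""
    p = _empty()
    pat = re.compile(r"set network ike crypto-profiles (ike|ipsec)-crypto-profiles \S+ (.*)")
    for raw in text.splitlines():
        m = pat.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        tokens = rest.replace("[", " ").replace("]", " ").split()   # drop list brackets
        if kind == "ike":
            field = {"encryption": "ike_enc", "hash": "ike_integ", "dh-group": "ike_dh"}.get(tokens[0])
            if field:
                p[field] = PANOS_ALGO.get(tokens[1])
        elif tokens[:2] == ["esp", "encryption"]:
            p["esp_enc"] = PANOS_ALGO.get(tokens[2])
        elif tokens[:2] == ["esp", "authentication"]:
            p["esp_auth"] = PANOS_ALGO.get(tokens[2])
        elif tokens[0] == "dh-group":
            p["esp_pfs"] = PANOS_ALGO.get(tokens[1])
    return p


def mismatches(cisco, panos):
    """List of (parameter, cisco_value, panos_value) for every parameter that differs."""
    return [(k, cisco[k], panos[k]) for k in PARAMS if cisco[k] != panos[k]]


# Constructed sample configs (the page's values; the Cisco side has no 'set pfs').
CISCO_CFG = """\
crypto ikev2 proposal PROP-IKEv2
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-IKEv2
 proposal PROP-IKEv2
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-ESP
 set ikev2-profile PROF-IKEv2
"""
PANOS_CFG = """\
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO dh-group group14
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO hash [ sha256 ]
set network ike crypto-profiles ike-crypto-profiles PROF-IKE-CISCO encryption [ aes-256-cbc ]
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO esp encryption [ aes-256-cbc ]
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO esp authentication [ sha256 ]
set network ike crypto-profiles ipsec-crypto-profiles PROF-IPSEC-CISCO dh-group group14
"""

if __name__ == "__main__":
    for param, c, p in mismatches(parse_cisco(CISCO_CFG), parse_panos(PANOS_CFG)):
        print(f"MISMATCH {param}: cisco={c} panos={p}")
    # Adding 'set pfs group14' under the Cisco ipsec profile clears the only difference.
    fixed = CISCO_CFG + " set pfs group14\n"
    print("after fix:", mismatches(parse_cisco(fixed), parse_panos(PANOS_CFG)))
```

Run it against the real `show running-config` fragment and the output of `show config running` (or the `set` format) from the firewall before the first `test vpn ike-sa`; a non-empty list is the first thing to fix when IKE_SA_INIT fails. Lifetimes are not compared here because IKEv2 peers rekey independently of each other's lifetime.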
Verification & troubleshooting

🔵 Cisco IOS
show crypto ikev2 sa
show crypto ikev2 sa detail
show crypto ipsec sa
show interface Tunnel0
show ip route | i 192.168.2
ping 172.16.0.2 source 172.16.0.1
ping 192.168.2.1 source 192.168.1.1
debug crypto ikev2
debug crypto ipsec
no debug all

🔴 Palo Alto CLI
show vpn ike-sa gateway GW-CISCO-R1
show vpn ipsec-sa tunnel TUNNEL-CISCO-R1
show vpn flow name TUNNEL-CISCO-R1
show interface tunnel.1
show routing route
test vpn ike-sa gateway GW-CISCO-R1
test vpn ipsec-sa tunnel TUNNEL-CISCO-R1
tail follow yes mp-log ikemgr.log
tail follow yes mp-log ipsecmgr.log
✅ Cisco — Tunnel UP

show crypto ikev2 sa
→ State: READY

show crypto ipsec sa
→ #pkts encaps/decaps > 0

show interface Tunnel0
→ Tunnel0 is up, line protocol is up
✅ Palo Alto — Tunnel UP

show vpn ike-sa
→ IKEv2 Phase-1 SA: active

show vpn ipsec-sa
→ GW: active, State: active

GUI : Network › IPsec Tunnels
→ Green icon on TUNNEL-CISCO-R1
🔧 Quick troubleshooting

Phase 1 fails (IKE_SA_INIT): incompatible algorithms (proposal vs IKE Crypto Profile); UDP 500 blocked; wrong peer IP addresses
Phase 2 fails (IKE_AUTH): PSK differs between the two sides; identity problem (local/remote ID); wrong IPsec profile
Tunnel UP but ping impossible: ⚠️ on Palo Alto: missing Security Policy (Trust↔VPN); on Cisco: missing route or wrong tunnel source interface
Tunnel comes up then drops: incompatible lifetimes; DPD/keepalive; MTU (try MTU 1400 on Tunnel0 on the Cisco side)
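Added example (not part of the original page and not Cisco tooling): a Python triage helper that reads the Status column of `show crypto ikev2 sa` and the encaps/decaps counters of `show crypto ipsec sa` and maps them onto the failure modes listed above, so that "tunnel UP but ping impossible" is split into "nothing sent" (local route) versus "sent but nothing returned" (remote security policy or route). The sample outputs are constructed in the shape of IOS output with made-up counters; the one-way sample models the missing Trust↔VPN policy case.

```python
"""Triage a Cisco IOS IKEv2/IPsec tunnel from 'show' output.

Added example, not part of the original page and not Cisco tooling. It reads
the Status column of 'show crypto ikev2 sa' and the encaps/decaps counters of
'show crypto ipsec sa' and maps them onto the failure modes of the
quick-troubleshooting notes. The sample outputs below are constructed in the
shape of real IOS output, with made-up counters.
"""
import re

IKEV2_SA_OK = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          10.0.0.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1234 sec
"""

# Encrypted packets leave R1 but nothing comes back: the one-way pattern.
IPSEC_SA_ONE_WAY = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

# One SA row: tunnel-id, local, remote, fvrf/ivrf, then the Status word.
IKE_SA_ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+\S+\s+([A-Z_]+)", re.M)


def parse_ikev2_status(text):
    """Status of the first IKEv2 SA (e.g. 'READY'), or None when no SA is listed."""
    m = IKE_SA_ROW.search(text)
    return m.group(1) if m else None


def parse_ipsec_counters(text):
    """(encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def triage(ikev2_sa_text, ipsec_sa_text):
    """Map the two outputs onto one verdict plus the check to run next."""
    status = parse_ikev2_status(ikev2_sa_text)
    encaps, decaps = parse_ipsec_counters(ipsec_sa_text)
    if status is None:
        verdict, hint = "no-ike-sa", ("IKE_SA_INIT never completed: check UDP 500/4500 reachability, "
                                      "peer addresses and proposal vs IKE Crypto Profile")
    elif status != "READY":
        verdict, hint = "ike-not-ready", (f"IKE SA stuck in {status}: check the PSK on both sides "
                                          "and the local/remote identities")
    elif encaps == 0 and decaps == 0:
        verdict, hint = "no-traffic", ("SA up but nothing sent: check the route pointing into Tunnel0 "
                                       "and the tunnel source interface")
    elif decaps == 0:
        verdict, hint = "one-way", ("packets leave but none return: on the Palo Alto side check the "
                                    "Trust<->VPN security policy and the static route to the Cisco LAN")
    elif encaps == 0:
        verdict, hint = "receive-only", ("packets arrive but none are sent: check the Cisco route "
                                         "to 192.168.2.0/24 via Tunnel0")
    else:
        verdict, hint = "ok", "traffic flows in both directions"
    return {"ike_status": status, "encaps": encaps, "decaps": decaps,
            "verdict": verdict, "hint": hint}


if __name__ == "__main__":
    print(triage(IKEV2_SA_OK, IPSEC_SA_ONE_WAY))   # one-way: look at the firewall side
    print(triage("", IPSEC_SA_ONE_WAY))            # no IKE SA at all
```

Feed it the two `show` outputs captured a few seconds apart after a `ping 192.168.2.1 source 192.168.1.1`; counters that do not move between captures mean the same thing as zero for the verdict.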