+ Jorge Arredondo Dorantes IT Blog + How to Master Networking CCIE Devnet Programmabilty Automation: Palo Alto Networks on premise VPN Microsoft Azure issue solved

Hello networkers, If you are trying to set up an On Premise VPN using Palo Alto Networks with PAN-OS version prior to 7.1.4 you will be experiencing connectivity issues to Azure route-based VPN gateways.

After I was working with Azure Support, I got this working configuration. This will be your workaround in case you have older version from 7.1.4

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting, was set at 0 which means disabled)

Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 28800 seconds

Gateway:
Passive Mode: Enabled
NAT Traversal: Disabled

If have a newer version from 7.1.4 use:

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting, was set at 0 which means disabled)

Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 3600 seconds

Gateway:
Passive Mode: Disabled
NAT Traversal: Disabled

If you are still experiencing connectivity issues, open a support request from the Azure portal and they will help you.

Jorge Arredondo Dorantes

Network Engineer Instructor Consultant Architect CCIE DevNet certified, Internet entrepreneur and blogger.

* DEVELOPER Skills Python, REST APIs, JSON, XML, Linux Skills, Ansible, puppet, chef, github, docker, NETCONF/YANG, NFV

* SWITCHING Protocols Enterprise Load Sharing L2 (VLAN) design, DC Fabric Path design, Etherchannel, vPCs, multichassis etherchannel pagp lacp, VSS, L2 WAN PPP chap over ethernet, etc.

* ROUTING Protocols BGP OSPF MP-BGP MPLS VRF VPN Tunneling DMVPN, Advanced Routing Policies, Advanced IGP & BGP High Availability..

* ARCHITECTURE Design Cisco sales knowledge, backplane, Distributed / Centralized Control Plane, Data Plane Traffic Enginnering, Oversubscription and Density Best Practices, Infrastructure decision making for complex design, etc.

*IT Vendors such as Cisco Systems, Juniper, VMware, Citrix, HP Procurve, Avaya, Check Point, RedHat Linux, call manager, asterisk, IXIA, oracle and some others.

cisco systems networking tags

dmvpn * ipsec * vpn * L2 * L3 * vpls * mpls bgp ospf expert engineer ccie ccnp ccna routing switching certifications security voice data center service provider design enterprise best ways to tshoot networking less and efective time juniper huawei check point avaya blue coat call manager ips ids ip ios xr DMVPN IPSEC VPN L2 L3 VPLS MPLS BGP OSPF ENGINEER EXPERT CCIE CCNP CCNA CERTIFICATIONS SECURITY VOICE DATA CENTER SERVICE PROVIDER DESIGN ENTERPRISE BEST WAYS TO TSHOOT NETWORKING LESS AND EFECTIVE TIME JUNIPER CHECK POINT AVAYA BLUE COAT CALL MANAGER IPS IDS *

+ Jorge Arredondo Dorantes IT Blog + How to Master Networking CCIE Devnet Programmabilty Automation

Jorge Arredondo Dorantes

Palo Alto Networks on premise VPN Microsoft Azure issue solved

No comments:

Cisco Systems