IPSEC tunnel with Palo Alto firewall

I thought I’d share this experience I have just had with a tunnel from an HD4 to a Palo Alto firewall device.

On matching up settings I found the tunnel established no issue and no errors but traffic would not pass through the tunnel, various things were tried (usual NAT-T enable etc) but to no avail.

After some time and troubleshooting I found that changing the phase1 and 2 settings down resolved the issue despite the fact the tunnel came up with no errors (on both sides)

Originally I had the settings on AES-256-SHA256 (for phase 1 and 2), what I found was changing this on both sides to AES-128-SHA1 did the trick, no other changes made the tunnel re-established and could now pass traffic.

There seemed to be some kind of cross vendor mismatch with the encryption types at the higher level settings.


Very interesting, thanks for sharing!

1 Like