Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:vpn [2021/02/16 10:59] – created bstafford
+++ paloaltonetworks:configuration:vpn [2025/01/05 11:37] (current) – [VPN on PAN-OS] bstafford
@@ Line 5: / Line 5: @@
 AWS-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See [[https://layer77.net/2020/06/16/vpn-throughput-tests-palo-alto-vm-300-to-gcp/|this page]].)
+**MODP**
+  * Diffie-Hellman Group 1 (768-bit)
+  * Diffie-Hellman Group 2 (1024-bit)
+  * Diffie-Hellman Group 5 (1536-bit)
+  * Diffie-Hellman Group 14 (2048-bit)
+  * Diffie-Hellman Group 15 (3072-bit)
+**ECP**
+  * Diffie-Hellman Group 19 (256-bit random)
+  * Diffie-Hellman Group 20 (384-bit random)
+  * Diffie-Hellman Group 21 (521-bit random)
+===== AWS =====
+When configuring VPN tunnels between two PAN firewalls in AWS, the tunnels need to use Local ID as they are both behind NAT. PAN to AWS VPN GW doesn't need this however.
+===== Debug =====
+<code>debug ike gateway gatewayname on dump</code>
+<code>tail follow yes mp.log ike.log</code>
+<code>debug ike gateway gatewayname off</code>
+===== VPN Throughput =====
+For VM firewalls, Bi-directional throughput for traffic across IPsec tunnel is limited to 600 Mbps. This limitation is due PAN-OS architecture where each IPsec tunnel session is processed by only one core and each core encapsulate a maximum of 300 Mbps of traffic and decapsulate another 300 Mbps of traffic combining to get a bidirectional throughput of 600 Mbps.
+More details in [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP8rCAG|this article]].
+<code>show session info | match Throughput</code>