Don't enable replay protection unless it is required, as it reduces VPN throughput.
IKEv2 with DH group 14 (MODP) or 19 (ECP).
AES-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See this page.)
When configuring VPN tunnels between two PAN firewalls in AWS, the tunnels need a Local ID because both peers are behind NAT. A PAN to AWS VPN gateway tunnel does not need this, however.
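Added example (not from these notes or from Palo Alto Networks): a small Python lint that checks a tunnel profile against the recommendations above. The profile dict layout and the sample profiles are constructed for illustration and are not the PAN-OS configuration format.

```python
"""Lint simplified IKE/IPsec tunnel profiles against the tuning notes above."""

# Values taken from the notes: IKEv2, DH 14 (MODP) or 19 (ECP),
# AES-GCM-128 for throughput, replay protection off unless required.
RECOMMENDED_DH = {14, 19}
RECOMMENDED_ENC = "aes-128-gcm"
WEAK_HASHES = {"sha1", "md5"}


def lint_profile(profile, replay_required=False):
    """Return a list of (severity, message) findings for one tunnel profile.

    `profile` is a constructed dict (assumption, not PAN-OS's own format) with
    keys: ike_version, dh_group, encryption, hash, replay_protection,
    peer_behind_nat, local_id.
    """
    findings = []
    if profile.get("ike_version") != "ikev2":
        findings.append(("high", f"IKE version {profile.get('ike_version')!r}; use IKEv2"))
    dh = profile.get("dh_group")
    if dh not in RECOMMENDED_DH:
        findings.append(("medium", f"DH group {dh}; use 14 (MODP) or 19 (ECP)"))
    enc = profile.get("encryption")
    if enc != RECOMMENDED_ENC:
        findings.append(("low", f"encryption {enc!r}; {RECOMMENDED_ENC} gives best throughput"))
    if profile.get("hash") in WEAK_HASHES:
        findings.append(("high", f"hash {profile['hash']!r} is weak; use sha256"))
    if profile.get("replay_protection") and not replay_required:
        findings.append(("info", "replay protection enabled but not required; costs throughput"))
    if profile.get("peer_behind_nat") and not profile.get("local_id"):
        findings.append(("high", "peer behind NAT but no Local ID set; NATed PAN peers need one"))
    return findings


# Constructed sample profiles: one matching the notes, one deviating on every point.
GOOD_PROFILE = {"ike_version": "ikev2", "dh_group": 19, "encryption": "aes-128-gcm",
                "hash": "sha256", "replay_protection": False,
                "peer_behind_nat": True, "local_id": "fw-a.example"}
WEAK_PROFILE = {"ike_version": "ikev1", "dh_group": 2, "encryption": "aes-256-cbc",
                "hash": "sha1", "replay_protection": True,
                "peer_behind_nat": True, "local_id": None}

if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, lint_profile(prof))
```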
To capture IKE negotiation detail for a gateway, turn on the debug, follow the IKE manager log, then turn the debug off again:
debug ike gateway gatewayname on dump
tail follow yes mp-log ikemgr.log
debug ike gateway gatewayname off
For VM firewalls, bidirectional throughput for traffic across an IPsec tunnel is limited to 600 Mbps. This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core; each core encapsulates at most 300 Mbps of traffic and decapsulates another 300 Mbps, giving a combined bidirectional throughput of 600 Mbps.
More details in this article.
Check the current throughput counters with:
show session info | match Throughput