
This is an old revision of the document!



VPN on PAN-OS

Don't enable replay protection unless required as it impacts VPN throughput performance.

Use IKEv2 with DH group 14 or 19.

AES-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See this page.)

AWS

When configuring VPN tunnels between two PAN firewalls in AWS, the tunnels need to use Local ID, as both firewalls are behind NAT. A tunnel from a PAN firewall to an AWS VPN gateway doesn't need this, however.

Debug

debug ike gateway gatewayname on dump
tail follow yes mp-log ikemgr.log
debug ike gateway gatewayname off