Configuring IPSEC between Palo Alto and Cisco routers in a way that is easy to remember

IPSEC VPN configuration between Palo Alto and Cisco routers


VPN specifications:

Phase 1:

Encryption: 3des

Hash: md5

Pre-shared key: 123456

DH group 2

Lifetime: 28800 seconds

Phase 2:

Encryption: esp-3des

Hash: md5

PFS group 2

IP tunnel:

Palo Alto:


Palo Alto configuration:

Everything is done within these menus:

First, go to IKE Crypto:

Select Add and fill in the Phase 1 parameters as planned

Next, go to IPSec Crypto:

Select Add and fill in the Phase 2 parameters

Next, go to IKE Gateways

Select Add and fill in the WAN IP parameters, the remote end…

Create a tunnel to carry the VPN traffic

Finally, go to “IPSec Tunnel” and reference the tunnel created above

Select Add

Add a route to the remote LAN range via the tunnel (in the virtual router)



On the Cisco side:

Configure a route-based VPN (create a tunnel interface and encrypt it)

Phase 1:

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key 123456 address

Phase 2:

crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel

crypto ipsec profile HAI_PS
 set transform-set TS
 set pfs group2


! create the tunnel

interface tunnel 0
 ip address
 tunnel source
 ! Palo Alto uses IPsec tunnel mode, so it has to be declared here to match
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile HAI_PS

ip route tunnel 0


On the Palo Alto, go to IPSec Tunnel; if the status shows green, it is working.

On the Cisco side:

Run show crypto session. If you see “UP-ACTIVE”, the tunnel is up. If you don’t see it, try pinging between the two LANs and it should come up. If it still does not, check whether the parameters match on both sides.
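
The last step above, checking whether the parameters match, can be done mechanically. The following is an added example, not part of the original post: Python that pulls the Phase 1 and Phase 2 values out of pasted IOS configuration text, compares them with the planned proposal, and lists which planned values use legacy algorithms or DH groups. The sample configuration, its deliberate "group 5" mismatch, the function names and the LEGACY lists are assumptions of this example.

```python
import re

# Planned proposal from the "VPN specifications" section (values entered on the Palo Alto side).
PLANNED = {"p1_enc": "3des", "p1_hash": "md5", "p1_group": "2", "p1_lifetime": "28800",
           "p2_transform": "esp-3des esp-md5-hmac", "p2_pfs": "2"}

# Constructed router-side sample; "group 5" is a deliberate mismatch for the demonstration.
SAMPLE_IOS = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile HAI_PS
 set transform-set TS
 set pfs group2
"""

# One pattern per negotiated parameter, anchored to the start of a configuration line.
PATTERNS = {
    "p1_enc": r"^[ \t]*encr(?:yption)?[ \t]+(.+?)[ \t]*$",
    "p1_hash": r"^[ \t]*hash[ \t]+(\S+)",
    "p1_group": r"^[ \t]*group[ \t]+(\d+)",
    "p1_lifetime": r"^[ \t]*lifetime[ \t]+(\d+)",
    "p2_transform": r"^crypto ipsec transform-set[ \t]+\S+[ \t]+(.+?)[ \t]*$",
    "p2_pfs": r"^[ \t]*set pfs group[ \t]*(\d+)",
}

# Assumption of this example: values commonly classed as legacy for IKE/IPsec.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_GROUPS = {"1", "2", "5"}

def parse_ios(config):
    """Extract the first Phase 1 / Phase 2 values found in pasted IOS configuration text."""
    hits = {k: re.search(p, config, re.MULTILINE | re.IGNORECASE) for k, p in PATTERNS.items()}
    return {k: m.group(1).lower() for k, m in hits.items() if m}

def mismatches(planned, config):
    """Map parameter -> (planned, found); found is None when the line is absent from the text."""
    actual = parse_ios(config)
    return {k: (v, actual.get(k)) for k, v in planned.items() if actual.get(k) != v}

def legacy_settings(params):
    """Sorted names of parameters whose value is a legacy algorithm or DH group."""
    return sorted(k for k, v in params.items() if
                  (v in LEGACY_GROUPS if k in ("p1_group", "p2_pfs") else set(v.split()) & LEGACY))
```

A value reported as None means the line was not in the pasted text, which on IOS can also mean the setting is at its default and therefore hidden from the running configuration.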