IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

I am using exactly the same lab environment as in my last blogpost. Please refer to it for any details about the IP addressing scheme, etc. I am still running at PAN-OS version 8.0.3 and FortiOS v5.4.5, build1138.

To use IKEv2 for an IPsec VPN tunnel you must only change the phase 1 settings on both endpoints, such as shown in the following screenshots for the Palo Alto Networks as well as for the Fortinet firewall:

For the sake of completeness here is my Fortinet configuration in CLI mode. It also shows the two default routes as well as the two VPN routes:

 

After committing the changes and some initial traffic the VPN tunnel comes up. The Palo GUI shows the “IKEv2” mode while the Fortinet does not list the used mode:

The CLI outputs from both firewalls changed a bit compared to the IKEv1 output. For example, the Palo lists the “Child SAs” in the ike-sa detail part and the “traffic selectors” in the vpn flow. Formerly they were called “proxy-id”.

Here are some outputs from the Palo Alto:

And this are the outputs from the FortiGate. Note that there seems to be a bug for the  get vpn ike gateway command because it resulted in a closed PuTTY session after hundreds of lines! Have a look at the lines 23-37 which I only listed four times here:

Ciao.

Featured image: “In die Röhre gucken” by Silke is licensed under CC BY-ND 2.0.

One thought on “IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

Leave a Reply

Your email address will not be published. Required fields are marked *