The purpose of this article is to demonstrate how to configure an IPSec VPN using IKEv2 with pre-shared keys between a Cisco ASA and a Palo Alto Firewall. This article includes a detailed video and step-by-step instructions on how to accomplish this.


Palo Alto Firewall 8.1

Configure Address Objects

Configure Tunnel Interface
Network>Interfaces>Tunnel tab>Add

Configure IKE Crypto Profile
Network>Network Profiles>IKE Crypto>Add
Configure IKE Gateway
Network>Network Profiles>IKE Gateway>Add
Configure IPSec Crypto Profile
Network>Network Profiles>IPSec Crypto>Add
Configure IPSec Tunnel
Network>IPSec Tunnels>Add

Configure Routing
Network>Virtual Routers>default>Add

Configure Security Policy

Cisco ASA Firewall 9.9(1)

Configure interesting traffic ACL

access-list VPN-PALO-1 extended permit ip

Configure IKEv2 Policy

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800

Configure IPSec Proposal

crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-256

Configure Crypto Map

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 match address VPN-PALO-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set peer
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set security-association lifetime seconds 28800
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 interface OUTSIDE

Configure Group Policy

group-policy internal
group-policy attributes
 vpn-tunnel-protocol ikev2

Configure Tunnel Group

tunnel-group type ipsec-l2l
tunnel-group general-attributes
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key key123
 ikev2 local-authentication pre-shared-key key123
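A tunnel that will not come up between these two platforms is most often a proposal mismatch (the ASA's IKEv2 policy or IPsec proposal shares no algorithm, DH group or lifetime with the PAN-OS crypto profile) or a weak algorithm left in one side's profile. The following check, written for this article and not taken from either vendor, parses the ASA blocks shown above and compares them with the values chosen in the PAN-OS IKE Crypto and IPSec Crypto profiles; the `PANOS` dictionary and its key names are an assumed representation of what was entered in the GUI, not a PAN-OS API.

```python
# Constructed input: the article's ASA IKEv2 policy and IPsec proposal, plus an assumed
# dict of the PAN-OS profile selections (key names are this example's, not a vendor API).
ASA_CONFIG = """crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""
PANOS = {"ike": {"encryption": {"aes-256-cbc"}, "authentication": {"sha256"},
                 "dh_group": {"group20"}, "lifetime_seconds": {28800}},
         "ipsec": {"encryption": {"aes-256-cbc"}, "authentication": {"sha256"}}}
# ASA keyword -> PAN-OS spelling, and the algorithms a reviewer should flag on either side.
NORMALIZE = {"aes-256": "aes-256-cbc", "aes-192": "aes-192-cbc", "aes": "aes-128-cbc",
             "sha-256": "sha256", "sha": "sha1"}
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

def parse_asa(config):
    """Return {'ike': {...}, 'ipsec': {...}}; every value is a set so multi-value lines work."""
    out, cur = {"ike": {}, "ipsec": {}}, None
    for line in config.splitlines():
        if line.startswith("crypto ikev2 policy"):
            cur = out["ike"]
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            cur = out["ipsec"]
        elif cur is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["protocol", "esp"]:   # proposal lines carry this prefix
                words = words[2:]
            key, vals = words[0], words[1:]
            if key in ("encryption", "integrity"):
                cur["authentication" if key == "integrity" else key] = {NORMALIZE.get(v, v) for v in vals}
            elif key == "group":
                cur["dh_group"] = {"group" + v for v in vals}
            elif key == "lifetime":                # 'lifetime seconds N'; the prf line is ignored
                cur["lifetime_seconds"] = {int(vals[1])}
    return out

def audit(asa_config, panos):
    """List phase/field pairs where the peers share no value, plus any weak algorithm."""
    findings = []
    for phase, fields in parse_asa(asa_config).items():
        for field, asa_vals in fields.items():
            pan_vals = panos[phase].get(field, set())
            if not asa_vals & pan_vals:
                findings.append(f"{phase} {field}: no common value {sorted(asa_vals)} vs {sorted(pan_vals)}")
            findings += [f"{phase} {field}: weak {v}" for v in sorted((asa_vals | pan_vals) & WEAK)]
    return findings
```

An empty result from `audit(ASA_CONFIG, PANOS)` means every phase has at least one algorithm, group and lifetime in common, which is the condition the IKEv2 negotiation in this setup needs.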