
Palo Alto Firewall Site to Site VPN Configuration Secrets Revealed

2.0K views· 46 likes· 25:19· Jul 6, 2025


Join this channel to get access to perks: https://www.youtube.com/channel/UCBujQdd5rBRg7n70vy7YmAQ/join

Please check out my new video on how NAT-T works with traffic flow in detail and what the difference is between IKEv1 and IKEv2. If you like this video, give it a thumbs up and subscribe to my channel for more videos. If you have any questions, put them in the comment section.

Recommended video: https://youtu.be/xGfi4WgThMA
Recommended link (playlist for EVE-NG lab setup): https://www.youtube.com/playlist?list=PLaUiizP3D7fPMmUQqS5QKX_FVSoMP68Z5
Palo Alto certification information URL: https://www.paloaltonetworks.com/services/education
Palo Alto documentation: https://docs.paloaltonetworks.com/

Please follow me
Instagram: https://www.instagram.com/bikashtech
Twitter: https://twitter.com/Bikashshaw82
E-mail ID: bikashshaw261@gmail.com

#Paloaltotraining #bikashtech #paloaltofirewalltraining #paloaltonetworks #paloaltotraining #paloaltovpn #vpn #ike #ipsec

About This Video

Hello friends, welcome back to my PCNSA series—this is day 40, and in this video I’m doing a fully lab-oriented Site-to-Site IPsec VPN configuration on Palo Alto. Before jumping into the lab, I’m assuming you have already watched my VPN foundation videos, where I explained algorithms, negotiation, and how phase 1 and phase 2 work. Here I take an easy topology (two sites, LAN subnets, public IPs, and an ISP in between) and show you the exact flow I follow in real deployments, so you can repeat it in your own lab and in real-world scenarios. I start from the basics: hostname, Layer 3 interfaces, zones (inside/outside), IP addressing, and, very importantly, a default route towards the ISP on both firewalls. Then I build phase 1 using an IKE Crypto profile (I use the default for simplicity), create the IKE Gateway with the peer IP and pre-shared key, and explain options like passive mode, NAT traversal use cases, main mode, and dead peer detection. After that, I configure phase 2 with an IPsec tunnel, bind it to a tunnel interface, define Proxy IDs (which subnets to encrypt), add static routes to send private traffic via the tunnel, and finally create bidirectional security policies. To verify, I generate ping traffic and show where to check phase 1 status, phase 2 status, and encapsulation/decapsulation counters to confirm that encryption and decryption are happening both ways.
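The same build order, written out as PAN-OS `set` commands for the Site A firewall, as an added example that is not the video's own configuration or Palo Alto Networks' documentation. All names, addresses and the pre-shared key are constructed for the example (Site A LAN 10.1.1.0/24 behind public IP 203.0.113.1, Site B LAN 10.2.2.0/24 behind 198.51.100.1, ISP next hop 203.0.113.254, zone names INSIDE/OUTSIDE/VPN), and the object names `GW-SITE-B`, `VPN-SITE-B`, `PID-1`, `DEFAULT`, `TO-SITE-B` and the rule names are assumptions; Site B mirrors it with the addresses swapped. The exact keyword paths are written from memory of the PAN-OS configure-mode CLI and should be checked against the version you run.

```text
# --- Step 1: Layer 3 interfaces, zones, addressing, default route to ISP ---
configure
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.1/24      # outside (public)
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/24         # inside (LAN)
set network interface tunnel units tunnel.1                              # logical tunnel interface for phase 2
set zone OUTSIDE network layer3 ethernet1/1
set zone INSIDE  network layer3 ethernet1/2
set zone VPN     network layer3 tunnel.1                                  # separate zone keeps policy explicit
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
set network virtual-router default routing-table ip static-route DEFAULT destination 0.0.0.0/0 nexthop ip-address 203.0.113.254 interface ethernet1/1

# --- Step 2: Phase 1 (IKE gateway, IKEv1 main mode, default IKE crypto profile as in the lab) ---
set network ike gateway GW-SITE-B local-address interface ethernet1/1
set network ike gateway GW-SITE-B peer-address ip 198.51.100.1
set network ike gateway GW-SITE-B authentication pre-shared-key key CONSTRUCTED-EXAMPLE-PSK-CHANGE-ME
set network ike gateway GW-SITE-B protocol ikev1 ike-crypto-profile default
set network ike gateway GW-SITE-B protocol ikev1 exchange-mode main
set network ike gateway GW-SITE-B protocol ikev1 dpd enable yes              # dead peer detection
set network ike gateway GW-SITE-B protocol-common nat-traversal enable yes   # only needed if a NAT device sits between peers
set network ike gateway GW-SITE-B protocol-common passive-mode no            # "yes" makes this side wait for the peer to initiate

# --- Step 3: Phase 2 (IPsec tunnel bound to tunnel.1, proxy IDs = interesting traffic) ---
set network tunnel ipsec VPN-SITE-B auto-key ike-gateway GW-SITE-B
set network tunnel ipsec VPN-SITE-B auto-key ipsec-crypto-profile default
set network tunnel ipsec VPN-SITE-B tunnel-interface tunnel.1
set network tunnel ipsec VPN-SITE-B auto-key proxy-id PID-1 local 10.1.1.0/24 remote 10.2.2.0/24 protocol any

# --- Step 4: Static route sends the remote LAN into the tunnel ---
set network virtual-router default routing-table ip static-route TO-SITE-B destination 10.2.2.0/24 interface tunnel.1

# --- Step 5: Bidirectional security policy, scoped to the two LAN subnets only ---
set rulebase security rules LAN-TO-SITE-B from INSIDE to VPN source 10.1.1.0/24 destination 10.2.2.0/24 application any service application-default action allow log-end yes
set rulebase security rules SITE-B-TO-LAN from VPN to INSIDE source 10.2.2.0/24 destination 10.1.1.0/24 application any service application-default action allow log-end yes
commit
exit

# --- Step 6: Verification (operational mode), run after generating ping traffic between the LANs ---
show vpn ike-sa gateway GW-SITE-B      # phase 1: state should show established
show vpn ipsec-sa tunnel VPN-SITE-B    # phase 2: an SA with the matching proxy IDs
show vpn flow name VPN-SITE-B          # encap/decap packet and byte counters; both must increase
test vpn ike-sa gateway GW-SITE-B      # force a phase 1 negotiation when nothing is up yet
test vpn ipsec-sa tunnel VPN-SITE-B    # force a phase 2 negotiation
```

Two points worth checking in a real deployment rather than a lab: the `default` IKE and IPsec crypto profiles are used here only because the video does, so review the algorithms and DH group they select and create a dedicated profile where policy requires it; and keep the proxy IDs and both security rules scoped to the exact subnets, since an `any`/`any` rule in the VPN zone would extend the remote site's reach into the LAN far beyond what the tunnel was built for. If `show vpn flow` shows encapsulation rising on one side but decapsulation flat on the other, the usual culprits are a proxy-ID mismatch or a missing static route on the peer.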

