Name: #paloaltofirewalltraining | Day 38| Palo Alto Site-to-Site VPN Explained in Detail
Uploaded: 2025-06-22 19:30:04
Duration: 14 min 41 s

Question 1

How does a Palo Alto site-to-site VPN tunnel get established (Phase 1 vs Phase 2)?

Accepted Answer

In my explanation, Phase 1 is purely for key exchange and identity verification, and Phase 2 is for the actual data encryption. First the devices negotiate policies and build the secure foundation, then Phase 2 decides how your traffic will be encrypted and authenticated. Think like this: Phase 1 creates the tunnel keys, Phase 2 uses them to protect the data going through the tunnel.

Question 2

What is IKE or ISAKMP in Palo Alto VPN, and are they different?

Accepted Answer

IKE and ISAKMP are basically used to represent the same negotiation concept, but you’ll see different terms in different places. In this video I keep it simple: it’s the Phase 1 negotiation process where both sides agree on algorithms, exchange DH keys, and authenticate each other. The goal is to build the secure association before data starts flowing.

Question 3

Main Mode vs Aggressive Mode in IKE: what is the difference?

Accepted Answer

Main Mode has 6 messages and Aggressive Mode has 3 messages during Phase 1. In real industry, mostly Main Mode is used, not Aggressive Mode. Also in Main Mode, the first four messages are clear text in capture, and the 5th and 6th become encrypted.

Question 4

Why do I get “no matching policy” during IKE Phase 1?

Accepted Answer

This happens when the initiator sends its supported encryption, hashing, authentication, and DH proposals, and the responder doesn’t find a match in its configured IKE policy. If the algorithms don’t align, the responder will reject it. That’s why I always tell you to verify both sides have the same compatible proposals.

Question 5

What is Diffie-Hellman doing in Phase 1 of a site-to-site VPN?

Accepted Answer

Diffie-Hellman generates a private key and public key on both sides, then the public keys are exchanged. After calculation, both sides derive the same shared key value. That shared key is then used to encrypt the authentication exchange (pre-shared key or certificate) so the identity check is protected.

Question 6

What is PFS (Perfect Forward Secrecy) in Phase 2 and do I need it?

Accepted Answer

PFS means you enable DH again in Phase 2, so a fresh key is generated for the data phase instead of relying only on Phase 1 derived keys. DH in Phase 2 is optional, but if you want extra security, you enable it. The idea is: even if Phase 1 key is compromised, Phase 2 can still have a new key.

Question 7

What is VPN rekey and why is it important?

Accepted Answer

Rekey is important because keys are breakable over time—every algorithm has some time window where attackers can try to crack it. So we set lifetimes (like 8 hours, 24 hours, etc.) and new keys get generated before someone can realistically crack the existing key. And as I mentioned, rekey happens continuously and there is no user impact during the rekey process.

#paloaltofirewalltraining | Day 38| Palo Alto Site-to-Site VPN Explained in Detail

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech