Name: #paloaltofirewalltraining | Day 41 | Configure Ikev2 with Wireshek Detailed analysis
Uploaded: 2025-07-13 19:30:03
Duration: 14 min 7 s

Question 1

How do I configure an IKEv2 site-to-site VPN on Palo Alto firewall?

Accepted Answer

In my lab, I configure the IKE Crypto (Phase 1) policy, then create the IKE Gateway where I set the peer IP, pre-shared key, and select my outside interface (ethernet1/2). The main change is selecting IKE version 2 in the gateway. After that I create the IPsec tunnel with Auto Key and bind it to the IKE gateway, then define Proxy IDs (local and remote subnets) and commit on both sides.

Question 2

What is the difference between IKEv1 and IKEv2 message exchange?

Accepted Answer

In this video I show it using Wireshark: IKEv2 uses fewer messages to establish the tunnel. IKEv2 completes the setup in fewer exchanges, and after the initial messages the negotiation becomes encrypted. Compared to IKEv1 where you see more messages overall, IKEv2 is faster and more strengthened from a security point of view.

Question 3

How can I verify if my IKEv2 IPsec tunnel is up on Palo Alto?

Accepted Answer

I verify it from the firewall GUI under Network > IPsec, where you can see the tunnel and the mode as IKEv2. Then I generate traffic (like ping) and confirm encapsulation and decapsulation counters are increasing. If both sides can ping across the subnets, the tunnel is working end-to-end.

Question 4

How do I capture and analyze IKEv2 in Wireshark for Palo Alto VPN troubleshooting?

Accepted Answer

I capture traffic on the outside interface (in my case ethernet1/2 connected to ISP) and then filter for IKE/IPsec related packets. In the capture, you can see the initial negotiation and then the ESP traffic once data starts flowing. I also show that after the early exchange, the rest of the negotiation becomes encrypted, so you won’t see readable payload like a normal UDP stream.

Question 5

What settings do I need to change to move from IKEv1 to IKEv2 on Palo Alto?

Accepted Answer

Because I’m using the same topology and same base config, the change is minimal. The key thing is selecting IKE version 2 in the IKE Gateway configuration. Everything else—policies, tunnel, proxy IDs—stays very similar, you just ensure both peers match.

Question 6

What are Proxy IDs in Palo Alto IPsec and what did you use in this lab?

Accepted Answer

Proxy IDs are where I define the local and remote subnets that should be protected by the tunnel. In my example, one side is 10.x and the other side is 20.x, so I configure 10-to-20 on one firewall and 20-to-10 on the other. I keep protocol as any because I control what’s allowed using security policies.

Question 7

Do I need security policies for site-to-site VPN traffic on Palo Alto?

Accepted Answer

Yes, you still need security policies to allow traffic between the zones/subnets across the tunnel. In my lab I created policies both ways because traffic can be initiated from site1 to site2 and from site2 to site1. In a real environment you should be restrictive and only allow what the business actually needs.

#paloaltofirewalltraining | Day 41 | Configure Ikev2 with Wireshek Detailed analysis

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech