“Static Routing = Policy-based<\/em><\/p>\n Dynamic Routing = Route-based<\/em>”<\/p>\n Palo Alto PA500, using software PANos 7.1.2<\/p>\n <\/p>\n Azureside setup as IKEv2 policy based, routing each spesific net to each location (gw), seperate PSK keys for each site.<\/p>\n Step 1, create tunnel interface, assign interface to correct vr and sec zone<\/p>\n Step 2 create IP sec tunnel<\/p>\n bind to tunnel, create new IKE gateway<\/p>\n Step 3,<\/p>\n Setup IKEv2 only mode, bind to interface . Static ip for Azure GW, and preshared key (provided by azure setup)<\/p>\n step 4<\/p>\n I found out that not enabling passive mode worked best for this VPN.<\/p>\n Create new IKE Crypto profile,<\/p>\n Step 5<\/p>\n Azure allows a lot of IKE ciphers, but this one seems to be stable<\/p>\n DHgroup 2, AES-256-cbc, SHA1, keylife 28800 secs<\/p>\n Step 6 Create IPsec crypto profile<\/p>\n Here’s where it gets interesting, according to the samples you should use ESP DHgrp2 AES-252cbc and sha1<\/p>\n And that works. For a while… then the tunnel goes down and never comes up again by itself.<\/p>\n Using this setup<\/p>\n ESP, NO-PFS, aes-256cbc,3des,aes-128-cbc, sha1 and lifetime 3600secs<\/p>\n seems to work the best.<\/p>\n Then the result should look something like this:<\/p>\n step 7<\/p>\n Since we use static routing we\u00a0 simply route the whole \/16 net to the tunnelinterface we created<\/p>\n![\"2\"](\"http:\/\/wp.12p.no\/wp-content\/uploads\/2016\/05\/2.png\")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n