CloudEOS and vEOS and Palo Alto Firewall VM Pairing (VTI IPsec Tunnel)

Running Configuration for CloudEOS and vEOS1

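The following example shows a VTI IPsec tunnel between a CloudEOS and vEOS router instance and a third-party Palo Alto firewall VM router instance. For the tunnel to establish, both peers must be configured with the same pre-shared key and with IKE and IPsec proposals (integrity, encryption, DH group, lifetime) that they have in common, so compare the two listings value by value before deploying them.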

! IPsec settings for the CloudEOS/vEOS side of the tunnel; the peer is 1.0.0.2 (see Tunnel1).
ip security
! IKE policy: SHA-256 integrity and DH group 15. No encryption algorithm or IKE version is
! set here, so the platform defaults apply -- confirm both against the peer.
! NOTE(review): the Palo Alto profile veos12-IKE-Phase1 on this page lists sha512 / group20,
! which differs from these values; verify that the two sides actually share a proposal.
ike policy ikebranch1
integrity sha256 
dh-group 15
!
! SA policy: lifetime 2 (presumably hours, matching the 2-hour lifetime in
! veos12-IPSEC-Phase2 -- confirm) with PFS on DH group 14.
! NOTE(review): the Palo Alto profile veos12-IPSEC-Phase2 shows dh-group group20, not group 14.
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
! Profile hq binds the IKE and SA policies above to a pre-shared key and dead-peer detection.
profile hq
ike-policy ikebranch1 
sa-policy sabranch1 
connection add
! Sample pre-shared key, shown in clear text. In a real deployment use a unique, randomly
! generated key and keep it out of shared documentation, tickets and screenshots.
shared-key keyAristaHq 
! Dead-peer detection with values 10 and 50 and action "clear"
! (presumably interval and timeout in seconds -- confirm against the EOS command reference).
dpd 10 50 clear
!
! Routed interface whose address (1.0.0.1) is used as the tunnel source below.
interface Ethernet1 
no switchport
ip address 1.0.0.1/24
!
interface Management1 
ip address dhcp
!

! IPsec VTI protected by profile hq, sourced from 1.0.0.1 toward 1.0.0.2.
! 1.0.3.1 is also the destination-ip that the Palo Alto tunnel monitor on this page probes.
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec 
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!

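Running Configuration on Palo Alto Firewall VM

The listing below is an excerpt of the firewall configuration in JSON form, not a complete document. The gateway is set to "ikev2-preferred" and carries an IKEv1 block, so negotiation can fall back to IKEv1; where both peers support IKEv2, restricting the gateway to IKEv2 only avoids that fallback. The "key" value is the firewall's stored form of the pre-shared key and should be handled as a secret, like the key itself.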

"ike": {
 "crypto-profiles": {
"ike-crypto-profiles": [
 {
"@name": "veos12-IKE-Phase1",
"hash": {
 "member": "sha512"
},
"dh-group": {
 "member": "group20"
},
"encryption": {
 "member": "aes-256-cbc"
},
"lifetime": {
 "hours": "8"
}
 }
]

 "ipsec-crypto-profiles": [
 {
"@name": "veos12-IPSEC-Phase2",
"esp": {
 "authentication": {
"member": "sha256"
 },
 "encryption": {
"member": "aes-256-cbc"
 }
},
"lifetime": {
 "hours": "2"
},
"dh-group": "group20"
 }

"gateway": {
"entry": {
 "@name": "veos12-IKE-Gateway",
 "authentication": {
"pre-shared-key": {
 "key": "-AQ==ocHnGzxJ4JVLomPyHuZNlg84S7I=BCiu0HIvFeFOSQOx/gmhNQ=="
}
 },
 "protocol": {
"ikev1": {
 "dpd": {
"enable": "yes",
"interval": "100",
"retry": "100"
 },
 "ike-crypto-profile": "veos12-IKE-Phase1"
},
"ikev2": {
 "dpd": {
"enable": "yes"
 },
 "ike-crypto-profile": "veos12-IKE-Phase1"
},
"version": "ikev2-preferred"
 }

 "tunnel": {
 "ipsec": {
"entry": {
 "@name": "veos12-IPSEC-Tunnel",
 "auto-key": {
"ike-gateway": {
 "entry": {
"@name": "veos12-IKE-Gateway"
 }
},
"ipsec-crypto-profile": "veos12-IPSEC-Phase2"
 },
 "tunnel-monitor": {
"enable": "yes",
"destination-ip": "1.0.3.1",
"tunnel-monitor-profile": "Test"
 },
 "tunnel-interface": "tunnel.1",
 "disabled": "no"
}
 }
}
 }