
PCNSE: Troubleshooting Policy-Based VPN Connection Issues

Discover the key configuration aspect to verify when phase two of a policy-based VPN connection fails to establish – the Proxy-IDs, which define the specific traffic to be encrypted and sent through the VPN tunnel.

Question

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions

Answer

C. Proxy-IDs

Explanation

If phase two of a VPN connection fails to establish when using a policy-based VPN configuration, the engineer should verify the Proxy-IDs.

In a policy-based VPN configuration, Proxy-IDs play a crucial role in defining the specific traffic that should be encrypted and sent through the VPN tunnel. They specify the source and destination IP addresses, protocols, and ports that the VPN tunnel should protect.

If the Proxy-IDs are misconfigured or do not match between the two VPN peers, phase two of the VPN negotiation, which is responsible for establishing the IPsec Security Association (SA) and defining the encryption and authentication algorithms, will fail.

To resolve the issue, the engineer should review the Proxy-IDs on both VPN peers and ensure they are configured correctly. The Proxy-IDs must match precisely, with one peer's local and remote selectors mirroring the other's, for the VPN tunnel to be established successfully.

By verifying and correcting any mismatches in the Proxy-ID configurations, the engineer can resolve the phase two VPN connection issue and establish a successful VPN tunnel between the two peers.
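As an added example (not from this page or from Palo Alto Networks), the following Python checker compares one peer's Proxy-ID list against the other's, mirroring local and remote on the second peer and normalizing subnets, and reports every entry that has no exact counterpart. The ProxyId layout and the sample entries are constructed for illustration; the second sample entry deliberately uses a /16 on one side and a /24 on the other.

```python
import ipaddress
from typing import NamedTuple


class ProxyId(NamedTuple):
    """One Proxy-ID entry as configured on a peer (constructed layout)."""
    local: str        # local subnet, CIDR
    remote: str       # remote subnet, CIDR
    protocol: str     # "any", "tcp", "udp" or a protocol number as text
    local_port: int   # 0 means any port
    remote_port: int  # 0 means any port


def normalize(pid: ProxyId) -> tuple:
    """Canonical form so 10.1.0.1/24 and 10.1.0.0/24 compare equal."""
    return (
        str(ipaddress.ip_network(pid.local, strict=False)),
        str(ipaddress.ip_network(pid.remote, strict=False)),
        pid.protocol.lower(),
        pid.local_port,
        pid.remote_port,
    )


def mirror(pid: ProxyId) -> tuple:
    """The peer's local is our remote and vice versa (ports likewise)."""
    loc, rem, proto, lport, rport = normalize(pid)
    return (rem, loc, proto, rport, lport)


def find_mismatches(ours, theirs):
    """Return (our entries with no mirrored match, their entries with none)."""
    ours_set = {normalize(p) for p in ours}
    theirs_set = {mirror(p) for p in theirs}
    return sorted(ours_set - theirs_set), sorted(theirs_set - ours_set)


# Constructed sample: the peer's second entry uses a /16 where we use a /24,
# so that traffic selector will never agree during phase two.
OURS = [
    ProxyId("10.1.0.0/24", "192.168.5.0/24", "any", 0, 0),
    ProxyId("10.2.0.0/24", "192.168.5.0/24", "tcp", 0, 443),
]
THEIRS = [
    ProxyId("192.168.5.0/24", "10.1.0.0/24", "any", 0, 0),
    ProxyId("192.168.5.0/24", "10.2.0.0/16", "tcp", 443, 0),
]

if __name__ == "__main__":
    print(find_mismatches(OURS, THEIRS))
```

Any entry reported on either side is a selector the peers will not agree on, so fixing those is the first step before looking at crypto profiles or policy.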
