[{"content":"If you\u0026rsquo;ve ever needed to set up a GRE-over-IPSec tunnel between a Palo Alto firewall and a Cisco router, you\u0026rsquo;ve probably noticed the documentation is thin on the ground — especially when it comes to interoperability between the two platforms. I recently went through this exercise between a PA-VM (PAN-OS 11.2.5) and a Cisco CSRv-8000 (IOS-XE 17.16.1a) and learned some things the hard way.\nThe Goal #Replicate a production pattern where a customer device connects to a target router using GRE tunnels encapsulated inside IPSec — the same architecture used in financial trading networks where encrypted, routed tunnels carry sensitive traffic between sites.\nThe reference design uses:\nIPSec as the outer encryption layer (ESP, transport mode) GRE (protocol 47) as the inner encapsulation, creating a routed point-to-point tunnel Loopback addresses as the tunnel endpoints for both GRE and IPSec BGP or static routes running over the GRE tunnel for overlay routing The Topology # graph LR subgraph pa[\"PA-VM — PAN-OS 11.2 — Customer Side\"] pa_eth[\"eth1/3\\n10.21.0.1/24\"] pa_lo[\"Lo.100\\n172.20.1.20/32\"] pa_tun[\"tunnel.10\\n192.168.75.110/30\"] end subgraph csr[\"CSRv-8K — IOS-XE 17.16 — Target Side\"] csr_gi[\"Gi1\\n10.21.0.2/24\"] csr_lo[\"Lo0\\n192.168.50.50/32\"] csr_tun[\"Tunnel0\\n192.168.75.109/30\"] end pa_eth --- |\"Underlay 10.21.0.0/24\"| csr_gi 
pa_lo -.- |\"IPSec ESP Endpoints\"| csr_lo pa_tun === |\"GRE-over-IPSec Overlay\"| csr_tun On the wire, packets are encapsulated as follows:\nflowchart LR ip[\"IP Header\\nsrc: 172.20.1.20\\ndst: 192.168.50.50\"] --\u003e esp[\"ESP Header\\nSPI + Seq\"] esp --\u003e gre[\"GRE\\nProtocol 47\"] gre --\u003e payload[\"Original\\nIP Payload\"] payload --\u003e auth[\"ESP Auth\\nIntegrity\"] The Cisco Side: Full Configuration #Cisco IOS-XE handles GRE-over-IPSec with two separate, well-understood constructs: a GRE tunnel interface and a crypto map on the physical interface.\nInterfaces #interface Loopback0 description -Loopback for GRE Tunnel Termination- ip address 192.168.50.50 255.255.255.255 interface Tunnel0 ip address 192.168.75.109 255.255.255.252 ip mtu 1408 ip tcp adjust-mss 1360 tunnel source 192.168.50.50 tunnel destination 172.20.1.20 no keepalive interface GigabitEthernet1 ip address 10.21.0.2 255.255.255.0 no ip redirects no ip proxy-arp negotiation auto crypto map CMAP-VPN Key points:\nLoopback0 is the GRE tunnel source and IKE identity Tunnel0 is the GRE tunnel interface with overlay IP; no keepalive is required because PAN-OS doesn\u0026rsquo;t echo 
Cisco GRE keepalives GigabitEthernet1 has the crypto map applied — this is where IPSec encryption happens IKE and IPSec #crypto isakmp policy 10 encr aes 256 hash sha256 authentication pre-share group 14 crypto ipsec transform-set TS-GRE-TRANSPORT esp-aes 256 esp-sha256-hmac mode transport crypto map CMAP-VPN local-address Loopback0 crypto map CMAP-VPN 10 ipsec-isakmp set peer 172.20.1.20 set transform-set TS-GRE-TRANSPORT match address ACL-ENCRYPT-GRE ip access-list extended ACL-ENCRYPT-GRE permit gre host 192.168.50.50 host 172.20.1.20 The critical details:\nTransform set uses mode transport — not tunnel mode (the default). Transport mode is correct for GRE-over-IPSec because GRE already provides the outer IP header. Using tunnel mode here was the original cause of Phase 2 failure (NO-PROPOSAL-CHOSEN). crypto map local-address Loopback0 sources IKE from the loopback — the PAN-OS equivalent is the IKE gateway local-address setting. The ACL matches only GRE (protocol 47) between loopback addresses. This is the interesting traffic selector — only GRE gets encrypted, everything else passes in cleartext. Routing #ip route 0.0.0.0 0.0.0.0 10.21.0.1 ip route 172.20.1.20 255.255.255.255 10.21.0.1 The static route for 172.20.1.20 (PAN-OS loopback) points to the physical next-hop. This must stay on the physical underlay — routing it through Tunnel0 would create a recursive dependency.\nBGP #router bgp 65001 bgp router-id 192.168.50.50 bgp log-neighbor-changes network 10.21.0.0 mask 255.255.255.0 network 192.168.50.50 mask 255.255.255.255 neighbor 192.168.75.110 remote-as 65002 BGP peers with the PAN-OS tunnel IP (192.168.75.110), meaning the TCP session traverses GRE-over-IPSec. 
Cisco advertises its loopback and connected network.\nThe PAN-OS Side: Full Configuration #What I Tried First (and Failed) #My initial approach was to mirror the Cisco architecture: create a standalone GRE tunnel under Network \u0026gt; GRE Tunnels (available since PAN-OS 9.0) and a separate IPSec tunnel for encryption:\nset network tunnel gre gre-to-cisco tunnel-interface tunnel.10 set network tunnel gre gre-to-cisco local-address interface loopback.100 set network tunnel gre gre-to-cisco peer-address ip 192.168.50.50 Every commit failed with:\nError: tunnel configuration error (Module: device) client device phase 1 failure I tested exhaustively — multiple tunnel interfaces, minimal configs, different zone assignments. The management plane accepted the syntax, but the data plane rejected it at commit time.\nRoot Cause: PA-VM Doesn\u0026rsquo;t Support Standalone GRE #PAN-OS GRE tunnels (Network \u0026gt; GRE Tunnels) are only supported on hardware platforms — PA-3200, PA-5200, PA-7000 series, and newer. PA-VM does not support this feature.\nThis is documented in the PAN-OS networking features compatibility matrix, though it\u0026rsquo;s easy to miss since the CLI and Web UI still expose the GRE configuration options.\nTakeaway: If you\u0026rsquo;re labbing GRE tunnels on a PA-VM, standalone GRE won\u0026rsquo;t work. The config parses but the commit always fails.\nWhat Actually Works: enable-gre-encapsulation on the IPSec Tunnel #PAN-OS provides an alternative: the enable-gre-encapsulation yes flag on the IPSec tunnel. 
This combines GRE and IPSec into a single tunnel construct.\nInterfaces #set network interface ethernet ethernet1/3 layer3 ip 10.21.0.1/24 set network interface loopback units loopback.100 ip 172.20.1.20/32 set network interface tunnel units tunnel.10 ip 192.168.75.110/30 set network interface tunnel units tunnel.10 mtu 1408 ethernet1/3 is the physical underlay link to Cisco loopback.100 is the IKE/GRE endpoint identity (equivalent to Cisco\u0026rsquo;s Loopback0) tunnel.10 is the combined GRE+IPSec tunnel interface with the overlay IP All three interfaces are in the wan zone:\nset vsys vsys1 zone wan network layer3 [ ethernet1/3 tunnel.10 loopback.100 ] IKE Gateway #set network ike gateway cisco-ike-gw authentication pre-shared-key set network ike gateway cisco-ike-gw protocol version ikev1 set network ike gateway cisco-ike-gw protocol ikev1 exchange-mode main set network ike gateway cisco-ike-gw protocol ikev1 ike-crypto-profile cisco-ike-phase1-prof set network ike gateway cisco-ike-gw local-address interface loopback.100 set network ike gateway cisco-ike-gw local-address ip 172.20.1.20/32 set network ike gateway cisco-ike-gw peer-address ip 192.168.50.50 set network ike gateway cisco-ike-gw local-id id 172.20.1.20 type ipaddr set network ike gateway cisco-ike-gw peer-id id 192.168.50.50 type ipaddr The local-address on loopback.100 is the PAN-OS equivalent of Cisco\u0026rsquo;s crypto map local-address Loopback0.\nIKE Crypto Profile (Phase 1) #set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof hash sha256 set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof dh-group group14 set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof encryption [ aes-256-cbc aes-128-cbc ] set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof lifetime days 1 IPSec Crypto Profile (Phase 2) #set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp authentication sha256 set network 
ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp encryption [ aes-256-cbc aes-128-cbc aes-256-gcm ] set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifetime seconds 3600 set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof dh-group no-pfs IPSec Tunnel (with GRE Encapsulation) #set network tunnel ipsec ipsec-tun-to-cisco tunnel-interface tunnel.10 set network tunnel ipsec ipsec-tun-to-cisco ipsec-mode transport set network tunnel ipsec ipsec-tun-to-cisco enable-gre-encapsulation yes set network tunnel ipsec ipsec-tun-to-cisco anti-replay no set network tunnel ipsec ipsec-tun-to-cisco auto-key ike-gateway cisco-ike-gw set network tunnel ipsec ipsec-tun-to-cisco auto-key ipsec-crypto-profile cisco-ipsec-phase2-prof set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco protocol number 47 set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco local 172.20.1.20 set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco remote 192.168.50.50 This is the core of the PA-VM approach:\nipsec-mode transport — matches Cisco\u0026rsquo;s mode transport on the transform set enable-gre-encapsulation yes — PAN-OS adds a GRE header to all traffic entering tunnel.10 Proxy-ID with protocol 47 — equivalent to Cisco\u0026rsquo;s permit gre ACL; tells both sides the SA carries GRE The tunnel interface gets the overlay IP and serves as both the GRE and IPSec endpoint Routing #set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 destination 192.168.50.50/32 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 interface ethernet1/3 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 nexthop ip-address 10.21.0.2 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 metric 10 Same as Cisco — the remote 
loopback route stays on the physical underlay.\nBGP #set network virtual-router default protocol bgp enable yes set network virtual-router default protocol bgp router-id 172.20.1.20 set network virtual-router default protocol bgp local-as 65002 set network virtual-router default protocol bgp peer-group cisco-peer enable yes set network virtual-router default protocol bgp peer-group cisco-peer type ebgp import-nexthop original set network virtual-router default protocol bgp peer-group cisco-peer type ebgp export-nexthop resolve set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 enable yes set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-as 65001 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-address ip 192.168.75.109 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address interface tunnel.10 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address ip 192.168.75.110/30 set network virtual-router default protocol bgp redist-rules connected-routes enable yes set network virtual-router default protocol bgp redist-rules connected-routes address-family-identifier ipv4 set network virtual-router default protocol redist-profile connected-routes filter type connect set network virtual-router default protocol redist-profile connected-routes priority 1 set network virtual-router default protocol redist-profile connected-routes action redist BGP peers using the tunnel overlay IPs. 
PAN-OS redistributes connected routes into BGP.\nSecurity Policy #set vsys vsys1 rulebase security rules default-rule to any from any source any destination any application any service any action allow A permissive lab rule — in production you\u0026rsquo;d scope this to specific zones and applications.\nProving GRE Is Working: Cisco Tunnel0 as the Signal #The Cisco Tunnel0 interface being UP/UP is the definitive proof that GRE is working. Tunnel0 is a pure GRE interface — it only processes GRE-encapsulated packets. For it to receive traffic, valid GRE packets must arrive from the expected source.\nAfter clearing counters and sending a single ping across the tunnel:\n=== BEFORE === IPSec SA: #pkts encaps: 0, #pkts decaps: 0 Tunnel0: 0 packets input, 0 packets output === AFTER 1 PING === IPSec SA: #pkts encaps: 1, #pkts decaps: 1 Tunnel0: 1 packets input, 1 packets output Both counters increment in lockstep — IPSec encrypted/decrypted one GRE packet each way, and Tunnel0 processed one GRE-encapsulated payload each way.\nThe IPSec SA confirms what\u0026rsquo;s being encrypted:\nlocal ident: (192.168.50.50/255.255.255.255/47/0) ← protocol 47 = GRE remote ident: (172.20.1.20/255.255.255.255/47/0) transform: esp-256-aes esp-sha256-hmac in use settings = {Transport} During early testing when IPSec Phase 2 hadn\u0026rsquo;t negotiated yet, Cisco logged:\n%IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec\u0026#39;d packet not an IPSEC packet, dest_addr=192.168.50.50, src_addr=172.20.1.20, prot=47 This confirms PAN-OS was sending GRE (protocol 47) packets even before IPSec was up — proving enable-gre-encapsulation generates real GRE packets.\nBGP Over the Tunnel #eBGP was established using the tunnel overlay IPs to prove routing protocols work over GRE-over-IPSec. 
The BGP TCP session itself (port 179) traverses the encrypted GRE tunnel.\nPAN-OS (AS 65002): Peer 192.168.75.109: Established Prefixes received: 2 (192.168.50.50/32, 10.21.0.0/24) Prefixes sent: 4 (connected routes) Cisco (AS 65001): Neighbor 192.168.75.110: Established Prefixes received: 4 (10.20.0.0/24, 10.21.0.0/24, 172.29.129.0/24, 192.168.75.108/30) Prefixes sent: 2 Gotchas and Lessons Learned #IPSec mode mismatch kills Phase 2. The original Cisco config used tunnel mode (the IOS default for transform sets). PAN-OS was set to transport mode. This caused every Phase 2 attempt to fail with NO-PROPOSAL-CHOSEN. Both sides must agree — transport mode is correct for GRE-over-IPSec.\nGRE keepalives don\u0026rsquo;t interop. Cisco GRE keepalives are Cisco-proprietary echo packets. PAN-OS doesn\u0026rsquo;t respond to them, so Cisco Tunnel0 goes to UP/DOWN. Use no keepalive on the Cisco side and PAN-OS tunnel monitoring (with a destination IP) if you need health checking.\nUnderlay routing must stay physical. The loopback addresses are the GRE/IPSec tunnel endpoints. Routing them through the tunnel creates a recursive dependency — the tunnel needs those IPs to function. Overlay subnets go through the tunnel; endpoint reachability stays on the physical link.\nPA-VM GRE limitation is silent. The PAN-OS CLI and Web UI expose GRE tunnel configuration on PA-VM even though it\u0026rsquo;s not supported. The config parses cleanly — the error only appears at commit time. 
Check the platform compatibility matrix before planning your architecture.\nPlatform Comparison # Aspect Cisco IOS-XE PAN-OS PA-VM GRE tunnel Standalone interface Tunnel0 Not supported (enable-gre-encapsulation on IPSec instead) IPSec Crypto map on physical interface Route-based VPN with proxy-ID Mode Transport (explicit mode transport) Transport (explicit ipsec-mode transport) Interesting traffic ACL: permit gre host \u0026lt;lo\u0026gt; host \u0026lt;lo\u0026gt; Proxy-ID: protocol 47 between loopbacks IKE source crypto map local-address Loopback0 IKE gateway local-address loopback.100 Routing over tunnel Works (BGP, static) Works (BGP, static, redistributed connected) GRE keepalive Supported (but disabled for interop) Not supported (use tunnel monitoring) The setup works well once you know the PA-VM limitation. The enable-gre-encapsulation flag produces wire-compatible packets, and the Cisco side is none the wiser.\nAppendix A: Full PAN-OS PA-VM Configuration (set commands) #Exported directly from the PAN-OS CLI via set cli config-output-format set then show in configure mode. 
Authentication credentials and default boilerplate profiles have been excluded.\nset deviceconfig system type static set deviceconfig system timezone Asia/Riyadh set deviceconfig system service disable-telnet yes set deviceconfig system service disable-http yes set deviceconfig system hostname LAB-FW set deviceconfig system ip-address 192.168.100.63 set deviceconfig system netmask 255.255.255.0 set deviceconfig system default-gateway 192.168.100.3 set deviceconfig system dns-setting servers primary 1.1.1.1 set deviceconfig system dns-setting servers secondary 1.0.0.1 set deviceconfig system ntp-servers primary-ntp-server ntp-server-address sa.pool.ntp.org set deviceconfig system ntp-servers primary-ntp-server authentication-type none set network interface ethernet ethernet1/1 layer3 interface-management-profile ping-only set network interface ethernet ethernet1/2 layer3 ip 10.20.0.1/24 set network interface ethernet ethernet1/2 layer3 interface-management-profile ping-only set network interface ethernet ethernet1/3 layer3 ip 10.21.0.1/24 set network interface ethernet ethernet1/3 layer3 interface-management-profile ping-only set network interface tunnel units tunnel.10 comment \u0026#34;GRE over IPSec Tunnel\u0026#34; set network interface tunnel units tunnel.10 interface-management-profile ping-only set network interface tunnel units tunnel.10 mtu 1408 set network interface tunnel units tunnel.10 ip 192.168.75.110/30 set network interface tunnel units tunnel.20 comment \u0026#34;Outer IPSec Tunnel\u0026#34; set network interface loopback units loopback.100 ip 172.20.1.20/32 set network interface loopback units loopback.100 interface-management-profile ping-only set network interface loopback units loopback.100 comment \u0026#34;Loopback customer side \u0026#34; set network profiles interface-management-profile ping-only ping yes set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof hash sha256 set network ike crypto-profiles ike-crypto-profiles 
cisco-ike-phase1-prof dh-group group14 set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof encryption [ aes-256-cbc aes-128-cbc ] set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof lifetime days 1 set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp authentication sha256 set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp encryption [ aes-256-cbc aes-128-cbc aes-256-gcm ] set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifetime seconds 3600 set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof dh-group no-pfs set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifesize mb 450 set network ike gateway cisco-ike-gw protocol ikev1 dpd enable no set network ike gateway cisco-ike-gw protocol ikev1 ike-crypto-profile cisco-ike-phase1-prof set network ike gateway cisco-ike-gw protocol ikev1 exchange-mode main set network ike gateway cisco-ike-gw protocol version ikev1 set network ike gateway cisco-ike-gw local-address ip 172.20.1.20/32 set network ike gateway cisco-ike-gw local-address interface loopback.100 set network ike gateway cisco-ike-gw protocol-common nat-traversal enable no set network ike gateway cisco-ike-gw protocol-common fragmentation enable no set network ike gateway cisco-ike-gw peer-address ip 192.168.50.50 set network ike gateway cisco-ike-gw local-id id 172.20.1.20 set network ike gateway cisco-ike-gw local-id type ipaddr set network ike gateway cisco-ike-gw peer-id id 192.168.50.50 set network ike gateway cisco-ike-gw peer-id type ipaddr set network virtual-router default protocol bgp enable yes set network virtual-router default protocol bgp routing-options graceful-restart enable yes set network virtual-router default protocol bgp router-id 172.20.1.20 set network virtual-router default protocol bgp local-as 65002 set network virtual-router default protocol bgp 
peer-group cisco-peer enable yes set network virtual-router default protocol bgp peer-group cisco-peer type ebgp import-nexthop original set network virtual-router default protocol bgp peer-group cisco-peer type ebgp export-nexthop resolve set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-as 65001 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address interface tunnel.10 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address ip 192.168.75.110/30 set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 enable yes set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-address ip 192.168.75.109 set network virtual-router default protocol bgp redist-rules connected-routes enable yes set network virtual-router default protocol bgp redist-rules connected-routes address-family-identifier ipv4 set network virtual-router default protocol redist-profile connected-routes filter type connect set network virtual-router default protocol redist-profile connected-routes priority 1 set network virtual-router default protocol redist-profile connected-routes action redist set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 loopback.100 tunnel.10 tunnel.20 ] set network virtual-router default ecmp algorithm ip-modulo set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 nexthop ip-address 10.21.0.2 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 interface ethernet1/3 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 destination 192.168.50.50/32 set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 metric 10 set network virtual-router default routing-table ip static-route 
demo-tdwl-lo0-192.168.50.50 route-table unicast set network tunnel ipsec ipsec-tun-to-cisco auto-key ike-gateway cisco-ike-gw set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco protocol number 47 set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco local 172.20.1.20 set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco remote 192.168.50.50 set network tunnel ipsec ipsec-tun-to-cisco auto-key ipsec-crypto-profile cisco-ipsec-phase2-prof set network tunnel ipsec ipsec-tun-to-cisco tunnel-monitor enable no set network tunnel ipsec ipsec-tun-to-cisco tunnel-monitor destination-ip 192.168.75.109 set network tunnel ipsec ipsec-tun-to-cisco tunnel-interface tunnel.10 set network tunnel ipsec ipsec-tun-to-cisco ipsec-mode transport set network tunnel ipsec ipsec-tun-to-cisco enable-gre-encapsulation yes set network tunnel ipsec ipsec-tun-to-cisco anti-replay no set zone untrust network layer3 ethernet1/1 set zone internal-net network layer3 ethernet1/2 set zone wan network layer3 [ ethernet1/3 tunnel.10 loopback.100 tunnel.20 ] set rulebase security rules default-rule to any set rulebase security rules default-rule from any set rulebase security rules default-rule source any set rulebase security rules default-rule destination any set rulebase security rules default-rule source-user any set rulebase security rules default-rule category any set rulebase security rules default-rule saas-user-list any set rulebase security rules default-rule saas-tenant-list any set rulebase security rules default-rule application any set rulebase security rules default-rule service any set rulebase security rules default-rule source-hip any set rulebase security rules default-rule destination-hip any set rulebase security rules default-rule action allow set rulebase security rules default-rule log-start no set rulebase security rules default-rule log-end yes set rulebase nat rules outbound-nat-to-untrust source-translation 
persistent-dynamic-ip-and-port interface-address interface ethernet1/1 set rulebase nat rules outbound-nat-to-untrust to untrust set rulebase nat rules outbound-nat-to-untrust from [ internal-net wan ] set rulebase nat rules outbound-nat-to-untrust source any set rulebase nat rules outbound-nat-to-untrust destination any set rulebase nat rules outbound-nat-to-untrust service any set import network interface [ ethernet1/1 ethernet1/2 ethernet1/3 tunnel.10 loopback.100 tunnel.20 ] Appendix B: Full Cisco IOS-XE CSRv-8000 Configuration #Exported from show running-config. Authentication credentials, PKI certificates, and unused transform sets have been excluded.\nhostname csr-rtr ! vrf definition MGMT description Out-of-Band Management address-family ipv4 exit-address-family ! logging buffered 16384 logging persistent filesize 2000000 no logging console ! crypto isakmp policy 10 encr aes 256 hash sha256 authentication pre-share group 14 ! crypto isakmp key \u0026lt;REDACTED\u0026gt; address 172.20.1.20 ! crypto ipsec transform-set TS-GRE-TRANSPORT esp-aes 256 esp-sha256-hmac mode transport ! crypto map CMAP-VPN local-address Loopback0 crypto map CMAP-VPN 10 ipsec-isakmp set peer 172.20.1.20 set transform-set TS-GRE-TRANSPORT match address ACL-ENCRYPT-GRE ! interface Loopback0 description -Loopback for GRE Tunnel Termination- ip address 192.168.50.50 255.255.255.255 ! interface Tunnel0 ip address 192.168.75.109 255.255.255.252 ip mtu 1408 ip tcp adjust-mss 1360 tunnel source 192.168.50.50 tunnel destination 172.20.1.20 no keepalive ! interface GigabitEthernet1 ip address 10.21.0.2 255.255.255.0 no ip redirects no ip proxy-arp negotiation auto crypto map CMAP-VPN ! ! GigabitEthernet2-7: shutdown (unused) ! interface GigabitEthernet8 description MANAGEMENT_ONLY vrf forwarding MGMT ip address 192.168.100.163 255.255.255.0 ip access-group ACL-MGMT-IN in negotiation auto ! 
router bgp 65001 bgp router-id 192.168.50.50 bgp log-neighbor-changes network 10.21.0.0 mask 255.255.255.0 network 192.168.50.50 mask 255.255.255.255 neighbor 192.168.75.110 remote-as 65002 ! ip http server ip http authentication local ip http secure-server ip route 0.0.0.0 0.0.0.0 10.21.0.1 ip route 172.20.1.20 255.255.255.255 10.21.0.1 ip route vrf MGMT 0.0.0.0 0.0.0.0 192.168.100.1 ip ssh bulk-mode 131072 ! ip access-list extended ACL-ENCRYPT-GRE 10 permit gre host 192.168.50.50 host 172.20.1.20 ! ip access-list extended ACL-MGMT-IN 10 remark Allow SSH specifically to the MGMT interface IP 10 permit tcp any host 192.168.100.163 eq 22 20 remark Allow Ping to the interface (Optional) 20 permit icmp any host 192.168.100.163 echo 30 permit icmp any host 192.168.100.163 echo-reply 40 remark Deny and log everything else 40 deny ip any any log ! line con 0 stopbits 1 line vty 0 4 login local transport input ssh ! end ","date":"22 March 2026","permalink":"https://fahad.link/posts/panos-gre-over-ipsec-with-cisco-iosxe/","section":"Posts","summary":"","title":"GRE-over-IPSec Between PAN-OS and Cisco IOS-XE — What Works and What 
Doesn't"},{"content":"About #I\u0026rsquo;m Fahad Yousuf, an IT Nerd and Cybersecurity Consultant.\nThis blog is where I write about networking, security, and random tech experiments.\nBackground #I\u0026rsquo;m a cybersecurity professional and enthusiast with considerable experience in large enterprise, telecommunications, and mission-critical IT/OT infrastructures. Over the years, I\u0026rsquo;ve worked across multiple domains—from hands-on network engineering and systems administration to high-level security architecture and enterprise consulting.\nExperience #Palo Alto Networks — Riyadh, Saudi Arabia — 8 years 11 months\nSr. Principal Professional Services Consultant - EMEA (Nov 2025 – Present) Principal Professional Services Consultant - EMEA (Nov 2022 – Oct 2025) Professional Services Manager (Sep 2021 – Nov 2022) Sr. 
Professional Services Consultant (Nov 2019 – Aug 2021)\nDelivering high-quality services for the world\u0026rsquo;s leading cybersecurity company. Professional Services Consultant (Jun 2017 – Oct 2019) Saudi Telecom Company — Riyadh, Saudi Arabia\nIT Security Architect (Aug 2015 – Jun 2017)\nSenior IT Security Design advisor. Responsibilities included IT security requirements analysis and solution design for major/minor projects across multiple business units, including business-critical and high-value projects (10M+ SAR). I ensured IT security policy enforcement by enabling and mandating security controls during the design phase, specifying technologies and solutions to apply controls and monitor their efficacy. I designed, reviewed, and approved HLDs and LLDs for multiple IT security solutions, developed RFCs for operational change requests, and acted as Level-3 technical support for ongoing issues in critical IT applications and network connectivity.\nTechnologies covered included: Firewalls (L4 and NGFWs, multi-vendor), IPS devices, Application Firewalls/Security Solutions, Device/File and Network Encryption Solutions, SIEM Tools (ArcSight), Site-to-Site and SSL VPNs, and Wireless Security / BYOD strategy development.\nNational Guard Health Affairs — Riyadh, Saudi Arabia — 4 years 7 months\nNetwork Security Team Lead (May 2014 – Jun 2015)\nLed the security section of the Data Center Networks and Security team, managing daily administrative and technical operations of security components of CNDC projects. This included oversight of network security, network access control, security auditing and reporting, enterprise-wide risk analysis for new and existing projects, and implementing site-to-site VPN connectivity with medical equipment vendors. 
I also reviewed and updated enterprise IT security policies at the organizational and departmental levels, and provided consultancy and feedback to technical support teams (server, application, storage, and virtualization) for security aspects in their projects.\nComputer Engineer - Network Security Team (Dec 2010 – Apr 2014)\nNetwork Security specialist at King Abdul Aziz Medical City Riyadh, Corporate Network Data Center, ISID Department. Areas of focus included:\nNetwork Security components (Firewalls, VPNs, etc.) Cisco Network Access Control (NAC) — Management of CAS/CAM Servers Symantec Endpoint Protection — Cluster of 3 Management Servers with ~7,000 clients Management of BlueCoat ProxySG proxy servers Symantec Messaging Gateway (e-mail security) Network infrastructure maintenance (Cisco-based multi-tier network, VSS at distribution layer) SSL/VPN troubleshooting for Juniper-based devices e-Business (Pvt) Ltd\nSystems Engineer (May 2009 – May 2010)\nSystems Engineer responsible for management of production Web, Database (MySQL), and NoSQL datastores (Cassandra) servers on Sun Enterprise Server hardware running Ubuntu Server and Sun Solaris. Responsible for uptime and network quality for production websites with up to 100,000 unique monthly users. Ghulam Ishaq Khan Institute of Engineering and Technology\nComputer Engineer (Jun 2008 – Jan 2009)\nAssisted lecturers in delivering courses including Object Oriented Programming, Data Structures, Operating Systems, and Computer Communication and Networks. Instructed students for lab courses: Introduction to Programming (CS101 Lab) and Introduction to Programming II — Intermediate (CS102 Lab). Bytesense — Lahore, Pakistan\nInternee (2007 – 2008)\nInformation Technology startup company providing local support for Warid\u0026rsquo;s P2P balance transfer system. 
Education # University of Liverpool — PGDip, Computer and Information Security (2013 – 2016) Ghulam Ishaq Khan Institute of Engineering Sciences and Technology — B.S. Engineering, Electronics Engineering (2003 – 2008) Government College University (GCU), Lahore — Higher Secondary School Certificate, Science (Pre-Engineering) (2001 – 2003) Skills #Cloud Computing, GCP - Cloud Digital Leader, Cloud Applications, VMware vSphere, VMware vCenter, VMware NSX, Proxmox VE, Kubernetes, Certified Kubernetes Administrator, Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Amazon EKS, Network Security, Firewalls, Python, Network Administration, VPN, Troubleshooting, Linux System Administration, Network Design, Data Center, Programming, Routing, System Deployment, OSPF, XDR, SOAR Use Cases, Requirements Analysis, Cybersecurity, Cisco Technologies, Linux, Operating Systems, Servers, Juniper Networks, Cisco Systems Products, Django, Cisco, VMware Infrastructure, Networking, Endpoint Protection, SIEM, Splunk, VyOS, Cloud Security, Network Virtualization, Security Architecture Design, IT Consulting, Network Access Control (NAC)\nLanguages # English Urdu ","date":"17 March 2025","permalink":"https://fahad.link/about/","section":"Code Red","summary":"","title":"About"},{"content":"Hello World #Trying out Hugo. So far it\u0026rsquo;s being painful but let\u0026rsquo;s see if it sticks.\n","date":"17 March 2025","permalink":"https://fahad.link/posts/hello-world/","section":"Posts","summary":"","title":"Hello World"}]