Dec 31, 2012

How to configure a basic S2S VPN in Palo Alto


Here's a quick how-to for setting up a very simple S2S IPsec VPN on a Palo Alto.
  1. Create a tunnel interface
    • Here you will also create the security zone that the tunnel will use
  2. Create the IKE Gateway and specify your tunnel's security zone
    • Include the peer address and your outside interface
  3. Create your IKE crypto policy
  4. Create your IPsec crypto policy
  5. Create a new IPsec Tunnel using the IKE/IPsec crypto policies you made.
    • Also create under this any Proxy IDs you may require to conform with a Cisco IPsec VPN. They're very similar to the policies you might create on a NetScreen.
  6. Create 2 new security policies for the inbound and outbound traffic via the S2S VPN.
    • These are typically the local and remote networks. You need to put them in twice, once for inbound and once for outbound permissions.
  7. Add the tunnel interface to the default virtual router and add the static routes to your remote network via your tunnel interface.
Remember that when creating a S2S with any Cisco device, you will need to use Proxy IDs. They mimic the ACLs that Cisco uses to define interesting traffic and are needed during the initial Phase 2 (IPsec SA) setup; if they don't mirror the Cisco crypto ACL exactly, Phase 2 will fail to come up.
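As an added example (not from the original post), here are the same seven steps as PAN-OS CLI "set" commands. The interface, zone, profile, rule and gateway names, the peer 203.0.113.1, the 10.1.0.0/24 (local) and 10.2.0.0/24 (remote) networks and the PSK are all placeholders, and the exact set syntax is written from memory and should be checked against the PAN-OS version you run.

```text
# Added example: PAN-OS set commands for the steps above (placeholder names/addresses; syntax varies by PAN-OS version)
configure

# 1. Tunnel interface and its own security zone
set network interface tunnel units tunnel.1 comment "S2S to remote site"
set zone vpn network layer3 tunnel.1

# 3./4. IKE (Phase 1) and IPsec (Phase 2) crypto profiles; the peer must propose the same algorithms
set network ike crypto-profiles ike-crypto-profiles IKE-P1 encryption aes-256-cbc hash sha256 dh-group group14 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 esp encryption aes-256-cbc authentication sha256 dh-group group14 lifetime hours 1

# 2. IKE gateway: outside interface, peer address, pre-shared key (placeholder) and the Phase 1 profile
set network ike gateway GW-REMOTE local-address interface ethernet1/1
set network ike gateway GW-REMOTE peer-address ip 203.0.113.1
set network ike gateway GW-REMOTE authentication pre-shared-key key REPLACE-WITH-STRONG-PSK
set network ike gateway GW-REMOTE protocol ikev1 ike-crypto-profile IKE-P1

# 5. IPsec tunnel tied to the gateway, the Phase 2 profile and tunnel.1, plus a Proxy ID that mirrors the Cisco crypto ACL
set network tunnel ipsec VPN-REMOTE auto-key ike-gateway GW-REMOTE
set network tunnel ipsec VPN-REMOTE auto-key ipsec-crypto-profile IPSEC-P2
set network tunnel ipsec VPN-REMOTE tunnel-interface tunnel.1
set network tunnel ipsec VPN-REMOTE auto-key proxy-id PROXY-1 local 10.1.0.0/24 remote 10.2.0.0/24 protocol any

# 6. Security policy in both directions (trust = local LAN zone, vpn = the tunnel zone from step 1)
set rulebase security rules VPN-OUT from trust to vpn source 10.1.0.0/24 destination 10.2.0.0/24 application any service any action allow
set rulebase security rules VPN-IN from vpn to trust source 10.2.0.0/24 destination 10.1.0.0/24 application any service any action allow

# 7. Put tunnel.1 in the default virtual router and route the remote network through it
set network virtual-router default interface tunnel.1
set network virtual-router default routing-table ip static-route TO-REMOTE destination 10.2.0.0/24 interface tunnel.1

commit
```

After the commit, `show vpn ike-sa` and `show vpn ipsec-sa` show whether Phase 1 and Phase 2 came up; a Phase 1 that is up with no Phase 2 SA is the usual sign of a Proxy ID that does not match the Cisco ACL.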

Enjoy! Let me know if there are any questions.

- David Pagán
