https://live.paloaltonetworks.com/t5/general-topics/site-to-site-palo-alto-vpn-is-failing/m-p/472726#M103239 <P>I apologize if this is posted in the wrong message board. It is unclear to me where I should specifically be asking this type of question.&nbsp;</P><P>&nbsp;</P><P>I configured a site-to-site IPSec VPN between two Palo Alto's and they are both failing on Phase 1 and Phase 2. The local addresses are in the same IP address range and I am not able to change them. A test VPN was setup with different internal IP ranges works, but to try and make the internal ranges work, we are NATing the internal ranges to a unique NAT range.&nbsp;</P><P>&nbsp;</P><P>I had followed the directions from this article and double checked the configuration:&nbsp;<A href="https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/" target="_blank" rel="nofollow noreferrer noopener">https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/</A>. We will also need to configure both network with additional zones traversing the tunnel, but have not done anything with that yet as we cannot get the first zone working.&nbsp;</P><P>&nbsp;</P><P>I am happy to provide any error messages and configs if anyone needs them. Thanks in advance!</P> Mon, 14 Mar 2022 02:52:02 GMT sophia.legare 2022-03-14T02:52:02Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-palo-alto-vpn-is-failing/m-p/472726#M103239 <P>I apologize if this is posted in the wrong message board. It is unclear to me where I should specifically be asking this type of question.&nbsp;</P><P>&nbsp;</P><P>I configured a site-to-site IPSec VPN between two Palo Alto's and they are both failing on Phase 1 and Phase 2. The local addresses are in the same IP address range and I am not able to change them. A test VPN was setup with different internal IP ranges works, but to try and make the internal ranges work, we are NATing the internal ranges to a unique NAT range.&nbsp;</P><P>&nbsp;</P><P>I had followed the directions from this article and double checked the configuration:&nbsp;<A href="https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/" target="_blank" rel="nofollow noreferrer noopener">https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/</A>. We will also need to configure both network with additional zones traversing the tunnel, but have not done anything with that yet as we cannot get the first zone working.&nbsp;</P><P>&nbsp;</P><P>I am happy to provide any error messages and configs if anyone needs them. Thanks in advance!</P> Mon, 14 Mar 2022 02:52:02 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-palo-alto-vpn-is-failing/m-p/472726#M103239 sophia.legare 2022-03-14T02:52:02Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-palo-alto-vpn-is-failing/m-p/473385#M103288 <P>Hello,</P><P>Option 1;</P><P>-Use nat on both side and enter routes for nat ip adresses.</P><P>-I know if both side is Palo Alto you do not need to enter a Proxy id. but I am entering as 0.0.0.0/0 in both side every time (My behaveior <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> )</P><P>-Option 2;</P><P>-İf NAT is not an option and devices are directly connect to Firewall you can use PBR only for source and destionation ip addresses and ports. More specific is more accurate.</P><P>&nbsp;</P><P>I hope these solutions helps.</P><P>&nbsp;</P> Tue, 15 Mar 2022 20:32:19 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-palo-alto-vpn-is-failing/m-p/473385#M103288 upelister 2022-03-15T20:32:19Z