https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564572#M114239 <P><SPAN>Does&nbsp;</SPAN><SPAN>Branch Site have static IP?</SPAN></P> <P>-Yes, branch office have static IP but with internal IP.</P> <P>&nbsp;</P> <P><SPAN>Do you have capability to configure port forwarding on ISP router?</SPAN></P> <P>-I have done configure port forward in my ISP router. (udp500,4500,4510,4511)</P> <P>&nbsp;</P> <P>I'm new to PaloAlto, so I not sure the details setting in PaloAlto. I had see some discussion about the setting needed in IPsec when one of the site using an internal IP as wan IP. After trying the step mentioned, but failed. So may share to me the detail setting at both site? we need enable&nbsp;NAT-Traversal at both site? we need usingaggresive mode at both site? what need to configure in local &amp; peer identification at both site?</P> <P>&nbsp;</P> <P>Thank you.</P> Tue, 07 Nov 2023 00:44:55 GMT zlling 2023-11-07T00:44:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564510#M114228 <P>I want build IPsec connection bwtween HQ and Branch Office.</P> <P>&nbsp;</P> <P>HQ using Public IP with fixed.</P> <P>Branch Office using Internal IP with fixed. (have one ISP router above firewall)</P> <P>&nbsp;</P> <P>May know the details setting?</P> <P>&nbsp;</P> <P>and i need create port forward udp500,4500 on my ISP router?</P> <P>&nbsp;</P> Mon, 06 Nov 2023 13:46:54 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564510#M114228 zlling 2023-11-06T13:46:54Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564524#M114231 <P>Does&nbsp;<SPAN>Branch Site have static IP?</SPAN></P> <P><SPAN>Do you have capability to configure port forwarding on ISP router?</SPAN></P> <P>&nbsp;</P> Mon, 06 Nov 2023 15:18:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564524#M114231 Raido_Rattameister 2023-11-06T15:18:27Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564572#M114239 <P><SPAN>Does&nbsp;</SPAN><SPAN>Branch Site have static IP?</SPAN></P> <P>-Yes, branch office have static IP but with internal IP.</P> <P>&nbsp;</P> <P><SPAN>Do you have capability to configure port forwarding on ISP router?</SPAN></P> <P>-I have done configure port forward in my ISP router. (udp500,4500,4510,4511)</P> <P>&nbsp;</P> <P>I'm new to PaloAlto, so I not sure the details setting in PaloAlto. I had see some discussion about the setting needed in IPsec when one of the site using an internal IP as wan IP. After trying the step mentioned, but failed. So may share to me the detail setting at both site? we need enable&nbsp;NAT-Traversal at both site? we need usingaggresive mode at both site? what need to configure in local &amp; peer identification at both site?</P> <P>&nbsp;</P> <P>Thank you.</P> Tue, 07 Nov 2023 00:44:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564572#M114239 zlling 2023-11-07T00:44:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564574#M114240 <P>You need to NAT only udp/500 and udp/4500.</P> <P>&nbsp;</P> <P>On "Advanced Options" tab check "Enable NAT Traversal" checkbox and you are done.</P> <P>You do not need aggressive mode.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1699321537581.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54999i76D55658F33B077F/image-size/medium?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1699321537581.png" alt="Raido_Rattameister_0-1699321537581.png" /></span></P> <P>&nbsp;</P> Tue, 07 Nov 2023 01:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564574#M114240 Raido_Rattameister 2023-11-07T01:48:50Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564576#M114241 <P>Hi,</P> <P>&nbsp;</P> <P>I had try this way. IPsec connection still failed to build.&nbsp;</P> <P>Does IPsec function need license?</P> <P>&nbsp;</P> <P>Thank you.</P> <P>&nbsp;</P> Tue, 07 Nov 2023 03:13:43 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564576#M114241 zlling 2023-11-07T03:13:43Z https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564577#M114242 <P>No license needed.</P> <P>How do you identify that tunnel fails to build?</P> <P>Do you see anything in system log?</P> <P>&nbsp;</P> <P>If you enter command below and check System logs on other side what do you see?</P> <P>test vpn ipsec-sa tunnel name-of-the-ipsec-tunnel</P> Tue, 07 Nov 2023 03:23:09 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-build-ipsec-connection-without-using-public-ip-at-branch/m-p/564577#M114242 Raido_Rattameister 2023-11-07T03:23:09Z