https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/1230184#M124406 <P>Hi, Have you tried with ikev2?</P> Tue, 27 May 2025 14:21:49 GMT JosipMartinic 2025-05-27T14:21:49Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344255#M86135 <P>Does anyone have experience setting up an site-to-site IP Sec tunnel between a PAN firewall with a static IP address and a CradlePoint with a dynamic IP address? &nbsp;I am trying to determine if there's a way to setup the IP Sec tunnel between the 2 endpoints without having to pay a 3rd party for DDNS service.</P><P>I tried setting the firewall peering to Dynamic, and the IKE Phase 1 exchange modes to Aggressive, but no luck.</P><P>Any help is appreciated.</P> Tue, 18 Aug 2020 03:00:39 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344255#M86135 acrxsupport-old 2020-08-18T03:00:39Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344272#M86138 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118857">@acrxsupport-old</a>&nbsp; What option have you selected under local/peer identification type? You need to select proper settings here. Also what do you see under system logs?</P><P>&nbsp;</P><P>Mayur</P> Tue, 18 Aug 2020 05:58:35 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344272#M86138 SutareMayur 2020-08-18T05:58:35Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344332#M86157 <P>as long as one side is static, this shouldn't be too difficult</P><P>the PA will need to be set as 'passive' as it won't be able to connect out to the dynamic peer (without ddns) and you'll need to use set peer identification to some fictitious FQDN or email (or the local IP of the remote peer, if said peer lives behind a NAT device)</P> Tue, 18 Aug 2020 09:41:58 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344332#M86157 reaper 2020-08-18T09:41:58Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344343#M86158 <P>Thanks for the responses&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>.</P><P>I've got Local and Remote Identities set on both, and it isn't coming up.</P><P>If I enable Passive Mode on the PAN, it hasn't actually responding to the IKE Phase 1 - even if I use a Static peer address instead of Dynamic. &nbsp;The system logs unfortunately also don't have anything showing up.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-18_06-43-25.png" style="width: 449px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27414iD1CCFFC0FDC3890B/image-dimensions/449x285/is-moderation-mode/true?v=v2" width="449" height="285" role="button" title="2020-08-18_06-43-25.png" alt="2020-08-18_06-43-25.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="acrxsupport-old_0-1597748127515.png" style="width: 405px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27417iB791C40FD531A219/image-dimensions/405x434/is-moderation-mode/true?v=v2" width="405" height="434" role="button" title="acrxsupport-old_0-1597748127515.png" alt="acrxsupport-old_0-1597748127515.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-18_06-43-47.png" style="width: 447px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27415iD656D72EF9B1D893/image-dimensions/447x335/is-moderation-mode/true?v=v2" width="447" height="335" role="button" title="2020-08-18_06-43-47.png" alt="2020-08-18_06-43-47.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-18_06-44-21.png" style="width: 438px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27416iA740B9EF300A57CA/image-dimensions/438x293/is-moderation-mode/true?v=v2" width="438" height="293" role="button" title="2020-08-18_06-44-21.png" alt="2020-08-18_06-44-21.png" /></span></P><P> </P> Tue, 18 Aug 2020 11:00:04 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344343#M86158 acrxsupport-old 2020-08-18T11:00:04Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344344#M86159 <P>I realized that I flipped the peering in the PAN IKE screenshot, this is corrected, but the results are the same.</P> Tue, 18 Aug 2020 11:07:13 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344344#M86159 acrxsupport-old 2020-08-18T11:07:13Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344351#M86165 <P>try these for more detailed debug logs:</P><P>&nbsp;</P><P>&gt; debug ike gateway &lt;gw&gt; on debug</P><P>&gt; tail follow yes mp-log ikemgr.log</P><P>&nbsp;</P><P>I noticed your local ip is 172.16x.x but you did not enable NAT-T, could you try turning that on?</P> Tue, 18 Aug 2020 14:31:04 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344351#M86165 reaper 2020-08-18T14:31:04Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344859#M86249 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;thanks for your patience. This was very helpful for troubleshooting. &nbsp;It is working now with Responder Mode and NAT-T enabled, and using the matching identities.</P> Thu, 20 Aug 2020 20:54:05 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344859#M86249 acrxsupport-old 2020-08-20T20:54:05Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344860#M86250 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118857">@acrxsupport-old</a>&nbsp; that's great!</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 20 Aug 2020 20:59:44 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/344860#M86250 reaper 2020-08-20T20:59:44Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/530823#M109510 <P>When using 'user FQDN (email address)' identity, is it a real email that the system checks? Or is it just a text string?</P> Mon, 13 Feb 2023 05:30:07 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/530823#M109510 JimMcGrady 2023-02-13T05:30:07Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/1230184#M124406 <P>Hi, Have you tried with ikev2?</P> Tue, 27 May 2025 14:21:49 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ip-sec-pan-220-static-ip-to-cradlepoint-dynamic-ip/m-p/1230184#M124406 JosipMartinic 2025-05-27T14:21:49Z