https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1732#M1282 <HTML><HEAD></HEAD><BODY><P>There is a project,that Paloalto and checkpoint vpn.Paloalto is static address ,checkpoint is pppoe ,dynamic address.who had do this , can you give me some document ?</P></BODY></HTML> Fri, 07 Mar 2014 09:52:40 GMT ChuanhouLei 2014-03-07T09:52:40Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1732#M1282 <HTML><HEAD></HEAD><BODY><P>There is a project,that Paloalto and checkpoint vpn.Paloalto is static address ,checkpoint is pppoe ,dynamic address.who had do this , can you give me some document ?</P></BODY></HTML> Fri, 07 Mar 2014 09:52:40 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1732#M1282 ChuanhouLei 2014-03-07T09:52:40Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1733#M1283 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Here is an example of IPSec VPN between PAN and CISCO, where Palo Alto FW is having a static IP address and other side is having a dynamic IP address.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4791">VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Address</A></P><P></P><P>You have to configure the IPSec tunnel in aggressive mode, and the dynamic-side (checkpoint) should be the initiator always. <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>PAN should be enable for passive mode-responder). In aggressive mode, the peer will be identified by its hostname/email-address/common IP address etc. </P><P></P><P>Example:</P><P></P><P><IMG alt="Dynamic-vpn.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12027_Dynamic-vpn.JPG.jpg" /></P><P>Thanks</P></BODY></HTML> Fri, 07 Mar 2014 17:10:10 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1733#M1283 HULK 2014-03-07T17:10:10Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1734#M1284 <HTML><HEAD></HEAD><BODY><P>Thanks</P><P>The cisco router can use this command "self-identity user-fqdn " ,is it must to set ?</P><P>the checkpoint utm-1 edge can't set this .I use hostname but doesn't work.</P></BODY></HTML> Fri, 14 Mar 2014 03:54:18 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1734#M1284 ChuanhouLei 2014-03-14T03:54:18Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1735#M1285 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can select as "IP address" and put the local and remote interface IP address. This is just to verify the identity, hence you can put any IP address. Only keep in mind, the Local address here will the remote address for peer and vice versa. </P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Mar 2014 04:21:33 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1735#M1285 HULK 2014-03-14T04:21:33Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1736#M1286 <HTML><HEAD></HEAD><BODY><P>this is my configuration . what's wrong with this ? When I change it to "static",and input peer ip ,it's ok.</P><P>The peer device is checkpoint utm-1 edge ,&nbsp; The UTM-1 Edge does not support Aggressive mode in Phase 1. </P><P><IMG alt="phase1_1.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12141_phase1_1.JPG.jpg" style="width: 620px; height: 399px;" /></P><P><IMG alt="phaes1_2.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12142_phaes1_2.JPG.jpg" /></P><P><IMG alt="log.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12146_log.JPG.jpg" /></P></BODY></HTML> Sat, 15 Mar 2014 09:54:23 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1736#M1286 ChuanhouLei 2014-03-15T09:54:23Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1737#M1287 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Are You sure that cp-test (as a FQDN)&nbsp; is a really FQDN address and resolvable by PA and Chekpoint?</P><P>Try to ping that address from CLI</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Sat, 15 Mar 2014 10:24:05 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1737#M1287 _slv_ 2014-03-15T10:24:05Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1738#M1288 <HTML><HEAD></HEAD><BODY><DIV><P>I can't resolve the hostname(cp-test) via dns.</P><P>is there have some method without dns?the peer is dynamic address</P><P>thanks!</P></DIV></BODY></HTML> Sat, 15 Mar 2014 10:33:20 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1738#M1288 ChuanhouLei 2014-03-15T10:33:20Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1739#M1289 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Hulk give You document, please follow it but use public IP (not 192.168.x.x) and some kind of service like DynDNS to map dynamic IP to constant FQDN address.</P><P></P><P>Hope this help</P><P></P><P>SLawek</P></BODY></HTML> Sat, 15 Mar 2014 10:44:32 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1739#M1289 _slv_ 2014-03-15T10:44:32Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1740#M1290 <HTML><HEAD></HEAD><BODY><DIV><P>192.168 is my test ip. if the paloalto and checkpoint use static ip address,i can do that, and vpn connect is ok.but now the checkpoint use dynamic ip address ,i can't do it.the checkpoint edge firewall not support aggressive mode vpn,fqdn need dynamic dns support.</P></DIV></BODY></HTML> Sat, 15 Mar 2014 14:00:47 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1740#M1290 ChuanhouLei 2014-03-15T14:00:47Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1741#M1291 <HTML><HEAD></HEAD><BODY><P>As per my understanding, once you will select Peer type: dynamic, the firewall will prepare a negotiation in Aggressive mode. As you said before, t<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">he UTM-1 Edge does not support Aggressive mode, it could be a problem here.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Could you please check "ikemgr.log" for detail information. </SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks<BR /></SPAN></P></BODY></HTML> Sat, 15 Mar 2014 17:37:57 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1741#M1291 HULK 2014-03-15T17:37:57Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1742#M1292 <HTML><HEAD></HEAD><BODY><P>2014-03-17 19:24:39 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:41 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:43 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:46 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:48 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:51 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:56 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:24:59 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:25:03 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P><P>2014-03-17 19:25:07 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].</P></BODY></HTML> Mon, 17 Mar 2014 11:49:14 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-checkpoint-dynamic-address-vpn/m-p/1742#M1292 ChuanhouLei 2014-03-17T11:49:14Z