Question regarding site to site VPN

sfisher899 — Tue, 21 Feb 2012 09:50:33 GMT

Hello,

I hope you may be able to help. I am a little confused regarding the site-to-site VPN tunnel configuration (remote end will be a Cisco PIX).

Best regards

Stephen

I get the following error when attempting to commit using PANOS 4.0

Details
·
·
·
Commit failed (Module: device) Error: tunnel configuration error :
· Error: tunnel VPN-tunnel-BVB: invalid peer IP address

The local gateway IP is 199.55.55.1. The remote network is 172.31.31.0/24. Why I am getting the above ?

Configuration.

Define the IKE crypto profile (step 1)

Network>network profiles>IKE Crypto

Name: name of profile

 VPN-Crypto-BVB

DH group: Diff-Hellman group

 Group 2

Encryption: Encryption

 aes-256

Authentication: Authentication

 sha256

Lifetime: VPN keepalive 1 day/24 hours/1440 minutes/86400 seconds :

 hours 24

Define the IPSEC crypto profile (step 2)

Network>network profiles>IPSEC Crypto

Name: name of profile

 VPN-IPSECCrypto-BVB

IPSEC protocol: ESP/AH

 ESP

Encryption: Encryption

 aes-256

DH group: Diff-Hellman group

 Group 2

Lifetime: VPN keepalive 1 day/24 hours/1440 minutes/86400 seconds :

 hours 24

Authentication: Authentication

 sha256

Lifesize: VPN capacity bytes/kb/mb :

 KB 4500

Define the IKE gateway (step 3)

Network>network profiles>IKE gateways

Name: name of gateway

 VPN-GW-BVB 199.55.55.1/32 (ip address of Palo-Alto ae3.400 outside interface) 172.31.31.1/32 (test address of the PIX)

Define the IPSEC tunnel (step 4)

Network>IPSEC tunnels

Name: Name of tunnel

 VPN-tunnel-BVB tunnel.1 auto-key VPN-GW-BVB (from step 3)

Define the remote network (step 5)

Objects>addresses

Name: VPN-net-BVB

SHARED

Description: VPN BVB destination network

IP netmask: 172.31.31.0/24

Define the remote peer (step 6)

Objects>addresses

Name: VPN-peer-BVB

SHARED

Description: VPN BVB destination peer

IP netmask: 172.31.31.1/32

Define the static route for LDMZ to external (step 7)

Network>Virtual routers

Name: Name of router

 RTVTLOUT test network behind test PIX) RTVTOUT

Define the static route for external to internet (step 😎

Network>Virtual routers

Name: Name of router

 RTVTOUT test network behind test PIX)

Policies>security (step 9)

Virtual system: FWOUTLDMZ

Name: VPN-rule1-BVB

Desc: Test rule for BVB configuration

Source: source zone

LDMZ

Destination: destination zone

LOUT

Address　: VPN-net-BVB (from step 5)

Statics routes: ADD

Name: VPN-route-BVB

Destination: 172.31.31.0/24

Interface: tunnel.1

Next hop: ip address > 172.31.31.1/32

Statics routes: ADD

Name: VPN-route2-BVB

Destination: 172.31.31.0/24

Interface: ae3.400

Next hop: Next VR

Tunnel interface: ascending unique number of tunnel interface

Type: automatic of manual key

IKE gateway: Name of gateway

IPSEC crypto profile: VPN-IPSECCrypto-BVB (from step 2)

Click Ok

Virtual router: RTVOUT01

Virtual system: FWOUTDMZ

Security zone: LOUT

Local ip: the local ip address of the VPN tunnel

Peer ip: the remote peer ip address of the VPN tunnel

Presharedkey: vpntestkey

CLICK SHOW ADVANCED PHASE 1 OPTIONS

Exchange mode: aggressive

IKE crypto profile: VPN-Crypto-BVB (from step 1)

Re: Question regarding site to site VPN

ncampagna — Wed, 22 Feb 2012 16:38:33 GMT

Hi Stephen,

It's a bit tough to read your configuration in this format. Could you please paste in the CLI output? I think the issue is that you're using 172.31.31.0/24 as an IP address. .0 isn't a legal address so the commit is failing. I'll be able to confirm if you can paste in the IKE gateway configuration and the IPSec tunnel configuration.

Thanks,

Nick Campagna

Product Management

Re: Question regarding site to site VPN

ncampagna — Thu, 21 Jun 2012 16:32:07 GMT

Stephen,

Were you able to resolve this issue?

Thanks,

Nick

topic Question regarding site to site VPN in General Topics

Question regarding site to site VPN

Re: Question regarding site to site VPN

Re: Question regarding site to site VPN