https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256380#M72738 <P>Whatever firewall is the dynamic peer&nbsp;<STRONG><EM>needs</EM></STRONG> to be the initiator of the VPN tunnel and not the responder. Ensure that you don't have the "Enable Passive Mode" option checked.&nbsp;</P> Fri, 05 Apr 2019 20:07:06 GMT BPry 2019-04-05T20:07:06Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256167#M72677 <P>Hi all,&nbsp;<BR />I've just installed a PA 3220 and there're dynamics VPNs tunnel. IKEs are up. However,&nbsp; phase 2 (tunnel) aren't coming up.&nbsp;</P><P>&nbsp;</P><P>Looking at the logs I see the following logs for all VPNs .<BR />"initiate negotiation to dynamic peer from IKE gateway is not allowed"</P><P>&nbsp;</P><P>&nbsp;My outside interface is allowing IKE and IPSec, I don't see packets being dropped.</P> Thu, 04 Apr 2019 20:10:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256167#M72677 WRibeiro 2019-04-04T20:10:20Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256193#M72682 <P>Do you have any other logs?</P> Thu, 04 Apr 2019 21:10:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256193#M72682 Raido_Rattameister 2019-04-04T21:10:10Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256281#M72705 <P>&nbsp;</P><P>That's what I can see on the logs</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IKE Down.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19422iCB06487B5B00705F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="IKE Down.JPG" alt="IKE Down.JPG" /></span></P> Fri, 05 Apr 2019 10:35:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256281#M72705 WRibeiro 2019-04-05T10:35:03Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256380#M72738 <P>Whatever firewall is the dynamic peer&nbsp;<STRONG><EM>needs</EM></STRONG> to be the initiator of the VPN tunnel and not the responder. Ensure that you don't have the "Enable Passive Mode" option checked.&nbsp;</P> Fri, 05 Apr 2019 20:07:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/256380#M72738 BPry 2019-04-05T20:07:06Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/306646#M79653 <P>The Enable Passive Mode option should be checked on the non-dynamic addressed firewall <STRONG>and not</STRONG> on the dynamic remote firewalls?</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0</A></P><P>&nbsp;</P><P>"<SPAN>With&nbsp;this option enabled, the firewall responds to incoming connection negotiations as it would normally do, <STRONG>but it will no longer initiate outgoing negotiations.</STRONG> "</SPAN></P> Tue, 14 Jan 2020 14:00:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/306646#M79653 jeremy.larsen 2020-01-14T14:00:13Z https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/306653#M79654 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107910">@jeremy.larsen</a>,</P><P>Correct. On the non-dynamic firewall you want passive-mode enabled, and on the dynamic firewall you want to ensure that passive mode is not enabled. That will ensure that only the dynamic firewall is attempting to establish communication with the non-dynamic firewall, which works perfectly fine.&nbsp;</P> Tue, 14 Jan 2020 14:06:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-gateway-is-not-allowed/m-p/306653#M79654 BPry 2020-01-14T14:06:09Z