<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Configuring Site-to-Site VPN between two PAs in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259652#M73610</link>
    <description>&lt;P&gt;There ended up being two issues. We had the static routes configured wrong (the next hop for the default 0.0.0.0/0 route was incorrect). We found the correct one by using the command "show arp all", or by doing a traceroute to the peer IP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The other issue was that we still have an existing firewall on the network that was blocking IPSec VPN traffic. I corrected the routes and disabled the filters in our firewall and the tunnel now works as expected.&lt;/P&gt;</description>
    <pubDate>Thu, 02 May 2019 17:14:37 GMT</pubDate>
    <dc:creator>CoreyS</dc:creator>
    <dc:date>2019-05-02T17:14:37Z</dc:date>
    <item>
      <title>Configuring Site-to-Site VPN between two PAs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259441#M73571</link>
      <description>&lt;P&gt;We recently purchased a PA850 and PA220 to use at two different locations and want to set up a tunnel between the two devices. I am unable to successfully get connectivity between them. I am trying to follow this guide (&lt;A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-routing.html#" target="_blank" rel="noopener"&gt;Site-to-Site VPN with Static Routing&lt;/A&gt;), but I'm not sure if the problem is in my configuration or the physical hardware connections I have set up.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Both devices are on stock 9.0.1 with completely fresh/out-of-box defaults aside from the MGT interface and admin login.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Physically, the PA850 has an ethernet cable connected from ethernet1/3 to a switch and is configured with the IP 198.X.Y.5.&lt;/P&gt;&lt;P&gt;The PA220 has an ethernet cable connected from ethernet1/3 to an ISP router that is completely separate from the network of the 850. It is configured with the IP 97.X.Y.34. I can ping both interfaces from anywhere, so I know they are reachable over the internet.&lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2019 17:10:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259441#M73571</guid>
      <dc:creator>CoreyS</dc:creator>
      <dc:date>2019-05-02T17:10:50Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Site-to-Site VPN between two PAs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259480#M73574</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110891"&gt;@CoreyS&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you have networks behind the firewalls, where you want to have them connected over the VPN tunnel?&lt;/P&gt;&lt;P&gt;The problem in your configuration is that you route the peer IPs to the tunnel interfaces. This way the firewalls try to reach these IPs over an interface which has no connection at that time (the VPN connection is not established). The firewalls need to connect to the peer IPs over the internet and not over the tunnel. When the tunnel is established then you can have connections between the internal networks over the tunnel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Wed, 01 May 2019 20:32:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259480#M73574</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2019-05-01T20:32:23Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Site-to-Site VPN between two PAs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259652#M73610</link>
      <description>&lt;P&gt;There ended up being two issues. We had the static routes configured wrong (the next hop for the default 0.0.0.0/0 route was incorrect). We found the correct one by using the command "show arp all", or by doing a traceroute to the peer IP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The other issue was that we still have an existing firewall on the network that was blocking IPSec VPN traffic. I corrected the routes and disabled the filters in our firewall and the tunnel now works as expected.&lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2019 17:14:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-site-to-site-vpn-between-two-pas/m-p/259652#M73610</guid>
      <dc:creator>CoreyS</dc:creator>
      <dc:date>2019-05-02T17:14:37Z</dc:date>
    </item>
  </channel>
</rss>

