IPSec VPN Tunnel with Peer Having Dynamic IP Address

188836
Created On 09/25/18 17:41 PM - Last Modified 06/05/23 20:39 PM

Resolution

Topology

PA-Firewall A (10.129.70.38)  -----  Router (DHCP server) -------  (DHCP IP) PA-Firewall B

Configuration on PA-Firewall B

The interface on Firewall B obtains its IP address dynamically from the DHCP server (the router interface is configured as the DHCP server).

[Screenshot: Inter-Dyn.png]

IKE Gateway

[Screenshot: IKE-Dyn-1.png]

Note: In this example, the Local ID is specified as an FQDN (email address). However, any of the available identifier types can be used, as long as the same value is configured on the peer end. This is an important setting, because it is the only way for the static peer to identify the dynamic gateway.

[Screenshot: IKE-Dyn-2.png]

Note: Since Firewall B has the dynamic IP address, it must initiate the VPN tunnel each time. Hence, do not select "Enable Passive Mode."

IPSec Configuration

[Screenshot: IPSEC-Dyn-1.png]

[Screenshot: IPSEC_Dyn-2.png]

Configuration on PA-Firewall A

IKE Gateway

[Screenshot: Ike-Static-1.png]

Note: The Peer Identification on the static peer must match the Local Identification configured on the dynamic peer. Also, "Peer IP Type" is set to dynamic here because the IP address on the other end is not known in advance.

[Screenshot: IKE-static-2.png]

Note: Since this is the static peer and it does not know the IP address of the dynamic end, it cannot initiate the VPN. Hence, the "Enable Passive Mode" option is selected.

IPSec Configuration

[Screenshot: IPSEC-static-1.png]

[Screenshot: IPSEC_static-2.png]

Initially, while the tunnel is down, an ipsec-esp session appears with destination 0.0.0.0, because the peer IP address is not yet known.

admin@PA-Firewall-A> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1 ipsec-esp ACTIVE TUNN 10.129.72.38[0]/L3-Trust/50 (10.129.72.38[0])
vsys1 0.0.0.0[0]/L3-Untrust (0.0.0.0[0])

Note: L3-Trust is the zone of the tunnel interface and L3-Untrust is the external interface.

As soon as the tunnel comes up, this is replaced with the actual IP address of the dynamic peer:

admin@PA-Firewall-A> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
11 ipsec-esp ACTIVE TUNN 10.129.72.38[53613]/L3-Trust/50 (10.129.72.38[61655])
vsys1 1.1.1.5[12024]/L3-Untrust (1.1.1.5[43745])
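The following Python is an added example, not part of the original article: it parses the two-line session records shown above and reports, for each ipsec-esp session, whether the static peer is still waiting for the dynamic peer (destination 0.0.0.0) or has learned its address, which is a handy check to script against the CLI output when a tunnel never comes up. The sample records are constructed from the output above.

```python
import re

# Constructed samples reproducing the two-line 'show session all' records shown
# above: one with the tunnel down (destination 0.0.0.0), one after it came up.
SESSIONS_DOWN = """\
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1 ipsec-esp ACTIVE TUNN 10.129.72.38[0]/L3-Trust/50 (10.129.72.38[0])
vsys1 0.0.0.0[0]/L3-Untrust (0.0.0.0[0])
"""
SESSIONS_UP = """\
11 ipsec-esp ACTIVE TUNN 10.129.72.38[53613]/L3-Trust/50 (10.129.72.38[61655])
vsys1 1.1.1.5[12024]/L3-Untrust (1.1.1.5[43745])
"""

# IP[port]/Zone with an optional trailing /protocol (present on the Src side only).
ENDPOINT = re.compile(r"^(?P<ip>[\d.]+)\[(?P<port>\d+)\]/(?P<zone>[^/\s]+)(?:/(?P<proto>\d+))?$")

def parse_sessions(text):
    """Return one dict per session from 'show session all' output.
    A record spans two lines: ID App State Type [Flag] Src..., then Vsys Dst...;
    header and separator lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sessions, i = [], 0
    while i < len(lines):
        tokens = lines[i].split()
        # A record starts with a numeric session ID and must have its Dst line.
        if not tokens[0].isdigit() or i + 1 >= len(lines):
            i += 1
            continue
        # The Flag column may be empty, so locate Src by its '[port]' marker.
        src = ENDPOINT.match(next(t for t in tokens[4:] if "[" in t))
        vsys, dst_tok = lines[i + 1].split()[:2]
        dst = ENDPOINT.match(dst_tok)
        sessions.append({
            "id": int(tokens[0]), "app": tokens[1], "state": tokens[2],
            "src": src["ip"], "src_zone": src["zone"],
            "proto": int(src["proto"]) if src["proto"] else None,
            "vsys": vsys, "dst": dst["ip"], "dst_zone": dst["zone"],
        })
        i += 2
    return sessions

def esp_tunnel_status(text):
    """Map each ipsec-esp session ID to 'waiting' while the destination is still
    0.0.0.0 (dynamic peer unknown) or 'up:<peer-ip>' once its address is learned."""
    return {s["id"]: ("waiting" if s["dst"] == "0.0.0.0" else f"up:{s['dst']}")
            for s in parse_sessions(text) if s["app"] == "ipsec-esp"}
```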
