IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

L3 Networker

Hi There,

I was migrating a configuration from Juniper to PA; everything worked as expected except IPSEC VPN.

The customer has two sites, and both sites have ADSL connections with dynamic IP addresses; however, on one end Dyn DNS is used. In the example below, Site-A has Dyn DNS and www.vpn.com gets updated as soon as the IP changes on Site-A. But on PA there is no option to configure an FQDN for a static peer, only an IP address. On Juniper, however, you can select the peer as Static and configure an IP/FQDN: even though the peer is dynamic, you can select it as static and configure the FQDN "www.vpn.com", and Site-B fires up the IPSEC VPN traffic and it works like a charm.

[Attachment: IPSEC VPN.PNG]

Below is the example where you can configure an FQDN on Juniper. I was wondering whether PA has any plan to allow both IP and FQDN if you select the peer type as Static, like Juniper.

[Attachment: IPSEC VPN2.PNG]

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

In a Palo Alto firewall, if you are using a dynamic IP, please select as below; then you can establish a site-to-site VPN.

[Attachment: vpn.PNG]

L5 Sessionator

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

That could work. But you need to make sure the other side uses FQDN for phase 1 identification. From that Juniper screenshot, the FQDN is used only for getting the IP for transport, while the peer ID is left empty.

L6 Presenter

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi,

Agreed with the comments above. Make sure PA can resolve the FQDN of the peer (bi-directional). DDNS has to be configured for both peers.

L3 Networker

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi,

I configured peer identification as FQDN, but PA does not fire up the IPSEC VPN. I enabled debug for ikemgr.log and could see "can't initiate IPSEC VPN for Dynamic peer".

L6 Presenter

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi,

Post the IKE Gateway config and logs from both devices if possible.

Can you resolve the FQDN for the remote peer? Can the peer resolve yours? Can you reach the peer with a simple ping? How about your security policies? Do you have IPSEC traffic permitted on the untrust interface (same-zone traffic, untrust > untrust)? (You can enable a management profile on the outside interface for the test.)

Thx,

Myky

L7 Applicator

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

You likely have a configuration error on the IKE gateway; I assume that the security policy to allow the traffic has already been generated on both devices. To clarify, this connection is between two Palo Alto devices, right? It isn't a Palo Alto to something else?

L3 Networker

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi,

Yes, I can resolve the FQDN of the peer. I can reach the peer (ping source X.X.X.X host www.xyz.com).

I don't see any traffic reaching the remote peer.

A security policy has been configured on both ends to allow IPSEC traffic.

L6 Presenter

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi,

What is on the remote side (device)? Logs will help. Also, who is the initiator of the tunnel? Best to check the responder-side logs.

Can you provide the logs?

Thx,

Myky

L3 Networker

Re: IPSEC VPN support for both sides as Dynamic, Supported on Juniper but not on PA

Hi All,

Got confirmation from PA TAC that the tunnel can't be established if both peers are DYNAMIC; one end has to be static.

But it is supported on Juniper, hence I will raise a feature request for this.

Thank you for your help.
