I was migrating configuration from Juniper to PA; everything worked as expected except the IPSEC VPN.
The customer has two sites, and both sites have ADSL connections with dynamic IP addresses; however, on one end Dyn DNS is used. In the example below, Site-A has Dyn DNS and www.vpn.com gets updated as soon as the IP changes on Site-A. But on PA there is no option to configure an FQDN for a static peer, only an IP address. On Juniper, however, you can select the peer as Static and configure an IP/FQDN; even though the peer is dynamic, you can select it as static, configure the FQDN "www.vpn.com", and Site-B fires up the IPSEC VPN traffic and it works like a charm.
Below is an example of where you can configure an FQDN on Juniper. I was wondering whether PA has any plan to allow both IP and FQDN when you select the peer type as Static, like Juniper.
In a Palo Alto firewall, if you are using a dynamic IP, please select as below; then you can establish a site-to-site VPN.
That could work, but you need to make sure the other side uses FQDN for phase 1 identification. In that Juniper screenshot the FQDN is used only for resolving the IP for transport, while the peer ID is left empty.
Agreed with the comments above. Make sure PA can resolve the FQDN of the peer (bi-directionally). DDNS has to be configured for both peers.
I configured peer identification as FQDN, but PA does not fire up the IPSEC VPN. I enabled debug for ikemgr.log and could see "can't initiate IPSEC VPN for Dynamic peer".
Post the IKE Gateway config and logs from both devices if possible.
Can you resolve the FQDN of the remote peer? Can the peer resolve yours? Can you reach the peer with a simple ping? How about your security policies: do you have IPSEC traffic permitted on the untrust interface (same-zone traffic, untrust > untrust)? (You can enable a management profile on the outside interface for the test.)
You likely have a configuration error on the IKE gateway; I assume that the security policy to allow the traffic has already been created on both devices. To clarify, this connection is between two Palo Alto devices, right? It isn't a Palo Alto to something else?
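The resolution checks asked about above (does each side resolve the other's DDNS name, and does it resolve to the current public WAN address) can be scripted so they are run from both peers before touching the IKE gateway again. This is an added example, not code from the original thread or from Palo Alto Networks; the peer names, the expected addresses and the `resolve` hook are constructed placeholders. It also flags two failure modes worth knowing about on ADSL links: a DDNS client that registered an inside (RFC 1918) address, and an ISP that hands out CGNAT (100.64.0.0/10) addresses, neither of which can receive inbound IKE.

```python
import ipaddress
import socket

# Constructed peer table (placeholder values): each side's DDNS name and the
# WAN address the operator expects it to resolve to right now.
PEERS = {
    "site-a.ddns.example": "198.51.100.10",
    "site-b.ddns.example": "203.0.113.25",
}

# Address ranges that can never be an IKE peer's reachable transport address.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # ISP carrier-grade NAT pool
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def check_peer(fqdn: str, expected_ip: str, resolve=socket.gethostbyname):
    """Resolve one peer FQDN and classify the answer.

    Returns (status, detail):
      'ok'        resolves to the expected public address
      'nxdomain'  name does not resolve at all (DDNS record missing)
      'private'   resolves to an RFC 1918 / CGNAT / loopback address, i.e.
                  the DDNS client registered an inside address
      'stale'     resolves to a different public address, i.e. the DDNS
                  record has not caught up with the current WAN IP
    `resolve` is a hook so the check can be run against a fixed table.
    """
    try:
        ip = resolve(fqdn)
    except OSError as exc:
        return "nxdomain", str(exc)
    if is_non_routable(ip):
        return "private", ip
    if ip != expected_ip:
        return "stale", ip
    return "ok", ip


def check_all(peers: dict, resolve=socket.gethostbyname) -> dict:
    """Run check_peer over every peer; returns {fqdn: (status, detail)}."""
    return {fqdn: check_peer(fqdn, exp, resolve) for fqdn, exp in peers.items()}


def all_ok(results: dict) -> bool:
    """True only if every peer resolved to its expected public address."""
    return all(status == "ok" for status, _ in results.values())


if __name__ == "__main__":
    # Run from each firewall's management host (or any box using the same DNS
    # the firewall uses), so both directions get checked.
    for fqdn, (status, detail) in check_all(PEERS).items():
        print(f"{fqdn:28} {status:9} {detail}")
```

Run it from a host that uses the same DNS servers as each firewall, since a name that resolves on your laptop but not via the firewall's configured DNS is exactly the kind of one-directional failure the thread is asking about.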
Yes, I can resolve the FQDN of the peer. I can reach the peer (ping source X.X.X.X host www.xyz.com).
I don't see any traffic reaching the remote peer.
A security policy has been configured on both ends to allow IPSEC traffic.
What is on the remote side (device)? Logs will help. Also, who is the initiator of the tunnel? It is best to check the responder-side logs.
Can you provide the logs?
Got confirmation from PA TAC that the tunnel can't be established if both peers are DYNAMIC; one end has to be static.
But it is supported on Juniper, hence I will raise a feature request for this.
Thank you for your help.