I have an IPSec tunnel up and running with no issues using a staic IP for the peer in the IKE gateway, but it won't work when I set it to Dynamic and use the FQDN (hostname).
When I ping from the command line it translates to the correct IP, and replies with no issue, but the tunnel will not come up.
Are there some FQDN or DNS settings I need to change or is there a way to verify it works? Or am I putting the FQDN in using an incorrect format? ( name.domain.com )
Solved! Go to Solution.
Has "local/peer identification" been configured on the peer device with the matching confgiuration?
What error messages do you see in the system logs when attempting to use FQDN?
Hi, thanks for helping.
The other side is configured and working when I use the staic IP, but not when I use FQDN. That's the only change.
And the logs say "ikev2 ike sa negotiation is failed as initiator non-rekey"
When you say you "use FQDN" please confirm if you you have an FQDN in the "local/peer identifdication"? of the IKE gateway? If yes: local/peer identification will need to be configured on peer end.
If it does not work after configuring this, could you ascertain detailed logs from:
>tail follow yes mp-log ikemgr.log
You do not mention it specifically in your question, but take note - only one side of an IPSEC tunnel can be dynamic.
I think your issue is what @LukeBullimore is getting at. When you configure the initiator or the responder to use FQDN in the peer identification it really doesn't matter what you put here as long as it matches. I can configure the Peer Identification as FQDN with the value 'SEN19' on my responder as long as my initiator has the local identification as FQDN and matches 'SEN19'. If these values don't match this will fail. The FQDN you enter doesn't matter at all, as long as the configured FQDN value matches on either end it doesn't need to resolve to anything or be the actual hostname of the device.
On the IKE Gateway I've selcted Peer Type Dynamic, and the Peer Identification as FQDN (Houstname) Name.Domain.Com.
Is there somewhere else I need to enter the FQDN on the Palo Alto, or do I need to make a change on the peer device?
The peer device needs to have it's local identification set as FQDN as Name.Domain.Com.
Essentially how it works is one will have the Local Identification set as FQDN with whatever FQDN value you are setting, then the peer to that would need the Peer Identification set as FQDN with whatever FQDN value you setup above. These values must match.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!