There is a project for a VPN between a Palo Alto and a Checkpoint. The Palo Alto has a static address; the Checkpoint is on PPPoE with a dynamic address. Who has done this? Can you give me some documents?
Here is an example of an IPSec VPN between PAN and Cisco, where the Palo Alto FW has a static IP address and the other side has a dynamic IP address.
You have to configure the IPSec tunnel in aggressive mode, and the dynamic side (Checkpoint) should always be the initiator (PAN should be enabled for passive mode, i.e. responder). In aggressive mode, the peer is identified by its hostname, email address, common IP address, etc.
The Cisco router can use the command "self-identity user-fqdn"; is it a must to set this?
The Checkpoint UTM-1 Edge can't set this. I use a hostname, but it doesn't work.
You can select "IP address" and put the local and remote interface IP addresses. This is just to verify the identity, hence you can put any IP address. Only keep in mind that the local address here will be the remote address for the peer and vice versa.
This is my configuration. What's wrong with it? When I change it to "static" and input the peer IP, it's OK.
The peer device is a Checkpoint UTM-1 Edge. The UTM-1 Edge does not support aggressive mode in Phase 1.
Are you sure that cp-test (as an FQDN) is really an FQDN address and resolvable by the PA and the Checkpoint?
Try to ping that address from the CLI.
Hulk gave you a document; please follow it, but use a public IP (not 192.168.x.x) and some kind of service like DynDNS to map the dynamic IP to a constant FQDN address.
Hope this helps.
192.168 is my test IP. If the Palo Alto and the Checkpoint use static IP addresses, I can do that, and the VPN connection is OK. But now the Checkpoint uses a dynamic IP address, and I can't do it. The Checkpoint Edge firewall does not support aggressive mode VPN, and FQDN needs dynamic DNS support.
As per my understanding, once you select Peer type: dynamic, the firewall will prepare a negotiation in aggressive mode. As you said before, the UTM-1 Edge does not support aggressive mode, so it could be the problem here.
Could you please check "ikemgr.log" for detailed information.
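The replies above state three constraints for this setup: a dynamic-address peer forces aggressive mode, the dynamic side must be the initiator while the static side stays passive, and each side's local ID must equal what the other side expects as its peer ID. The following is an added Python model of those constraints, not code from this thread or from Palo Alto Networks; the device profiles and the "pan" / "cp-test" identity strings are constructed assumptions used to reproduce the thread's UTM-1 Edge case next to a peer that does support aggressive mode.

```python
"""Constructed model of the IKE phase-1 constraints discussed in the thread.

It encodes only what the posts state (aggressive mode for a dynamic peer, the
dynamic side initiates, mirrored local/peer IDs). The device profiles below are
constructed sample data, not vendor defaults or real device capabilities.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Peer:
    name: str
    address: str              # "static" or "dynamic" (e.g. PPPoE)
    supports_aggressive: bool  # can this device negotiate aggressive mode?
    local_id: str             # identity this side presents in phase 1
    peer_id: str              # identity it expects from the other side
    initiator: bool           # whether this side starts the negotiation


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return the problems found for a pair of peers; empty means consistent."""
    problems: List[str] = []
    dynamic = [p for p in (a, b) if p.address == "dynamic"]

    if dynamic:
        # Thread: a dynamic peer type means the negotiation runs in aggressive mode,
        # so both ends must support it (the UTM-1 Edge in the thread does not).
        for p in (a, b):
            if not p.supports_aggressive:
                problems.append(
                    f"{p.name} does not support aggressive mode, which is needed "
                    f"when a peer has a dynamic address")
        # Thread: the dynamic side must always initiate; the static side is passive.
        for p in dynamic:
            if not p.initiator:
                problems.append(f"{p.name} has a dynamic address and must initiate")
        for p in (a, b):
            if p.address == "static" and p.initiator:
                problems.append(f"{p.name} is static and should be passive (responder)")

    # Thread: my local ID is the other side's remote/peer ID and vice versa.
    if a.local_id != b.peer_id:
        problems.append(
            f"{b.name} expects peer ID {b.peer_id!r} but {a.name} sends {a.local_id!r}")
    if b.local_id != a.peer_id:
        problems.append(
            f"{a.name} expects peer ID {a.peer_id!r} but {b.name} sends {b.local_id!r}")
    return problems


# Constructed profiles (assumptions, not measured capabilities).
PAN = Peer("PAN", "static", True, "pan", "cp-test", initiator=False)
UTM1_EDGE = Peer("UTM-1 Edge", "dynamic", False, "cp-test", "pan", initiator=True)
AGGRESSIVE_PEER = Peer("Cisco-like peer", "dynamic", True, "cp-test", "pan", initiator=True)
MISMATCHED_PEER = Peer("Mistyped peer", "dynamic", True, "cp-tset", "pan", initiator=True)


def thread_scenario() -> List[str]:
    """The situation in the thread: static PAN against a dynamic UTM-1 Edge."""
    return check_pair(PAN, UTM1_EDGE)


def working_scenario() -> List[str]:
    """Same layout, but the dynamic peer supports aggressive mode and IDs mirror."""
    return check_pair(PAN, AGGRESSIVE_PEER)


def mismatched_id_scenario() -> List[str]:
    """Aggressive mode is fine, but the dynamic side presents a mistyped local ID."""
    return check_pair(PAN, MISMATCHED_PEER)


if __name__ == "__main__":
    for label, findings in (("thread", thread_scenario()),
                            ("working", working_scenario()),
                            ("mismatched id", mismatched_id_scenario())):
        print(f"{label}: {findings or 'no problems found'}")
```

Running it prints one finding for the thread's own case (the dynamic peer lacks aggressive mode), none for a dynamic peer that supports it, and an ID-mirror finding when the local ID on one side does not match the peer ID configured on the other, which is the first thing worth confirming before looking further into ikemgr.log.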