Paloalto and Checkpoint dynamic address vpn

Not applicable

There is a project that involves a Palo Alto and Checkpoint VPN. The Palo Alto has a static address; the Checkpoint is on PPPoE with a dynamic address. Who has done this? Can you give me some documentation?

L7 Applicator

Re: Paloalto and Checkpoint dynamic address vpn

Hello Sir,

Here is an example of an IPSec VPN between PAN and Cisco, where the Palo Alto FW has a static IP address and the other side has a dynamic IP address.

VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Ad...

You have to configure the IPSec tunnel in aggressive mode, and the dynamic side (Checkpoint) should always be the initiator (PAN should be enabled for passive mode, as responder). In aggressive mode, the peer will be identified by its hostname/email address/common IP address, etc.

Example:

[Attached screenshot: Dynamic-vpn.JPG]

Thanks

Not applicable

Re: Paloalto and Checkpoint dynamic address vpn

Thanks

The Cisco router can use this command "self-identity user-fqdn". Is it a must to set it?

The Checkpoint UTM-1 Edge can't set this. I use hostname, but it doesn't work.

L7 Applicator

Re: Paloalto and Checkpoint dynamic address vpn

Hello,

You can select "IP address" and put the local and remote interface IP addresses. This is just to verify the identity, hence you can put any IP address. Only keep in mind that the local address here will be the remote address for the peer, and vice versa.

Thanks
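The setup described in the two replies above, as an added example that is not from the original thread or from Palo Alto Networks: the PAN side configured as a passive responder in IKEv1 aggressive mode with a dynamic peer, with both sides identified by ID rather than by peer address. The gateway name, interface, crypto profile, IDs and the pre-shared key are assumptions; the command syntax follows the PAN-OS `set network ike gateway` CLI and should be checked against the running PAN-OS version.

```text
# Assumed gateway name "ike-gw-dyn" on assumed interface ethernet1/1 (the static side).
set network ike gateway ike-gw-dyn local-address interface ethernet1/1

# Peer address is unknown in advance (PPPoE), so the peer is "dynamic".
set network ike gateway ike-gw-dyn peer-address dynamic

# Dynamic peers need aggressive mode in IKEv1; main mode cannot identify
# the peer before the IP address is known.
set network ike gateway ike-gw-dyn protocol ikev1 exchange-mode aggressive
set network ike gateway ike-gw-dyn protocol ikev1 ike-crypto-profile default

# PAN only responds; the dynamic side must always initiate.
set network ike gateway ike-gw-dyn protocol-common passive-mode yes

# Identities are matched by value, not resolved by DNS, so they do not
# need to be resolvable names. What is "local-id" here must be entered
# as the remote/peer ID on the Checkpoint side, and vice versa.
set network ike gateway ike-gw-dyn local-id type fqdn id pa.example.com
set network ike gateway ike-gw-dyn peer-id type fqdn id cp-test

# Placeholder PSK; use a long random secret in a real deployment.
set network ike gateway ike-gw-dyn authentication pre-shared-key key PSK-PLACEHOLDER
```

The thread's peer, a UTM-1 Edge, does not support aggressive mode, so this PAN-side configuration cannot by itself make that particular pairing work; it shows what the static side needs for any dynamic peer that does support it.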

Not applicable

Re: Paloalto and Checkpoint dynamic address vpn

This is my configuration. What's wrong with it? When I change it to "static" and input the peer IP, it's OK.

The peer device is a Checkpoint UTM-1 Edge. The UTM-1 Edge does not support aggressive mode in Phase 1.

[Attached screenshot: phase1_1.JPG]

[Attached screenshot: phase1_2.JPG]

[Attached screenshot: log.JPG]

L4 Transporter

Re: Paloalto and Checkpoint dynamic address vpn

Hi

Are you sure that cp-test (as an FQDN) is really an FQDN address and resolvable by the PA and Checkpoint?

Try to ping that address from the CLI.

Regards

SLawek

Not applicable

Re: Paloalto and Checkpoint dynamic address vpn

I can't resolve the hostname (cp-test) via DNS.

Is there some method without DNS? The peer is a dynamic address.

Thanks!

L4 Transporter

Re: Paloalto and Checkpoint dynamic address vpn

Hi

Hulk gave you a document; please follow it, but use a public IP (not 192.168.x.x) and some kind of service like DynDNS to map the dynamic IP to a constant FQDN address.

Hope this helps

SLawek

Not applicable

Re: Paloalto and Checkpoint dynamic address vpn

192.168 is my test IP. If the Palo Alto and Checkpoint use static IP addresses, I can do that, and the VPN connects OK. But now the Checkpoint uses a dynamic IP address, and I can't do it. The Checkpoint Edge firewall does not support aggressive mode VPN, and FQDN needs dynamic DNS support.

L7 Applicator

Re: Paloalto and Checkpoint dynamic address vpn

As per my understanding, once you select Peer type: dynamic, the firewall will prepare a negotiation in aggressive mode. As you said before, the UTM-1 Edge does not support aggressive mode; that could be the problem here.

Could you please check "ikemgr.log" for detailed information.

Thanks
