Question regarding site to site VPN

Reply
Highlighted
Not applicable

Question regarding site to site VPN

Hello,

I hope you may be able to help. I am a little confused regarding the site-to-site VPN tunnel configuration (remote end will be a Cisco PIX).

Best regards

Stephen

I get the following error when attempting to commit using PANOS 4.0

Details

·

·

·

Commit failed
(Module: device)
Error: tunnel configuration error
:
· Error: tunnel VPN-tunnel-BVB: invalid peer IP address

The local gateway IP is 199.55.55.1. The remote network is 172.31.31.0/24. Why I am getting the above ?

Configuration.

Define the IKE crypto profile (step 1)

Network>network profiles>IKE Crypto

Name: name of profile

VPN-Crypto-BVB

DH group: Diff-Hellman group

Group 2

Encryption: Encryption

aes-256

Authentication: Authentication

sha256

Lifetime: VPN keepalive 1 day/24 hours/1440 minutes/86400 seconds :

hours 24

Define the IPSEC crypto profile (step 2)

Network>network profiles>IPSEC Crypto

Name: name of profile

VPN-IPSECCrypto-BVB

IPSEC protocol: ESP/AH

ESP

Encryption: Encryption

aes-256

DH group: Diff-Hellman group

Group 2

Lifetime: VPN keepalive 1 day/24 hours/1440 minutes/86400 seconds :

hours 24

Authentication: Authentication

sha256

Lifesize: VPN capacity bytes/kb/mb :

KB 4500

Define the IKE gateway (step 3)

Network>network profiles>IKE gateways

Name: name of gateway

VPN-GW-BVB 199.55.55.1/32 (ip address of Palo-Alto ae3.400 outside interface) 172.31.31.1/32 (test address of the PIX)

Define the IPSEC tunnel (step 4)

Network>IPSEC tunnels

Name: Name of tunnel

VPN-tunnel-BVB tunnel.1 auto-key VPN-GW-BVB (from step 3)

Define the remote network (step 5)

Objects>addresses

Name: VPN-net-BVB

SHARED

Description: VPN BVB destination network

IP netmask: 172.31.31.0/24

Define the remote peer (step 6)

Objects>addresses

Name: VPN-peer-BVB

SHARED

Description: VPN BVB destination peer

IP netmask: 172.31.31.1/32

Define the static route for LDMZ to external (step 7)

Network>Virtual routers

Name: Name of router

RTVTLOUT test network behind test PIX) RTVTOUT

Define the static route for external to internet (step 8)

Network>Virtual routers

Name: Name of router

RTVTOUT test network behind test PIX)

Policies>security (step 9)

Virtual system: FWOUTLDMZ

Name: VPN-rule1-BVB

Desc: Test rule for BVB configuration

Source: source zone

LDMZ

Destination: destination zone

LOUT

Address : VPN-net-BVB (from step 5)

Statics routes: ADD

Name: VPN-route-BVB

Destination: 172.31.31.0/24

Interface: tunnel.1

Next hop: ip address > 172.31.31.1/32

Statics routes: ADD

Name: VPN-route2-BVB

Destination: 172.31.31.0/24

Interface: ae3.400

Next hop: Next VR

Tunnel interface: ascending unique number of tunnel interface

Type: automatic of manual key

IKE gateway: Name of gateway

IPSEC crypto profile: VPN-IPSECCrypto-BVB (from step 2)

Click Ok

Virtual router: RTVOUT01

Virtual system: FWOUTDMZ

Security zone: LOUT

Local ip: the local ip address of the VPN tunnel

Peer ip: the remote peer ip address of the VPN tunnel

Presharedkey: vpntestkey

CLICK SHOW ADVANCED PHASE 1 OPTIONS

Exchange mode: aggressive

IKE crypto profile: VPN-Crypto-BVB (from step 1)

Palo Alto Networks Guru

Re: Question regarding site to site VPN

Hi Stephen,

It's a bit tough to read your configuration in this format.  Could you please paste in the CLI output?  I think the issue is that you're using 172.31.31.0/24 as an IP address.  .0 isn't a legal address so the commit is failing.  I'll be able to confirm if you can paste in the IKE gateway configuration and the IPSec tunnel configuration.

Thanks,

Nick Campagna

Product Management

Palo Alto Networks Guru

Re: Question regarding site to site VPN

Stephen,

Were you able to resolve this issue?

Thanks,

Nick

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!