05-01-2019 12:47 PM - edited 05-02-2019 10:10 AM
We recently purchased a PA850 and PA220 to use at two different locations and want to set up a tunnel between the two devices. I am unable to successfully get connectivity between them. I am trying to follow this guide (Site-to-Site VPN with Static Routing), but I'm not sure if the problem is in my configuration or the physical hardware connections I have set up.
Both devices are on stock 9.0.1 with completely fresh/out-of-box defaults aside from the MGT interface and admin login.
Physically, the PA850 has an ethernet cable connected from ethernet1/3 to a switch and is configured with the IP 198.X.Y.5.
The PA220 has an ethernet cable connected from ethernet1/3 to an ISP router that is completely separate from the network of the 850. It is configured with the IP 97.X.Y.34. I can ping both interfaces from anywhere, so I know they are reachable over the internet.
05-02-2019 10:14 AM
There ended up being two issues. We had the static routes configured wrong (the next hop for the default 0.0.0.0/0 route was incorrect). We found the correct one by using the command "show arp all", or by doing a traceroute to the peer IP.
The other issue was that we still have an existing firewall on the network that was blocking IPSec VPN traffic. I corrected the routes and disabled the filters in our firewall and the tunnel now works as expected.
05-01-2019 01:32 PM
Hi @CoreyS
Do you have networks behind the firewalls, where you want to have them connected over the VPN tunnel?
The problem in your configuration is that you route the peer IPs to the tunnel interfaces. This way the firewalls try to reach these IPs over an interface which has no connection at that time (the VPN connection is not established). The firewalls need to connect to the peer IPs over the internet and not over the tunnel. When the tunnel is established then you can have connections between the internal networks over the tunnel.
Hope this helps,
Remo
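Remo's point (the IKE peer must be reachable via the physical interface, not via the tunnel that does not exist yet) and the two fixes CoreyS reports (a default route with the wrong next hop, spotted with "show arp all", plus an upstream filter) can be turned into a static-route sanity check. The Python below is an added example, not code from this thread or from Palo Alto Networks; the interface, route table, ARP entries and addresses are constructed placeholders (RFC 5737 ranges) standing in for the poster's redacted values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    destination: str        # prefix, e.g. "0.0.0.0/0"
    interface: str          # egress interface, e.g. "ethernet1/3" or "tunnel.1"
    next_hop: "str | None"  # None for routes that point straight at a tunnel interface
def lookup(routes, ip):
    """Longest-prefix match, the way a virtual router picks a route."""
    addr, best, best_len = ipaddress.ip_address(ip), None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best
def next_hop_problem(r, interfaces, arp):
    """Check a route's next hop against the egress interface subnet and the ARP table."""
    if r.next_hop is None or r.interface not in interfaces:
        return None
    subnet = ipaddress.ip_interface(interfaces[r.interface]).network
    if ipaddress.ip_address(r.next_hop) not in subnet:
        return f"next hop {r.next_hop} is not on {r.interface} ({subnet})"
    if r.next_hop not in arp:
        return f"next hop {r.next_hop} has no ARP entry; gateway is probably wrong"
    return None
def audit_peer_route(routes, interfaces, arp, peer_ip):
    """Findings for reaching the IKE peer; an empty list means the routing looks sane."""
    findings = []
    r = lookup(routes, peer_ip)
    if r is None:
        return [f"no route to peer {peer_ip}"]
    if r.interface.startswith("tunnel"):
        # IKE/ESP must leave via the physical interface; the tunnel only exists once the peer is reached
        findings.append(f"peer {peer_ip} matched {r.destination} via {r.interface}")
    default = lookup(routes, "0.0.0.0")  # the default route carries IKE once the tunnel-bound route is removed
    for candidate in ([r] if r is default or default is None else [r, default]):
        problem = next_hop_problem(candidate, interfaces, arp)
        if problem:
            findings.append(problem)
    return findings
# Constructed data using RFC 5737 documentation addresses, not the poster's real values
INTERFACES = {"ethernet1/3": "198.51.100.5/24"}
ARP = {"198.51.100.1": "00:00:5e:00:53:01"}   # what "show arp all" would list for the gateway
PEER = "203.0.113.34"
BROKEN = [Route("0.0.0.0/0", "ethernet1/3", "198.51.100.254"),   # wrong gateway address
          Route("203.0.113.34/32", "tunnel.1", None),            # peer IP routed into the tunnel
          Route("10.20.0.0/16", "tunnel.1", None)]               # remote LAN, correctly via tunnel
FIXED = [Route("0.0.0.0/0", "ethernet1/3", "198.51.100.1"),
         Route("10.20.0.0/16", "tunnel.1", None)]
```

Running `audit_peer_route(BROKEN, INTERFACES, ARP, PEER)` reports both misconfigurations from the thread, while the FIXED table returns no findings and still sends the remote LAN through tunnel.1.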