Configuring Site-to-Site VPN between two PAs


We recently purchased a PA850 and PA220 to use at two different locations and want to set up a tunnel between the two devices. I am unable to successfully get connectivity between them. I am trying to follow this guide (Site-to-Site VPN with Static Routing), but I'm not sure if the problem is in my configuration or the physical hardware connections I have set up.

 

Both devices are on stock 9.0.1 with completely fresh/out-of-box defaults aside from the MGT interface and admin login.

 

Physically, the PA850 has an ethernet cable connected from ethernet1/3 to a switch and is configured with the IP 198.X.Y.5.

The PA220 has an ethernet cable connected from ethernet1/3 to an ISP router that is completely separate from the network of the 850. It is configured with the IP 97.X.Y.34. I can ping both interfaces from anywhere, so I know they are reachable over the internet.


Accepted Solutions

There ended up being two issues. We had the static routes configured wrong (the next hop for the default 0.0.0.0/0 route was incorrect). We found the correct one by using the command "show arp all", or by doing a traceroute to the peer IP.

 

The other issue was that we still have an existing firewall on the network that was blocking IPSec VPN traffic. I corrected the routes and disabled the filters in our firewall and the tunnel now works as expected.



All Replies

Hi @CoreyS 

 

Do you have networks behind the firewalls, where you want to have them connected over the VPN tunnel?

The problem in your configuration is that you route the peer IPs to the tunnel interfaces. This way the firewalls try to reach these IPs over an interface which has no connection at that time (the VPN connection is not established). The firewalls need to connect to the peer IPs over the internet and not over the tunnel. When the tunnel is established then you can have connections between the internal networks over the tunnel.

 

Hope this helps,

Remo
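Remo's diagnosis and the accepted solution above describe two route-table mistakes that keep a site-to-site tunnel from ever coming up: the peer's public IP pointed at the tunnel interface (so IKE and ESP to the peer are sent into a tunnel that is not established), and a default route whose next hop is not the real gateway on the egress subnet (found in the thread with "show arp all" and traceroute). The following is an added Python example, not code from the thread or from PAN-OS, that models a static route table and runs both checks over a "broken" and a "fixed" version. The addresses are RFC 5737 documentation ranges standing in for the redacted 198.X.Y.5 / 97.X.Y.34 in the post, the remote LAN 10.20.0.0/24 and the ARP entry are constructed, and the interface names follow PAN-OS conventions (ethernet1/3, tunnel.1).

```python
"""Pre-flight checks for static routes under an IPsec site-to-site tunnel.

Constructed example (not PAN-OS code): the route table, interfaces and ARP
entries below are made up to mirror the two mistakes described in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str               # destination, e.g. "0.0.0.0/0"
    interface: str            # egress interface, e.g. "ethernet1/3" or "tunnel.1"
    next_hop: Optional[str]   # None when the route points straight at a tunnel interface


@dataclass(frozen=True)
class Interface:
    name: str
    address: Optional[str]    # "198.51.100.5/24"; None for an unnumbered tunnel interface


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the same selection the firewall's forwarding table makes."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def check_peer_reachability(routes: List[Route], peer_ip: str) -> Optional[str]:
    """Remo's point: IKE/ESP to the peer must leave a physical interface, never the tunnel."""
    r = lookup(routes, peer_ip)
    if r is None:
        return f"no route to VPN peer {peer_ip}"
    if r.interface.startswith("tunnel"):
        return (f"VPN peer {peer_ip} matches {r.prefix} via {r.interface}: "
                "IKE/ESP would be sent into a tunnel that is not up yet")
    return None


def check_default_route(routes: List[Route], interfaces: List[Interface],
                        arp: List[ArpEntry]) -> Optional[str]:
    """Accepted solution: the default next hop must sit on the egress subnet and
    actually resolve in ARP (what 'show arp all' revealed in the thread)."""
    default = next((r for r in routes
                    if ipaddress.ip_network(r.prefix, strict=False).prefixlen == 0), None)
    if default is None or default.next_hop is None:
        return "no usable default route"
    iface = next((i for i in interfaces if i.name == default.interface and i.address), None)
    if iface is None:
        return f"default route egress {default.interface} has no IP address"
    subnet = ipaddress.ip_interface(iface.address).network
    if ipaddress.ip_address(default.next_hop) not in subnet:
        return f"default next hop {default.next_hop} is not on {subnet}"
    if (default.interface, default.next_hop) not in {(a.interface, a.ip) for a in arp}:
        return f"default next hop {default.next_hop} has no ARP entry on {default.interface}"
    return None


def audit(routes: List[Route], interfaces: List[Interface],
          arp: List[ArpEntry], peer_ip: str) -> List[str]:
    """Return every finding; an empty list means the routes are sane for tunnel setup."""
    findings = [check_peer_reachability(routes, peer_ip),
                check_default_route(routes, interfaces, arp)]
    return [f for f in findings if f]


# --- constructed data (RFC 5737 addresses; the thread's real IPs are redacted) ---
PEER = "203.0.113.34"                                   # stands in for the PA220's 97.X.Y.34
INTERFACES = [Interface("ethernet1/3", "198.51.100.5/24"),  # stands in for 198.X.Y.5
              Interface("tunnel.1", None)]
ARP = [ArpEntry("ethernet1/3", "198.51.100.1", "00:00:5e:00:53:01")]  # the real gateway

BROKEN_ROUTES = [
    Route("0.0.0.0/0", "ethernet1/3", "198.51.100.254"),  # wrong next hop: never seen in ARP
    Route("203.0.113.34/32", "tunnel.1", None),           # peer pointed into the tunnel
    Route("10.20.0.0/24", "tunnel.1", None),              # remote LAN via tunnel: correct
]
FIXED_ROUTES = [
    Route("0.0.0.0/0", "ethernet1/3", "198.51.100.1"),    # gateway taken from 'show arp all'
    Route("10.20.0.0/24", "tunnel.1", None),              # only the remote LAN uses the tunnel
]

if __name__ == "__main__":
    for label, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(label, audit(table, INTERFACES, ARP, PEER) or ["ok"])
```

With the fixed table the peer IP falls through to the default route out ethernet1/3 and only 10.20.0.0/24 is sent into tunnel.1. The third problem in the thread, an upstream firewall filtering the VPN, is outside what a route audit can see; the flows it must pass are IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50).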

