IKE gateway is not allowed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IKE gateway is not allowed

L1 Bithead

Hi all, 
I've just installed a PA 3220 and there're dynamics VPNs tunnel. IKEs are up. However,  phase 2 (tunnel) aren't coming up. 

 

Looking at the logs I see the following logs for all VPNs .
"initiate negotiation to dynamic peer from IKE gateway is not allowed"

 

 My outside interface is allowing IKE and IPSec, I don't see packets being dropped.

5 REPLIES 5

Cyber Elite
Cyber Elite

Do you have any other logs?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

 

That's what I can see on the logs

 

IKE Down.JPG

Whatever firewall is the dynamic peer needs to be the initiator of the VPN tunnel and not the responder. Ensure that you don't have the "Enable Passive Mode" option checked. 

The Enable Passive Mode option should be checked on the non-dynamic addressed firewall and not on the dynamic remote firewalls?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0

 

"With this option enabled, the firewall responds to incoming connection negotiations as it would normally do, but it will no longer initiate outgoing negotiations. "

@jeremy.larsen,

Correct. On the non-dynamic firewall you want passive-mode enabled, and on the dynamic firewall you want to ensure that passive mode is not enabled. That will ensure that only the dynamic firewall is attempting to establish communication with the non-dynamic firewall, which works perfectly fine. 

  • 6112 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!