02-09-2021 04:03 PM - edited 02-09-2021 08:27 PM
We are trying to set up an IPSec VPN from our VM-300 Palo Alto Firewall running in AWS, using PAN-OS 9.0.11.
I’m having issues with the configuration of the IKE Gateway as the Interface IP address is set via AWS DHCP and does not reflect the public (elastic) IP.
PAN-OS will not allow me to set an address in the Local IP address field; the only option allowed is 'none'.
The address for the interface is set by DHCP (VIA AWS) and my guess is that this is why the PAN won’t let me set the local IP value for the gateway.
I tried using the local and peer identification fields.
The system logs show:
02-10-2021 02:37 AM
Hi there,
In AWS, why don't you create an ENI and specify a private IP address, then assign this ENI to Eth1/1 on your Palo Alto? You can then statically assign the IP address under Network -> Interfaces -> Eth1/1. This will allow you to select it in the IKE Gateway setup.
cheers,
Seb.
02-10-2021 02:36 PM
@SebRupik gave you the best answer. You could also just spin up the AWS side like you would any other DHCP peer and use one of the other identification methods available to you outside of IP Address like FQDN, KEYID, or Email Address. You don't absolutely need to utilize the IP address for Identification, even though that's the most secure option if available.
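The ENI approach from the accepted answer, as an added example that is not part of the thread or of any Palo Alto or AWS documentation: a POSIX shell script that creates an ENI with a fixed private address, attaches it as device index 1 (which the VM-Series exposes as ethernet1/1), disables the EC2 source/destination check the firewall needs off to forward traffic, and binds an Elastic IP to that private address. It assumes the AWS CLI is installed and credentialed when run with DRY_RUN=0; every subnet, security group, instance and resource id below is a constructed placeholder, and with the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: provision a dedicated ENI with a fixed
# private IP for the VM-Series data-plane interface, attach it as device
# index 1 (presented by PAN-OS as ethernet1/1), and bind an Elastic IP to
# that private address. All ids passed in are constructed placeholders.
# With DRY_RUN=1 (the default) the aws commands are printed to stderr
# instead of executed; set DRY_RUN=0 to run them for real.

DRY_RUN="${DRY_RUN:-1}"
PLACEHOLDER=""          # stand-in for the id a dry-run command would return

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aws %s\n' "$*" >&2
    printf '%s\n' "$PLACEHOLDER"
  else
    aws "$@"
  fi
}

# create_ike_eni SUBNET_ID SECURITY_GROUP_ID PRIVATE_IP INSTANCE_ID
# Prints "<eni-id> <eip-allocation-id>" on stdout when done.
create_ike_eni() {
  subnet="$1"; sg="$2"; private_ip="$3"; instance="$4"

  # 1. ENI with a fixed private address. This is the address you then set
  #    statically on ethernet1/1 (Network -> Interfaces) so that it becomes
  #    selectable as the IKE gateway local address instead of "none".
  PLACEHOLDER="eni-PLACEHOLDER"
  eni=$(run ec2 create-network-interface \
          --subnet-id "$subnet" --groups "$sg" \
          --private-ip-address "$private_ip" \
          --description "VM-Series ethernet1/1 (IKE gateway)" \
          --query 'NetworkInterface.NetworkInterfaceId' --output text)

  # 2. A firewall forwards packets not addressed to itself, so the EC2
  #    source/destination check must be disabled on this interface.
  PLACEHOLDER=""
  run ec2 modify-network-interface-attribute \
      --network-interface-id "$eni" --no-source-dest-check >/dev/null

  # 3. Attach as device index 1; index 0 stays the management interface.
  PLACEHOLDER="eni-attach-PLACEHOLDER"
  run ec2 attach-network-interface \
      --network-interface-id "$eni" --instance-id "$instance" \
      --device-index 1 --query 'AttachmentId' --output text >/dev/null

  # 4. Allocate an Elastic IP and map it 1:1 onto the fixed private address.
  #    The peer sees this public address; the firewall itself only ever
  #    sees the private one, which is why the IKE local address is private.
  PLACEHOLDER="eipalloc-PLACEHOLDER"
  alloc=$(run ec2 allocate-address --domain vpc \
            --query 'AllocationId' --output text)
  PLACEHOLDER=""
  run ec2 associate-address --allocation-id "$alloc" \
      --network-interface-id "$eni" --private-ip-address "$private_ip" \
      >/dev/null

  printf '%s %s\n' "$eni" "$alloc"
}

# Example invocation with constructed ids (prints the commands in dry-run mode).
create_ike_eni subnet-0123456789abcdef0 sg-0123456789abcdef0 10.0.1.10 i-0123456789abcdef0
```

Once the ENI is attached, set 10.0.1.10/24 (or whatever private address you chose) statically on ethernet1/1 in PAN-OS and it appears in the IKE gateway's Local IP Address list. Because the Elastic IP is a 1:1 NAT in front of that private address, the public IP the peer sees never exists on the firewall; that is also why the second suggestion in the thread, identifying the gateway by FQDN, KEYID or email address rather than IP, is the alternative when a fixed private address is not an option.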