IKE-NEGO-P1-FAIL
cancel
Showing results for 
Search instead for 
Did you mean: 

IKE-NEGO-P1-FAIL

L4 Transporter

We are trying to setup a IPSec VPN from our VM-300 Palo Alto Firewall running in AWS. Using PANOS 9.0.11.

 

I’m having issues with the configuration of the IKE Gateway as the Interface IP address is set via AWS DHCP and does not reflect the public (elastic) IP. 

 

gateway.png

 

PAN OS will not allow me to set an address in the Local IP address field the only option allowed is 'none'.

The address for the interface is set by DHCP (VIA AWS) and my guess is that this is why the PAN won’t let me set the local IP value for the gateway.

I tried using the local and peer identification fields

 

The system logs show: 

System logs.png

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker

Hi there,

In AWS why don't you create an ENI and specify a private IP address, then assign this ENI to Eth1/1 on your palo alto. You can then statically assign the IP address under Network -> Interfaces -> Eth1/1. This will allow you to select  it in the IKE Gateway setup.

 

cheers,

Seb.

View solution in original post

2 REPLIES 2

L2 Linker

Hi there,

In AWS why don't you create an ENI and specify a private IP address, then assign this ENI to Eth1/1 on your palo alto. You can then statically assign the IP address under Network -> Interfaces -> Eth1/1. This will allow you to select  it in the IKE Gateway setup.

 

cheers,

Seb.

View solution in original post

@FarzanaMustafa,

@SebRupik gave you the best answer. You could also just spin up the AWS side like you would any other DHCP peer and use one of the other identification methods available to you outside of IP Address like FQDN, KEYID, or Email Address. You don't absolutely need to utilize the IP address for Identification, even though that's the most secure option if available. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!