IPSec Tunnel Works with Static Peer, but not with Dynamic FQDN Peer


L1 Bithead


Hi,

I have an IPSec tunnel up and running with no issues using a static IP for the peer in the IKE gateway, but it won't work when I set it to Dynamic and use the FQDN (hostname).

When I ping from the command line it translates to the correct IP, and replies with no issue, but the tunnel will not come up.

Are there some FQDN or DNS settings I need to change or is there a way to verify it works? Or am I putting the FQDN in using an incorrect format? ( name.domain.com )

Thanks.


Accepted Solutions
Cyber Elite

@StephenJennings,

The peer device needs to have its local identification set as FQDN as Name.Domain.Com.



All Replies
L5 Sessionator

Hi Stephen,

Has "local/peer identification" been configured on the peer device with the matching configuration?

What error messages do you see in the system logs when attempting to use FQDN?

Thanks,

Luke.

L1 Bithead

Hi, thanks for helping.

The other side is configured and working when I use the static IP, but not when I use FQDN. That's the only change.

And the logs say "ikev2 ike sa negotiation is failed as initiator non-rekey"

L5 Sessionator

Hi,

When you say you "use FQDN", please confirm if you have an FQDN in the "local/peer identification" of the IKE gateway? If yes: local/peer identification will need to be configured on the peer end.

If it does not work after configuring this, could you ascertain detailed logs from:

>tail follow yes mp-log ikemgr.log

Thanks,

Luke.

L4 Transporter

You do not mention it specifically in your question, but take note - only one side of an IPSEC tunnel can be dynamic.

Cyber Elite

@StephenJennings,

I think your issue is what @LukeBullimore is getting at. When you configure the initiator or the responder to use FQDN in the peer identification it really doesn't matter what you put here as long as it matches. I can configure the Peer Identification as FQDN with the value 'SEN19' on my responder as long as my initiator has the local identification as FQDN and matches 'SEN19'. If these values don't match this will fail. The FQDN you enter doesn't matter at all, as long as the configured FQDN value matches on either end it doesn't need to resolve to anything or be the actual hostname of the device. 
L1 Bithead

Hey, thanks.

On the IKE Gateway I've selected Peer Type Dynamic, and the Peer Identification as FQDN (Hostname) Name.Domain.Com.

Is there somewhere else I need to enter the FQDN on the Palo Alto, or do I need to make a change on the peer device?


Cyber Elite

@StephenJennings,

Essentially how it works is one will have the Local Identification set as FQDN with whatever FQDN value you are setting, then the peer to that would need the Peer Identification set as FQDN with whatever FQDN value you setup above. These values must match. 

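As an added example (not code from this thread, from PAN-OS, or from any IKE daemon), here is a small Python model of the identity comparison the replies above describe: each side sends its Local Identification, the other side compares it exactly with its configured Peer Identification, and no DNS resolution takes part. The "ipaddr"/"fqdn" kinds, the rule that an unset identification defaults to the gateway's own IP address, and the addresses used are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class IkeId:
    kind: str    # "ipaddr" (ID_IPV4_ADDR) or "fqdn" (ID_FQDN)
    value: str


@dataclass
class Gateway:
    own_address: str
    peer_address: Optional[str]       # static peer IP, or None for Peer Type "Dynamic"
    local_id: Optional[IkeId] = None  # Local Identification; None = own address (assumed default)
    peer_id: Optional[IkeId] = None   # Peer Identification; None = peer's address (assumed default)


def sent_id(gw: Gateway) -> IkeId:
    """Identity a gateway places in its own IDi/IDr payload."""
    return gw.local_id or IkeId("ipaddr", gw.own_address)


def expected_id(gw: Gateway, peer_src: str) -> IkeId:
    """Identity a gateway requires from the peer; the peer's source IP if none is set."""
    return gw.peer_id or IkeId("ipaddr", peer_src)


def negotiate(init: Gateway, resp: Gateway) -> Tuple[bool, str]:
    """Compare both identities exactly (kind and value); no DNS lookup is involved."""
    if init.peer_address is None and resp.peer_address is None:
        return False, "both sides dynamic: neither knows where to initiate"
    if init.peer_address is None:
        return False, "a gateway with a dynamic peer has no address to initiate to"
    checks = (("initiator", sent_id(init), expected_id(resp, init.own_address)),
              ("responder", sent_id(resp), expected_id(init, resp.own_address)))
    for who, got, want in checks:
        if got != want:  # byte-for-byte match of kind and value
            return False, f"{who} sent {got.kind}:{got.value}, peer expects {want.kind}:{want.value}"
    return True, "IKE SA established"


def thread_scenarios() -> Tuple[bool, bool]:
    """Constructed sample: the poster's failing setup, then the accepted fix."""
    pa = Gateway("203.0.113.1", None, peer_id=IkeId("fqdn", "Name.Domain.Com"))  # PA side
    remote_before = Gateway("198.51.100.7", "203.0.113.1")  # no Local ID: sends its IP
    remote_after = Gateway("198.51.100.7", "203.0.113.1",
                           local_id=IkeId("fqdn", "Name.Domain.Com"))  # the fix
    return negotiate(remote_before, pa)[0], negotiate(remote_after, pa)[0]
```

Running `thread_scenarios()` gives `(False, True)`: the remote device sending its IP as identity fails against a Peer Identification of FQDN Name.Domain.Com, and the same device fails no longer once its Local Identification is the matching FQDN.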
L1 Bithead

Thanks, that was it.
