IPSec Tunnel Works with Static Peer, but not with Dynamic FQDN Peer

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPSec Tunnel Works with Static Peer, but not with Dynamic FQDN Peer

L1 Bithead

Hi, 

 

I have an IPSec tunnel up and running with no issues using a staic IP for the peer in the IKE gateway, but it won't work when  I set it to Dynamic and use the FQDN (hostname).

 

When I ping from the command line it translates to the correct IP, and replies with no issue, but the tunnel will not come up.  

 

Are there some FQDN or DNS settings I need to change or is there a way to verify it works? Or am I putting the FQDN in using an incorrect format? ( name.domain.com )

 

Thanks. 

1 accepted solution

Accepted Solutions

@StephenJennings,

The peer device needs to have it's local identification set as FQDN as Name.Domain.Com. 

View solution in original post

10 REPLIES 10

L5 Sessionator

Hi Stephen,

 

Has "local/peer identification" been configured on the peer device with the matching confgiuration?

 

What error messages do you see in the system logs when attempting to use FQDN?

 

Thanks,

Luke.

 

 

 

Hi, thanks for helping.

 

The other side is configured and working when I use the staic IP, but not when I use FQDN. That's the only change.

 

And the logs say "ikev2 ike sa negotiation is failed as initiator non-rekey"

Hi,

 

When you say you "use FQDN" please confirm if you you have an FQDN in the "local/peer identifdication"? of the IKE gateway? If yes: local/peer identification will need to be configured on peer end.

 

If it does not work after configuring this, could you ascertain detailed logs from:

 

>tail follow yes mp-log ikemgr.log

 

Thanks,

Luke.

 

L4 Transporter

You do not mention it specifically in your question, but take note - only one side of an IPSEC tunnel can be dynamic.

@StephenJennings,

I think your issue is what @LukeBullimore is getting at. When you configure the initiator or the responder to use FQDN in the peer identification it really doesn't matter what you put here as long as it matches. I can configure the Peer Identification as FQDN with the value 'SEN19' on my responder as long as my initiator has the local identification as FQDN and matches 'SEN19'. If these values don't match this will fail. The FQDN you enter doesn't matter at all, as long as the configured FQDN value matches on either end it doesn't need to resolve to anything or be the actual hostname of the device. 

 

Hey, thanks.

 

On the IKE Gateway I've selcted Peer Type Dynamic, and the Peer Identification as FQDN (Houstname) Name.Domain.Com.

 

Is there somewhere else I need to enter the FQDN on the Palo Alto, or do I need to make a change on the peer device?

@StephenJennings,

The peer device needs to have it's local identification set as FQDN as Name.Domain.Com. 

@StephenJennings,

Essentially how it works is one will have the Local Identification set as FQDN with whatever FQDN value you are setting, then the peer to that would need the Peer Identification set as FQDN with whatever FQDN value you setup above. These values must match. 

Thanks, that was it.

hi, is fqdn must be in format Name.Domain.Com or i can put IP address ?? 

  • 1 accepted solution
  • 8412 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!