I configured an IPSec VPN tunnel between my 2 PA FWs. The physical interfaces are up but the tunnel is not up. I am a Cisco guy and new to the PA. I am trying to see ipvpn traffic via the Monitor, but I did not see any traffic. How do I check my IKE phase 1 and IPSec phase 2 to make sure that all the parameters and the password match on both sides? Also, how do I know which side is the initiator and which side is the receiver? Thanks
Have you checked this article: Getting Started: VPN?
You can initiate from one peer by running:
> test vpn ike-sa gateway <gateway>
> test vpn ipsec-sa tunnel <value>
The best place to start looking is in the 'system' log; the responder should have most information you need to fix configuration mismatches.
I did the commands from my main FW. So the next step is to go to the remote FW and look at the Monitor. Correct?
5220A(active)> test vpn ike-sa gateway PHASE1-gtw2
Start time: Dec.12 10:28:45
Initiate 1 IKE SA.
5220A(active)> test vpn ipsec-sa tunnel PHASE2-tunnel
Start time: Dec.12 10:29:18
Initiate 1 IPSec SA for tunnel PHASE2-tunnel.
Correct, you should now see the negotiation taking place on the remote peer and see more info regarding what is succeeding and what is failing.
You can access the system logs and filter for ( subtype eq vpn )