Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-07-2014 01:52 AM
There is a project,that Paloalto and checkpoint vpn.Paloalto is static address ,checkpoint is pppoe ,dynamic address.who had do this , can you give me some document ?
03-07-2014 09:10 AM
Hello Sir,
Here is an example of IPSec VPN between PAN and CISCO, where Palo Alto FW is having a static IP address and other side is having a dynamic IP address.
You have to configure the IPSec tunnel in aggressive mode, and the dynamic-side (checkpoint) should be the initiator always. ( PAN should be enable for passive mode-responder). In aggressive mode, the peer will be identified by its hostname/email-address/common IP address etc.
Example:
Thanks
03-13-2014 08:54 PM
Thanks
The cisco router can use this command "self-identity user-fqdn " ,is it must to set ?
the checkpoint utm-1 edge can't set this .I use hostname but doesn't work.
03-13-2014 09:21 PM
Hello,
You can select as "IP address" and put the local and remote interface IP address. This is just to verify the identity, hence you can put any IP address. Only keep in mind, the Local address here will the remote address for peer and vice versa.
Thanks
03-15-2014 02:54 AM
this is my configuration . what's wrong with this ? When I change it to "static",and input peer ip ,it's ok.
The peer device is checkpoint utm-1 edge , The UTM-1 Edge does not support Aggressive mode in Phase 1.
03-15-2014 03:24 AM
Hi
Are You sure that cp-test (as a FQDN) is a really FQDN address and resolvable by PA and Chekpoint?
Try to ping that address from CLI
Regards
SLawek
03-15-2014 03:33 AM
I can't resolve the hostname(cp-test) via dns.
is there have some method without dns?the peer is dynamic address
thanks!
03-15-2014 03:44 AM
Hi
Hulk give You document, please follow it but use public IP (not 192.168.x.x) and some kind of service like DynDNS to map dynamic IP to constant FQDN address.
Hope this help
SLawek
03-15-2014 07:00 AM
192.168 is my test ip. if the paloalto and checkpoint use static ip address,i can do that, and vpn connect is ok.but now the checkpoint use dynamic ip address ,i can't do it.the checkpoint edge firewall not support aggressive mode vpn,fqdn need dynamic dns support.
03-15-2014 10:37 AM
As per my understanding, once you will select Peer type: dynamic, the firewall will prepare a negotiation in Aggressive mode. As you said before, the UTM-1 Edge does not support Aggressive mode, it could be a problem here.
Could you please check "ikemgr.log" for detail information.
Thanks
03-17-2014 04:49 AM
2014-03-17 19:24:39 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:41 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:43 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:46 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:48 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:51 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:56 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:24:59 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:25:03 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
2014-03-17 19:25:07 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
