Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Paloalto and Checkpoint dynamic address vpn

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Paloalto and Checkpoint dynamic address vpn

Not applicable

There is a project,that Paloalto and checkpoint vpn.Paloalto is static address ,checkpoint is pppoe ,dynamic address.who had do this , can you give me some document ?

10 REPLIES 10

L7 Applicator

Hello Sir,

Here is an example of IPSec VPN between PAN and CISCO, where Palo Alto FW is having a static IP address and other side is having a dynamic IP address.

VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Ad...

You have to configure the IPSec tunnel in aggressive mode, and the dynamic-side (checkpoint) should be the initiator always. ( PAN should be enable for passive mode-responder). In aggressive mode, the peer will be identified by its hostname/email-address/common IP address etc.

Example:

Dynamic-vpn.JPG.jpg

Thanks

Thanks

The cisco router can use this command "self-identity user-fqdn " ,is it must to set ?

the checkpoint utm-1 edge can't set this .I use hostname but doesn't work.

Hello,

You can select as "IP address" and put the local and remote interface IP address. This is just to verify the identity, hence you can put any IP address. Only keep in mind, the Local address here will the remote address for peer and vice versa.

Thanks

this is my configuration . what's wrong with this ? When I change it to "static",and input peer ip ,it's ok.

The peer device is checkpoint utm-1 edge ,  The UTM-1 Edge does not support Aggressive mode in Phase 1.

phase1_1.JPG.jpg

phaes1_2.JPG.jpg

log.JPG.jpg

Hi

Are You sure that cp-test (as a FQDN)  is a really FQDN address and resolvable by PA and Chekpoint?

Try to ping that address from CLI

Regards

SLawek

I can't resolve the hostname(cp-test) via dns.

is there have some method without dns?the peer is dynamic address

thanks!

Hi

Hulk give You document, please follow it but use public IP (not 192.168.x.x) and some kind of service like DynDNS to map dynamic IP to constant FQDN address.

Hope this help

SLawek

192.168 is my test ip. if the paloalto and checkpoint use static ip address,i can do that, and vpn connect is ok.but now the checkpoint use dynamic ip address ,i can't do it.the checkpoint edge firewall not support aggressive mode vpn,fqdn need dynamic dns support.

As per my understanding, once you will select Peer type: dynamic, the firewall will prepare a negotiation in Aggressive mode. As you said before, the UTM-1 Edge does not support Aggressive mode, it could be a problem here.


Could you please check "ikemgr.log" for detail information.


Thanks

2014-03-17 19:24:39 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:41 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:43 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:46 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:48 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:51 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:56 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:24:59 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:25:03 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

2014-03-17 19:25:07 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.30.250[500].

  • 5962 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!