02-21-2012 01:50 AM
Hello,
I hope you may be able to help. I am a little confused regarding the site-to-site VPN tunnel configuration (remote end will be a Cisco PIX).
I get the following error when attempting to commit using PAN-OS 4.0:

Commit failed (Module: device) Error: tunnel configuration error: Error: tunnel VPN-tunnel-BVB: invalid peer IP address

The local gateway IP is 199.55.55.1. The remote network is 172.31.31.0/24. Why am I getting the above?

Configuration:

Step 1: Define the IKE crypto profile (Network > Network Profiles > IKE Crypto)
- Name (name of profile): VPN-Crypto-BVB
- DH group (Diffie-Hellman group): Group 2
- Encryption: aes-256
- Authentication: sha256
- Lifetime (VPN keepalive, 1 day / 24 hours / 1440 minutes / 86400 seconds): 24 hours

Step 2: Define the IPSec crypto profile (Network > Network Profiles > IPSec Crypto)
- Name (name of profile): VPN-IPSECCrypto-BVB
- IPSec protocol (ESP/AH): ESP
- Encryption: aes-256
- DH group (Diffie-Hellman group): Group 2
- Lifetime (VPN keepalive, 1 day / 24 hours / 1440 minutes / 86400 seconds): 24 hours
- Authentication: sha256
- Lifesize (VPN capacity, bytes/KB/MB): 4500 KB

Step 3: Define the IKE gateway (Network > Network Profiles > IKE Gateways)
- Name (name of gateway): VPN-GW-BVB
- Virtual router: RTVOUT01
- Virtual system: FWOUTDMZ
- Security zone: LOUT
- Local IP (the local IP address of the VPN tunnel): 199.55.55.1/32 (IP address of the Palo Alto ae3.400 outside interface)
- Peer IP (the remote peer IP address of the VPN tunnel): 172.31.31.1/32 (test address of the PIX)
- Pre-shared key: vpntestkey
- Click Show Advanced Phase 1 Options
- Exchange mode: aggressive
- IKE crypto profile: VPN-Crypto-BVB (from step 1)

Step 4: Define the IPSec tunnel (Network > IPSec Tunnels)
- Name (name of tunnel): VPN-tunnel-BVB
- Tunnel interface (ascending unique number of tunnel interface): tunnel.1
- Type (automatic or manual key): auto-key
- IKE gateway (name of gateway): VPN-GW-BVB (from step 3)
- IPSec crypto profile: VPN-IPSECCrypto-BVB (from step 2)
- Click OK

Step 5: Define the remote network (Objects > Addresses)
- Name: VPN-net-BVB
- Shared
- Description: VPN BVB destination network
- IP netmask: 172.31.31.0/24

Step 6: Define the remote peer (Objects > Addresses)
- Name: VPN-peer-BVB
- Shared
- Description: VPN BVB destination peer
- IP netmask: 172.31.31.1/32

Step 7: Define the static route for LDMZ to external (Network > Virtual Routers)
- Name (name of router): RTVTLOUT (test network behind test PIX) RTVTOUT

Step 8: Define the static route for external to internet (Network > Virtual Routers)
- Name (name of router): RTVTOUT (test network behind test PIX)

Static routes (steps 7 and 8):
- Static routes: Add
- Name: VPN-route-BVB
- Destination: 172.31.31.0/24
- Interface: tunnel.1
- Next hop: IP address > 172.31.31.1/32

- Static routes: Add
- Name: VPN-route2-BVB
- Destination: 172.31.31.0/24
- Interface: ae3.400
- Next hop: Next VR

Step 9: Policies > Security
- Virtual system: FWOUTLDMZ
- Name: VPN-rule1-BVB
- Description: Test rule for BVB configuration
- Source zone: LDMZ
- Destination zone: LOUT
- Address: VPN-net-BVB (from step 5)

Best regards
Stephen
02-22-2012 08:38 AM
Hi Stephen,
It's a bit tough to read your configuration in this format. Could you please paste in the CLI output? I think the issue is that you're using 172.31.31.0/24 as an IP address. .0 isn't a legal address so the commit is failing. I'll be able to confirm if you can paste in the IKE gateway configuration and the IPSec tunnel configuration.
Thanks,
Nick Campagna
Product Management
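A pre-commit sanity check for the IKE gateway addresses, as an added example that is not part of this thread and not PAN-OS code. It mirrors the hypothesis in the reply above: the local and peer fields must each be a single host address, so a network such as 172.31.31.0/24 is flagged before a commit is attempted. The field names and sample values are constructed from the post, and the remote-network check assumes the peer is typed as a bare address.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed from the IKE gateway fields (step 3) and the remote network
# object (step 5) in the post; this is not a real PAN-OS export.
GATEWAY: Dict[str, str] = {
    "name": "VPN-GW-BVB",
    "local_ip": "199.55.55.1/32",
    "peer_ip": "172.31.31.1/32",
    "remote_net": "172.31.31.0/24",
}


def check_host_address(value: str) -> Optional[str]:
    """Return None when value is one IPv4 host (bare or /32), else the reason."""
    try:
        iface = ipaddress.ip_interface(value.strip())
    except ValueError:
        return f"{value!r} is not a valid IP address"
    if iface.version != 4:
        return f"{value!r} is not an IPv4 address"
    if iface.network.prefixlen != 32:
        # e.g. 172.31.31.0/24: a whole subnet, not a tunnel endpoint
        return (f"{value!r} is a /{iface.network.prefixlen} network, "
                "but a single host address (or /32) is required")
    return None


def check_gateway(gw: Dict[str, str]) -> List[str]:
    """Collect every problem with an IKE gateway definition (empty list = OK)."""
    problems: List[str] = []
    for field in ("local_ip", "peer_ip"):
        reason = check_host_address(gw.get(field, ""))
        if reason:
            problems.append(f"{gw['name']}: {field}: {reason}")
    if problems:
        return problems
    local = ipaddress.ip_interface(gw["local_ip"]).ip
    peer = ipaddress.ip_interface(gw["peer_ip"]).ip
    if local == peer:
        problems.append(f"{gw['name']}: local and peer address are identical")
    # A peer equal to the network or broadcast address of the remote subnet
    # is not a usable host even when it is typed without a prefix length.
    net = ipaddress.ip_network(gw["remote_net"], strict=False)
    if peer in (net.network_address, net.broadcast_address):
        problems.append(f"{gw['name']}: peer_ip {peer} is not a host in {net}")
    return problems
```

Run check_gateway(GATEWAY) for the values in the post (no problems) and again with peer_ip set to 172.31.31.0/24 to see the kind of mistake the commit error is pointing at.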
06-21-2012 09:32 AM
Stephen,
Were you able to resolve this issue?
Thanks,
Nick