10-06-2020 09:23 AM
Trying to set up a PtP VPN between a PA-200 and a corporate PA-5250. I haven't found a "How to set up if the PA-200 is behind a home modem" article as of yet. It is my understanding that when I select the 5250 "Peer IP Address Type" = Dynamic it means that the peer address (home IP) is unknown. The PEER would be the 200 NAT'd to the home public IP. I selected NONE as PEER Identification. Not sure how to configure this.
Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
10-07-2020 02:38 PM
On the IKE Gateway, you'll want to ensure that you've set the Peer IP Address Type to Dynamic and that you've configured a Local Identification and Peer Identification option. I'd generally set the PA-5250 local identification to be its IP Address, and then specify the PA-220 to utilize FQDN. Then you'll set the PA-5250 to be Passive since it won't be able to initiate the connection, and make sure that the PA-200 is set up to initiate the connection instead.
10-07-2020 02:43 PM
Just to expand on the Peer Identification and Local Identification a bit. This just tells the firewall what tunnel you're actually attempting to establish.
So on your PA-5250 you would set the following:
- Local Identification (IP Address): whatever IP
- Peer Identification (FQDN hostname): whatever

On the PA-200 you would just flip it around:
- Local Identification (FQDN hostname): whatever
- Peer Identification (IP Address): whatever IP
Fun fact: the FQDN (hostname) that you specify can literally be anything as long as it matches on each node. You could specify the actual hostname of the PA-200, or you could simply enter JEFF. As long as the entered value matches on both, the tunnel will negotiate without issue.
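As an added example (not from any of the posters above), the two mirrored IKE gateway definitions the reply describes, written as PAN-OS configure-mode `set` commands. The gateway names, `ethernet1/1`, the hub address 203.0.113.10, the `pa200-home` identifier, IKEv2 and the pre-shared key are all placeholders chosen for this illustration; lines starting with `#` are annotations rather than CLI input, and option order should be confirmed against the PAN-OS version in use.

```text
# PA-5250 (corporate hub, fixed public IP): waits for the PA-200, never initiates
set network ike gateway gw-home-pa200 protocol version ikev2
set network ike gateway gw-home-pa200 local-address interface ethernet1/1
set network ike gateway gw-home-pa200 peer-address dynamic
set network ike gateway gw-home-pa200 authentication pre-shared-key key <PSK-PLACEHOLDER>
set network ike gateway gw-home-pa200 local-id type ipaddr id 203.0.113.10
set network ike gateway gw-home-pa200 peer-id type fqdn id pa200-home
set network ike gateway gw-home-pa200 protocol-common passive-mode yes
set network ike gateway gw-home-pa200 protocol-common nat-traversal enable yes

# PA-200 (behind the home NAT router): identifiers flipped, initiates toward the hub
set network ike gateway gw-corp-pa5250 protocol version ikev2
set network ike gateway gw-corp-pa5250 local-address interface ethernet1/1
set network ike gateway gw-corp-pa5250 peer-address ip 203.0.113.10
set network ike gateway gw-corp-pa5250 authentication pre-shared-key key <PSK-PLACEHOLDER>
set network ike gateway gw-corp-pa5250 local-id type fqdn id pa200-home
set network ike gateway gw-corp-pa5250 peer-id type ipaddr id 203.0.113.10
set network ike gateway gw-corp-pa5250 protocol-common passive-mode no
set network ike gateway gw-corp-pa5250 protocol-common nat-traversal enable yes

# Operational-mode checks from the PA-200 after commit: trigger phase 1, then inspect the SA
test vpn ike-sa gateway gw-corp-pa5250
show vpn ike-sa gateway gw-corp-pa5250
```

NAT traversal is enabled on both ends because the PA-200's IKE packets arrive at the hub from the home modem's public address, not from the PA-200 itself. The hub's `peer-id` must match the PA-200's `local-id` byte for byte, which is why the FQDN value can be arbitrary but must be identical on both sides.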
10-07-2020 02:56 PM
Hello,
The PEER IP should be a public IP address. The local identification IP can be any IP address. Also check the logs to make sure the traffic is allowed on both sides. The router that is in front of the PA-200 should just forward everything to the PA-200; make sure it has its firewall off and is just a router.
Regards,