This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Site to Site IKE Gateway Setup on 5250

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Site to Site IKE Gateway Setup on 5250

vnt90
L2 Linker

‎10-06-2020 09:23 AM

Trying to set up ptp vpn between PA200 and corporate 5250.  I haven't found a "How to set up if the PA200 is behind home modem" article as of yet.   Is it my understanding that  when I select the 5250  "Peer IP Address Type"  = Dynamic  it means that the peer address (home ip) is unknown. The PEER would be the 200 nat'd to the home public ip.   I selected NONE as PEER Identification. Not sure how to configure this.

Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
Operation
Validate
Status
Completed
Result
Failed
Details
  • Partial changes to validate: changes to configuration by administrators: xxxxx
  • Changes to configuration in device and network
  • IKE gateway remotework-1_Jeff peer gateway ID must be defined when peer address is dynamic.(Module: ikemgr)
  • Configuration is invalid
0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎10-07-2020 02:38 PM

@vnt90,

On the IKE Gateway, you'll want to ensure that you've set the Peer IP Address Type to Dynamic and that you've configured a Local Identification and Peer Identification option. I'd generally set the PA-5250 local identification to be it's IP Address, and then specify the PA-220 to utilize FQDN. Then you'll set the PA-5250 to be Passive since it won't be able to initiate the connection, and make sure that the PA-200 is setup to initiate the connection instead. 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎10-07-2020 02:43 PM

@vnt90,

Just to expand on the Peer Identification and Local Identification a bit. This just tells the firewall what tunnel you're actually attempting to establish.

So on your PA-5250 you would set the following:

Local Identification (IP Address) Whatever IP

Peer Identification (FQDN hostname) Whatever

 

On the PA-200 you would just flip it around:

Local Identification (FQDN hostname) Whatever

Peer Identification (IP Address) Whatever IP

 

Fun fact, the FQDN (hostname) that you specify can literally be anything as long as it matches on each node. You could specify the actual hostname of the PA-200, or you could simply enter JEFF. As long as the entered value matches on both, the tunnel will negotiate without issue. 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to BPry

‎10-07-2020 02:56 PM

Hello,

The PEER IP should be a public IP address. The local identification IP can be any IP address. Also check the logs to make sure the traffic is allowed on both sides. The Router that is in front of the PA-200 should just forward everything to the PA-200, make sure it has its firewall off and is just a router.

 

Regards,

0 Likes Likes
  • 2646 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks