Site to Site IKE Gateway Setup on 5250

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
vnt90
L2 Linker

Site to Site IKE Gateway Setup on 5250

Trying to set up ptp vpn between PA200 and corporate 5250.  I haven't found a "How to set up if the PA200 is behind home modem" article as of yet.   Is it my understanding that  when I select the 5250  "Peer IP Address Type"  = Dynamic  it means that the peer address (home ip) is unknown. The PEER would be the 200 nat'd to the home public ip.   I selected NONE as PEER Identification. Not sure how to configure this.

Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
Operation
Validate
Status
Completed
Result
Failed
Details
  • Partial changes to validate: changes to configuration by administrators: xxxxx
  • Changes to configuration in device and network
  • IKE gateway remotework-1_Jeff peer gateway ID must be defined when peer address is dynamic.(Module: ikemgr)
  • Configuration is invalid
Tags (1)
BPry
Cyber Elite

@vnt90,

On the IKE Gateway, you'll want to ensure that you've set the Peer IP Address Type to Dynamic and that you've configured a Local Identification and Peer Identification option. I'd generally set the PA-5250 local identification to be it's IP Address, and then specify the PA-220 to utilize FQDN. Then you'll set the PA-5250 to be Passive since it won't be able to initiate the connection, and make sure that the PA-200 is setup to initiate the connection instead. 

BPry
Cyber Elite

@vnt90,

Just to expand on the Peer Identification and Local Identification a bit. This just tells the firewall what tunnel you're actually attempting to establish.

So on your PA-5250 you would set the following:

Local Identification (IP Address) Whatever IP

Peer Identification (FQDN hostname) Whatever

 

On the PA-200 you would just flip it around:

Local Identification (FQDN hostname) Whatever

Peer Identification (IP Address) Whatever IP

 

Fun fact, the FQDN (hostname) that you specify can literally be anything as long as it matches on each node. You could specify the actual hostname of the PA-200, or you could simply enter JEFF. As long as the entered value matches on both, the tunnel will negotiate without issue. 

OtakarKlier
Cyber Elite

Hello,

The PEER IP should be a public IP address. The local identification IP can be any IP address. Also check the logs to make sure the traffic is allowed on both sides. The Router that is in front of the PA-200 should just forward everything to the PA-200, make sure it has its firewall off and is just a router.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!