Site-to-Site IP Sec - PAN 220 [Static IP] to CradlePoint [Dynamic IP]

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Site-to-Site IP Sec - PAN 220 [Static IP] to CradlePoint [Dynamic IP]

L1 Bithead

Does anyone have experience setting up an site-to-site IP Sec tunnel between a PAN firewall with a static IP address and a CradlePoint with a dynamic IP address?  I am trying to determine if there's a way to setup the IP Sec tunnel between the 2 endpoints without having to pay a 3rd party for DDNS service.

I tried setting the firewall peering to Dynamic, and the IKE Phase 1 exchange modes to Aggressive, but no luck.

Any help is appreciated.

1 accepted solution

Accepted Solutions

try these for more detailed debug logs:

 

> debug ike gateway <gw> on debug

> tail follow yes mp-log ikemgr.log

 

I noticed your local ip is 172.16x.x but you did not enable NAT-T, could you try turning that on?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

8 REPLIES 8

L6 Presenter

@acrxsupport-old  What option have you selected under local/peer identification type? You need to select proper settings here. Also what do you see under system logs?

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Cyber Elite
Cyber Elite

as long as one side is static, this shouldn't be too difficult

the PA will need to be set as 'passive' as it won't be able to connect out to the dynamic peer (without ddns) and you'll need to use set peer identification to some fictitious FQDN or email (or the local IP of the remote peer, if said peer lives behind a NAT device)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Thanks for the responses @reaper and @SutareMayur.

I've got Local and Remote Identities set on both, and it isn't coming up.

If I enable Passive Mode on the PAN, it hasn't actually responding to the IKE Phase 1 - even if I use a Static peer address instead of Dynamic.  The system logs unfortunately also don't have anything showing up.

 

2020-08-18_06-43-25.png

 

acrxsupport-old_0-1597748127515.png

 

2020-08-18_06-43-47.png

 

2020-08-18_06-44-21.png

I realized that I flipped the peering in the PAN IKE screenshot, this is corrected, but the results are the same.

try these for more detailed debug logs:

 

> debug ike gateway <gw> on debug

> tail follow yes mp-log ikemgr.log

 

I noticed your local ip is 172.16x.x but you did not enable NAT-T, could you try turning that on?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper thanks for your patience. This was very helpful for troubleshooting.  It is working now with Responder Mode and NAT-T enabled, and using the matching identities.

@acrxsupport-old  that's great!

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

When using 'user FQDN (email address)' identity, is it a real email that the system checks? Or is it just a text string?

  • 1 accepted solution
  • 8893 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!