I apologize if this is posted in the wrong message board. It is unclear to me where I should specifically be asking this type of question.
I configured a site-to-site IPSec VPN between two Palo Alto's and they are both failing on Phase 1 and Phase 2. The local addresses are in the same IP address range and I am not able to change them. A test VPN was setup with different internal IP ranges works, but to try and make the internal ranges work, we are NATing the internal ranges to a unique NAT range.
I had followed the directions from this article and double checked the configuration: https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/. We will also need to configure both network with additional zones traversing the tunnel, but have not done anything with that yet as we cannot get the first zone working.
I am happy to provide any error messages and configs if anyone needs them. Thanks in advance!
-Use nat on both side and enter routes for nat ip adresses.
-I know if both side is Palo Alto you do not need to enter a Proxy id. but I am entering as 0.0.0.0/0 in both side every time (My behaveior 🙂 )
-İf NAT is not an option and devices are directly connect to Firewall you can use PBR only for source and destionation ip addresses and ports. More specific is more accurate.
I hope these solutions helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!