We have a branch office connected via site-to-site VPN, Palo Alto firewalls at both locations.
Due to building works the office has been relocated to a shared building and we're having to use a third party's network connection. We've been provided with a public IP address which is then NATed to a 192.x.x.x address which they then route to our fw. We would like to reinstate the site-to-site VPN.
The fw at the new location has the external interface set on the private 192.x.x.x range. Phase 1 negotiation from our main site is failing as it detects the private address as an invalid peer, as we have the public address configured as the remote peer on the IKE Gateway.
Is there a way around this?
Thanks in advance.
Yes. You can use a different IP address for transport and for phase 1 identification. Put the public IP address on the IKE gateway as "Peer IP Address" and the private IP address under "Peer Identification -> IP address".
Firstly, turn on NAT traversal: Network > IKE Gateways > Advanced Options > Enable NAT Traversal.
Use Local Identification and Peer Identification on both firewalls. In these fields you can select the IP address configured on the interface.
PA1 (public), PA2 (private)
On the firewall which has the public IP address (PA1), set the peer IP address under the IKE gateway to the public IP address of the other firewall. Initiate the tunnel negotiation from PA2.
Use these commands:
test vpn ike-sa
test vpn ipsec-sa
Let us know if it helps or not.
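To make the two answers above concrete, here is an added illustrative model (not PAN-OS code, not from either poster) of the two IKE checks involved: the responder's identity (IDr) check, which fails when the peer's identity defaults to its private interface address while the initiator expects the public NAT address, and the RFC 7296 NAT_DETECTION hash comparison that NAT traversal relies on. The gateway field names (peer_address, peer_id, nat_traversal), the SPIs and all IP addresses are constructed for the example; 203.0.113.10 stands for the third party's public NAT address and 192.168.10.1 for PA2's private interface address.

```python
"""Model of why phase 1 fails when the remote Palo Alto firewall sits behind a
third-party NAT, and how separate Peer Identification plus NAT traversal fix it.
Illustrative model of the IKE checks only; not PAN-OS code.  All addresses,
SPIs and field names are constructed for the example."""

import hashlib
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple


@dataclass(frozen=True)
class IkeGateway:
    """Relevant fields of an IKE Gateway object (assumed field names)."""
    peer_address: str                # where IKE/ESP packets are sent (transport)
    peer_id: Optional[str] = None    # expected IDr; None means it defaults to peer_address
    nat_traversal: bool = False      # whether UDP 4500 encapsulation is allowed


# Constructed example addresses and SPIs.
PA2_INTERFACE_IP = "192.168.10.1"   # private address on PA2's external interface
PA2_PUBLIC_IP = "203.0.113.10"      # third party's NAT address, as seen by PA1
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 section 2.23: NAT_DETECTION_*_IP = SHA-1(SPIi | SPIr | IP | Port)."""
    data = spi_i + spi_r + ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
                observed_ip: str, observed_port: int) -> bool:
    """The receiver recomputes the sender's NAT_DETECTION_SOURCE_IP over the source
    address/port it actually observed; a mismatch means a NAT rewrote them."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


def check_phase1(gw: IkeGateway, observed_src_ip: str, received_peer_id: str,
                 nat: bool) -> Tuple[bool, str]:
    """Checks the initiator applies to the responder's reply (simplified model)."""
    expected_id = gw.peer_id if gw.peer_id is not None else gw.peer_address
    if observed_src_ip != gw.peer_address:
        return False, f"reply came from {observed_src_ip}, not configured peer {gw.peer_address}"
    if received_peer_id != expected_id:
        return False, f"peer id mismatch: got {received_peer_id}, expected {expected_id}"
    if nat and not gw.nat_traversal:
        return False, "NAT in path but NAT traversal disabled: ESP cannot cross the NAT"
    return True, "phase 1 accepted" + (" (UDP 4500 encapsulation)" if nat else "")


def run_scenario(gw: IkeGateway) -> Tuple[bool, str]:
    """PA1 (public) negotiates with PA2 (private, behind the third party's NAT)."""
    # PA2 hashes its own interface address; PA1 observes the NATed source address.
    nat = nat_in_path(SPI_I, SPI_R, PA2_INTERFACE_IP, 500, PA2_PUBLIC_IP, 500)
    # Without an explicit Local Identification, PA2's IDr is its interface address.
    return check_phase1(gw, PA2_PUBLIC_IP, PA2_INTERFACE_IP, nat)


def original_config() -> Tuple[bool, str]:
    """Peer IP Address = public NAT address, Peer Identification left at default."""
    return run_scenario(IkeGateway(peer_address=PA2_PUBLIC_IP))


def fixed_config() -> Tuple[bool, str]:
    """Peer IP Address = public NAT address, Peer Identification = private address,
    NAT traversal enabled, as the answers above describe."""
    return run_scenario(IkeGateway(peer_address=PA2_PUBLIC_IP,
                                   peer_id=PA2_INTERFACE_IP,
                                   nat_traversal=True))


if __name__ == "__main__":
    print("original:", original_config())
    print("fixed:   ", fixed_config())
```

Running it shows the original gateway rejected with a peer id mismatch (IDr 192.168.10.1 received, 203.0.113.10 expected) and the corrected gateway accepted with UDP 4500 encapsulation; setting only Peer Identification without NAT traversal passes the identity check but still fails because ESP cannot cross the NAT. On the real firewalls, `test vpn ike-sa` and the IKE system log are where these two failure modes show up.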