Site-to-Site VPN with Dynamic Peer IP address not forming



L3 Networker

In this setup, I'm trying to configure a site-to-site VPN between a PA and a Cisco 3G router (whose IP address will be dynamic). I'm unable to get the tunnel working. When I run the command 'show vpn ike-sa gateway <gatewayname>', I get no information about the tunnel. It doesn't even seem to know about the tunnel.


Any ideas please?


Cyber Elite

Initiate traffic towards Palo.

Go to system log.

What error do you see there?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi,

I've tried initiating traffic to the Palo. In the system logs, I get: 'IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP '


I've not configured a static peer IP as this is a 3G router, so I'm not sure what the problem here would be.

I think your problem is the ID for phase 1 for the remote peer. Instead of the IP address being used as the ID, select for example User FQDN as the peer identification, then configure the same settings on the Cisco as well. I also set the PA in such a case to be in 'passive mode' as it cannot be the initiator anyway (as the remote peer has a dynamic IP).

Hi Santonic,

Thanks for your contribution. As it is a 3G router, can a User FQDN be configured? And what would it resolve to?

Don't know anything about the router you have there. You have to check what it supports as IPSec ID.


User FQDN can be an email address. Basically it doesn't check anything, just the strings on both sides have to match. So think of it as a second password of sorts.


L3 Networker

I have now been able to get Phase 1 of the VPN working. Instead of using a Policy-based VPN, I have configured a Route-based VPN using Tunnel interfaces at both sides.

I am still having a problem with Phase 2. I get the below error when pinging from one side to the other:


'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID'


I've defined the address ranges I expect to communicate between both sides in the Proxy ID but still get this error.


Any thoughts anyone?

Is this the full error you get?

The proxy ID error in the system log should tell you exactly what the other end sends.

So you can configure your Phase 2 accordingly.

Can you paste the full proxy ID error here?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
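Both failures in this thread come down to a lookup on the responder side: in phase 1 the firewall must find a gateway that matches the incoming request (by peer IP for a static peer, or by the presented peer ID such as a User FQDN when the peer address is dynamic, as Santonic describes), and in phase 2 it must find a tunnel whose proxy ID exactly mirrors the one the peer sends. The following is an added example, not PAN-OS code and not from anyone in this thread: a simplified Python model of those two lookups, with constructed gateway names, addresses and the User FQDN `branch@example.com`, that reproduces why a dynamic-peer gateway left on IP-address identification finds nothing, and why a proxy ID that differs by a single prefix length fails to match.

```python
"""Simplified model of IKE gateway selection (phase 1) and proxy-ID matching
(phase 2). This is an added teaching example with constructed data; it is not
PAN-OS code and omits many details of real IKE negotiation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class IkeGateway:
    name: str
    peer_address: Optional[str]        # None models a "dynamic" peer address
    peer_id_type: str = "ipaddr"       # "ipaddr", "fqdn", "ufqdn", "keyid"
    peer_id: Optional[str] = None      # expected value of the peer's ID payload
    passive_mode: bool = False         # responder only, never initiates


@dataclass
class ProxyId:
    local: str                         # our side, e.g. "10.1.0.0/24"
    remote: str                        # peer side, e.g. "192.168.10.0/24"
    protocol: str = "any"


@dataclass
class IpsecTunnel:
    name: str
    gateway: str                       # name of the IkeGateway it rides on
    proxy_ids: List[ProxyId] = field(default_factory=list)


def select_gateway(gateways, src_ip, id_type, id_value):
    """Phase 1 lookup for an incoming IKE request.

    A gateway with a static peer address is chosen by source IP alone.  A
    dynamic-peer gateway cannot use the source IP (it changes), so it is
    chosen only when the peer's ID payload matches the configured type and
    value.  Returning None corresponds to "Couldn't find configuration for
    IKE phase-1 request for peer IP" in the thread.
    """
    for gw in gateways:
        if gw.peer_address is not None:
            if ip_address(gw.peer_address) == ip_address(src_ip):
                return gw
            continue
        if gw.peer_id_type == id_type and gw.peer_id == id_value:
            return gw
    return None


def can_initiate(gw):
    """Passive mode (or a dynamic peer address) means we wait for the peer."""
    return not gw.passive_mode and gw.peer_address is not None


def select_tunnel(tunnels, gateway_name, peer_local, peer_remote, protocol="any"):
    """Phase 2 lookup on the proxy ID the peer sends.

    The peer's proxy ID is mirrored relative to ours: its local network is our
    remote and vice versa.  Matching is exact on prefix and protocol, so a
    superset, subset or different mask does not match, which is the
    "cannot find matching phase-2 tunnel for received proxy ID" case.
    """
    want_local = ip_network(peer_remote, strict=False)
    want_remote = ip_network(peer_local, strict=False)
    for tunnel in tunnels:
        if tunnel.gateway != gateway_name:
            continue
        for pid in tunnel.proxy_ids:
            if (ip_network(pid.local, strict=False) == want_local
                    and ip_network(pid.remote, strict=False) == want_remote
                    and pid.protocol == protocol):
                return tunnel
    return None


if __name__ == "__main__":
    # Constructed scenario: a 3G router whose public IP today is 203.0.113.7.
    broken = [IkeGateway("cisco-3g", peer_address=None)]           # ID type left at ipaddr
    fixed = [IkeGateway("cisco-3g", peer_address=None, peer_id_type="ufqdn",
                        peer_id="branch@example.com", passive_mode=True)]
    print("broken phase 1:", select_gateway(broken, "203.0.113.7", "ipaddr", "203.0.113.7"))
    print("fixed phase 1: ", select_gateway(fixed, "203.0.113.7", "ufqdn", "branch@example.com"))

    tunnels = [IpsecTunnel("to-branch", "cisco-3g",
                           [ProxyId("10.1.0.0/24", "192.168.10.0/24")])]
    # Peer proposes its LAN as local and our LAN as remote: mirrored, so it matches.
    print("phase 2 match:   ", select_tunnel(tunnels, "cisco-3g", "192.168.10.0/24", "10.1.0.0/24"))
    # Peer proposes a /25 instead of the /24 we configured: no tunnel found.
    print("phase 2 mismatch:", select_tunnel(tunnels, "cisco-3g", "192.168.10.0/25", "10.1.0.0/24"))
```

When the system log does include the received proxy ID, plugging the peer's local and remote values into `select_tunnel` against your configured proxy IDs shows immediately which side needs to change, which is what the reply above asks the poster to check.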