Site-to-Site VPN with Dynamic Peer IP address not forming

L3 Networker

Site-to-Site VPN with Dynamic Peer IP address not forming

In this setup, I'm trying to configure a site-to-site VPN between a PA and a Cisco 3G router (whose IP address will be dynamic). I'm unable to get the tunnel working. When I run the command 'show vpn ike-sa gateway <gatewayname>', I get no information about the tunnel. It doesn't even seem to know about the tunnel.


Any ideas please?

L7 Applicator

Initiate traffic towards Palo.

Go to system log.

What error do you see there?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L3 Networker

Hi,

I've tried initiating traffic to the Palo. In the system logs, I get: 'IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP '


I've not configured a static peer IP, as this is a 3G router, so I'm not sure what the problem here would be.

L5 Sessionator

I think your problem is the ID for phase 1 for the remote peer. Instead of the IP address being used as the ID, select, for example, User FQDN as the peer identification, then configure the same settings on the Cisco as well. I also set the PA in such a case to 'passive mode', as it cannot be the initiator anyway (as the remote peer has a dynamic IP).

L3 Networker

Hi Santonic,

Thanks for your contribution. As it is a 3G router, can a User FQDN be configured? And what would it resolve to?

L5 Sessionator

Don't know anything about the router you have there. You have to check what it supports as IPSec ID.


User FQDN can be an email address. Basically it doesn't check anything; just the strings on both sides have to match. So think of it as a second password of sorts.

L3 Networker

I have now been able to get Phase 1 of the VPN working. Instead of using a Policy-based VPN, I have configured a Route-based VPN using Tunnel interfaces at both sides.

I am still having a problem with Phase 2. I get the below error when pinging from one side to the other:


'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID'


I've defined the address ranges I expect to communicate between both sides in the Proxy ID but still get this error.


Any thoughts anyone?

L7 Applicator

Is this the full error you get?

The proxy ID error in the system log should tell you exactly what the other end sends.

So you can configure your Phase 2 accordingly.

Can you paste the full proxy ID error here?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
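Added example (not from any poster above, and not Palo Alto Networks code): a small model of the two lookups behind the log messages quoted in this thread. Phase 1 ("Couldn't find configuration for IKE phase-1 request for peer IP") is modelled as gateway selection: a static-peer gateway is found by source address, a dynamic-peer gateway only by the peer ID string the router sends, which is why the User FQDN suggestion unblocks it. Phase 2 ("cannot find matching phase-2 tunnel for received proxy ID") is modelled as the mirror check: the peer's local selector must equal the firewall's remote selector and vice versa, as identical networks, not subsets. The data classes, all addresses, the ID string and the sample "received local id / received remote id" log line are constructed for this example; the wording of that verbose message is from memory and may differ between PAN-OS versions, so treat the regex as an assumption.

```python
"""Model of IKE gateway selection (phase 1) and proxy-ID matching (phase 2)
as described in the thread above.  Added example; not Palo Alto code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PROTO_NUM = {"any": 0, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class IkeGateway:
    name: str
    peer_address: str                    # IP literal, or "dynamic" (3G/DHCP peer)
    peer_id_type: Optional[str] = None   # e.g. "ufqdn" when the peer is dynamic
    peer_id: Optional[str] = None        # the string both sides must agree on
    passive_mode: bool = False           # respond only; never initiate


@dataclass
class ProxyId:
    local: str                 # network behind this firewall (CIDR)
    remote: str                # network behind the peer (CIDR)
    protocol: str = "any"


@dataclass
class IpsecTunnel:
    name: str
    gateway: str               # IkeGateway.name
    proxy_ids: List[ProxyId]


def find_gateway(gateways, peer_ip, peer_id_type=None, peer_id=None):
    """Phase 1.  Static-peer gateways match on source IP; a dynamic-peer
    gateway cannot, so in this model it matches only when the peer sends the
    configured ID type and string.  None = 'Couldn't find configuration'."""
    for gw in gateways:
        if gw.peer_address != "dynamic":
            if gw.peer_address == peer_ip:
                return gw
        elif gw.peer_id_type is not None and \
                (peer_id_type, peer_id) == (gw.peer_id_type, gw.peer_id):
            return gw
    return None


# Assumed shape of the verbose phase-2 message (see lead-in); used to pull
# the selectors the peer sent out of a copied system-log line.
RECEIVED_ID_RE = re.compile(
    r"received local id: (?P<loc>\S+) type \S+ protocol (?P<lp>\d+) port \d+, "
    r"received remote id: (?P<rem>\S+) type \S+ protocol (?P<rp>\d+) port \d+")


def parse_received_proxy_id(log_line):
    """Return (peer_local, peer_remote, protocol_number) or None."""
    m = RECEIVED_ID_RE.search(log_line)
    return None if m is None else (m["loc"], m["rem"], int(m["lp"]))


def match_phase2(tunnels, gateway_name, peer_local, peer_remote, peer_proto=0):
    """Phase 2.  Peer LOCAL must equal our REMOTE and vice versa as identical
    networks (a subnet or 0.0.0.0/0 is not a match), and protocols must agree.
    Returns (tunnel name, proxy-id index) or None ('cannot find matching')."""
    pl = ipaddress.ip_network(peer_local, strict=False)
    pr = ipaddress.ip_network(peer_remote, strict=False)
    for t in tunnels:
        if t.gateway != gateway_name:
            continue
        for i, pid in enumerate(t.proxy_ids):
            ours_local = ipaddress.ip_network(pid.local, strict=False)
            ours_remote = ipaddress.ip_network(pid.remote, strict=False)
            if ours_local == pr and ours_remote == pl \
                    and PROTO_NUM[pid.protocol] == peer_proto:
                return t.name, i
    return None


def demo():
    """Walk through the thread's situation with constructed values."""
    gw = IkeGateway("cisco-3g", "dynamic", "ufqdn", "branch1@example.invalid",
                    passive_mode=True)
    tun = IpsecTunnel("tun-branch1", "cisco-3g",
                      [ProxyId("10.0.0.0/24", "192.168.1.0/24")])
    r = {}
    # Phase 1: the router arrives from a new address each time (constructed).
    r["p1_no_id"] = find_gateway([gw], "203.0.113.7")
    r["p1_with_id"] = find_gateway([gw], "203.0.113.7", "ufqdn",
                                   "branch1@example.invalid")
    # Phase 2: a correctly mirrored proxy ID from the router matches ...
    r["p2_mirrored"] = match_phase2([tun], gw.name, "192.168.1.0/24", "10.0.0.0/24")
    # ... a /25 on the router side (from a constructed log line) does not ...
    log = ("IKE phase-2 negotiation failed when processing proxy ID. cannot find "
           "matching phase-2 tunnel for received proxy ID. received local id: "
           "192.168.1.0/25 type IPv4_subnet protocol 0 port 0, received remote id: "
           "10.0.0.0/24 type IPv4_subnet protocol 0 port 0.")
    loc, rem, proto = parse_received_proxy_id(log)
    r["p2_from_log"] = match_phase2([tun], gw.name, loc, rem, proto)
    # ... and neither does the 'any/any' a policy-based crypto map would send.
    r["p2_wildcard"] = match_phase2([tun], gw.name, "0.0.0.0/0", "0.0.0.0/0")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and compare `p2_from_log` with `p2_mirrored`: the only difference is the /25 the peer sent, which is exactly what the full system-log line would have revealed. The fix goes on whichever side has the wrong selector, not by widening the firewall's proxy ID.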