I'm trying to get this constellation running:
Two PA 200s behind a DSL home router, and a firewall with a fixed public IP at the passive site.
This image is just an example of how it looks...
First I want to get the active site ("PA-Active"; PA 200; version 5.0.6) running...
I configured the IKE gateway, tunnel interface and also the IPSec tunnel, but the PA doesn't want to establish/initialize the connection at all... I cannot see any log entries in "Traffic" or in "System" either... Firewall policies should allow the traffic...
Here are the settings I made:
Can someone help? Did I miss a config?
Hi... You need to add a static route for the IP network that is found across the tunnel. Let's say the remote LAN has IP subnet 10.11.12.0/24. You would add a static route with dest=10.11.12.0/24 and interface=tunnel.2. Then you need to generate traffic, like pinging a host at 10.11.12.x, to force traffic to the tunnel and bring the tunnel up. Thanks.
Also, I would suggest building a tunnel monitoring profile on both sides... I have Palo Alto to Palo Alto IPSec tunnels in production, and I noticed that the tunnels wouldn't come back up if I rebooted one side of the tunnel without tunnel monitoring in place (which kind of makes sense... the IPSec SA was never being torn down on one side; I had to clear it manually to get the tunnel back up).
I will say that my PA to PA tunnels have been rock solid though, after that one little gotcha.
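Putting the two replies above together as an added example (this is not from the original thread and not Palo Alto Networks' own documentation): the PAN-OS CLI equivalent of the static route over tunnel.2, a tunnel monitor on the IPSec tunnel, and the operational commands to trigger and inspect both phases. The subnet 10.11.12.0/24 and tunnel.2 come from the first reply; the virtual router name default, the object names to-remote-lan, vpn-monitor, ipsec-to-passive and ike-to-passive, and the monitor target 10.11.12.1 are assumptions. Lines starting with # are annotations, not CLI input.

```text
# Added example, not from the original thread. Object names are assumed;
# only 10.11.12.0/24 and tunnel.2 come from the reply above.
configure

# 1. Static route: send the remote LAN into the tunnel interface. Without it,
#    traffic to 10.11.12.x follows the default route out the DSL router and
#    never triggers IKE, so nothing shows up in the Traffic or System logs.
set network virtual-router default routing-table ip static-route to-remote-lan destination 10.11.12.0/24
set network virtual-router default routing-table ip static-route to-remote-lan interface tunnel.2

# 2. Tunnel monitor: ping a host behind the far end (assumed 10.11.12.1).
#    When it stops answering, the stale IPSec SA is torn down and IKE is
#    renegotiated, which covers the reboot gotcha from the second reply.
set network profiles monitor-profile vpn-monitor action wait-recover
set network profiles monitor-profile vpn-monitor interval 3
set network profiles monitor-profile vpn-monitor threshold 5
set network tunnel ipsec ipsec-to-passive tunnel-monitor enable yes
set network tunnel ipsec ipsec-to-passive tunnel-monitor destination-ip 10.11.12.1
set network tunnel ipsec ipsec-to-passive tunnel-monitor tunnel-monitor-profile vpn-monitor

commit
exit

# 3. Operational mode: force the negotiation instead of waiting for user
#    traffic, then check phase 1 and phase 2 separately.
test vpn ike-sa gateway ike-to-passive
test vpn ipsec-sa tunnel ipsec-to-passive
show vpn ike-sa gateway ike-to-passive
show vpn ipsec-sa tunnel ipsec-to-passive
show vpn flow

# 4. Manual recovery when one side still holds a stale SA (what the second
#    reply had to do by hand before tunnel monitoring was in place).
clear vpn ike-sa gateway ike-to-passive
clear vpn ipsec-sa tunnel ipsec-to-passive
```

Tunnel monitoring needs an IP address on the tunnel interface to source its probes from, so assign one to tunnel.2 on both sides before enabling it. After the test vpn commands, the System log is where IKE negotiation results appear; an empty System log means the firewall never even tried, which points back at routing. One further assumption about this setup rather than something the thread states: a PA 200 behind a DSL home router is almost certainly NATed, and the IKE gateway on both sides then needs NAT traversal enabled for phase 1 to complete.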