Tunnel between PaloAlto and PaloAlto
cancel
Showing results for 
Search instead for 
Did you mean: 

Tunnel between PaloAlto and PaloAlto

L4 Transporter

Hello,

i'm trying to get this constellation running:

Two PA 200 behind a DSL-Home-Router and a firewall with a fixed public IP at the passive site.

overview.jpg

This image is just an example how it looks like....

First i want to get the active site ("PA-Active"; PA 200; Version 5.0.6) running...

I configured the IKE Gateway, Tunnel interface and also the IPSec Tunnel, but the PA doesn't want to establish/initialize the connection at all...I cannot see any log files in "traffic" either in "system"...Firewall policies should allow the traffic...

Here are the settings i made:

router.jpg

tunnel.jpg

interface.jpg

ipsec.jpg

ike.jpg

Can someone help? Did i missed a config?

16 REPLIES 16

L5 Sessionator

Hi Hithead,

Do you have a policy to permit ike and ipsec application from the untrust zone to the untrust zone, if at all there is a clean up rule at the bottom of the firewalls ?

What are the IKE identities that you are using on the remote  PA firewalls?

Are you also permitting ike and ipsec traffic on the firewall 2?

To rephrase my earlier question, may I know what local and remote peer IDs have been configured on each of the PA 200s?

L6 Presenter

Hi...You need to add a static route for the IP network that is found across the tunnel.  Let's say the remote LAN has IP subnet 10.11.12.0/24.  You would add static route dest=10.11.12.0.24 use interface=tunnel.2.  Then you need to generate traffic like pinging a host at 10.11.12.x to force traffic to the tunnel & bring the tunnel up.  Thanks.

L4 Transporter

The static route is the thing that's needed as said.

Also I would suggesting building a tunnel monitoring profile on both sides... I have Palo Alto to Palo Alto IPSec tunnels in production, and I noticed that the tunnels wouldn't come back up if I rebooted one side of the tunnel without tunnel monitoring in place (which kind of makes sense.. the IPSec SA was never being torn down on one side, I had to clear it manually to get the tunnel back up).

I will say that my PA to PA tunnels have been rock solid though, after that one little gotcha.

L4 Transporter

Hi,

i added 10.0.0.0/8 (because all traffic should go through the tunnel)...And also make a ping from the interface 1/1... and still no reaction or something else to initialize a tunnel...

router2.jpg

ping.jpg

traffic.jpg

Do you have a catch all NAT policy configured on your PA? If you do, you need to set up a noNAT for the traffic you're trying to send over the tunnel. That's usually the culprit when I can't figure out why a tunnel isn't seeing interesting traffic and coming up

L4 Transporter

Hi..

no there is no NAT configured for this traffic.

Can you please do me a favour and provide some screenshots of your configuration?

Because i'm really confused why my PA didn't try to establish a VPN tunnel...

Your traffic log shows the ping are being dropped so the tunnel will not come up.  Make sure you have a security rule allowing the traffic to the tunnel zone.  Thanks.

Hi HIthead,

I am still wondering if the Phase-1 is getting established or not. Are the phase 1 and the phase 2 up?

>show vpn ike-sa

>show vpn ipsec-sa

I have an apprehension that we are failing in the negotiation itself.

BR,

Karthik

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!