VPN peer with dynamic IP

Showing results for 
Search instead for 
Did you mean: 

VPN peer with dynamic IP

Not applicable


I tried to make a VPN between a Palo Alto (static IP)  and a Netscreen 5 (dynamic IP).

I succeeded when I declared Netscreen's IP as static, so phase I and phase II, proxies and so are correct.

When I change peer address to dynamic, VPN doesn't work. I tried declaring peer id, local id, every combination, but no success.

I always get this log message:

Jul 15 10:58:45 1,2010/07/15 10:58:45,xxxxxxxxxxx,SYSTEM,vpn,0,2010/07/15 10:58:45,,unknown,[500],0,0,general,informational,IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP[500].

(I've obfuscated the real IP addresses)

Does anybody have a how-to to configure VPNs with parties with dynamic IP?

Thank you so much


L3 Networker

When you change the VPN to dynamic for the peer, did you clear the keys (phase1 and phase2) on the Netscreen?  I suspect the PAN is expecting a new key negotiation but the Netscreen is trying to use the old keys.

L3 Networker

Also, when using Dynamic, did you configure the Peer Identification?  When using Dynamic VPN we need some other way to identify the VPN request.  Usually FQDN.

So there is no other way? What if the remote end triggers the VPN? With Cisco ASA it was easy task. Remote sites with DHCP addresses were configured with normal crypto map. The hub termination site matched them against DefaultL2L entry and it worked beautiful. I am changing one of my customers from Cisco ASA to PA and they are expecting similar functionality.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!