07-15-2010 08:11 AM
Hello,
I tried to make a VPN between a Palo Alto (static IP) and a Netscreen 5 (dynamic IP).
I succeeded when I declared Netscreen's IP as static, so phase I and phase II, proxies and so on are correct.
When I change peer address to dynamic, VPN doesn't work. I tried declaring peer id, local id, every combination, but no success.
I always get this log message:
Jul 15 10:58:45 1,2010/07/15 10:58:45,xxxxxxxxxxx,SYSTEM,vpn,0,2010/07/15 10:58:45,,unknown,192.168.0.107[500],0,0,general,informational,IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 192.168.0.107[500].
(I've obfuscated the real IP addresses)
Does anybody have a how-to to configure VPNs with parties with dynamic IP?
Thank you so much
07-16-2010 01:28 PM
When you change the VPN to dynamic for the peer, did you clear the keys (phase1 and phase2) on the Netscreen? I suspect the PAN is expecting a new key negotiation but the Netscreen is trying to use the old keys.
12-23-2011 09:45 AM
So there is no other way? What if the remote end triggers the VPN? With Cisco ASA it was an easy task. Remote sites with DHCP addresses were configured with a normal crypto map. The hub termination site matched them against the DefaultL2L entry and it worked beautifully. I am changing one of my customers from Cisco ASA to PA and they are expecting similar functionality.