03-26-2019 01:41 PM
I need to create a VPN tunnel between my PA firewall with a regular external IP address and a remote non-PA peer that is behind some equipment (no details) and only has a local 172.17.x.x address. Is this possible?
If it is possible, do I use the external IP of the remote site even though the VPN connection will not be with that IP address?
I'm assuming the non-PA peer on the remote LAN will always need to initiate the connection, correct?
03-26-2019 04:58 PM - edited 03-26-2019 04:59 PM
If this is going over the internet, it won't be possible. RFC 1918 address space doesn't get routed over the internet.
Whatever sits in front of the other peer needs to do NAT for it to work.
03-27-2019 07:59 AM
Right. I understand public/private address spaces.
I also understand I will need NAT configured properly on the unknown router/firewall for this to work.
What I don't know is what value to use for the peer IP address, and then for authentication I'm assuming psk and email address or something like that will do the trick. AFAIK this can be done, I just haven't done it before.
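The question of which value goes into the peer-IP field, and how the remote side should identify itself, comes down to whether the remote address is routable at all. The following script is an added illustration, not code from the original thread or from Palo Alto Networks: it classifies both endpoints against the RFC 1918 ranges and derives a peer plan (peer address, identification type, which side must initiate, whether NAT traversal on UDP 4500 is needed). The addresses, the `plan_ipsec_peer` helper and the `PeerPlan` structure are constructed for this example; the rule that a NAT'd peer must initiate and identify by something other than its private IP is generic IKE behaviour, not a PAN-OS-specific setting.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1918 private ranges: never routed across the public internet.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


@dataclass
class PeerPlan:
    peer_address: str          # value for the gateway's peer-IP field
    peer_id_type: str          # how the remote peer must identify itself in IKE
    initiator: str             # "remote", "either"
    nat_traversal: bool        # UDP 4500 encapsulation required
    notes: List[str] = field(default_factory=list)


def plan_ipsec_peer(local_public: str, remote_addr: str,
                    remote_nat_public: Optional[str] = None) -> PeerPlan:
    """Derive how to configure the local gateway for a given remote peer.

    local_public:      the firewall's own internet-facing address
    remote_addr:       the address the remote peer actually has on its interface
    remote_nat_public: public address of the NAT device in front of the peer,
                       if known (None when the remote network is a black box)
    """
    if is_rfc1918(local_public):
        # The side that waits for the connection must be reachable directly.
        raise ValueError("local gateway address is private; it cannot be the responder")

    if not is_rfc1918(remote_addr):
        # Ordinary site-to-site case: both ends have public addresses.
        return PeerPlan(
            peer_address=remote_addr,
            peer_id_type="ipaddr",
            initiator="either",
            nat_traversal=False,
        )

    # Remote peer sits behind NAT. Its private address can never be the peer IP;
    # the firewall will only ever see the NAT device's public source address.
    plan = PeerPlan(
        peer_address=remote_nat_public if remote_nat_public else "dynamic",
        # An IP-type IKE ID would carry the private 172.17.x.x address and
        # mismatch the observed source, so identify by FQDN/email/key-id instead.
        peer_id_type="fqdn-or-email-or-keyid",
        initiator="remote",
        nat_traversal=True,
    )
    plan.notes.append(
        f"peer {remote_addr} is RFC 1918; only the NAT device's public address is reachable"
    )
    plan.notes.append("NAT device must allow outbound UDP 500 and UDP 4500 from the peer")
    if remote_nat_public is None:
        plan.notes.append("NAT public address unknown: configure the peer as dynamic and "
                          "match on the IKE identity plus pre-shared key")
    return plan


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: PA side public, remote only 172.17.x.x.
    plan = plan_ipsec_peer("203.0.113.10", "172.17.5.20")
    print(plan)
```

Running it with the constructed addresses yields a plan whose peer address is `dynamic`, whose initiator is the remote side, and which requires NAT traversal; the notes spell out what the unknown equipment in front of the peer would have to permit. Swap in a public remote address and the plan collapses to the ordinary static-peer case.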
03-27-2019 10:35 AM - edited 03-27-2019 10:38 AM
How can you create a VPN tunnel to a device you have no information on? It sounds like what you're really trying to do is "tunnel through" that FW to that end host.
So you'd need the host to have some VPN/tunnel software that would actually create the VPN tunnel with your FW... (I would think this would be something the host network wouldn't allow.) --edit-- seems like a perfect setup for some "haxorz" to go on ./
04-05-2019 02:38 PM
Couldn't get this working. The other end of the tunnel is on a LAN sitting behind gear I don't have access to so I can't configure or confirm NAT settings or port forwarding. Tried to get the device to initiate a connection, but it has limited configuration options and couldn't set an email address or other option for auth. Will have to figure out another way.