Hi @SutareMayur, I made the VPN work and want to share the steps below in case someone else faces the same issue as me. The error message on Peer IP was confusing and this may lead to wasting a massive amount of time to solve the matter. PA docs were extremely unhelpful and earlier posts in the forum did not help much in resolving the issue. Also, I am not sure if my setup is accepted, as I have seen a few articles where TAC refused Loopback Interface for VPN setup. So, below are the steps that helped.

1. 3 Zones: Untrust, Trust and VPN
2. 2 Interfaces:
   - Ethernet 1/1 for Untrust, with the IP address set as the Static PRIVATE IP of WAN (even though the PA doc says to select DHCP client, otherwise VPN doesn't work!)
   - Ethernet1/2 for Trust, with IPv4 as DHCP Client enabled (untick Automatically create.....)
3. 2 Tunnel Interfaces: Tunnel.1 and Tunnel.2 with Security Zone as VPN for both. Peer has two WAN circuits.
4. Customer requirement was to access their local machine traffic from our end needs to be NATTed as 172.x.x.x. So I created a loopback interface with IP 172.x.x.x and Security Zone as VPN.
5. For IKE GW, I selected Untrust Interface Eth1/1 and Local IP address as the Static PRIVATE IP of WAN (even though the PA doc says to leave it blank/none, otherwise VPN doesn't work!). I then had to select Local ID and Peer ID as Public IP address of WAN for both. Left 'Enable NAT Traversal' unticked. There are two GWs in my config.
6. For IPSec Tunnel, in Primary Tunnel, I selected tunnel.1 and Proxy ID as 172.x.x.x (NATTed IP) and 146.x.x.x (Peer Remote network). Technically, as per the PA doc, it should have been 10.x.x.x (our local Network) and 146.x.x.x (Peer Remote network). Did the same for Secondary Tunnel, except I selected tunnel.2.
7. For NATTing, I used SNAT by configuring Original Packet as below.
   - Src Zone: Trust
   - Dest Zone: VPN
   - Src Address: 10.x.x.x (our local Network)
   - Dest Address: 146.x.x.x (Peer Remote Network)
   - Translated Packet as DIPP with Interface Address as loopback Interface and IP address 172.x.x.x
8. Finally, I created two security policies.
   - One with Src Zone: Trust, VPN and Dest Zone: Untrust.
   - Another one with Src Zone: Trust, VPN and Dest Zone: Trust, VPN

This now leads me to the next part of my problem. I need to create Tunnel Monitoring for the Primary and Secondary tunnel with Failover profile. No idea what to put as Destination IP as I am using loopback Interface. Any idea?