![]() ID Application State Type Flag Src/Zone/Proto (translated IP) Initially, when the tunnel is down, we see an ipsec-esp session with destination as 0.0.0.0, since we are not sure of the peer show session all Hence, we selected the option "Enable Passive Mode." Note: Since this is the static peer and does not know the IP address of the dynamic end, it would not be able to initiate the VPN. ![]() Also, "Peer IP Type" is dynamic here since we are not sure of the IP on the other end. ![]() Note: Peer Identification on the static peer needs to be the same as Local Identification configured on the dynamic peer. Hence, do not select "Enable Passive Mode." Note: Since Firewall B has the dynamic IP address, it needs to be the initiator for the VPN tunnel each time. This is an important configuration since it is the only way for the peer to identify the dynamic gateway. ![]() It could be anything as long as it is same on the other end. However, we can use any of the available qualifiers, making sure it is the same on the peer end as well. Note: In this example, Local ID is mentioned as FQDN (email address). Interface on Firewall B gets the IP address dynamically from the DHCP server (interface on Router configured as DHCP server). PA-Firewall A (10.129.70.38) - Router (DHCP server) - (DHCP IP) PA-Firewall B
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |