Hello all.
I recently built an IPSec VPN between two sites.
It works great, but I have to bring it up manually every time the firewall restarts.
I usually accomplish this by running “test vpn ike-sa gateway <gateway_name>” and “test vpn ipsec-sa tunnel <tunnel_name>”, which brings up each phase and works well.
How am I supposed to set this up so that the tunnel is built automatically without my intervention?
Thanks!
Set up a tunnel monitor on the IPSec tunnel; it’ll send traffic to the remote side, which will keep the tunnel up.
It’s normal that the tunnel won’t go UP until there is traffic routed into it; that doesn’t mean it is faulty.
If you are trying to pass packets through it and it still won’t come UP, that’s a problem that you should consider looking into instead of setting up a workaround.
Unless you have your side of the tunnel set to passive mode, the PAN should attempt to bring a tunnel up as soon as it sees interesting traffic.
Never had that issue, the VPN has always built as soon as traffic goes down the tunnel.
I use a routing protocol so the tunnel builds straight away.
Nailed up parameter usually helps.
I assume the monitor IP should be something only reachable through the tunnel itself?
Good point. Provided you don’t have both sides in passive mode it should automatically rebuild the tunnel if the connection bounces for some reason.
What is the “Nailed up parameter” called and where is it located?
Yeah an IP that is routed over the tunnel, or the IP on the inside of the tunnel on the other side.
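As an added example (not posted by anyone in this thread), here is what the tunnel monitor suggested above looks like in PAN-OS set-format CLI, with the monitor target being an inside address on the far side that is only reachable through the tunnel. The tunnel name, gateway name, profile name and addresses are placeholders, the `#` lines are explanatory and not part of the CLI, and the exact command paths are assumed from PAN-OS configuration mode and should be checked against the running version:

```text
# Monitor profile: probe every 3 s, declare the tunnel down after 5 missed replies,
# and keep retrying (wait-recover) rather than failing over to another route.
set network tunnel-monitor keepalive-profile action wait-recover
set network tunnel-monitor keepalive-profile interval 3
set network tunnel-monitor keepalive-profile threshold 5

# Attach the profile to the IPSec tunnel. destination-ip must be routed INTO the
# tunnel (here the remote peer's inside interface, a placeholder address), so the
# probes themselves are "interesting traffic" and trigger IKE after a reboot.
set network tunnel ipsec site-b-vpn tunnel-monitor enable yes
set network tunnel ipsec site-b-vpn tunnel-monitor destination-ip 10.20.0.1
set network tunnel ipsec site-b-vpn tunnel-monitor tunnel-monitor-profile keepalive-profile

# This side must not be passive, or it will only answer the peer and never initiate.
set network ike gateway site-b-gw protocol-common passive-mode no
commit
```

After the commit, `show vpn ike-sa` and `show vpn ipsec-sa` should list the gateway and tunnel without any manual `test vpn` command; if the monitor target is also reachable outside the tunnel, the probes will not force the tunnel up.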
Then I need to know what gear you are using.
This is /r/paloaltonetworks … OP never mentioned 3rd party gear, so I assumed you were talking about a setting on the PA.
Wow. I completely missed that; replied via customized home screen, never looked at the actual group. DUH!
If that’s the worst thing you do all day I think we’ll all be OK. HAH.