A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
When configuring a site-to-site VPN tunnel with an unknown peer address and the peer device acting as the initiator, it is essential to use the Dynamic IP address type. This setting allows the local device to accept connections from any IP address, thereby facilitating the initiation process by the peer device. Since the local end does not have any information about the peer addresses, using the Dynamic IP address type is the appropriate choice for establishing the VPN connection.
A & B are both correct: Since the other end is initiating, you need to set passive mode on the local fw, and you also need to set dynamic for the peer-IP-type.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
A is correct given the question mentions that the local end doesn't know about any addresses (IP or FQDN) at the remote end. Enable Passive Mode is an optional setting which forces the gateway to only respond and not initiate. Even if it is not configured on the local end, the understanding is that the remote end will always initiate the connection, as otherwise the VPN will not establish anyway, since the local gateway doesn't know the IP or FQDN of the remote gateway to initiate the connection. The most appropriate choice here is A.
The answer is B. When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name. Therefore, the correct answer is B.
"using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address" -- No, on the local firewall, when you select "dynamic", there is no field to enter the ip address of the peer, that's the whole point. The local fw allows the peer to connect from any IP. BTW I prefer this as the answer. But it's also true that we would select "passive mode" on the local fw since it can't initiate the connection. BTW, this question seems to have had its answer letters rearranged since some of these comments.
A is correct
This question seems to have had its answers rearranged, since some of the explanations below discuss different letters than what is assigned. Both A and B are correct IMHO, but my first choice would be "Dynamic IP" since the tunnel wouldn't work w/o it, and second choice would be "passive mode" because without that you'd get error messages generated in the logs when the local side tried to initiate the tunnel to an IP it doesn't know.
In my opinion both A and B are correct. From the question description, they mention that the peer device will act as the initiator and that on the peer device none of the addresses are known. Then the question asks what needs to be configured... Since they say the peer device (on the other end) is the initiator and no address on it is known, they ask about the configuration that needs to be set on the local device (which must NOT initiate the VPN connection since it doesn't know the remote peer's addresses). Therefore, on the local device, we need to set the peer IP type to dynamic and check Enable Passive Mode.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0#:~:text=Note%3A%20Since%20Firewall%20B%20has%20the%20dynamic%20IP%20address%2C%20it%20needs%20to%20be%20the%20initiator%20for%20the%20VPN%20tunnel%20each%20time.%20Hence%2C%20do%20not%20select%20%22Enable%20Passive%20Mode.%22
From the Help menu in the WebUI of PAN-OS 10.2: "Select one of the following settings and enter the corresponding information for the peer: • Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation." and "Enable Passive Mode Click to have the firewall only respond to IKE connections and never initiate them." I think the "never initiates IKE connection" is the crucial point. Would go for A
A according to this link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0 Note: Since Firewall B has the dynamic IP address, it needs to be the initiator for the VPN tunnel each time. Hence, do not select "Enable Passive Mode."
But for the MAIN firewall, "Note: Since this is the static peer and does not know the IP address of the dynamic end, it would not be able to initiate the VPN. Hence, we selected the option "Enable Passive Mode.""
This question comes down to are we talking about configuring the MAIN firewall, or the remote Dynamic IP firewall.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0
The question did not state which FW (local or remote) they are referring to. For local IKE settings (enable passive mode); for remote (assuming using DHCP) IKE settings (no passive mode). I would assume they are asking for the local FW IKE config, which should enable passive mode.
A TAKUM1y link explains
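The rule the thread converges on (the end whose peer address is unknown uses the Dynamic peer type and Enable Passive Mode; the other end keeps passive mode off so it can initiate) written as a small pre-commit lint for an IKE gateway pair. This is an added example, not code from the discussion or from Palo Alto Networks; the `IkeGateway` model, the gateway names and the peer address are constructed for illustration.

```python
# Added example: lint a site-to-site IKE gateway pair for the initiator/responder
# mistakes discussed in the thread. Constructed model, not a PAN-OS API.
from dataclasses import dataclass


@dataclass
class IkeGateway:
    name: str
    peer_type: str       # peer IP address type: "ip", "fqdn" or "dynamic"
    peer_address: str    # empty when peer_type == "dynamic" (there is no field)
    passive_mode: bool   # Enable Passive Mode: respond to IKE, never initiate


def can_initiate(gw: IkeGateway) -> bool:
    """A gateway can start IKE only if it knows the peer and is not passive."""
    return gw.peer_type in ("ip", "fqdn") and bool(gw.peer_address) and not gw.passive_mode


def lint_pair(local: IkeGateway, remote: IkeGateway) -> list[str]:
    """Return the problems that would keep the tunnel down or fill the logs."""
    problems = []
    for gw in (local, remote):
        if gw.peer_type == "dynamic" and gw.peer_address:
            problems.append(f"{gw.name}: Dynamic peer type has no address field")
        if gw.peer_type in ("ip", "fqdn") and not gw.peer_address:
            problems.append(f"{gw.name}: peer type {gw.peer_type} needs an address")
        if gw.peer_type == "dynamic" and not gw.passive_mode:
            # Unknown peer: this end cannot initiate, so make it respond-only
            # instead of logging failed attempts (the thread's "A and B" point).
            problems.append(f"{gw.name}: peer is Dynamic, so enable passive mode")
    if not (can_initiate(local) or can_initiate(remote)):
        problems.append("neither gateway can initiate IKE; the tunnel never comes up")
    return problems


def kb_layout() -> tuple[list[str], list[str]]:
    """Static hub (FW-A) responds, DHCP branch (FW-B) initiates; then both passive."""
    hub = IkeGateway("FW-A", "dynamic", "", passive_mode=True)
    branch = IkeGateway("FW-B", "ip", "198.51.100.10", passive_mode=False)  # constructed
    good = lint_pair(hub, branch)
    both_passive = lint_pair(hub, IkeGateway("FW-B", "ip", "198.51.100.10", passive_mode=True))
    return good, both_passive


if __name__ == "__main__":
    ok, bad = kb_layout()
    print("hub/branch as in the KB article:", ok or "no problems")
    print("passive on both ends:", bad)
```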