We are not using 10.10.10.10 internally, nor is it used externally. Our external IP, for example: 192.168.1.2.
The 10.10.10.10/32 is the IP configured at the customer site, and they need us to use that IP, as it is set as an encryption domain (at the Palo Alto side they have configured the remote IP in the Proxy ID as 10.10.10.10/32). So during IKE phase 2 the subnet will fail if I use my subnet, i.e., 172.31.1.0/24.
The error is:
": IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 220.127.116.11/8 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.1.2/32 type IPv4_address protocol 0 port 0. "
Let us say for the primary GW (customer side) the remote IP is 10.10.10.10/32, and for the secondary GW (customer side) the remote IP is 10.10.11.10/32.
Maybe they chose these IPs to segregate the network, as for both gateways the domain is 18.104.22.168/8.
What will be the best way to accommodate the requirement?