Tips for Configuring a Juniper SRX IPSEC VPN Tunnel to a Palo Alto Networks Firewall

• Palo Alto Firewalls.
• PAN-OS 9.1.
• IPsec Tunnel.

Tips

IPSEC Proxy IDs

• The VPN will come up as long as the proxy ID’s match on both sides. There is no requirement to not configure proxy ID’s if SRX is configured for route-based VPN’s.

SRX Secure Tunnel Interface Configuration:

• VPN will come up with or without an IP address on tunnel interface (st0). Its not mandatory to not have an IP on tunnel interface.
• Reducing the MTU on both devices has been found to help connectivity. Reduce the MTU until it is stable. Testing shows a value 1350 is still large enough, but small enough not to be dropped along the way.

SRX IPSEC VPN Configuration:

• “PFS group2” on the SRX is synonymous with the” IPSEC Crypto “ DH group 2” policy  on the PAN.
• “df-bit clear” on the SRX works well with the PAN and allows packets larger than 1350 to be fragmented and sent over the tunnel.
• To simplify the configuration, disable tunnel monitoring on the SRX and PA.
• Customers can configure “Establish Tunnels immediately” or “Establish Tunnels on-traffic” on SRX to bring their VPN up. With the second option configured, SRX will start VPN negotiations ONLY if it receives traffic that matches the configured proxy ID's. The first option ensures that SRX starts VPN negotiations as soon as a commit is performed.

SRX Security Policy Configuration:

• If the VPN tunnel terminates to the trust interface on the SRX, you must still have a security policy which permits trust to trust traffic (inside interface to tunnel interface).