https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50520#M37194 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Anyone have a guide on how to set site to site vpn between PA200 and Juniper 5GT?. I tried a luck but now enable&nbsp; to establish a connection. In Juniper the tunnel i created the status is ready.</P><P></P><P>A little help please.</P><P></P><P>thanks,</P><P>Jun</P></BODY></HTML> Sun, 21 Jul 2013 14:10:49 GMT JunNOC 2013-07-21T14:10:49Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50520#M37194 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Anyone have a guide on how to set site to site vpn between PA200 and Juniper 5GT?. I tried a luck but now enable&nbsp; to establish a connection. In Juniper the tunnel i created the status is ready.</P><P></P><P>A little help please.</P><P></P><P>thanks,</P><P>Jun</P></BODY></HTML> Sun, 21 Jul 2013 14:10:49 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50520#M37194 JunNOC 2013-07-21T14:10:49Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50521#M37195 <HTML><HEAD></HEAD><BODY><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">IPSEC on PAN-OS firewalls is Route Based .</P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">For the ease of config and co-relation , configure Route-Based on the Juniper-5GT (Screen-OS ) firewall.</P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;"><SPAN style="line-height: 1.5em;">P</SPAN><SPAN style="line-height: 1.5em;">roxy-IDs can be left blank (not-configured) at both ends as both Screen-OS&nbsp; and PA firewall <SPAN style="color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">in route-based mode </SPAN>use defaults (local&nbsp; 0.0.0.0/0 remote :&nbsp; 0.0.0.0/0 , service any)</SPAN></P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">Use security level of standard for both&nbsp; for the proposals on&nbsp; 5GT.</P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">Config Guides :</P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">PA-200&nbsp; <A __default_attr="1163" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">Juniper 5GT- <A class="active_link" href="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8533" title="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8533">Juniper Networks - [ScreenOS] Juniper Firewall LAN-to-LAN Route Based VPN articles - Knowledge Base</A></P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">Addtional Ref :</P><P style="margin: 8px 0; color: #5f5f5f; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;"><A href="https://live.paloaltonetworks.com/message/25784">Re: Juniper ScreenOS VPN to PANOS</A></P></BODY></HTML> Sun, 21 Jul 2013 15:51:21 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50521#M37195 UhMayYeah 2013-07-21T15:51:21Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50522#M37196 <HTML><HEAD></HEAD><BODY><P>Hi Nadir,</P><P></P><P>Thank you for help and i managed to up the link between the two sites half-way. Looking on my PA200 side the Ipesec Tunnel are up for both Phase 1 and Phase 2. But on my 5GT Juniper side the link status of the Tunnel is Down but its Active.</P><P></P><P>I can not ping any internal ip addresses&nbsp; from each from Firewall. But for the public IP addresses&nbsp; for each firewall&nbsp; i am able to reach them thru ping.</P><P></P><P>I have few attachment and hope it can guide you to give some advices that i miss out. I am not so sure if this is something to do on the PA200 policy.</P><P><IMG alt="5GTJuniperVPNStatus.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7359_5GTJuniperVPNStatus.png" width="450" /><IMG alt="PA200 IPSec Tunnel Status.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7360_PA200 IPSec Tunnel Status.PNG" width="450" /><IMG alt="packet.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7361_packet.PNG" width="450" /><IMG alt="show vpn flow.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7362_show vpn flow.PNG" width="450" /></P><P></P><P>regards,</P><P>Jun</P></BODY></HTML> Mon, 22 Jul 2013 04:34:28 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50522#M37196 JunNOC 2013-07-22T04:34:28Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50523#M37197 <HTML><HEAD></HEAD><BODY><P>On PA-200's end&nbsp; Make sure</P><P>1&gt;You have configured a static route with tunnel.2 as an Interface and next-hop = None</P><P>2&gt;Security rules (bidirectional if needed) between tunnel-zone and Inside zone.</P><P># decap bytes are incrementing while encap=0 which suggests that PA firewall is receiving traffic for tunnel from Juniper's End but not sending any traffic for the tunnel.</P><P></P><P>Juniper Link Down -Could be related to Tunnel Monitoring.</P><P>Try to allow&nbsp; PING on the Tunnel Interface (PA-200) using Interface-Managment profile .</P></BODY></HTML> Mon, 22 Jul 2013 14:11:30 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-pa-200-to-juniper-5gt/m-p/50523#M37197 UhMayYeah 2013-07-22T14:11:30Z