I have a Juniper firewall with ScreenOS 6.2 that I am attempting to build a LAN to LAN VPN tunnel to a PAN firewall with 4.1.10.
A quick overview of my setup. We have to frequently setup networks that are "mobile" for company meetings or whatever. We essentially take a network in a box and plug the Juniper into the internet. Because of this the Juniper's untrust interface is setup to pull an IP from a private IP DHCP scope. It will most likely always be behind another firewall. It will connect to a PAN firewall which has a static public IP address.
My problem is that the tunnel won't come up. The logs on the Juniper are less than useful. The PAN firewall the Juniper is connecting to is showing the peer ID is incorrect in the system logs. I have checked and rechecked the configuration. I have it setup to use "keyID" but the description is showing i'm using type "fqdn" which is not the case.
The other odd thing is that this system logs seem to be including an object from another VPN tunnel in the description. I first thought that that specific log was not from the Juniper but I don't have the mentioned peer identifier configured for the tunnel mentioned in the log. In fact, I only have a peer identifier configured for this specific tunnel. I hope that made sense.
If there is anybody that has experience setting up tunnels between these two firewalls and could help out I would greatly appreciate it. I need to pull this one off without any problems. Thanks!!
As debug it would be great if you can connect the device directly to your PA to rule out any firewall settings in between.
I guess you have already read through these docs/posts (some are more or less related to your topic)?
Thanks for the reply.
I've looked through many of these already and tweaked many settings without any luck. Unfortunately, I don't have a way to test the two devices side by side.
I wonder if the issue is related to NAT. The Juniper is sitting behind a PAN firewall, which I have access to. That PAN firewall has a VPN tunnel built to the same remote office I am building the Juniper Test VPN to.
PA500 <---VPN---> PA200
Juniper-----PA500 <---VPN---> PA200
When my traffic leaves the Juniper it's getting translated. Is it possible the Juniper traffic is being sent over the already existing/working PA500 VPN?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!