Site to Site VPN from PA 200 to Juniper 5GT


Hi all,

Does anyone have a guide on how to set up a site-to-site VPN between a PA-200 and a Juniper 5GT? I tried my luck but am now not able to establish a connection. On the Juniper, the tunnel I created shows status "ready".

A little help please.

thanks,

Jun

L5 Sessionator

IPsec on PAN-OS firewalls is route-based.

For ease of configuration and correlation, configure route-based VPN on the Juniper 5GT (ScreenOS) firewall.

Proxy-IDs can be left blank (not configured) at both ends, as both ScreenOS and PA firewalls in route-based mode use defaults (local 0.0.0.0/0, remote 0.0.0.0/0, service any).

Use the Standard security level for both proposals on the 5GT.

Config Guides :

PA-200 

Juniper 5GT- Juniper Networks - [ScreenOS] Juniper Firewall LAN-to-LAN Route Based VPN articles - Knowledge Base

Additional Ref:

Re: Juniper ScreenOS VPN to PANOS


Hi Nadir,

Thank you for the help. I managed to bring up the link between the two sites halfway. Looking at my PA-200 side, the IPsec tunnel is up for both Phase 1 and Phase 2. But on my 5GT Juniper side the link status of the tunnel is Down, although it is Active.

I cannot ping any internal IP addresses from either firewall. But the public IP addresses of each firewall I am able to reach with ping.

I have a few attachments and hope they can guide you to give some advice on what I missed. I am not so sure if this is something to do with the PA-200 policy.

Attachments: 5GTJuniperVPNStatus.png, PA200 IPSec Tunnel Status.PNG, packet.PNG, show vpn flow.PNG

regards,

Jun

L5 Sessionator

On the PA-200's end, make sure:

1> You have configured a static route with tunnel.2 as the interface and next-hop = None.

2> Security rules (bidirectional if needed) exist between the tunnel zone and the inside zone.

# decap bytes are incrementing while encap = 0, which suggests that the PA firewall is receiving traffic for the tunnel from the Juniper's end but is not sending any traffic into the tunnel.

Juniper link Down: could be related to tunnel monitoring.

Try allowing ping on the tunnel interface (PA-200) using an Interface Management profile.
