As a quick documentation of how to build a Site-to-Site IPsec VPN tunnel between a Palo Alto Networks firewall and a Juniper ScreenOS device, I am listing the configuration screenshots here.
It is quite easy because both firewalls implement route-based VPNs. That is: the tunnel does not need to be configured with Proxy IDs or the like. It is simply built upon the correct (matching) parameters for IKE and IPsec. The related traffic can then be routed into the tunnel afterwards. And since the tunnel monitor on the Palo Alto firewall triggers the tunnel to be built even though no real traffic flows through it, the admin immediately sees green status bubbles in the GUI and can be sure that the tunnel establishment was successful.
The following figure shows my laboratory IP address scheme. I am using numbered tunnel interfaces:
The SSG 5 runs with firmware version 6.3.0r14.0 while the Palo Alto PA-200 has PAN-OS 5.0.8 installed. In order to use the most secure crypto algorithms, I configured both phases with AES-256, SHA-1, and Diffie-Hellman group 5 (PFS). The zones on both firewalls are already configured – in my lab they are called “vpn-s2s”.
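Since a route-based tunnel has no Proxy IDs, what actually has to agree between the two peers is small: the Phase 1 (IKE) proposal, the Phase 2 (IPsec) proposal, the pre-shared key and the tunnel-interface addressing. The following is an added example, not code from the post or from either vendor: a small Python model of that matching, run over two constructed peer configurations that mirror the lab (AES-256, SHA-1, DH group 5 on both phases). The tunnel IP addresses and the PSK are placeholders, not the post's values, and `mismatched_lab_peers()` is my assumption of what the ScreenOS side looks like before the additional P1/P2 proposals are added (its defaults use DH group 2 and no PFS).

```python
"""Consistency check for the parameters a route-based IPsec tunnel depends on.

Added example (not from the original post). Models the responder-style
proposal selection of IKE and the remaining configuration that must agree
between two peers when no Proxy IDs are in play.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str
    auth: str
    dh_group: int      # 0 = no DH exchange (Phase 2 without PFS)
    lifetime_s: int


@dataclass(frozen=True)
class Peer:
    name: str
    psk: str
    phase1: tuple      # ordered IKE proposals offered
    phase2: tuple      # ordered IPsec proposals offered
    tunnel_if: str     # numbered tunnel interface, e.g. "10.99.0.1/30"
    monitor_dst: str   # tunnel monitor destination, "" if no monitor


def select_proposal(initiator, responder):
    """First initiator proposal the responder also offers (responder choice).
    Lifetime is deliberately not part of the match; it is reported separately."""
    for p in initiator:
        for r in responder:
            if (p.encryption, p.auth, p.dh_group) == (r.encryption, r.auth, r.dh_group):
                return p, r
    return None


def check_tunnel(a, b):
    """Return (severity, message) findings; an empty list means the tunnel
    should negotiate with these parameters."""
    findings = []
    for phase, offer_a, offer_b in (("Phase 1", a.phase1, b.phase1),
                                    ("Phase 2", a.phase2, b.phase2)):
        chosen = select_proposal(offer_a, offer_b)
        if chosen is None:
            findings.append(("error", f"{phase}: no common proposal between {a.name} and {b.name}"))
            continue
        pa, pb = chosen
        if pa.lifetime_s != pb.lifetime_s:
            findings.append(("warning", f"{phase}: lifetimes differ ({pa.lifetime_s}s vs {pb.lifetime_s}s); align them"))
        if phase == "Phase 2" and pa.dh_group == 0:
            findings.append(("warning", "Phase 2: no PFS, a compromised IKE SA exposes the IPsec keys"))
    if a.psk != b.psk:
        findings.append(("error", "pre-shared keys differ"))
    if_a, if_b = ipaddress.ip_interface(a.tunnel_if), ipaddress.ip_interface(b.tunnel_if)
    if if_a.network != if_b.network:
        findings.append(("error", f"tunnel interfaces are not in one subnet: {if_a} vs {if_b}"))
    for local, remote in ((a, b), (b, a)):
        # The tunnel monitor must ping the far end of the tunnel interface, not the public IP.
        if local.monitor_dst and ipaddress.ip_address(local.monitor_dst) != ipaddress.ip_interface(remote.tunnel_if).ip:
            findings.append(("error", f"{local.name}: monitor destination {local.monitor_dst} is not the peer tunnel IP"))
    return findings


# Constructed lab values (placeholders, not the post's addresses or key).
LAB_PSK = "constructed-example-psk"
P1_STRONG = Proposal("aes-256", "sha1", 5, 28800)
P2_STRONG = Proposal("aes-256", "sha1", 5, 3600)


def lab_peers():
    """Both sides configured as described in the post: AES-256 / SHA-1 / DH 5 with PFS."""
    pa = Peer("PA-200", LAB_PSK, (P1_STRONG,), (P2_STRONG,), "10.99.0.1/30", "10.99.0.2")
    ssg = Peer("SSG-5", LAB_PSK, (P1_STRONG,), (P2_STRONG,), "10.99.0.2/30", "")
    return pa, ssg


def mismatched_lab_peers():
    """Assumed 'before' state: ScreenOS still offering its default proposals
    (DH group 2 and AES-128 for P1, no PFS for P2), so nothing matches."""
    pa, ssg = lab_peers()
    ssg_defaults = Peer(ssg.name, ssg.psk,
                        (Proposal("aes-128", "sha1", 2, 28800),),
                        (Proposal("aes-128", "sha1", 0, 3600),),
                        ssg.tunnel_if, ssg.monitor_dst)
    return pa, ssg_defaults


if __name__ == "__main__":
    for label, peers in (("configured", lab_peers()), ("defaults", mismatched_lab_peers())):
        print(label, check_tunnel(*peers) or "OK")
```

Running the block prints `OK` for the configured pair and two `Phase 1`/`Phase 2` errors for the pair still on ScreenOS defaults, which is exactly the situation the extra P1 and P2 proposals on the Juniper side fix.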
At first, create the IKE and IPsec Crypto Profiles:
Create (add) the IKE Gateway with the outgoing interface and IP address, the pre-shared key (PSK) and the specific IKE Crypto Profile:
Tunnel Interface with its IP address, virtual router and security zone:
Create a Monitor Profile for the tunnel monitor:
And then the IPsec Tunnel. Enable the “Replay Protection” which is enabled by default on the Juniper firewall. Also add the tunnel monitor with the destination IP address of the other side of the tunnel interface:
Finally, add a new static route for the remote network with a Next Hop selection of “None”:
However, the Palo Alto firewall also needs a security policy entry on the untrust interface that permits the IKE and IPsec (ESP) packets to come in from the other tunnel endpoint and to go out from its own interface. That is, the policy rule should look like the following:
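To make the shape of that rule concrete, here is an added example (not from the post and not Palo Alto Networks code): a minimal Python model of first-match policy evaluation with the rule scoped the way a least-privilege VPN rule should be, i.e. untrust to untrust, only the peer's public IP and the firewall's own untrust address, and only the applications IKE (UDP/500, plus UDP/4500 when NAT traversal is in use) and IPsec ESP (IP protocol 50). The addresses, the zone table and the explicit deny at the end of the model are constructed assumptions, not the post's values or PAN-OS's actual default rules.

```python
"""Minimal model of the untrust policy rule a VPN endpoint needs.

Added example (not from the original post). Evaluates constructed packets
against a rule that only permits IKE and ESP between the two tunnel endpoints.
"""
import ipaddress
from dataclasses import dataclass

IKE_UDP_PORTS = {500, 4500}   # 4500 only appears when a NAT sits between the peers
ESP_PROTOCOL = 50
UDP, TCP = 17, 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int = 0            # ESP carries no ports


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_addrs: tuple          # CIDR strings
    dst_addrs: tuple
    apps: tuple
    action: str


def identify_app(pkt):
    """Coarse application identification for the two protocols a tunnel needs."""
    if pkt.protocol == ESP_PROTOCOL:
        return "ipsec-esp"
    if pkt.protocol == UDP and pkt.dport in IKE_UDP_PORTS:
        return "ike"
    return "unknown"


def zone_of(addr, zone_table):
    """Zone of the interface whose network contains the address; anything else
    follows the default route and therefore belongs to untrust."""
    ip = ipaddress.ip_address(addr)
    for net, zone in zone_table:
        if ip in ipaddress.ip_network(net):
            return zone
    return "untrust"


def in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def evaluate(pkt, rules, zone_table):
    """First-match evaluation. Unmatched traffic is denied by this model
    (a constructed simplification) so the effect of the VPN rule is visible."""
    app = identify_app(pkt)
    src_zone, dst_zone = zone_of(pkt.src, zone_table), zone_of(pkt.dst, zone_table)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and in_any(pkt.src, r.src_addrs) and in_any(pkt.dst, r.dst_addrs)
                and app in r.apps):
            return r.name, r.action
    return "default", "deny"


# Constructed lab values (placeholders, not the post's addresses).
PA_UNTRUST_IP = "203.0.113.10"
SSG_UNTRUST_IP = "198.51.100.20"
LAB_ZONES = (("192.168.10.0/24", "trust"),
             ("192.168.20.0/24", "vpn-s2s"),
             ("10.99.0.0/30", "vpn-s2s"))
VPN_APPS = ("ike", "ipsec-esp")
LAB_RULES = (
    # IKE/ESP coming in from the other tunnel endpoint ...
    Rule("allow-vpn-peer-in", "untrust", "untrust",
         (SSG_UNTRUST_IP + "/32",), (PA_UNTRUST_IP + "/32",), VPN_APPS, "allow"),
    # ... and going out from the firewall's own untrust address.
    Rule("allow-vpn-peer-out", "untrust", "untrust",
         (PA_UNTRUST_IP + "/32",), (SSG_UNTRUST_IP + "/32",), VPN_APPS, "allow"),
)


def decide(pkt):
    return evaluate(pkt, LAB_RULES, LAB_ZONES)


if __name__ == "__main__":
    for pkt in (Packet(SSG_UNTRUST_IP, PA_UNTRUST_IP, UDP, 500),
                Packet(SSG_UNTRUST_IP, PA_UNTRUST_IP, ESP_PROTOCOL),
                Packet("198.51.100.99", PA_UNTRUST_IP, UDP, 500),
                Packet(SSG_UNTRUST_IP, PA_UNTRUST_IP, TCP, 22)):
        print(pkt, "->", decide(pkt))
```

The two "deny" lines in the output are the point of scoping the rule this tightly: an IKE packet from any other host, or anything but IKE/ESP from the peer itself, never reaches the IKE daemon.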
(And don’t forget to commit ;))
The steps are almost the same for the Juniper firewall. At first, add the additional P1 and P2 proposals:
Add a new Gateway with the correct IP address of the other side. Under the Advanced tab insert the PSK and the Custom Phase 1 Proposal:
A new tunnel interface with its IP address:
And the new AutoKey IKE entry which references to the gateway and to the tunnel interface (under the Advanced tab):
Finally, add the static route without a next hop IP address but with an interface of the configured tunnel:
If everything is alright, the IPsec tunnels pane on the Palo Alto firewall should show two green status bubbles:
(However, I had some situations in which the first status bubble was green (IPsec) while the second was red (IKE) after a while. Though I thought this would be impossible because IPsec always needs IKE, the VPN still worked.)
Of course, there are no configured policies yet. No traffic from the remote networks will flow through the tunnel unless some vpn-s2s policies are installed. However, the installation of these should be obvious.