Site to Site VPN between Paloalto PA‐500 and Juniper SRX100
Daniele Longhi
http://www.danyweb.it

Summary
Introduction
Configuration on Juniper SRX100
  Select VPN Type
  Local
  Remote
  VPN
  Traffic Profile
  Review & Commit
Configuration on Paloalto PA‐500
  Network IKE Gateway
  Tunnel interface
  Network IPSec Tunnel
  Virtual Routers
  Policies

Introduction
This document outlines the basic steps involved in establishing a tunnel between a Palo Alto Networks (PAN‐500) and a Juniper SRX100. The firmware versions used in this document are:
PAN‐OS version 4.0.2
Juniper 10.4R3.4

Configuration on Juniper SRX100

Select VPN Type
Navigate to the wizard configuration tool Wizards ‐> VPN Wizard and select Site‐to‐site VPN (Route based).

Local
Enter the Name, Local Private Network, Secure tunnel Interface and Public Network.
Under Secure Tunnel Interface we can use the Trust Zone or a custom Interface Zone. The second choice is better because in the future we can set up rules for better intrazone traffic.

Remote
Enter the Remote Site parameters (the public IP and the remote network).

VPN
Enter the IKE settings for authentication (remember the preshared key) and the IPsec settings. Default parameters are good for our example configuration.

Traffic Profile
Enter the VPN traffic profile for Inbound and Outbound traffic. We can decide what applications are permitted on VPN channel.

Review & Commit
Review the configuration and commit.
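
For reference, an added example (not from the original document, and not the wizard's literal output): a Junos set-command configuration roughly equivalent to the route-based wizard steps above, using a custom zone for the tunnel interface and a restricted traffic profile. Interface names, zone and object names, addresses, the permitted applications and the key are assumptions; the predefined `standard` proposal set stands in for the wizard defaults and must match what the PA‐500 side offers.

```junos
# Constructed values: replace interfaces, names, addresses and the key with your own.

# Local: secure tunnel interface in its own zone, IKE allowed on the public interface
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

# Remote + VPN: IKE (phase 1) towards the PA-500 public IP, authenticated by preshared key
set security ike policy ike-pol-pa500 mode main
set security ike policy ike-pol-pa500 proposal-set standard
set security ike policy ike-pol-pa500 pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway gw-pa500 ike-policy ike-pol-pa500
set security ike gateway gw-pa500 address 203.0.113.2
set security ike gateway gw-pa500 external-interface fe-0/0/0.0

# VPN: IPsec (phase 2) bound to the tunnel interface (route based)
set security ipsec policy ipsec-pol-pa500 proposal-set standard
set security ipsec vpn vpn-pa500 bind-interface st0.0
set security ipsec vpn vpn-pa500 ike gateway gw-pa500
set security ipsec vpn vpn-pa500 ike ipsec-policy ipsec-pol-pa500
set security ipsec vpn vpn-pa500 establish-tunnels immediately

# Route the remote private network into the tunnel
set routing-options static route 192.168.2.0/24 next-hop st0.0

# Traffic profile: permit only named applications between the two private networks
set security zones security-zone trust address-book address local-net 192.168.1.0/24
set security zones security-zone vpn address-book address remote-net 192.168.2.0/24
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address local-net
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address remote-net
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application junos-ping
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application junos-ssh
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address remote-net
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address local-net
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application junos-ping
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
```

After the commit, `show security ike security-associations` and `show security ipsec security-associations` in operational mode show whether phase 1 and phase 2 came up.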

Configuration on Paloalto PA‐500

Network IKE Gateway
Navigate to the Network tab > IKE Gateways (click “New”). Enter Remote IKE Gateway name, Local interface and IP, remote Gateway IP and the Pre-Shared Key.

Tunnel interface
Navigate to the Network tab > Interfaces and at the bottom of the page choose to create a new Tunnel Interface.

Network IPSec Tunnel
Navigate to the Network tab > IPSec Tunnels and select New. Enter a name, choose the tunnel interface and choose the IKE gateway previously created. All other fields are populated automatically.

Virtual Routers
Navigate to the Network tab > Virtual Routers and open the appropriate VR. Add a static route to the network (private Juniper network). Be sure that the interface is the tunnel interface from above and next hop is “None”.

Policies
Navigate to the Policies tab > Security. Add new rules to allow IKE/IPSec traffic between the gateways and desired traffic inside the tunnel.
Commit all the changes and test the VPN connection!