Tips for Configuring a Juniper SRX IPSEC VPN Tunnel to a Palo Alto Networks Firewall

• Palo Alto Firewalls.
• PAN-OS 9.1.
• IPsec Tunnel.

Tips

IPSEC Proxy IDs

• The VPN will work as long as the Proxy IDs match on both sides. 
• If both the Palo Alto and the Juniper SRX are configured for route-based VPNs, there is no need to define specific Proxy IDs as they will both default to 0.0.0.0/0. 
• You can still configure specific IDs if your design requires them.

SRX Secure Tunnel Interface Configuration:

• VPN will come up with or without an IP address on tunnel interface (st0). Its not mandatory to not have an IP on tunnel interface.
• Reducing the MTU on both devices has been found to help connectivity. Reduce the MTU until it is stable. Testing shows a value 1350 is still large enough, but small enough not to be dropped along the way.

SRX IPSEC VPN Configuration:

• “PFS group2” on the SRX is synonymous with the” IPSEC Crypto “ DH group 2” policy  on the PAN.
• “df-bit clear” on the SRX works well with the PAN and allows packets larger than 1350 to be fragmented and sent over the tunnel.
• To simplify the configuration, disable tunnel monitoring on the SRX and PA.
• Customers can configure “Establish Tunnels immediately” or “Establish Tunnels on-traffic” on SRX to bring their VPN up. With the second option configured, SRX will start VPN negotiations ONLY if it receives traffic that matches the configured proxy ID's. The first option ensures that SRX starts VPN negotiations as soon as a commit is performed.

SRX Security Policy Configuration:

• If the VPN tunnel terminates to the trust interface on the SRX, you must still have a security policy which permits trust to trust traffic (inside interface to tunnel interface).