set security ike policy ike-policy1 mode main set security ike policy ike-policy1 proposal-set standard set security ike policy ike-policy1 pre-shared-key ascii-text "sharedsecret" Now create the IPSEC parameters for the VPN connection. Since this is an Internet-facing interface, you will not enable any other system services for now: set security zones security-zone untrust host-inbound-traffic systemservices ike Next, configure the remote gateway IKE parameters for policy and a preshared key. You can also allow management services as needed on this interface, but the IKE services are required to establish the VPN connection. This will be the public IP address and interface from the local internet service, and placw these into the untrust zone in the primary routing instance: Configure the internet static ip address on the gateway interface: set interfaces fe-0/0/0 unit 0 family inet address /24 Now set the default route for the local internet service in the primary routing instance: set routing-options static route /0 next-hop Place the gateway interface into the untrust zone in the primary routing instance:Ĥ set security zones security-zone untrust interfaces fe-0/0/0.0 Now allow management services on this interface for the VPN IKE connections.
The configuration s basic steps are: Configure the SRX for needed services Configure tunnel interface Configure LAN interface Enable OSPF settings Configure VPN parameters Configure security policies Configure the PA200 for needed services Configure Security Zones Configure WAN interface Configure LAN interface Configure tunnel interface Enable OSPF settings Configure VPN parameters Configure security policies NOTE This recipe was tested on a PA200 using PanOS and SRX100 using Junos 11.4r5.5Ģ Figure: The Topology of this Recipe s Configuration Configure the SRX tunnel interface Create the VPN tunnel interface and assign an IP range and address: Steve Puluka 2 of 11ģ set interfaces st0 unit 0 family inet address /24 set interfaces st0 unit 0 point-to-point set security zones security-zone trust interfaces st0.0 Configure the SRX LAN interface Create a LAN interface place it in the trust zone: set interfaces fe-0/0/1 unit 0 family ethernet-switching set interfaces vlan unit 0 family inet address /24 set vlans vlan-trust vlan-id 2 set vlans vlan-trust l3-interface vlan.0 set vlans vlan-trust interface fe-0/0/1.0 set security zones security-zone trust host-inbound-traffic systemservices all set security zones security-zone trust interfaces vlan.0 Configure the SRX OSPF parameters Enable OSPF on the SRX and assign the local vlan interface and the tunnel interface to OSPF area 0: set protocols ospf area 0 interface vlan.0 set protocols ospf area 0 interface st0.0 Allow the host services for OSPF on the interfaces: set security zones security-zone trust interfaces vlan.0 host-inboundtraffic protocols ospf set security zones security-zone trust interfaces st0.0 host-inboundtraffic protocols ospf Configure vlan.0 to announce OSPF routes: set protocols ospf area 0 interface vlan.0 passive Configure the OSPF router-id set routing-options router-id Configure the SRX VPN parameters Start by configuring the local gateway interface for the VPN.
This allows a smooth integration of existing PanOS VPN infrastructure to Juniper SRX partners. Both PanOS and Junos support creating route based VPN with tunnel interfaces for creating neighbor relationships. 1 Palo Alto to Juniper SRX VPN with OSPF Problem Solution Using IPSEC VPN is the work horse for enterprise site connections allowing simple internet connections to provide secure private transport.
0 kommentar(er)
