1. Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.

2. Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone so that tunneled traffic can use different policies.

3. Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, and RIP are supported), you must assign an IP address to the tunnel interface.

4. Define IKE gateways for establishing communication between the peers at each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.

5. Define security policies to filter and inspect the traffic.

If there is a deny rule at the end of the security rulebase, intra-zone traffic is blocked unless otherwise allowed. Rules to allow the IKE and IPSec applications must be explicitly included above the deny rule.

If your VPN traffic is passing through (not originating or terminating on) a PA-7000 Series or PA-5200 Series firewall, configure bi-directional Security policy rules to allow the ESP or AH traffic in both directions.
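As an added illustration of the rulebase point above (example code, not from the original page or from the vendor), the following simulates top-down first-match evaluation of a security rulebase and checks that the IKE and IPSec flows between the tunnel peers, plus pass-through ESP/AH in both directions, are allowed before the final deny rule. Zone names, rule names and the rulebase contents are constructed; the application names ike, ipsec-esp and ipsec-ah are assumed to match the firewall's App-ID names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str       # "any" matches every zone
    to_zone: str
    apps: frozenset      # App-ID names; {"any"} matches every application
    action: str          # "allow" or "deny"

def first_match(rules, from_zone, to_zone, app):
    """First rule matching the flow, or None (rulebase is evaluated top-down)."""
    for r in rules:
        if (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
                and ("any" in r.apps or app in r.apps)):
            return r
    return None

def vpn_findings(rules, outside, inside):
    """Flows the procedure requires, checked with first-match semantics.
    outside: zone of the interface terminating the tunnel (peer IKE/ESP traffic
    is intra-zone there); inside/outside: zones that pass-through ESP/AH transits."""
    flows = [(outside, outside, "ike"), (outside, outside, "ipsec-esp")]
    for app in ("ipsec-esp", "ipsec-ah"):
        flows += [(inside, outside, app), (outside, inside, app)]
    findings = []
    for src, dst, app in flows:
        r = first_match(rules, src, dst, app)
        if r is None or r.action != "allow":
            hit = r.name if r else "no matching rule"
            findings.append(f"{app} {src}->{dst} blocked (first match: {hit})")
    return findings

# Constructed rulebase: the VPN allow rule sits BELOW the final deny, so it never matches.
MISORDERED = [
    Rule("inside-to-outside", "inside", "outside", frozenset({"any"}), "allow"),
    Rule("deny-all", "any", "any", frozenset({"any"}), "deny"),
    Rule("allow-vpn", "outside", "outside", frozenset({"ike", "ipsec-esp"}), "allow"),
]
# Same rules with the VPN allow and the return-direction ESP/AH allow above the deny.
CORRECTED = [
    Rule("inside-to-outside", "inside", "outside", frozenset({"any"}), "allow"),
    Rule("allow-vpn", "outside", "outside", frozenset({"ike", "ipsec-esp"}), "allow"),
    Rule("esp-ah-return", "outside", "inside", frozenset({"ipsec-esp", "ipsec-ah"}), "allow"),
    Rule("deny-all", "any", "any", frozenset({"any"}), "deny"),
]

if __name__ == "__main__":
    for label, rb in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, vpn_findings(rb, "outside", "inside") or "OK")
```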
When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed based on the destination route in the routing table and handled as VPN traffic. For examples of site-to-site VPN configurations, see Site-to-Site VPN Quick Configs.