topic Re: Proxy ID's question in General Topics

Proxy ID's question

dvlacic — Mon, 12 May 2014 19:43:52 GMT

Can someone clarify Proxy ID's for me? From what I see they're the same thing as encryption domains? What is the syntax, does it have to be one to one: ie SIP 1.1.1.1 DIP 2.2.2.2

SIP 1.1.1.1 DIP 3.3.3.3

Re: Proxy ID's question

HULK — Mon, 12 May 2014 21:07:04 GMT

Hello Dvlacic,

Here is the KB doc which might help you to understand Proxy-ID concept for IPSec VPN tunnel.

Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs?

For example:

admin@40-PA-4020> show vpn flow name test-tunnel

tunnel test-tunnel

id: 2

type: IPSec

gateway id: 1

local ip: 10.66.24.40

peer ip: 1.1.1.1

inner interface: tunnel.101

outer interface: ethernet1/3

state: init

session: 49166

tunnel mtu: 1448

lifetime remain: N/A

monitor: off

monitor packets seen: 0

monitor packets reply: 0

en/decap context: 5

local spi: 00000000

remote spi: 00000000

key type: auto key

protocol: ESP

auth algorithm: NOT ESTABLISHED

enc algorithm: NOT ESTABLISHED

proxy-id local ip: 0.0.0.0/0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Source subnet, where from you are expecting to initiate traffic

proxy-id remote ip: 0.0.0.0/0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination private subnet

proxy-id protocol: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Protocol allowed through the tunnel

proxy-id local port: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Source port

proxy-id remote port: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination

For each proxy-ID, the firewall will create different SPI value (different IPsec tunnel) between source and destination. PAN and Juniper firewall's uses 0.0.0.0/0 as default proxy ID, but for CISCO devices, you have to define the proxy-ID ( access-list) in order to pass traffic through tunnel.

Hope this helps.

Thanks

Re: Proxy ID's question

ssharma — Tue, 13 May 2014 16:29:58 GMT

Hi Dvlacic,

Proxy ID basically means what ip address each local and remote address is expecting to pass through the tunnel. If you have local address of 10.0.0.0/8 network and remote network of 192.168.1.0/24, and you define both of these subnets as proxy id, ie.

local 10.0.0.0/8 remote 192.168.1.0/24 <----- local site

local 192.168.1.0/24 remote 10.0.0.0/8 <------ remote site

then if you initiate a traffic from say 172.16.1.1 to destination 10.0.0.1 from remote site to local, that will not go through as the local device is expecting traffic from only 192.168.1.0/24 subnet. It can be both 1 to 1 or a subnet just described. These has to be mirror on local and remote site for phase 2 to come up. Thanks