topic Proxy ID in SA? in General Topics

Proxy ID in SA?

ghostrider — Wed, 26 Oct 2016 16:38:19 GMT

Hello Experts

I have site to site VPN between HQ PA and branch PA. I used the proxy id on HQ as Local: 172.16.110.0/24 remote: 10.10.10.0/24 and everything is working.

Now brach office need to access another subnet in HQ that is 172.16.111.0/24. In this case I have to create one more proxy id on both side or just allowing this new subnet in appropriate policies and proper route towards tunnel interface is enough?

My main point is proxy-id is just the parameter to match on both sides while negotiating IPSEC or its has anything to do with actual traffic passing through IPSEC?

Re: Proxy ID in SA?

Brandon_Wertz — Wed, 26 Oct 2016 18:50:12 GMT

From multiple support cases I've had with TAC on IPSec tunnels on PAs. If the tunnel exists between two PAs Proxy IDs aren't necessary.

Re: Proxy ID in SA?

TranceforLife — Wed, 26 Oct 2016 19:33:08 GMT

Ahh .. Agreed with Brandon. I thought the tunnel is between PA and third party firewall. More info here:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Why-use-a-VPN-proxy-ID/ta-p/69524

Re: Proxy ID in SA?

ghostrider — Fri, 28 Oct 2016 10:48:13 GMT

Hello

So between PA, if proxy-id is local: 10.0.0.0/8 and remote: 172.16.1.0/24 and tunnel is established. Now I need to pass another remote subnet 172.16.2.0/24 then in this case, I do not need to add another proxy-id for 172.16.2.0/24? Just appropirate policy and route towards tunnel for 172.16.2.0/24 is enough?

Re: Proxy ID in SA?

Brandon_Wertz — Fri, 28 Oct 2016 13:20:30 GMT

It's my understanding that zero proxy-ids are necessary for a PA-PA VPN connection. the PA leverages the routing in your VR to define what traffic brings up your tunnel.