topic Re: I can reach a subnet trough a tunnel without proxy ID in General Topics

I can reach a subnet trough a tunnel without proxy ID

Carracido — Thu, 10 Aug 2017 10:58:56 GMT

Hello Community,

I´m having a strange behavior after configuring an IPSec tunnel, the situation is that I can ping a subnet trough the tunnel which hasn´t a proxy ID. This subnet has an entry in the virtual router and the tunnel interface points to it, there´s also a
security policy which allows this traffic but as far as I know if this subnet has no proxy ID the communication trough the tunnel wouldn´t be possible. In summary:

To reach the subnet A.B.C.X trough an IPSec tunnel I configured:
- IPSec tunnel (IKE Gateway, IPSec Crypto Profile, tunnel interface, ---> Proxy ID)
- Security rule
- virtual router

The strange behavior is that I can ping a subnet A.B.C.Y trough the same tunnel, but there isnt ProxyID for this subnet in the tunnel, only a route in the virtual router with the tunnel interface pointing to the subnet A.B.C.Y

Any ideas about why this may be happening??

Thank you in advance,

Marcos.

Re: I can reach a subnet trough a tunnel without proxy ID

Remo — Thu, 10 Aug 2017 11:37:16 GMT

Hi @Carracido

PAN-OS version?
IKEv1 or v2?

So you already have one proxy ID configured and traffic is also flowing between subnets without proxy ID? Did you check the tunnel status and the IPSec SAs on the cli to see what phase 2 tunnel is established?

Re: I can reach a subnet trough a tunnel without proxy ID

TranceforLife — Thu, 10 Aug 2017 11:41:37 GMT

Hi,

PA uses interface (route-based) to encrypt all traffic or going into the tunnel. Proxy IDs are needed to establish P2 and if peer side is policy-based VPN FW/Router. Is your peer configured for policy or route based VPN?

You still have an option to deny that traffic with the security policy

Re: I can reach a subnet trough a tunnel without proxy ID

BPry — Thu, 10 Aug 2017 13:42:09 GMT

@Carracido,

Whatever your peer is appears to also be a route based system, which means you don't really need proxy IDs. My current list of route-based is Firewalls that support route-based Firewalls: Palo Alto Firewalls, Juniper SRX, Juniper Netscreen, and Checkpoint but there could be more that I simply haven't come across yet.

Re: I can reach a subnet trough a tunnel without proxy ID

Remo — Thu, 10 Aug 2017 14:35:28 GMT

Yes, with route based VPN Proxy IDs aren't needed but if you do have one configured, there shouldn't be an SA in addition to the configured proxy ID. Of course route based with 0.0.0.0/0 is the best way to configure it, but thats, as I understood, not the point.

And because of the described situation I assume @Carracido uses IKEv2

Re: I can reach a subnet trough a tunnel without proxy ID

Raido_Rattameister — Thu, 10 Aug 2017 15:55:25 GMT

As mentioned you don't need Proxy ID with Palo.

If you leave it blank it will still send it over but in form of 0.0.0.0/0

If you want to seperate different subnet traffic into different tunnels you can still use Proxy ID with between 2 route based VPN devices also as it might give some performance advantages 🙂

Re: I can reach a subnet trough a tunnel without proxy ID

Carracido — Thu, 10 Aug 2017 15:56:48 GMT

Hi guys,

I thank you all for answering.

I´m using IKEv1 with route-based peers, thank to your answers I can confirm that I don´t need Proxy IDs for this scenario.

Thanks and Regards,
Marcos.

Re: I can reach a subnet trough a tunnel without proxy ID

Remo — Thu, 10 Aug 2017 16:02:17 GMT

@Raido_Rattameister

Could you explain the point with the performance advantages with proxy IDs?

Re: I can reach a subnet trough a tunnel without proxy ID

Raido_Rattameister — Thu, 10 Aug 2017 16:03:24 GMT

Different SA associations can be processed by different CPUs in the firewall.

Re: I can reach a subnet trough a tunnel without proxy ID

Remo — Thu, 10 Aug 2017 16:06:32 GMT

Ah ok, so only something to consider with the bigger PA series 😉

Re: I can reach a subnet trough a tunnel without proxy ID

Raido_Rattameister — Thu, 10 Aug 2017 16:12:36 GMT

I would not worry about it yes.

With PA200 and single core does not have any reason.

Also low vpn volume is not worth effort to play with ProxyID.

Re: I can reach a subnet trough a tunnel without proxy ID

Remo — Thu, 10 Aug 2017 16:29:57 GMT

@Raido_Rattameister

Am I right that this only matters starting with the 5000 series and for example on a 5050 is you have more than 2 Gbps of IPsec traffic (-> more than half of the platform max IPsec throughput of 4 Gbps) and all this in one VPN connection