https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12881#M9442 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>What is proxy-id in ipsec-vpn configuration??</P><P>Why does it need??</P><P></P><P>I will use ipsec-vpn on PA-2020 &amp; PA-500.</P><P>Each devices have 15 proxy-id(remote-networks).</P><P>I know one tunnel interface has 10 proxy-ids.</P><P>So I have tested without proxy-id that traffics are processed routing-table(next-hop tunnel interface) to 15 remote-networks.</P><P>It is normal. Do I configure proxy-id in ipsec-vpn certainly??</P><P>What problem does it has if I configure ipsec-vpn without proxy-id???</P><P>Or please let me know if you know other good way.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 23 Apr 2013 08:56:05 GMT KiCheon.Lee 2013-04-23T08:56:05Z https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12881#M9442 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>What is proxy-id in ipsec-vpn configuration??</P><P>Why does it need??</P><P></P><P>I will use ipsec-vpn on PA-2020 &amp; PA-500.</P><P>Each devices have 15 proxy-id(remote-networks).</P><P>I know one tunnel interface has 10 proxy-ids.</P><P>So I have tested without proxy-id that traffics are processed routing-table(next-hop tunnel interface) to 15 remote-networks.</P><P>It is normal. Do I configure proxy-id in ipsec-vpn certainly??</P><P>What problem does it has if I configure ipsec-vpn without proxy-id???</P><P>Or please let me know if you know other good way.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 23 Apr 2013 08:56:05 GMT https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12881#M9442 KiCheon.Lee 2013-04-23T08:56:05Z https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12882#M9443 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="color: #000000;">What is proxy-id in ipsec-vpn configuration??<SPAN style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Why does it need??</SPAN></SPAN></P><UL><LI><SPAN style="color: #000000; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">A proxy-IDs&nbsp; are negotiated during&nbsp; Phase II tunnel establishment and define the Traffic that needs to be Encrypted or the Interested Traffic for an IPSEC tunnel.</SPAN></LI><LI><SPAN style="color: #000000; font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">Policy Based VPN define this using a <SPAN style="font-family: arial, sans-serif; font-size: 12px; background-color: #ffffff;">combination of SRC IP, DST&nbsp; IP, and SERVICES&nbsp; in a tunnel policy.</SPAN> (Eg : Security Rules in Juniper for Policy Based VPNs or ACLs in Cisco).</SPAN></LI><LI><SPAN style="color: #000000; font-family: arial, sans-serif; line-height: 1.5em;">Route Based VPN use a logical L3&nbsp; tunnel interface ,traffic destined for the Tunnel is Encrypted and use 0.0.0.0/0 as Proxy IDs by default.</SPAN></LI></UL><P><SPAN style="color: #000000; font-family: arial, sans-serif; line-height: 1.5em;"><BR /></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">PA firewalls use Route Based approach hence Proxy-IDs are manually configured&nbsp; On PA firewalls only while connecting with Policy Based VPNs to match the ones configured on the Peer.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline; color: #000000;"><STRONG><BR /></STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline; color: #000000;"><STRONG>Terminology</STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="color: #000000;">(ACL :: CISCO&nbsp;&nbsp; ||&nbsp;&nbsp;&nbsp;&nbsp; PROXY IDs :: Juniper&nbsp;&nbsp;&nbsp;&nbsp; ||&nbsp;&nbsp;&nbsp;&nbsp; Encryption Domains :: CHKPOINT)</SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">So the behavior observed is NORMAL and You do not need to configure Proxy IDs for Establishing IPSEC between&nbsp; PA firewalls.</P></BODY></HTML> Tue, 23 Apr 2013 10:27:54 GMT https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12882#M9443 UhMayYeah 2013-04-23T10:27:54Z https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12883#M9444 <HTML><HEAD></HEAD><BODY><P>Wow, Thanks a million for your detail answer.</P><P></P><P>Must not between PA devices be configured proxy-ids?</P><P>And must PA device be configured proxy-id when connect policy based vpn such as Cisco , Juniper , CHKPOINT by ipsec-vpn????</P><P>Is it right???</P></BODY></HTML> Tue, 23 Apr 2013 11:44:55 GMT https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12883#M9444 KiCheon.Lee 2013-04-23T11:44:55Z https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12884#M9445 <HTML><HEAD></HEAD><BODY><P>Yes thts Right.</P><P>No Proxy Ids between 2 PA s</P><P>But only for Policy Based VPN using Peer ,in short for Cross Vendor VPNs</P><P></P><P>Ameya</P></BODY></HTML> Tue, 23 Apr 2013 11:49:04 GMT https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12884#M9445 UhMayYeah 2013-04-23T11:49:04Z https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12885#M9446 <HTML><HEAD></HEAD><BODY><P>Thank you very much, Ameya.</P><P>I am helpful for you answer.</P></BODY></HTML> Tue, 23 Apr 2013 12:02:48 GMT https://live.paloaltonetworks.com/t5/general-topics/do-i-configure-proxy-id-in-ipsec-vpn-certainly/m-p/12885#M9446 KiCheon.Lee 2013-04-23T12:02:48Z