VPN Site to Site traffic - ALLOWED even if there is defined A SPECIFIC proxy id

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN Site to Site traffic - ALLOWED even if there is defined A SPECIFIC proxy id

L4 Transporter

Hi All,

 

First of all enviroment's specific:

panOS 7.1.7

PA 3050

 

The "strange behavior description":

 

1. VPN S2S between PA and third party vendor

2. Usual configuration

3. Proxy id:

VTI: Tunnel.103

Local: 10.48.0.0/13

Remote: 10.64.22.176/28

 

4. Strange behavior --> Remote network 10.64.22.176/28 is able to reach 10.64.29.0/24 that is NOT defined as our local proxy id

 

**Note: 10.64.29.0/24 is a network that is related with ANOTHER IPsec tunnel behind tunnel.65

 

How this is possible? I never seen a similar behavior before.

I miss something or do you agree that is NOT a normal behavior?

 

Thanks in advance,

Luca

1 accepted solution

Accepted Solutions

The proxy ID's are implemented for compatibility with policy based vpn peers as they can only setup phase2 if you provide specific subnets

 

The PANW firewalls are route based, so they set up a tunnel as if it is a normal (zone based) interface and then you route traffic to it and set security policies to control which applications are allowed to traverse the tunnel

 

If both ends of the tunnel are route based, the proxyIDs are obsolete

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

14 REPLIES 14

L6 Presenter

I guess you are not filtering much with firewall rules? 

 

PA is not too fussed about proxy-IDs, it just uses them to establish phase 2. After that it receives anything that comes through tunnel I think. And also sends anything into tunnel (per routing table, regardless of source IP). There is no CheckPoint like behavior 'this packet should (not) be encrypted and therefore is dropped'

Assuming this ... How can make sense to configure proxy id?!

So IPsec SA generated for specific network allows everything you want? Well done...

@santonic very valid point. PA is a route (interface) based vpn, so all traffic routed to the tunnel interface gets encrypted. Where policy based one (as the name says) traffic gets encrypted according to a defined policy (an access list). Which device is on the other end? 

Nope, PA uses firewall rules to filter traffic. Not SAs. Or enforcing policy by routing.

The best way l think to put tunnel interface to the separate zone and then control the traffic flow by policy as @santonic mentioned

On the other end probably Fortinet.

 

If it's like you both told me @TranceforLife @santonic, I'm a little bit disappointed.

I don't care about Checkpoint, Fortinet etc.

Also I don't care about routing:

You have to configure a specific "tunnel interface". So each VPN tunnel as a dedicated "tunnel interface" and a dedicated route.

 

On my side it's a simple a concept:

Define encryption domain between two firewalls = define IPsec security association for specific networks

 

You told me that:

Define encryption domain between two firewalls = define IPsec proxy ids. Then if there is a route for a network which is NOT included in the proxy id defined, and obviuosly a security policy that allows the traffic flow.. Well go everywhere you want

 

Sorry but from the bottom of my experience.. I'm like 😮

The proxy ID's are implemented for compatibility with policy based vpn peers as they can only setup phase2 if you provide specific subnets

 

The PANW firewalls are route based, so they set up a tunnel as if it is a normal (zone based) interface and then you route traffic to it and set security policies to control which applications are allowed to traverse the tunnel

 

If both ends of the tunnel are route based, the proxyIDs are obsolete

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper and everybody else pretty much somed this up for you already; but essentially since PA is route based the only reason to include proxy ids is so policy based appliances can actually connect. Generally I like to put my tunnels into there very own zone, then most security policies built for remote offices will include most if not all of the zones, but it allows me to easily filter out traffic if a remote office doesn't need access to something else, like say certain file servers. 

Thx all of you for the explanation @reaper @BPry @TranceforLife @santonic.

 

I know that is a route based (zone based) firewall but everytime I have configured proxy ids, I suppose (wrongly) PA would do something implicitly that denies traffic which is not included in the proxy ids defined. I suppose that was a "complete integration" with a VPN policy based firewall.

 

"The proxy ID's are implemented (ONLY) for compatibility with policy based vpn peers" --> Is there something  explicitly written inside documentation? Or just starting from the fact that is route based, PA doesn't take care about "proxy ids"?

 

Many many thanks again to all of you 🙂

D!Z

yes excellent explanation by @reaper

Cyber Elite
Cyber Elite

i cant take credit for that article as it was written by @jperry1 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

So according to the 7.1 guide the only place that it actually mentions this is in the following paragraph. Everywhere else that a curosry glance at it just kinda indicates that you only need it for policy based peers. 

 

If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy‐based VPN,
you must define Proxy IDs. Devices that support policy‐based VPN use specific security rules/policies or
access‐lists (source addresses, destination addresses and ports) for permitting interesting traffic through an
IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as
Proxy‐IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks
firewall to work with a policy‐based VPN peer, for a successful phase 2 negotiation you must define the
Proxy‐ID so that the setting on both peers is identical. If the Proxy‐ID is not configured, because the Palo
Alto Networks firewall supports route‐based VPN, the default values used as Proxy‐ID are source ip:
0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer,
it results in a failure to set up the VPN connection.

Interestingly enough now I'm wondering if setting the info on the Cisco path to make the proxy-ids match routing 0.0.0.0/0 would allow the tunnel to form up properly; I'll have to haul out my 5506-x and give it a test. 

 

 

P.S: If you think this is a bad insight the 5506-X currently can't create a BVI (major new feature added in the latest release for 5505 feature parity) and actually route IPSec traffic to the BVI, it creates a VPN-Handle-Error and until the last update forced the device to run out of memory and crash. Makes me want use it to hit my Cisco rep across the head. 

  • 1 accepted solution
  • 5702 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!