What to do when IPSec VPN proxy IDs are the same?



L4 Transporter

Hi folks,

We have several IPSec VPN connections and luckily so far all with unique Proxy IDs.

I am trying to prepare for when I create a new one that has the same Proxy ID as another.

I see this article, which talks about creating a NAT both ways.

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlappi...

I wonder if there is a way to create the NAT for an entire network ID or subnet to translate to another?

Or are many NAT entries necessary?

Just checking if anyone may have comments or an example?

1 accepted solution

Accepted Solutions

Cyber Elite

hi @OMatlock

If your peer is a route-based VPN capable device, you don't need proxy IDs (just FYI).

If you have subnet overlap with the remote peer, you can fake both the source and destination network.

E.g. both networks are 192.168.0.0/24; you could source NAT to 10.0.0.0/24 and destination NAT to 10.0.1.0/24.

Then the remote end would translate the inbound 10.0.1.0/24 to its local 192.168.0.0/24 equivalent and leave the 'original' received 10.0.0.0/24 source IPs.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

5 REPLIES 5


L7 Applicator

Sounds like you are talking about having to deal with overlapping subnets between your multiple remote vendor networks. Yes, you would have to use NAT then to overcome the routing overlap. This is the KB for overlapping subnets on VPN for PAN.

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlappi...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you for that. This document is most helpful! I am wondering if I can just configure NAT on one side (our firewall only)?

I plan to set up a test like this.

[image: ipsecoverlapa.jpg]

In your situation there is not a full overlap with the same IP address on both sides of the tunnel. Your hub site is the only one with the overlapping subnet. So you cannot solve this without the NAT occurring on one of the two remote partners.

Your side will configure normally, with the NAT subnet range as a normal object.

The actual NAT occurs on the partner side, on their device, where they configure both the NAT and use the NAT range for the VPN configuration for their subnet as a static network-to-network NAT.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
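To make the two answers above concrete, here is an added model (not code from the thread, from Palo Alto Networks, or from either poster) of the double NAT Tom describes and of the static network-to-network NAT Steve refers to. It uses the prefixes quoted in the accepted answer (both sites on 192.168.0.0/24, our side shown as 10.0.0.0/24 inside the tunnel, the remote side as 10.0.1.0/24); the .10 and .50 hosts, the 172.16.5.0/24 "other partner" prefix and all function names are constructed for illustration, and no firewall CLI syntax is implied. It also answers the "many NAT entries?" question: one prefix-for-prefix rule keeps the host bits and covers the whole subnet.

```python
"""Constructed model of the double-NAT arrangement discussed in the thread.

Both sites really use 192.168.0.0/24. Inside the tunnel our side appears as
10.0.0.0/24 and the remote side as 10.0.1.0/24. Hosts .10/.50 and the
function names are made up for illustration; no firewall syntax is implied.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Prefixes quoted in the accepted answer.
LOCAL_REAL = Net("192.168.0.0/24")   # what our hosts really use
LOCAL_FAKE = Net("10.0.0.0/24")      # how our side appears inside the tunnel
REMOTE_FAKE = Net("10.0.1.0/24")     # how the remote side appears to us
REMOTE_REAL = Net("192.168.0.0/24")  # what the remote hosts really use (same as ours)


def netmap(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """Static network-to-network NAT: keep the host bits, swap the prefix.

    One rule of this kind covers the whole subnet, so no per-host NAT
    entries are needed.
    """
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("network-to-network NAT needs equal-size prefixes")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_bits


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr

    def as_tuple(self) -> tuple:
        return (str(self.src), str(self.dst))


# Our firewall, before encryption: hide our real source prefix, leave the destination alone.
def local_outbound(pkt: Packet) -> Packet:
    return Packet(netmap(pkt.src, LOCAL_REAL, LOCAL_FAKE), pkt.dst)


# Remote firewall, after decryption: restore its real destination, keep our 10.0.0.x source.
def remote_inbound(pkt: Packet) -> Packet:
    return Packet(pkt.src, netmap(pkt.dst, REMOTE_FAKE, REMOTE_REAL))


# Reply path: the same two rules applied in the opposite direction.
def remote_outbound(pkt: Packet) -> Packet:
    return Packet(netmap(pkt.src, REMOTE_REAL, REMOTE_FAKE), pkt.dst)


def local_inbound(pkt: Packet) -> Packet:
    return Packet(pkt.src, netmap(pkt.dst, LOCAL_FAKE, LOCAL_REAL))


def round_trip(local_host: str, remote_host: str) -> dict:
    """Trace one request and its reply through both firewalls.

    Our host must address the remote host by its fake 10.0.1.x name; its real
    192.168.0.x address is indistinguishable from one of our own.
    """
    request = Packet(Addr(local_host), netmap(Addr(remote_host), REMOTE_REAL, REMOTE_FAKE))
    in_tunnel = local_outbound(request)
    delivered = remote_inbound(in_tunnel)
    reply = Packet(delivered.dst, delivered.src)   # remote host answers the 10.0.0.x source it saw
    reply_in_tunnel = remote_outbound(reply)
    reply_delivered = local_inbound(reply_in_tunnel)
    return {
        "request": request.as_tuple(),
        "in_tunnel": in_tunnel.as_tuple(),
        "delivered": delivered.as_tuple(),
        "reply_in_tunnel": reply_in_tunnel.as_tuple(),
        "reply_delivered": reply_delivered.as_tuple(),
    }


def overlapping_prefixes(nets: list) -> list:
    """Return the pairs of prefixes a router could not tell apart.

    This is the 'routing overlap' the NAT exists to remove: the real
    prefixes collide, the fake ones do not.
    """
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    for hop, (src, dst) in round_trip("192.168.0.10", "192.168.0.50").items():
        print(f"{hop:16} src={src:14} dst={dst}")
    print("without NAT:", overlapping_prefixes([LOCAL_REAL, REMOTE_REAL]))
    print("with NAT:   ", overlapping_prefixes([LOCAL_REAL, LOCAL_FAKE, REMOTE_FAKE]))
```

Run stand-alone it prints each hop of the request and reply. Note that our own hosts never see a 192.168.0.x address belonging to the other site: everything arriving from the tunnel carries a 10.0.1.x source, which is why the proxy IDs (and routes) for this tunnel can be the unique 10.0.0.0/24 and 10.0.1.0/24 pair rather than the colliding real prefixes.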

Thank you again.

I need to set this up in a test.
