What to do when IPSec VPN proxy IDs are the same?

L4 Transporter

Hi folks,

We have several IPSec VPN connections and luckily so far all with unique Proxy IDs.

I am trying to prepare for when I create a new one and it has the same Proxy ID as another.

I see this article, and it talks about creating a NAT both ways.

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlappi...

I wonder if there is a way to create the NAT for an entire network ID or subnet to translate to another?

Or are many NAT entries necessary?

Just checking if anyone may have comments or an example?

Community Manager

Re: What to do when IPSec VPN proxy IDs are the same?

Hi @OMatlock

If your peer is a route-based VPN capable device, you don't need proxy IDs (just FYI).

If you have subnet overlap with the remote peer, you can fake both the source and destination network.

E.g. both networks are 192.168.0.0/24; you could source NAT to 10.0.0.0/24 and destination NAT to 10.0.1.0/24.

Then the remote end would translate inbound 10.0.1.0/24 to the local 192.168.0.0/24 equivalent and leave the 'original' received 10.0.0.0/24 source IPs.


Help the community: Like helpful comments and mark solutions
Reaper out
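The scheme above, as an added Python model that is not from the post or from PAN-OS: each side translates only its own LAN to its "fake" prefix (source NAT outbound, destination NAT inbound), hosts address the peer by the peer's fake prefix, and the tunnel's proxy IDs carry only 10.0.0.0/24 and 10.0.1.0/24. The class and function names, and the assumption that both sides apply a symmetric static network-to-network NAT, are mine.

```python
from ipaddress import IPv4Address, IPv4Network


def translate(addr: str, from_net: str, to_net: str) -> str:
    """Static network-to-network NAT: keep the host offset, swap the prefix."""
    a, src, dst = IPv4Address(addr), IPv4Network(from_net), IPv4Network(to_net)
    if a not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{addr} is not in {from_net}, or prefix lengths differ")
    return str(dst.network_address + (int(a) - int(src.network_address)))


class SiteNat:
    """One VPN endpoint: its real LAN, the prefix it shows the peer, the peer's shown prefix."""

    def __init__(self, real: str, fake: str, peer_fake: str):
        self.real, self.fake, self.peer_fake = real, fake, peer_fake

    def to_tunnel(self, src: str, dst: str) -> tuple[str, str]:
        """LAN -> tunnel: source NAT real->fake; destination (peer's fake prefix) unchanged."""
        if IPv4Address(dst) not in IPv4Network(self.peer_fake):
            raise ValueError(f"hosts must address the peer inside {self.peer_fake}, not {dst}")
        return translate(src, self.real, self.fake), dst

    def from_tunnel(self, src: str, dst: str) -> tuple[str, str]:
        """Tunnel -> LAN: destination NAT fake->real; received source left as-is."""
        if IPv4Address(src) not in IPv4Network(self.peer_fake):
            raise ValueError(f"unexpected source {src}; proxy ID allows only {self.peer_fake}")
        return src, translate(dst, self.fake, self.real)


def round_trip(a: SiteNat, b: SiteNat, a_host: str, b_fake_host: str):
    """Request A->B and the reply B->A: wire tuples and what each LAN host actually sees."""
    wire_req = a.to_tunnel(a_host, b_fake_host)
    seen_by_b = b.from_tunnel(*wire_req)
    wire_rep = b.to_tunnel(seen_by_b[1], seen_by_b[0])  # B host replies to the source it saw
    seen_by_a = a.from_tunnel(*wire_rep)
    return wire_req, seen_by_b, wire_rep, seen_by_a


# Constructed topology from the post: both LANs are 192.168.0.0/24.
SITE_A = SiteNat("192.168.0.0/24", "10.0.0.0/24", "10.0.1.0/24")
SITE_B = SiteNat("192.168.0.0/24", "10.0.1.0/24", "10.0.0.0/24")

if __name__ == "__main__":
    steps = ("A -> wire", "B LAN sees", "B -> wire", "A LAN sees")
    for step, (s, d) in zip(steps, round_trip(SITE_A, SITE_B, "192.168.0.5", "10.0.1.7")):
        print(f"{step:11} src={s:14} dst={d}")
```

Note that `from_tunnel` on either side fails if the peer sends its real 192.168.0.x addresses, which is why the NAT must exist on both ends and cannot be configured on only one firewall.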
L7 Applicator

Re: What to do when IPSec VPN proxy IDs are the same?

Sounds like you are talking about having to deal with overlapping subnets between your multiple remote vendor networks.  Yes you would have to use NAT then to overcome the routing overlap.  This is the kb for overlapping subnets on vpn for PAN.

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlappi...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: What to do when IPSec VPN proxy IDs are the same?

Thank you for that.  This document is most helpful!  I am wondering if I can just configure NAT on one side (our firewall only)?

I plan to setup a test like this.

[Attached image: ipsecoverlapa.jpg]

L7 Applicator

Re: What to do when IPSec VPN proxy IDs are the same?

In your situation there is not a full overlap with the same IP address on both sides of the tunnel.  Your hub site is the only one with the overlapping subnet.  So you cannot solve this without the NAT occurring on one of the two remote partners.

Your side will be configured normally, with the NAT subnet range as a normal object.

The actual NAT occurs on the partner side, on their device, where they configure both the NAT and use the NAT range in the VPN configuration for their subnet as a static network-to-network NAT.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: What to do when IPSec VPN proxy IDs are the same?

Thank you again.

I need to set this up in a test.
