Do I configure proxy-id in ipsec-vpn certainly?

cancel
Showing results for 
Search instead for 
Did you mean: 

Do I configure proxy-id in ipsec-vpn certainly?

L4 Transporter

Hello all,

What is proxy-id in ipsec-vpn configuration??

Why does it need??

I will use ipsec-vpn on PA-2020 & PA-500.

Each devices have 15 proxy-id(remote-networks).

I know one tunnel interface has 10 proxy-ids.

So I have tested without proxy-id that traffics are processed routing-table(next-hop tunnel interface) to 15 remote-networks.

It is normal. Do I configure proxy-id in ipsec-vpn certainly??

What problem does it has if I configure ipsec-vpn without proxy-id???

Or please let me know if you know other good way.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

What is proxy-id in ipsec-vpn configuration??Why does it need??

  • A proxy-IDs  are negotiated during  Phase II tunnel establishment and define the Traffic that needs to be Encrypted or the Interested Traffic for an IPSEC tunnel.
  • Policy Based VPN define this using a combination of SRC IP, DST  IP, and SERVICES  in a tunnel policy. (Eg : Security Rules in Juniper for Policy Based VPNs or ACLs in Cisco).
  • Route Based VPN use a logical L3  tunnel interface ,traffic destined for the Tunnel is Encrypted and use 0.0.0.0/0 as Proxy IDs by default.


PA firewalls use Route Based approach hence Proxy-IDs are manually configured  On PA firewalls only while connecting with Policy Based VPNs to match the ones configured on the Peer.


Terminology

(ACL :: CISCO   ||     PROXY IDs :: Juniper     ||     Encryption Domains :: CHKPOINT)

So the behavior observed is NORMAL and You do not need to configure Proxy IDs for Establishing IPSEC between  PA firewalls.

View solution in original post

4 REPLIES 4

L5 Sessionator

What is proxy-id in ipsec-vpn configuration??Why does it need??

  • A proxy-IDs  are negotiated during  Phase II tunnel establishment and define the Traffic that needs to be Encrypted or the Interested Traffic for an IPSEC tunnel.
  • Policy Based VPN define this using a combination of SRC IP, DST  IP, and SERVICES  in a tunnel policy. (Eg : Security Rules in Juniper for Policy Based VPNs or ACLs in Cisco).
  • Route Based VPN use a logical L3  tunnel interface ,traffic destined for the Tunnel is Encrypted and use 0.0.0.0/0 as Proxy IDs by default.


PA firewalls use Route Based approach hence Proxy-IDs are manually configured  On PA firewalls only while connecting with Policy Based VPNs to match the ones configured on the Peer.


Terminology

(ACL :: CISCO   ||     PROXY IDs :: Juniper     ||     Encryption Domains :: CHKPOINT)

So the behavior observed is NORMAL and You do not need to configure Proxy IDs for Establishing IPSEC between  PA firewalls.

View solution in original post

Wow, Thanks a million for your detail answer.

Must not between PA devices be configured proxy-ids?

And must PA device be configured proxy-id when connect policy based vpn such as Cisco , Juniper , CHKPOINT by ipsec-vpn????

Is it right???

Yes thts Right.

No Proxy Ids between 2 PA s

But only for Policy Based VPN using Peer ,in short for Cross Vendor VPNs

Ameya

Thank you very much, Ameya.

I am helpful for you answer.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!