This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Do I configure proxy-id in ipsec-vpn certainly?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Do I configure proxy-id in ipsec-vpn certainly?

Go to solution
KiCheon.Lee
L4 Transporter

‎04-23-2013 01:56 AM

Hello all,

What is proxy-id in ipsec-vpn configuration??

Why does it need??

I will use ipsec-vpn on PA-2020 & PA-500.

Each devices have 15 proxy-id(remote-networks).

I know one tunnel interface has 10 proxy-ids.

So I have tested without proxy-id that traffics are processed routing-table(next-hop tunnel interface) to 15 remote-networks.

It is normal. Do I configure proxy-id in ipsec-vpn certainly??

What problem does it has if I configure ipsec-vpn without proxy-id???

Or please let me know if you know other good way.

Thanks.

Labels:
1 accepted solution

Accepted Solutions

Go to solution
UhMayYeah
L5 Sessionator

‎04-23-2013 03:27 AM

What is proxy-id in ipsec-vpn configuration??Why does it need??

  • A proxy-IDs  are negotiated during  Phase II tunnel establishment and define the Traffic that needs to be Encrypted or the Interested Traffic for an IPSEC tunnel.
  • Policy Based VPN define this using a combination of SRC IP, DST  IP, and SERVICES  in a tunnel policy. (Eg : Security Rules in Juniper for Policy Based VPNs or ACLs in Cisco).
  • Route Based VPN use a logical L3  tunnel interface ,traffic destined for the Tunnel is Encrypted and use 0.0.0.0/0 as Proxy IDs by default.


PA firewalls use Route Based approach hence Proxy-IDs are manually configured  On PA firewalls only while connecting with Policy Based VPNs to match the ones configured on the Peer.


Terminology

(ACL :: CISCO   ||     PROXY IDs :: Juniper     ||     Encryption Domains :: CHKPOINT)

So the behavior observed is NORMAL and You do not need to configure Proxy IDs for Establishing IPSEC between  PA firewalls.

View solution in original post

4 REPLIES 4

Go to solution
UhMayYeah
L5 Sessionator

‎04-23-2013 03:27 AM

What is proxy-id in ipsec-vpn configuration??Why does it need??

  • A proxy-IDs  are negotiated during  Phase II tunnel establishment and define the Traffic that needs to be Encrypted or the Interested Traffic for an IPSEC tunnel.
  • Policy Based VPN define this using a combination of SRC IP, DST  IP, and SERVICES  in a tunnel policy. (Eg : Security Rules in Juniper for Policy Based VPNs or ACLs in Cisco).
  • Route Based VPN use a logical L3  tunnel interface ,traffic destined for the Tunnel is Encrypted and use 0.0.0.0/0 as Proxy IDs by default.


PA firewalls use Route Based approach hence Proxy-IDs are manually configured  On PA firewalls only while connecting with Policy Based VPNs to match the ones configured on the Peer.


Terminology

(ACL :: CISCO   ||     PROXY IDs :: Juniper     ||     Encryption Domains :: CHKPOINT)

So the behavior observed is NORMAL and You do not need to configure Proxy IDs for Establishing IPSEC between  PA firewalls.

Go to solution
KiCheon.Lee
L4 Transporter
In response to UhMayYeah

‎04-23-2013 04:44 AM

Wow, Thanks a million for your detail answer.

Must not between PA devices be configured proxy-ids?

And must PA device be configured proxy-id when connect policy based vpn such as Cisco , Juniper , CHKPOINT by ipsec-vpn????

Is it right???

0 Likes Likes

Go to solution
UhMayYeah
L5 Sessionator
In response to KiCheon.Lee

‎04-23-2013 04:49 AM

Yes thts Right.

No Proxy Ids between 2 PA s

But only for Policy Based VPN using Peer ,in short for Cross Vendor VPNs

Ameya

0 Likes Likes

Go to solution
KiCheon.Lee
L4 Transporter
In response to UhMayYeah

‎04-23-2013 05:02 AM

Thank you very much, Ameya.

I am helpful for you answer.

0 Likes Likes
  • 1 accepted solution
  • 4096 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks