Encryption domains / proxy ID


L0 Member

Hi,

I am new to setting up VPN tunnels from Palo Alto to a 3rd-party firewall and I'm unsure how to set up the proxy IDs for the tunnel config. On the local side I have 9 x /32 addresses and on the remote side there are 7 x /25 subnet addresses. Do I need to set up a proxy ID for each individual transaction between local and remote subnets? That would be a lot of proxy IDs and doesn't seem right, somehow?

1 ACCEPTED SOLUTION

Accepted Solutions

L6 Presenter

@Sharpierrr,

Normally the Proxy ID configuration should be identical to the peer settings. This should match at both ends. If, at the peer end, separate subnets are defined as an encryption domain, and you're defining a supernetted subnet under Proxy ID, then there will be a mismatch and this may result in connection failure.

So if you want to use a supernetted subnet under Proxy IDs to avoid multiple entries, you need to have identical settings at the peer end as well.

Hope it helps!

Mayur


Mayur S.

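The mismatch the accepted answer describes, as an added example that is not part of the thread: a small Python check that every proxy ID on our side has an exact mirror in the peer's list, using constructed addresses modelled on the question's 9 x /32 and 7 x /25 (the prefixes and helper names are assumptions, not from the post).

```python
"""Check that two IPsec peers' proxy IDs (IKE traffic selectors) mirror each other.

Added example, not from the thread. Constructed addressing modelled on the question:
9 local /32 hosts and 7 remote /25 subnets. A proxy ID is a (local, remote) pair;
the peer must hold the mirrored pair (its local = our remote) or Phase 2 fails.
"""
from ipaddress import IPv4Network, ip_network
from itertools import product

# Constructed sample prefixes; the post names no real addresses.
LOCAL_HOSTS = [ip_network(f"192.0.2.{i}/32") for i in range(1, 10)]                  # 9 x /32
REMOTE_SUBNETS = [ip_network(f"10.10.{i // 2}.{(i % 2) * 128}/25") for i in range(7)]  # 7 x /25

ProxyID = tuple[IPv4Network, IPv4Network]  # (local, remote) as seen by one side


def full_mesh(local: list[IPv4Network], remote: list[IPv4Network]) -> list[ProxyID]:
    """One proxy ID per local/remote combination: 9 x 7 = 63 entries here."""
    return list(product(local, remote))


def covering_supernet(nets: list[IPv4Network]) -> IPv4Network:
    """Smallest single prefix that contains every network in `nets`."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def supernetted(local: list[IPv4Network], remote: list[IPv4Network]) -> list[ProxyID]:
    """One proxy ID per local host against a single supernet of the remote side."""
    return [(host, covering_supernet(remote)) for host in local]


def mismatches(ours: list[ProxyID], peers: list[ProxyID]) -> list[ProxyID]:
    """Our proxy IDs with no exact mirror (remote, local) in the peer's list.

    Exact match is what the accepted answer requires: a supernet on one side
    never equals the peer's individual subnets, so every such entry is flagged.
    """
    mirrored = {(remote, local) for local, remote in peers}
    return [p for p in ours if p not in mirrored]


if __name__ == "__main__":
    peer = full_mesh(REMOTE_SUBNETS, LOCAL_HOSTS)  # peer keeps 63 explicit entries
    print(len(mismatches(full_mesh(LOCAL_HOSTS, REMOTE_SUBNETS), peer)))  # 0: identical
    print(len(mismatches(supernetted(LOCAL_HOSTS, REMOTE_SUBNETS), peer)))  # 9: every entry
    print(covering_supernet(REMOTE_SUBNETS))  # 10.10.0.0/22, wider than the 7 subnets
```

Note that the covering supernet 10.10.0.0/22 also includes 10.10.3.128/25, which is not one of the peer's subnets, so a supernetted proxy ID admits more traffic to the tunnel than the explicit list did.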

3 REPLIES 3


Yes, whatever you are planning to configure, it should be identical at both ends. I had faced issues due to a mismatch in proxy ID configuration.

L0 Member

Thank you for your reply.
