Encryption domains / proxy ID

L0 Member

Encryption domains / proxy ID

Hi,

I am new to setting up VPN tunnels from Palo Alto to a 3rd party firewall and I'm unsure how to set up the proxy IDs for the tunnel config. On the local side I have 9 x /32 addresses and on the remote side there are 7 x /25 subnet addresses. Do I need to set up a proxy ID for each individual transaction between local and remote subnets? That would be a lot of Proxy IDs and doesn't seem right, somehow?


Accepted Solutions
L5 Sessionator

Re: Encryption domains / proxy ID

@Sharpierrr,

Normally Proxy ID configuration should be identical with peer settings. This should match at both ends. If at the peer end separate subnets are defined as an encryption domain, and you're defining a supernetted subnet under Proxy ID, then there will be a mismatch and this may result in connection failure.

So if you want to use a supernetted subnet under Proxy IDs to avoid multiple entries, you need to have identical settings at the peer end as well.

Hope it helps!

Mayur

Mayur Sutare
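As an added example (not part of the original thread and not Palo Alto tooling), this Python sketch counts the proxy ID pairs for the 9 x /32 and 7 x /25 case from the question and diffs two sides' selector lists to surface the supernet mismatch the accepted answer describes. All addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from itertools import product

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def proxy_id_pairs(local, remote):
    """One (local, remote) proxy ID per combination of the two lists."""
    return set(product(nets(local), nets(remote)))

def summarize(cidrs):
    """Exact summarization: the result covers no address outside the input."""
    return [str(n) for n in ipaddress.collapse_addresses(nets(cidrs))]

def compare(ours, peers):
    """Diff our proxy IDs against the peer's (given from the peer's viewpoint).

    Returns (missing, extra, covered). 'covered' holds peer entries that one
    of our broader entries contains without being identical to it, which the
    thread's answer treats as a mismatch.
    """
    mirrored = {(r, l) for (l, r) in peers}  # peer's local is our remote
    missing, extra = mirrored - ours, ours - mirrored
    covered = {p for p in missing
               if any(p[0].subnet_of(e[0]) and p[1].subnet_of(e[1]) for e in extra)}
    return missing, extra, covered

# Constructed sample addressing (not from the thread): 9 hosts, 7 x /25.
LOCAL_HOSTS = [f"10.10.0.{i}/32" for i in range(1, 10)]
REMOTE_SUBNETS = ["10.20.0.0/25", "10.20.0.128/25", "10.20.1.0/25",
                  "10.20.1.128/25", "10.20.2.0/25", "10.20.2.128/25",
                  "10.20.3.0/25"]

if __name__ == "__main__":
    peer = proxy_id_pairs(REMOTE_SUBNETS, LOCAL_HOSTS)   # peer lists every pair
    print("pairs if nothing is summarized:", len(peer))
    print("local summarized :", summarize(LOCAL_HOSTS))
    print("remote summarized:", summarize(REMOTE_SUBNETS))
    # We configure one supernetted proxy ID while the peer keeps 63 entries.
    ours = proxy_id_pairs(["10.10.0.0/28"], ["10.20.0.0/22"])
    missing, extra, covered = compare(ours, peer)
    print(f"missing={len(missing)} extra={len(extra)} covered-not-identical={len(covered)}")
```

With these constructed addresses, exact summarization agreed on by both ends would reduce 63 entries to 12 per side, and only if the peer configures the same summarized list.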



All Replies
L2 Linker

Re: Encryption domains / proxy ID

Yes, whatever you are planning to configure, at both ends it should be identical. I had faced issues due to a mismatch in Proxy ID configuration.

L0 Member

Re: Encryption domains / proxy ID

Thank you for your reply.
