08-10-2017 03:58 AM
Hello Community,
I'm having strange behavior after configuring an IPSec tunnel. The situation is that I can ping a subnet through the tunnel which doesn't have a Proxy ID. This subnet has an entry in the virtual router and the tunnel interface points to it; there's also a security policy which allows this traffic, but as far as I know, if this subnet has no Proxy ID, communication through the tunnel wouldn't be possible. In summary:
To reach the subnet A.B.C.X through an IPSec tunnel I configured:
- IPSec tunnel (IKE Gateway, IPSec Crypto Profile, tunnel interface, ---> Proxy ID)
- Security rule
- virtual router
The strange behavior is that I can ping a subnet A.B.C.Y through the same tunnel, but there isn't a Proxy ID for this subnet in the tunnel, only a route in the virtual router with the tunnel interface pointing to the subnet A.B.C.Y.
Any ideas about why this may be happening?
Thank you in advance,
Marcos.
08-10-2017 04:37 AM
Hi @Carracido
So you already have one proxy ID configured and traffic is also flowing between subnets without proxy ID? Did you check the tunnel status and the IPSec SAs on the cli to see what phase 2 tunnel is established?
08-10-2017 04:41 AM
Hi,
PA uses the interface (route-based) to encrypt all traffic going into the tunnel. Proxy IDs are needed to establish P2 if the peer side is a policy-based VPN FW/router. Is your peer configured for policy-based or route-based VPN?
You still have an option to deny that traffic with the security policy
08-10-2017 06:42 AM
Whatever your peer is, it appears to also be a route-based system, which means you don't really need Proxy IDs. My current list of firewalls that support route-based VPN: Palo Alto Firewalls, Juniper SRX, Juniper Netscreen, and Checkpoint, but there could be more that I simply haven't come across yet.
08-10-2017 07:35 AM
Yes, with route-based VPN Proxy IDs aren't needed, but if you do have one configured, there shouldn't be an SA in addition to the configured Proxy ID. Of course route-based with 0.0.0.0/0 is the best way to configure it, but that's, as I understood, not the point.
And because of the described situation I assume @Carracido uses IKEv2
08-10-2017 08:54 AM - edited 08-10-2017 08:55 AM
As mentioned, you don't need Proxy IDs with Palo.
If you leave it blank it will still send it over, but in the form of 0.0.0.0/0.
If you want to separate different subnet traffic into different tunnels you can still use Proxy IDs between 2 route-based VPN devices, as it might give some performance advantages 🙂
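To make the replies above concrete (blank Proxy IDs proposed as 0.0.0.0/0, Proxy IDs required against a policy-based peer, separate Proxy IDs giving separate SAs), here is a small simplified model of Phase 2 selector matching on a route-based endpoint. It is an added example for this thread, not PAN-OS code, and does not claim to explain the original poster's observation: the tunnel names, the 192.168.1.0/24 and 10.20.30.0/24 / 10.20.31.0/24 subnets, and the rule that the peer needs an exact selector match are assumptions chosen for illustration.

```python
"""Simplified model of Phase 2 selector matching on a route-based VPN endpoint.

Added example for this thread, not PAN-OS code: tunnel names, subnets and the
exact-match rule for the peer are assumptions, not the firewall's real logic.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class ProxyID:
    """One local/remote selector pair, written from our side of the tunnel."""
    local: IPv4Network
    remote: IPv4Network


@dataclass
class Tunnel:
    name: str
    proxy_ids: list        # configured Proxy IDs; [] means "left blank"
    peer_accepts: list     # selector pairs the peer's policy will negotiate
    sas: list = field(default_factory=list)   # Phase 2 SAs after negotiate()


def proposed_selectors(tunnel):
    """A blank Proxy ID list is proposed as 0.0.0.0/0 <-> 0.0.0.0/0."""
    return tunnel.proxy_ids or [ProxyID(ANY, ANY)]


def negotiate(tunnel):
    """IKEv1 quick mode, simplified: one Phase 2 SA per proposed pair the peer
    accepts (assumption: exact match). A route-based peer accepts ANY<->ANY;
    a policy-based peer accepts only the pairs in its policy."""
    tunnel.sas = [sel for sel in proposed_selectors(tunnel)
                  if sel in tunnel.peer_accepts]
    return tunnel.sas


def select_sa(tunnel, src, dst):
    """Runs after the virtual-router lookup has already steered the packet into
    the tunnel interface: return the most specific SA covering src->dst, or
    None when no SA matches (the packet is dropped, never sent in clear)."""
    src, dst = ip_address(src), ip_address(dst)
    hits = [sa for sa in tunnel.sas if src in sa.local and dst in sa.remote]
    if not hits:
        return None
    return max(hits, key=lambda sa: (sa.local.prefixlen, sa.remote.prefixlen))


# Constructed sample addressing, standing in for the thread's A.B.C.X / A.B.C.Y.
LAN = ip_network("192.168.1.0/24")
SUBNET_X = ip_network("10.20.30.0/24")   # has a Proxy ID in the tunnel
SUBNET_Y = ip_network("10.20.31.0/24")   # only a route, no Proxy ID
ROUTE_BASED_PEER = [ProxyID(ANY, ANY)]
POLICY_BASED_PEER = [ProxyID(LAN, SUBNET_X)]
HOST_X, HOST_Y = "10.20.30.7", "10.20.31.9"


def run(name, proxy_ids, peer_accepts):
    t = Tunnel(name, proxy_ids, peer_accepts)
    negotiate(t)
    return (select_sa(t, "192.168.1.10", HOST_X),
            select_sa(t, "192.168.1.10", HOST_Y))


def scenarios():
    """Which SA (None = dropped) carries LAN->X and LAN->Y in each setup."""
    return {
        # Blank Proxy IDs, route-based peer: one ANY<->ANY SA carries whatever
        # the route table steers into the tunnel interface, X and Y alike.
        "blank-vs-route-based": run("blank-vs-route-based", [], ROUTE_BASED_PEER),
        # Blank Proxy IDs, policy-based peer: no pair matches, Phase 2 fails.
        "blank-vs-policy-based": run("blank-vs-policy-based", [], POLICY_BASED_PEER),
        # Proxy ID for X only, policy-based peer: X works, Y has a route into
        # the tunnel but no SA and is dropped.
        "proxyid-vs-policy-based": run("proxyid-vs-policy-based",
                                       [ProxyID(LAN, SUBNET_X)], POLICY_BASED_PEER),
        # Two Proxy IDs accepted by the peer: two SAs, one per subnet, which is
        # the "different SAs on different CPUs" case from the thread.
        "two-proxyids": run("two-proxyids",
                            [ProxyID(LAN, SUBNET_X), ProxyID(LAN, SUBNET_Y)],
                            [ProxyID(LAN, SUBNET_X), ProxyID(LAN, SUBNET_Y)]),
    }


if __name__ == "__main__":
    for name, (to_x, to_y) in scenarios().items():
        print(f"{name:26} LAN->X: {to_x}  LAN->Y: {to_y}")
```

The useful check on a real box is the same one the model makes explicit: a route into the tunnel interface is necessary but not sufficient, so when a subnet unexpectedly works or fails, look at which Phase 2 SA (selector pair) was actually negotiated rather than at the route table alone.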
08-10-2017 08:56 AM
Hi guys,
I thank you all for answering.
I'm using IKEv1 with route-based peers. Thanks to your answers I can confirm that I don't need Proxy IDs for this scenario.
Thanks and Regards,
Marcos.
08-10-2017 09:02 AM
Could you explain the point with the performance advantages with proxy IDs?
08-10-2017 09:03 AM
Different SA associations can be processed by different CPUs in the firewall.
08-10-2017 09:06 AM
Ah ok, so only something to consider with the bigger PA series 😉
08-10-2017 09:12 AM
I would not worry about it, yes.
With a PA200 and a single core there is no reason to.
Also, with low VPN volume it is not worth the effort to play with Proxy IDs.
08-10-2017 09:17 AM - edited 08-10-2017 09:29 AM
Am I right that this only matters starting with the 5000 series, for example on a 5050 if you have more than 2 Gbps of IPsec traffic (-> more than half of the platform max IPsec throughput of 4 Gbps) and all of this in one VPN connection?