This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Proxy ID for IPSEC traffic going to Internet
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: Proxy ID for IPSEC traffic going to Internet
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-24-2019 01:52 PM
We have IPSEC tunnel working fine with vendor device.
Vendor Lan subnet is 192.168.80.x
Our lan subnet is 10.10.x.x
Proxy ID on PA is
Local Remote
10.10.x.x 192.168.80.x
Also Vendor has another Lan subnet 192.168.81.x that need to talk to internet IP say 23.x.x.x
This traffic needs to come to PA and then go to internet.
So what proxy id should i put for this in PA?
MP
8 REPLIES 8
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-25-2019 05:55 AM
Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all.
policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly.
Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic.
The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-25-2019 07:43 AM
Seems in our case Vendor device is a Modem that supports Ikev2
Will check with Vendor if there modem supports policy-based VPN or not?
MP
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-27-2019 07:11 AM
Many thanks for answering the question
MP
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-27-2019 12:10 PM
Good article about the question of "why use a VPN proxy ID?":
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
Related Content
- Is it possible to specify a source address for certain destinations when using Prisma Access? in Prisma Access Discussions
- Can you configure multiple prisma access tunnel end points? in Prisma Access Discussions
- PA-300 induced high latency for GP clients with just 200Mbps troubput in GlobalProtect Discussions
- Threat 576037320 in Threat & Vulnerability Discussions
- Inline Cloud Analyzed Unknown-TCP Command and Control Traffic Detection in Threat & Vulnerability Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks