Proxy ID for IPSEC traffic going to Internet

Reply
Highlighted
Cyber Elite

Proxy ID for IPSEC traffic going to Internet

 

We have IPSEC tunnel working fine with vendor device.

 

Vendor Lan subnet is 192.168.80.x

Our lan subnet is 10.10.x.x

 

Proxy ID on PA is 

 

Local                                     Remote

 

10.10.x.x                              192.168.80.x

 

Also Vendor has another Lan subnet 192.168.81.x  that need to talk to internet IP  say 23.x.x.x

This traffic needs to come to PA and then go to internet.

 

So what proxy id should i put for this in PA?

MP

Accepted Solutions
Highlighted
Cyber Elite

@MP18,

I was asking about the need of the tunnel, I was asking if you actually needed to utilize Proxy IDs or not. You only need to utilize Proxy-IDs if the peer device is policy-based instead of route-based. 

Trying to direct certain websites through your firewall could be tricky from a routing standpoint depending on the website and all of the calls that the site makes. You'll essentially need the peer device to have route statements in place that direct all traffic from their network to 24.x.x.x to actually have a next-hop network of your firewall. You'll then need the proper security policies and routing statements in place to actually process the traffic. 

View solution in original post

Highlighted
Cyber Elite

@MP18 

Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all. 

 

policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly. 

 

Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic. 

 

The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

View solution in original post


All Replies
Highlighted
Cyber Elite

@MP18,

I have to ask just to be sure, are you positive that you actually need to utilize proxy IDs for this deployment?

 

The proxy IDs need to match what the other end is sending you. When working with Proxy IDs you really need to know how both ends are configured and the actual device in question; different vendors will do things extremely different in how the tunnel is actually negotiated. 

For the other subnet, you would need the other admins to configure a route statement that actually sends the traffic through the tunnel, and then create an associated security policy allowing access along with the correct routing statements on your firewall. 

Highlighted
Cyber Elite

We have LAN subnets on both ends and they have private IP address.

Yes we need tunnel for that.

 

Also we want for security purposes if they access specfic Internet sites it should goi via PA.

 

So Vendor will put  the Route for that if they need to access specfic Internet IP they will come via Tunnel.

 

So for this traffic I just need security Policy right if traffic coming from say 192.168.x.x to 24.x.x.x go via PA outside Interface.

 

So for this traffic I do not need any PRoxy ID right?

 

Thanks for help

MP
Highlighted
Cyber Elite

@MP18,

I was asking about the need of the tunnel, I was asking if you actually needed to utilize Proxy IDs or not. You only need to utilize Proxy-IDs if the peer device is policy-based instead of route-based. 

Trying to direct certain websites through your firewall could be tricky from a routing standpoint depending on the website and all of the calls that the site makes. You'll essentially need the peer device to have route statements in place that direct all traffic from their network to 24.x.x.x to actually have a next-hop network of your firewall. You'll then need the proper security policies and routing statements in place to actually process the traffic. 

View solution in original post

Highlighted
Cyber Elite

To be honest we need tunnel from security point of view as this is requirement from our info security.

When you say that other device is policy based you mean 

 

if it supports security rules or not?

 

 

MP
Highlighted
Cyber Elite

@MP18 

Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all. 

 

policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly. 

 

Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic. 

 

The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

View solution in original post

Highlighted
Cyber Elite

Seems in our case Vendor device is a Modem that supports Ikev2

Will check with Vendor if there modem supports  policy-based VPN or not?

MP
Highlighted
Cyber Elite

Many thanks for answering the question

MP
Highlighted
Cyber Elite

Good article about the question of "why use a VPN proxy ID?":

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!