04-24-2019 01:52 PM
We have IPSEC tunnel working fine with vendor device.
Vendor Lan subnet is 192.168.80.x
Our lan subnet is 10.10.x.x
Proxy ID on PA is
Also Vendor has another Lan subnet 192.168.81.x that need to talk to internet IP say 23.x.x.x
This traffic needs to come to PA and then go to internet.
So what proxy id should i put for this in PA?
04-25-2019 05:55 AM
Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all.
policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly.
Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic.
The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
04-25-2019 07:43 AM
Seems in our case Vendor device is a Modem that supports Ikev2
Will check with Vendor if there modem supports policy-based VPN or not?
04-27-2019 07:11 AM
Many thanks for answering the question
04-27-2019 12:10 PM
Good article about the question of "why use a VPN proxy ID?":
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!