Proxy ID's question


Can someone clarify Proxy IDs for me? From what I see they're the same thing as encryption domains? What is the syntax, and does it have to be one to one, i.e.:

SIP 1.1.1.1 DIP 2.2.2.2
SIP 1.1.1.1 DIP 3.3.3.3

L7 Applicator

Hello Dvlacic,

Here is the KB doc which might help you to understand the Proxy-ID concept for an IPSec VPN tunnel.

Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs?

For example:

admin@40-PA-4020> show vpn flow name test-tunnel

tunnel  test-tunnel
        id:                     2
        type:                   IPSec
        gateway id:             1
        local ip:               10.66.24.40
        peer ip:                1.1.1.1
        inner interface:        tunnel.101
        outer interface:        ethernet1/3
        state:                  init
        session:                49166
        tunnel mtu:             1448
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       5
        local spi:              00000000
        remote spi:             00000000
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      0.0.0.0/0   <<<< source subnet from which you are expecting to initiate traffic
        proxy-id remote ip:     0.0.0.0/0   <<<< destination private subnet
        proxy-id protocol:      0           <<<< protocol allowed through the tunnel
        proxy-id local port:    0           <<<< source port
        proxy-id remote port:   0           <<<< destination port

For each proxy-ID, the firewall will create a different SPI value (a different IPsec tunnel) between source and destination. PAN and Juniper firewalls use 0.0.0.0/0 as the default proxy ID, but for Cisco devices you have to define the proxy-ID (access-list) in order to pass traffic through the tunnel.

Hope this helps.

Thanks

L5 Sessionator

Hi Dvlacic,

Proxy ID basically means what IP addresses each local and remote end is expecting to pass through the tunnel. If you have a local address of the 10.0.0.0/8 network and a remote network of 192.168.1.0/24, and you define both of these subnets as the proxy ID, i.e.

local 10.0.0.0/8 remote 192.168.1.0/24 <----- local site

local 192.168.1.0/24 remote 10.0.0.0/8 <------ remote site

then if you initiate traffic from, say, 172.16.1.1 to destination 10.0.0.1 from the remote site to the local site, that will not go through, as the local device is expecting traffic only from the 192.168.1.0/24 subnet. It can be either 1 to 1 or a subnet as just described. These have to be mirrored on the local and remote sites for phase 2 to come up. Thanks
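The two replies above can be checked mechanically. The following is an added example, not code from the thread or from PAN-OS: it models a proxy-ID the way `show vpn flow` prints it (local subnet, remote subnet, protocol, local/remote port, with 0 meaning "any"), checks whether two sites' proxy-IDs mirror each other (the phase 2 precondition from the second reply), parses the proxy-id lines out of a constructed copy of the CLI output from the first reply, and shows which proxy-ID (and therefore which SA/SPI pair) a given flow would land in, including the one-to-one host case the original question asks about. The class and function names (`ProxyId`, `parse_show_vpn_flow`, `select_proxy_id`, `thread_examples`) and the sample output are mine; real selector negotiation also allows a narrower selector on one side to be accepted by some peers, which this strict mirror check deliberately does not model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (hypothetical helper, not PAN-OS code). A proxy-ID as PAN-OS prints it:
# local subnet, remote subnet, IP protocol number (0 = any), local/remote port (0 = any).


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int = 0
    local_port: int = 0
    remote_port: int = 0

    @classmethod
    def of(cls, local: str, remote: str, protocol: int = 0,
           local_port: int = 0, remote_port: int = 0) -> "ProxyId":
        # strict=False lets "10.0.0.1/8" style input through; a bare host becomes a /32
        return cls(ipaddress.ip_network(local, strict=False),
                   ipaddress.ip_network(remote, strict=False),
                   protocol, local_port, remote_port)

    def mirrors(self, peer: "ProxyId") -> bool:
        """Phase 2 comes up only when the peer's proxy-ID is ours with local/remote swapped."""
        return (self.local == peer.remote and self.remote == peer.local
                and self.protocol == peer.protocol
                and self.local_port == peer.remote_port
                and self.remote_port == peer.local_port)

    def matches(self, src: str, dst: str, protocol: int = 0,
                sport: int = 0, dport: int = 0) -> bool:
        """True if an outbound flow from this side fits the selector (0 in the ID means any)."""
        if ipaddress.ip_address(src) not in self.local:
            return False
        if ipaddress.ip_address(dst) not in self.remote:
            return False
        if self.protocol and protocol != self.protocol:
            return False
        if self.local_port and sport != self.local_port:
            return False
        if self.remote_port and dport != self.remote_port:
            return False
        return True


def select_proxy_id(proxy_ids: List[ProxyId], src: str, dst: str, protocol: int = 0,
                    sport: int = 0, dport: int = 0) -> Optional[int]:
    """Index of the first proxy-ID a flow would use (each index is its own SA/SPI pair), or None."""
    for i, pid in enumerate(proxy_ids):
        if pid.matches(src, dst, protocol, sport, dport):
            return i
    return None


_FIELD = re.compile(r"^\s*proxy-id (local ip|remote ip|protocol|local port|remote port):\s*(\S+)")


def parse_show_vpn_flow(output: str) -> ProxyId:
    """Pull the five proxy-id lines out of `show vpn flow name <tunnel>` output."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return ProxyId.of(fields["local ip"], fields["remote ip"], int(fields["protocol"]),
                      int(fields["local port"]), int(fields["remote port"]))


# Constructed sample: the proxy-id lines of the CLI output quoted in the thread (default 0.0.0.0/0).
SAMPLE_SHOW_VPN_FLOW = """\
tunnel  test-tunnel
        proxy-id local ip:      0.0.0.0/0
        proxy-id remote ip:     0.0.0.0/0
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
"""


def thread_examples() -> dict:
    """Work through the cases discussed in the thread and return the outcomes."""
    local_site = ProxyId.of("10.0.0.0/8", "192.168.1.0/24")
    remote_site = ProxyId.of("192.168.1.0/24", "10.0.0.0/8")
    wrong_remote = ProxyId.of("192.168.1.0/24", "10.0.0.0/16")   # typo on one side: no mirror
    default_id = parse_show_vpn_flow(SAMPLE_SHOW_VPN_FLOW)       # PAN-OS any-to-any default
    host_ids = [ProxyId.of("1.1.1.1", "2.2.2.2"),                # one-to-one IDs from the question
                ProxyId.of("1.1.1.1", "3.3.3.3")]
    return {
        "phase2_up": local_site.mirrors(remote_site),
        "phase2_up_wrong": local_site.mirrors(wrong_remote),
        "ok_flow": remote_site.matches("192.168.1.10", "10.0.0.1"),
        "bad_flow": remote_site.matches("172.16.1.1", "10.0.0.1"),   # 172.16.1.1 not in the selector
        "default_any": default_id.matches("172.16.1.1", "10.0.0.1"),
        "sa_for_3333": select_proxy_id(host_ids, "1.1.1.1", "3.3.3.3"),  # second ID, second SPI
        "sa_for_4444": select_proxy_id(host_ids, "1.1.1.1", "4.4.4.4"),  # no ID, no tunnel
    }
```

The mirror check is intentionally strict (subnet, protocol and both ports must match crosswise), which is how you want to reason when a tunnel sits in `init` with `NOT ESTABLISHED` algorithms as in the output above: compare the two sides' proxy-IDs field by field before touching anything else.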
