Proxy ID's question


Can someone clarify Proxy IDs for me? From what I see they're the same thing as encryption domains? What is the syntax, and does it have to be one to one, i.e. SIP DIP?



L7 Applicator

Hello Dvlacic,

Here is the KB doc which might help you understand the Proxy-ID concept for IPSec VPN tunnels.

Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs?

For example:

admin@40-PA-4020> show vpn flow name test-tunnel

tunnel  test-tunnel
        id:                     2
        type:                   IPSec
        gateway id:             1
        local ip:     
        peer ip:      
        inner interface:        tunnel.101
        outer interface:        ethernet1/3
        state:                  init
        session:                49166
        tunnel mtu:             1448
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       5
        local spi:              00000000
        remote spi:             00000000
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:        >>>>>>>>>>>>>>>>>>>>>>>>>>>> Source subnet, from which you are expecting to initiate traffic
        proxy-id remote ip:       >>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination private subnet
        proxy-id protocol:      0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Protocol allowed through the tunnel
        proxy-id local port:    0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Source port
        proxy-id remote port:   0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination port

For each proxy-ID, the firewall will create a different SPI value (a different IPsec tunnel) between source and destination. PAN and Juniper firewalls use as the default proxy-ID, but for Cisco devices you have to define the proxy-ID (access-list) in order to pass traffic through the tunnel.

Hope this helps.


L5 Sessionator

Hi Dvlacic,

Proxy ID basically means what IP addresses each local and remote end is expecting to pass through the tunnel. If you have a local network of and a remote network of, and you define both of these subnets as the proxy ID, i.e.

local remote <----- local site

local remote <------ remote site

then if you initiate traffic from, say, to destination, from the remote site to the local one, it will not go through, as the local device is expecting traffic only from the subnet. It can be either 1-to-1 or a subnet, as just described. These have to be mirrored on the local and remote sites for phase 2 to come up. Thanks
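To make the two rules both answers describe concrete (a proxy-ID is a phase-2 traffic selector; each side's local/remote pair must be the mirror image of the peer's for phase 2 to come up; traffic whose source or destination falls outside the selector is not sent through the tunnel), here is a small model of proxy-ID matching. This is an added example for this thread, not code from the posters or from Palo Alto Networks; the subnets, ports and packets are constructed, and a protocol or port of 0 is treated as "any", as in the show vpn flow output above.

```python
"""Model of IPsec phase-2 proxy-IDs (traffic selectors).

Added example, not part of the thread or of any vendor code. All subnets,
ports and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence

ANY = 0  # proxy-id protocol or port 0 means "any", as shown in `show vpn flow`


@dataclass(frozen=True)
class ProxyId:
    """One phase-2 proxy-ID as configured on one side of the tunnel."""
    local: IPv4Network
    remote: IPv4Network
    protocol: int = ANY
    local_port: int = ANY
    remote_port: int = ANY

    @classmethod
    def make(cls, local: str, remote: str, protocol: int = ANY,
             local_port: int = ANY, remote_port: int = ANY) -> "ProxyId":
        # strict=False lets a host-style address such as 10.1.0.1/24 be entered
        return cls(ip_network(local, strict=False), ip_network(remote, strict=False),
                   protocol, local_port, remote_port)

    def mirrors(self, peer: "ProxyId") -> bool:
        """True when the peer's proxy-ID is the exact mirror image of this one:
        our local == their remote, our remote == their local, ports swapped.
        This is the condition both answers give for phase 2 to come up."""
        return (self.local == peer.remote and self.remote == peer.local
                and self.protocol == peer.protocol
                and self.local_port == peer.remote_port
                and self.remote_port == peer.local_port)

    def matches(self, src: str, dst: str, protocol: int = ANY,
                sport: int = ANY, dport: int = ANY) -> bool:
        """True when a packet leaving the local side (src -> dst) is covered
        by this selector and would therefore be encapsulated."""
        if ip_address(src) not in self.local or ip_address(dst) not in self.remote:
            return False
        if self.protocol != ANY and protocol != self.protocol:
            return False
        if self.local_port != ANY and sport != self.local_port:
            return False
        if self.remote_port != ANY and dport != self.remote_port:
            return False
        return True


def negotiable(local_ids: Sequence[ProxyId], remote_ids: Sequence[ProxyId]) -> List[ProxyId]:
    """Local proxy-IDs that have a mirrored counterpart on the peer.

    Each matched pair gets its own SA/SPI (the first answer's point); a
    proxy-ID with no mirror never brings up a phase-2 SA at all."""
    return [pid for pid in local_ids if any(pid.mirrors(r) for r in remote_ids)]


def select_proxy_id(local_ids: Sequence[ProxyId], src: str, dst: str,
                    protocol: int = ANY, sport: int = ANY, dport: int = ANY) -> Optional[int]:
    """Index of the first proxy-ID whose selector covers the packet, or None
    when the packet is outside every selector and would not use the tunnel."""
    for i, pid in enumerate(local_ids):
        if pid.matches(src, dst, protocol, sport, dport):
            return i
    return None


if __name__ == "__main__":
    # Constructed two-site setup: a plain subnet pair plus a TCP/443-only pair.
    local_site = [ProxyId.make("10.1.0.0/24", "10.2.0.0/24"),
                  ProxyId.make("10.1.0.0/24", "10.3.0.0/24", protocol=6, remote_port=443)]
    remote_site = [ProxyId.make("10.2.0.0/24", "10.1.0.0/24"),
                   ProxyId.make("10.3.0.0/24", "10.1.0.0/24", protocol=6, local_port=443)]
    print("phase-2 pairs that can negotiate:", len(negotiable(local_site, remote_site)))
    print("10.1.0.5 -> 10.2.0.9 uses proxy-id", select_proxy_id(local_site, "10.1.0.5", "10.2.0.9"))
    print("10.9.0.5 -> 10.2.0.9 uses proxy-id", select_proxy_id(local_site, "10.9.0.5", "10.2.0.9"))
    print("10.1.0.5 -> 10.3.0.9 tcp/80 uses proxy-id",
          select_proxy_id(local_site, "10.1.0.5", "10.3.0.9", 6, 51000, 80))
```

The remote site's entries swap local and remote (and local_port and remote_port) relative to the local site's, which is exactly what "mirrored" means in the answer above; a peer configured with 10.1.0.0/16 instead of /24 fails `mirrors()` even though the /24 is contained in it, because proxy-IDs are compared as exact selectors, not as supersets.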
