- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-12-2014 02:07 PM
Hello Dvlacic,
Here is the KB doc which might help you to understand Proxy-ID concept for IPSec VPN tunnel.
Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs?
For example:
admin@40-PA-4020> show vpn flow name test-tunnel
tunnel test-tunnel
id: 2
type: IPSec
gateway id: 1
local ip: 10.66.24.40
peer ip: 1.1.1.1
inner interface: tunnel.101
outer interface: ethernet1/3
state: init
session: 49166
tunnel mtu: 1448
lifetime remain: N/A
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 5
local spi: 00000000
remote spi: 00000000
key type: auto key
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 0.0.0.0/0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Source subnet, where from you are expecting to initiate traffic
proxy-id remote ip: 0.0.0.0/0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination private subnet
proxy-id protocol: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Protocol allowed through the tunnel
proxy-id local port: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Source port
proxy-id remote port: 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination
For each proxy-ID, the firewall will create different SPI value (different IPsec tunnel) between source and destination. PAN and Juniper firewall's uses 0.0.0.0/0 as default proxy ID, but for CISCO devices, you have to define the proxy-ID ( access-list) in order to pass traffic through tunnel.
Hope this helps.
Thanks
05-13-2014 09:29 AM
Hi Dvlacic,
Proxy ID basically means what ip address each local and remote address is expecting to pass through the tunnel. If you have local address of 10.0.0.0/8 network and remote network of 192.168.1.0/24, and you define both of these subnets as proxy id, ie.
local 10.0.0.0/8 remote 192.168.1.0/24 <----- local site
local 192.168.1.0/24 remote 10.0.0.0/8 <------ remote site
then if you initiate a traffic from say 172.16.1.1 to destination 10.0.0.1 from remote site to local, that will not go through as the local device is expecting traffic from only 192.168.1.0/24 subnet. It can be both 1 to 1 or a subnet just described. These has to be mirror on local and remote site for phase 2 to come up. Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!