02-06-2019 01:43 AM
Hi @adil.bgz,
If I understand your setup correctly you are trying to separate the encryption domains. But the only logical reason for doing this is if you plan to use tunnel monitor.
{The tunnel monitor feature sends ping packets to a defined destination through the tunnel (encrypted) in order to detect whether the IPsec tunnel is fully functional; if the pings fail it will mark the tunnel as down, even if phase 1 and phase 2 are still up. The source IP of these pings will be the IP assigned to your tunnel interface, so if you have multiple proxy-IDs defined for this tunnel, the PAN FW will try to send the ping using all proxy-IDs, but if the local prefix of even one proxy-ID does not match your tunnel interface IP, the whole tunnel will be marked as down.}
If I understand your requirements, you just want to limit the traffic through the tunnel so that:
- Only X can talk to Y
- Only A can talk to B
- X cannot talk to B, and A cannot talk to Y
First of all, you don't have to split the proxy-IDs into two different tunnel configurations. You just need to configure two proxy-IDs:
1. proxy-id-01: local prefix: X with remote prefix: Y
2. proxy-id-02: local prefix: A with remote prefix: B
That is it. However, you can still use the suggestion by @OtakarKlier to use the security policy and configure rules allowing only X to Y and A to B, so the traffic will be dropped during the policy lookup.
But even if you don't configure two rules and the firewall policy is actually allowing A to Y, the connection between A and Y, or between X and B, wouldn't be possible because you haven't configured a proxy-ID for it. The actual traffic will fail to match the encryption domain and will be dropped from the tunnel.
On the other hand, if you still want to separate the encryption domains into two different tunnel configurations (using different proxy-IDs), you need to assign the same tunnel interface to both:
- Configure IPsec tunnel "A-to-B" with peer 1.1.1.1, assign tunnel.1, configure proxy-id local prefix: A with remote prefix: B
- Configure IPsec tunnel "X-to-Y" with peer 1.1.1.1, assign tunnel.1, configure proxy-ID local prefix: X with remote prefix: Y
- Configure static routes for B and Y via tunnel.1
- Configure policy to allow A to B and X to Y
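The two checks discussed in the post above (the security-policy lookup and the proxy-ID / encryption-domain match) and the tunnel-monitor source-IP caveat, modelled as a small Python simulation. This is an added example, not code from the original post or from Palo Alto Networks: the prefixes for X, Y, A and B, the rule names, the tunnel interface IP and the simplified first-match semantics are all constructed assumptions, and the real PAN-OS lookup is more involved than this.

```python
"""Model of how a flow either is or is not carried by a PAN-OS style IPsec tunnel:
first the security policy (first match wins, implicit deny), then the proxy-ID
match. Also models the tunnel-monitor caveat: the monitor ping is sourced from
the tunnel interface IP, and if that IP is outside the local prefix of any
proxy-ID on the tunnel, the whole tunnel is marked down.
Added example with hypothetical prefixes and names; not from the original post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: IPv4Network   # local encryption-domain prefix
    remote: IPv4Network  # remote encryption-domain prefix


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "allow" or "deny"


def policy_lookup(rules, src: IPv4Address, dst: IPv4Address):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action, r.name
    return "deny", "<implicit>"


def matching_proxy_id(proxy_ids, src: IPv4Address, dst: IPv4Address):
    """Return the proxy-ID whose local/remote prefixes cover the flow, or None."""
    for p in proxy_ids:
        if src in p.local and dst in p.remote:
            return p
    return None


def flow_outcome(rules, proxy_ids, src, dst):
    """Return (carried, reason) for a src->dst flow heading into the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    action, rule = policy_lookup(rules, src, dst)
    if action != "allow":
        return False, f"dropped by policy ({rule})"
    p = matching_proxy_id(proxy_ids, src, dst)
    if p is None:
        # Allowed by policy, but no encryption domain covers it: dropped at the tunnel.
        return False, "allowed by policy but no proxy-ID matches; dropped from tunnel"
    return True, f"carried in proxy-ID {p.name}"


def tunnel_monitor_ok(proxy_ids, tunnel_ip):
    """Tunnel monitor pings are sourced from the tunnel interface IP. If that IP
    is outside the local prefix of any proxy-ID, the tunnel goes down.
    Returns (ok, names of the offending proxy-IDs)."""
    tunnel_ip = ip_address(tunnel_ip)
    bad = [p.name for p in proxy_ids if tunnel_ip not in p.local]
    return (not bad), bad


# Constructed sample configuration (assumed values, not from the post).
X = ip_network("10.1.0.0/24")
Y = ip_network("192.168.1.0/24")
A = ip_network("10.2.0.0/24")
B = ip_network("192.168.2.0/24")
PROXY_IDS = [ProxyID("proxy-id-01", X, Y), ProxyID("proxy-id-02", A, B)]

# Deliberately permissive policy: allows A to Y as well as X to Y and A to B.
PERMISSIVE = [Rule("any-over-tunnel", ip_network("10.0.0.0/8"),
                   ip_network("192.168.0.0/16"), "allow")]
# Strict policy as suggested in the thread: only X to Y and A to B.
STRICT = [Rule("X-to-Y", X, Y, "allow"), Rule("A-to-B", A, B, "allow")]

if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "192.168.1.5"), ("10.2.0.5", "192.168.1.5")]:
        print(src, "->", dst, "| permissive:", flow_outcome(PERMISSIVE, PROXY_IDS, src, dst))
        print(src, "->", dst, "| strict:    ", flow_outcome(STRICT, PROXY_IDS, src, dst))
    # tunnel.1 = 10.1.0.1 sits inside X but not A, so proxy-id-02 breaks the monitor.
    print("tunnel monitor with both proxy-IDs:", tunnel_monitor_ok(PROXY_IDS, "10.1.0.1"))
    print("tunnel monitor with only proxy-id-01:", tunnel_monitor_ok(PROXY_IDS[:1], "10.1.0.1"))
```

Running it shows the post's two points side by side: with the permissive policy, A to Y passes the policy lookup but is still dropped because no proxy-ID covers it, while with the strict policy it is dropped one step earlier. The `tunnel_monitor_ok` check reproduces the caveat from the post: a single tunnel carrying both proxy-IDs fails the monitor because the tunnel interface IP can only fall inside one of the two local prefixes.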