SRX


Why to Use of Proxy-identity in VPN?

  • 1.  Why to Use of Proxy-identity in VPN?

    Posted 02-19-2018 09:12

    Hello everyone,

    I just want to know why we use Proxy-identity (local/remote) in VPN? In our design, earlier we were configuring VPNs without proxy-identities, but after using NAT in our environment, the vendor has configured all the VPNs with proxy-identities, whether using NAT or not. Is this something related to or necessary with NAT, or has it nothing to do with it? Now I have a habit of configuring every VPN with a proxy-identity, but I can't explain to someone why I did this.


    #IPSECVPN
    #proxy-identity


  • 2.  RE: Why to Use of Proxy-identity in VPN?

    Posted 02-19-2018 09:29

    Hi,

    Please refer to this KB for a couple of known use cases:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA



  • 3.  RE: Why to Use of Proxy-identity in VPN?

    Posted 02-19-2018 09:40

    With proxy-ID, a single VPN (tunnel interface) can have a single local and remote subnet.

    Also, please refer to this thread:

    https://forums.juniper.net/t5/SRX-Services-Gateway/Proxy-ID/td-p/305951



  • 4.  RE: Why to Use of Proxy-identity in VPN?
    Best Answer

    Posted 02-20-2018 03:10

    With IPSEC VPN there is always a proxy-id pair sent. This is part of the standard.

    When you don't explicitly configure one on the SRX it will use 0.0.0.0/0 to 0.0.0.0/0, meaning any subnet can be sent or received on the tunnel.

    This is the recommended and simplest path.

    But most other vendors do not allow this open proxy pair. So we must configure explicit pair(s) for compatibility and for the tunnel to come up.

    Traffic selectors allow more than one pair.

    The proxy-id configuration item allows only one pair.
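    The three ways an SRX ends up sending a proxy-ID pair, shown as an added example in Junos set-command form (this is not configuration posted by anyone in this thread; the st0 units, gateway and policy names, and the subnets are constructed for illustration):

```junos
# Added example, not from the thread. Names and addresses are constructed.

# 1) Route-based VPN with no proxy-identity: the SRX negotiates
#    0.0.0.0/0 <-> 0.0.0.0/0. Simplest, but many third-party peers
#    reject this open pair in phase 2 and the tunnel never comes up.
set security ipsec vpn vpn-open bind-interface st0.0
set security ipsec vpn vpn-open ike gateway gw-branch
set security ipsec vpn vpn-open ike ipsec-policy ipsec-pol-1

# 2) Route-based VPN with an explicit proxy-identity: exactly one
#    local/remote pair per VPN. A second pair needs a second VPN and
#    st0 unit. The route to the remote LAN is static, so it stays in
#    the routing table even while the VPN is deactivated.
set security ipsec vpn vpn-proxy bind-interface st0.1
set security ipsec vpn vpn-proxy ike gateway gw-branch
set security ipsec vpn vpn-proxy ike ipsec-policy ipsec-pol-1
set security ipsec vpn vpn-proxy ike proxy-identity local 10.10.0.0/24
set security ipsec vpn vpn-proxy ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn vpn-proxy ike proxy-identity service any
set routing-options static route 192.168.50.0/24 next-hop st0.1

# 3) Route-based VPN with traffic selectors: one pair per selector,
#    several per tunnel, each negotiating its own phase-2 SA. The SRX
#    auto-inserts a route for each remote-ip via st0.2 when that SA is
#    up and withdraws it when the SA goes down (no static route needed).
#    Here the datacentre side offers two local LANs to one branch LAN.
set security ipsec vpn vpn-ts bind-interface st0.2
set security ipsec vpn vpn-ts ike gateway gw-branch
set security ipsec vpn vpn-ts ike ipsec-policy ipsec-pol-1
set security ipsec vpn vpn-ts traffic-selector ts-lan1 local-ip 10.10.0.0/24
set security ipsec vpn vpn-ts traffic-selector ts-lan1 remote-ip 192.168.50.0/24
set security ipsec vpn vpn-ts traffic-selector ts-lan2 local-ip 10.20.0.0/24
set security ipsec vpn vpn-ts traffic-selector ts-lan2 remote-ip 192.168.50.0/24

# Verify which pair was actually negotiated for each SA:
run show security ipsec security-associations detail
```

    The SA detail output lists the local and remote identity of each phase-2 SA, so a mismatch against what the peer expects shows up there before you start debugging routing.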




  • 5.  RE: Why to Use of Proxy-identity in VPN?

    Posted 02-20-2018 09:45

    Thanks a lot for the clear explanation of the Proxy-identity. I have also confirmed this with the following command:

    "> show security ipsec security-associations detail"

    Further, I just want to know what's the way around to configure multiple proxy-identities on the following firewalls:

    SRX1500 with 17.3R1.10

    SRX320 with 15.1X49-D45

    We are going to access multiple LANs at the Datacentre (SRX1500) with the branch-end LAN (SRX320) by using proxy-identities.

    We have redundant service providers and our vendor has told us that traffic-selectors don't work in the auto-shifting of traffic in the event of failure of either ISP link. So we have configured IPSec VPN with proxy-identities, but now our management has asked us to access another LAN from the Datacentre. So now what's the solution to cater for this scenario?

    We have configured multiple proxy-identities on NetScreen devices SSG20 (after updating the OS) and ISG2000. Now we want to achieve the same goal on SRX too.



  • 6.  RE: Why to Use of Proxy-identity in VPN?

    Posted 02-21-2018 02:29

    Traffic selectors are the way to configure multiple proxy-ids on the SRX, similar to ScreenOS 6.3.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820



  • 7.  RE: Why to Use of Proxy-identity in VPN?

    Posted 07-24-2018 00:47

    I think we could achieve the same result by configuring multiple IPSec VPNs (proxy-identity) against the same IKE as we did with traffic selectors, and in this way we could also have redundant link autoshifting enabled.

    What's your stance on this? 


    @spuluka



  • 8.  RE: Why to Use of Proxy-identity in VPN?

    Posted 07-24-2018 02:44

    If I understand you correctly, yes, you can also configure multiple policy-based VPNs to generate multiple proxy-id pairs on a VPN tunnel. This is an alternative to using route-based VPN and works under the security policy stanza instead.

    I am not sure what you mean by redundant link auto shifting. But there are VPN failover options if that is what you are getting at.



  • 9.  RE: Why to Use of Proxy-identity in VPN?

    Posted 08-15-2018 11:42

    No, I am talking about route-based VPNs with dual or triple ISP links. If I use traffic-selectors then the route is auto injected into the routing table and vanishes whenever either VPN is deactivated or the link goes down (fiber-break issue from the ISP side). But if I use proxy-id then the route is statically entered and stays there even if I deactivate the VPN.

    Second question is whether we could implement multiple local-remote IP pairs with proxy ID over the same tunnel and IKE as we do with traffic-selectors?



  • 10.  RE: Why to Use of Proxy-identity in VPN?

    Posted 08-16-2018 02:36

    Unfortunately, the proxy id method only supports a single pair. If you have multiple pairs your only option is either policy VPN or traffic selectors.

    I assume the other side is not SRX or otherwise does not support the open proxy id.

    How are you doing the VPN failover? I wonder if the PBF method will work with traffic selectors on the VPN.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227