root@SRX5800# set ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24
set security ipsec vpn vpn-name ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24 service any
Guess it is important to provide the configuration stanza. Sorry about that!
[edit security ipsec vpn vpn-name]
Thanks for catching that, oldtimer. Appreciate it.
Sorry, but I need to ask this question...
What is the purpose of specifying proxy-id?
I have a customer with two networks, how do I add a second network to the remote proxy id?
You can simply add more pairs of proxy-id, one pair for each set of networks that need to communicate with each other.
Note that these must match the pairs on the other side of the VPN tunnel.
I don't have 2 networks on my end, only on the other end.
What I need is something like this, but this command does not exist; I can't find the correct syntax to use:
set ike proxy-identity local 192.168.0.0/24 remote 192.168.1.0/24 remote2 192.168.2.0/24
Proxy-ids are done in pairs with local and remote networks, so in your case the two pairs would be:
set ike proxy-identity local 192.168.0.0/24 remote 192.168.1.0/24
set ike proxy-identity local 192.168.0.0/24 remote 192.168.2.0/24
This connects the local network to both remote networks. If there were two local and two remote, you would need 4 pairs.
Did you actually try your configuration on a live SRX?! Only one proxy-ID definition is allowed; to get around the limitation, you use traffic-selectors.
Thanks, Old Creek. I was confusing proxy-id with traffic selectors. I saw the main question as how to have only one subnet on local with two on remote. You need to configure each set as separate pairs.
But as you note, the proxy-id stanza only allows one, while the traffic selector can have multiple.
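Putting the thread's conclusion into a working Junos configuration (an added example, not posted by anyone in the thread): one local subnet 192.168.0.0/24 and the two remote subnets 192.168.1.0/24 and 192.168.2.0/24 from the question, first as the single proxy-identity pair that the SRX actually accepts, then as two traffic-selectors. It assumes a route-based VPN named vpn-name bound to st0.0 with an IKE gateway called gw-customer already defined; those names and the selector labels ts-net1 / ts-net2 are assumptions, not anything from the thread. The proxy-ID or selector pair is what the SRX will agree to carry over each IPsec SA, so a pair that does not match what the peer proposes is the usual cause of a Phase 2 failure.

```junos
## Added example, not from the thread. Assumes a route-based VPN "vpn-name"
## on st0.0 and an IKE gateway "gw-customer" that already exist; the selector
## names ts-net1 / ts-net2 are arbitrary labels.

[edit security ipsec vpn vpn-name]

## What the SRX accepts under proxy-identity: exactly one local/remote pair.
## "local" and "remote" are single leaf values, so setting a second remote
## prefix here replaces the first rather than adding a second pair.
set ike gateway gw-customer
set ike proxy-identity local 192.168.0.0/24 remote 192.168.1.0/24 service any

## Covering both remote subnets: remove the single proxy-identity and define
## one traffic-selector per local/remote pair. Each selector negotiates its
## own IPsec SA, so the peer must offer a matching pair for each one.
delete ike proxy-identity
set bind-interface st0.0
set ike gateway gw-customer
set traffic-selector ts-net1 local-ip 192.168.0.0/24 remote-ip 192.168.1.0/24
set traffic-selector ts-net2 local-ip 192.168.0.0/24 remote-ip 192.168.2.0/24
commit

## Verification: expect two IPsec SAs, one per selector, and (with the
## default auto route insertion) a route for each remote prefix via st0.0.
run show security ipsec security-associations detail
run show route 192.168.2.0/24
```

If only one of the two SAs comes up, compare the selector the peer sends against the local-ip/remote-ip pair on the failing selector; the prefixes have to line up pair for pair, not just in aggregate.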