SRX


vpn proxy-id

  • 1.  vpn proxy-id

    Posted 06-12-2021 00:16
    Hi, does anyone know if the prefix in the proxy-id matters in a route-based VPN on Juniper SRX? I suppose the local and remote proxy-ids can be random and do not need to match the source and destination subnets, given both sides are matching the same set of proxy-ids?
    e.g.
    local enc domain            remote encryption domain
    10.0.0.1/24 >----------> 192.168.1.0/24 and 192.168.11.0/24

    If I set the following in the VPN config, the partner side sets the same in reverse in their proxy-id setting, and there is a static route going to the destinations 192.168.1.0/24 & 192.168.11.0/24 with next-hop st0.1, which binds to the VPN, will VPN traffic still go to both subnets?
    set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 1.1.1.1
    set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 2.2.2.2

    Or does the proxy-identity have to match the local and remote encryption domains?
    Would using 0.0.0.0/0 as the proxy-id instead of 2 TSs on both sides also make it work?

    ------------------------------
    Thanks
    Calvin
    ------------------------------


  • 2.  RE: vpn proxy-id

     
    Posted 06-12-2021 05:57
    Proxy-id is part of the remote/local config negotiation process, and they do have to match.  By default Junos uses 0.0.0.0/0 so that any traffic can be directed to the VPN on either side.  This does not need to be configured explicitly in a route-based VPN but happens automatically.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: vpn proxy-id

    Posted 06-12-2021 08:08
    Thanks for answering. I know both sides have to match, but in what sense: do the source subnet and remote subnet have to match on both sides, or can it just be an arbitrary proxy-id pair agreed on both sides?

    ------------------------------
    Thanks
    Calvin
    ------------------------------



  • 4.  RE: vpn proxy-id

     
    Posted 06-12-2021 09:26
    They must match, meaning the source list on side A must be the same as the destination list on side B.  These are used to create the phase two tunnels for each declared pair.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: vpn proxy-id

    Posted 06-12-2021 10:48
    I understand that bit, i.e. partner A's source list has to match partner B's destination list, and partner A's destination list has to match partner B's source list.
    Does that mean the source & destination list can be some arbitrary subnet which doesn't have to reflect the real source and destination for a route-based VPN, as long as both ends have a route to the real subnet on the other side via the tunnel interface?

    e.g. for a VPN between A & B with A: 10.0.0.1/24 <----------> B: 192.168.1.0/24, can I use proxy-id for A -- local 1.1.1.1, remote 2.2.2.2; proxy-id for B -- local 2.2.2.2, remote 1.1.1.1, instead of proxy-id for A -- local 10.0.0.1/24, remote 192.168.1.0/24; proxy-id for B -- local 192.168.1.0/24, remote 10.0.0.1/24?


    ------------------------------
    Thanks
    Calvin
    ------------------------------



  • 6.  RE: vpn proxy-id

     
    Posted 06-13-2021 05:55
    They do need to have a match for the traffic itself.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: vpn proxy-id

    Posted 06-13-2021 23:31
    Thanks for answering, and thanks to vLab, where I set up the scenario to prove that the proxy-id is just a label and can be arbitrary in a route-based VPN.


    For a route-based VPN, the proxy-id local and remote prefixes can be arbitrary and don't need to match the real subnets, as long as the other side mirrors them in reverse. Though I think this is not good practice, it means that if you have multiple different subnets on the partner side that route via the same remote gateway, you can either leave the proxy-id at the default or set some arbitrary values, without using TS.
    Traffic is still encrypted and passes through to the other side as long as the required traffic is routed through the VPN st0.x interface.

    ------------------------------
    Thanks
    Calvin
    ------------------------------
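
Added example, not from the thread or from Juniper: a minimal two-site route-based VPN that puts Steve's mirroring rule (post 4) and Calvin's lab result (post 7) into Junos set-commands. Site A hosts 10.0.0.0/24 (the thread writes 10.0.0.1/24; the network address is assumed here), site B hosts 192.168.1.0/24 and 192.168.11.0/24. Gateway addresses (203.0.113.x), zone, interface, policy and gateway names are assumed placeholders; the IKE/IPsec proposals, policies, pre-shared key and zone security policies are assumed to exist and are omitted.

```junos
## ---------- Site A (assumed WAN address 203.0.113.1) ----------
set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1
set security ike gateway GW-B ike-policy IKE-POL
set security ike gateway GW-B address 203.0.113.2
set security ike gateway GW-B external-interface ge-0/0/0.0
set security ipsec vpn IPSEC-PROD-VPN bind-interface st0.1
set security ipsec vpn IPSEC-PROD-VPN ike gateway GW-B
set security ipsec vpn IPSEC-PROD-VPN ike ipsec-policy IPSEC-POL
## Arbitrary but mirrored proxy-ids, as tested in the thread. Deleting these
## three lines leaves the Junos default of 0.0.0.0/0 <-> 0.0.0.0/0, which
## negotiates just as well for a route-based VPN.
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 1.1.1.1/32
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity service any
set security ipsec vpn IPSEC-PROD-VPN establish-tunnels immediately
## Routing, not the proxy-id, decides which packets enter the tunnel:
set routing-options static route 192.168.1.0/24 next-hop st0.1
set routing-options static route 192.168.11.0/24 next-hop st0.1

## ---------- Site B (assumed WAN address 203.0.113.2): mirror image ----------
set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1
set security ike gateway GW-A ike-policy IKE-POL
set security ike gateway GW-A address 203.0.113.1
set security ike gateway GW-A external-interface ge-0/0/0.0
set security ipsec vpn IPSEC-PROD-VPN bind-interface st0.1
set security ipsec vpn IPSEC-PROD-VPN ike gateway GW-A
set security ipsec vpn IPSEC-PROD-VPN ike ipsec-policy IPSEC-POL
## Local/remote swapped relative to site A; a mismatch here fails Phase 2.
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 2.2.2.2/32
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity service any
set security ipsec vpn IPSEC-PROD-VPN establish-tunnels immediately
set routing-options static route 10.0.0.0/24 next-hop st0.1

## ---------- Alternative (the "2 TS" option from post 1) ----------
## Instead of the proxy-identity lines, declare the real subnet pairs as
## traffic selectors; one Phase 2 SA is built per pair, and the static
## routes above are no longer needed because the SRX inserts them for each
## selector. Shown for site A only; site B mirrors local-ip/remote-ip.
## set security ipsec vpn IPSEC-PROD-VPN traffic-selector TS-1 local-ip 10.0.0.0/24 remote-ip 192.168.1.0/24
## set security ipsec vpn IPSEC-PROD-VPN traffic-selector TS-2 local-ip 10.0.0.0/24 remote-ip 192.168.11.0/24
```

To confirm what was actually negotiated, `show security ipsec security-associations detail` lists the Local Identity and Remote Identity of each SA; with the config above they read 1.1.1.1/32 and 2.2.2.2/32 on site A, and swapped on site B, while traffic to both 192.168.x.0/24 subnets still flows because the static routes send it into st0.1. The traffic-selector variant is the one to prefer when the peer is a policy-based device or when you want the SA itself, not only the routing table, to bound what each tunnel may carry.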