SRX


vpn proxy-id

  • 1.  vpn proxy-id

    Posted 06-12-2021 00:16
    Hi, does anyone know if the prefix in the proxy-id matters in a route-based VPN on Juniper SRX? I suppose the local and remote proxy-ids can be random and do not need to match the source and destination subnets, given that both sides are matching the same set of proxy-ids?
    e.g.
    local enc domain            remote encryption domain
    10.0.0.1/24 >----------> 192.168.1.0/24 and 192.168.11.0/24

    If I set the following in the VPN config, the partner side sets the same in reverse in their proxy-id setting, and I have a static route to the destinations 192.168.1.0/24 & 192.168.11.0/24 with next-hop st0.1, which binds to the VPN, will VPN traffic still go to both subnets?
    set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 1.1.1.1
    set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 2.2.2.2

    Or do the proxy-identities have to match the local and remote encryption domains?
    Would using 0.0.0.0/0 as the proxy-id on both sides, instead of 2 TS, also make it work?

    ------------------------------
    Thanks
    Calvin
    ------------------------------


  • 2.  RE: vpn proxy-id

     
    Posted 06-12-2021 05:57
    Proxy ID is part of the remote/local config negotiation process, and they do have to match.  By default Junos uses 0.0.0.0/0 so that any traffic can be directed to the VPN on either side.  This does not need to be configured explicitly in a route-based VPN; it happens automatically.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: vpn proxy-id

    Posted 06-12-2021 08:08
    Thanks for answering. I know both sides have to match, but in what sense? Do the source subnet and remote subnet have to match on both sides, or can it be just an arbitrary proxy-id pair agreed on both sides?

    ------------------------------
    Thanks
    Calvin
    ------------------------------



  • 4.  RE: vpn proxy-id

     
    Posted 06-12-2021 09:26
    They must match, meaning the source list on side A must be the same as the destination list on side B.  These are used to create the phase two tunnels for each declared pair.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: vpn proxy-id

    Posted 06-12-2021 10:48
    I understand that bit, i.e. partner A's source list has to match partner B's destination list, and partner A's destination list has to match partner B's source list.
    Does that mean the source & destination lists can be some arbitrary subnets which don't have to reflect the real source and destination for a route-based VPN, as long as both ends have a route to the real subnet on the other side via the tunnel interface?

    e.g. for a VPN between A & B with A: 10.0.0.1/24 <----------> B: 192.168.1.0/24, can I use proxy-id for A: local 1.1.1.1, remote 2.2.2.2; proxy-id for B: local 2.2.2.2, remote 1.1.1.1, instead of proxy-id for A: local 10.0.0.1/24, remote 192.168.1.0/24; proxy-id for B: local 192.168.1.0/24, remote 10.0.0.1/24?


    ------------------------------
    Thanks
    Calvin
    ------------------------------



  • 6.  RE: vpn proxy-id

     
    Posted 06-13-2021 05:55
    They do need to have a match for the traffic itself.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: vpn proxy-id

    Posted 06-13-2021 23:31
    Thanks for answering, and thanks to vLab, where I set up the scenario to prove that the proxy-id is just a label and can be arbitrary in a route-based VPN.


    For a route-based VPN, the proxy-id local and remote prefixes can be arbitrary and don't need to match the real subnets as long as the other side mirrors them in reverse. Though I think this is not good practice, it means that if you have multiple different subnets on the partner side that route via the same remote gateway, you either leave the proxy-id as default or use some arbitrary values without using TS.
    Traffic is still encrypted and passes through to the other side as long as the required traffic is routed through the VPN st0.x interface.

    ------------------------------
    Thanks
    Calvin
    ------------------------------
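Since the thread's conclusion is that the two proxy-identity pairs only have to mirror each other (A's local is B's remote and vice versa), here is an added example, not from the original thread or from Juniper, that reads the proxy-identity lines from both peers' Junos set-format configuration and reports whether they mirror, applying the 0.0.0.0/0 default Steve mentions whenever a side leaves it unset. The two sample configurations are constructed from the thread's values; treating a host-style prefix such as 10.0.0.1/24 as its containing network is an assumption made here for the comparison.

```python
import ipaddress
import re

# Junos falls back to 0.0.0.0/0 when no proxy-identity is configured (per the thread).
DEFAULT_PROXY_ID = "0.0.0.0/0"

_PROXY_RE = re.compile(
    r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote) (\S+)$"
)


def proxy_ids_for(set_lines, vpn_name):
    """Return {"local": net, "remote": net} for one VPN from its 'set' lines.

    A side that is not configured keeps the Junos default of 0.0.0.0/0.
    A host-style prefix such as 10.0.0.1/24 is normalized to 10.0.0.0/24
    (assumption made here so both peers' values compare cleanly).
    """
    ids = {
        "local": ipaddress.ip_network(DEFAULT_PROXY_ID),
        "remote": ipaddress.ip_network(DEFAULT_PROXY_ID),
    }
    for line in set_lines:
        match = _PROXY_RE.match(line.strip())
        if match and match.group(1) == vpn_name:
            ids[match.group(2)] = ipaddress.ip_network(match.group(3), strict=False)
    return ids


def proxy_ids_mirror(side_a, side_b):
    """Phase 2 only negotiates when A's local is B's remote and A's remote is B's local."""
    return side_a["local"] == side_b["remote"] and side_a["remote"] == side_b["local"]


# Constructed sample configs using the thread's arbitrary proxy-id pair.
SIDE_A = [
    "set security ipsec vpn IPSEC-PROD-VPN bind-interface st0.1",
    "set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 1.1.1.1",
    "set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 2.2.2.2",
]
SIDE_B = [
    "set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity local 2.2.2.2",
    "set security ipsec vpn IPSEC-PROD-VPN ike proxy-identity remote 1.1.1.1",
]
# A peer that left the proxy-identity at the Junos default: phase 2 will not match side A.
SIDE_B_DEFAULT = ["set security ipsec vpn IPSEC-PROD-VPN bind-interface st0.1"]

if __name__ == "__main__":
    a = proxy_ids_for(SIDE_A, "IPSEC-PROD-VPN")
    print("mirrors peer B:", proxy_ids_mirror(a, proxy_ids_for(SIDE_B, "IPSEC-PROD-VPN")))
    print("mirrors default peer:", proxy_ids_mirror(a, proxy_ids_for(SIDE_B_DEFAULT, "IPSEC-PROD-VPN")))
```

Running it prints True for the mirrored pair and False for the peer left at the default, which is the mismatch that shows up as a phase 2 failure when only one side sets a proxy-identity.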