I just want to know why we use Proxy-identity (local/remote) in VPN. In our design, earlier we were configuring VPNs without Proxy-identities, but after using NAT in our environment, the vendor has configured all the VPNs with Proxy-identities whether using NAT or not. Is this something related to or necessary with NAT, or does it have nothing to do with it? Now I have a habit of configuring every VPN with a proxy-identity, but I can't explain to someone why I did this.
Please refer to this KB for a couple of known use cases:
With proxy-ID, a single VPN (tunnel interface) can have a single local and remote subnet.
Also, please refer to this thread:
With IPsec VPN there is always a proxy-id pair sent. This is part of the standard.
When you don't explicitly configure one on the SRX it will use 0.0.0.0/0 to 0.0.0.0/0, meaning any subnet can be sent or received on the tunnel.
This is the recommended and simplest path.
But most other vendors do not allow this open proxy pair. So we must configure explicit pair(s) for compatibility and for the tunnel to come up.
Traffic selectors allow more than one pair.
The proxy-id configuration item allows only one pair.
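The two configuration styles described above, side by side, as an added example that is not part of the original thread or any Juniper KB. The gateway name, interfaces, key and all addresses (10.10.0.0/16, 10.20.0.0/16, 192.168.1.0/24, 203.0.113.10) are made up for illustration; the IKE/IPsec proposals are ordinary Junos syntax but are an assumption about what the peer accepts, not taken from the thread.

```junos
## --- Shared IKE / IPsec settings (hypothetical names and addresses) ---
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "replace-me"
set security ike gateway GW-BRANCH ike-policy IKE-POL
set security ike gateway GW-BRANCH address 203.0.113.10
set security ike gateway GW-BRANCH external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set interfaces st0 unit 0 family inet

## --- Variant A: explicit proxy-identity (exactly ONE local/remote pair) ---
## Without the three proxy-identity lines the SRX sends 0.0.0.0/0 <-> 0.0.0.0/0.
## A second "proxy-identity local ..." statement simply overwrites the first;
## there is no way to express two pairs here.
set security ipsec vpn VPN-BRANCH bind-interface st0.0
set security ipsec vpn VPN-BRANCH ike gateway GW-BRANCH
set security ipsec vpn VPN-BRANCH ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-BRANCH ike proxy-identity local 10.10.0.0/16
set security ipsec vpn VPN-BRANCH ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn VPN-BRANCH ike proxy-identity service any
set security ipsec vpn VPN-BRANCH establish-tunnels immediately
## Route-based VPN: the route to the remote LAN is entered by hand and is
## independent of the SA state.
set routing-options static route 192.168.1.0/24 next-hop st0.0

## --- Variant B: traffic selectors (SEVERAL pairs on the same tunnel) ---
## proxy-identity and traffic-selector are mutually exclusive on one VPN,
## so delete the proxy-identity lines before adding these. Each selector
## negotiates its own Phase 2 SA, and Junos installs the matching
## remote-ip route into the routing table while that SA is up.
delete security ipsec vpn VPN-BRANCH ike proxy-identity
set security ipsec vpn VPN-BRANCH traffic-selector TS-LAN1 local-ip 10.10.0.0/16
set security ipsec vpn VPN-BRANCH traffic-selector TS-LAN1 remote-ip 192.168.1.0/24
set security ipsec vpn VPN-BRANCH traffic-selector TS-LAN2 local-ip 10.20.0.0/16
set security ipsec vpn VPN-BRANCH traffic-selector TS-LAN2 remote-ip 192.168.1.0/24
delete routing-options static route 192.168.1.0/24

## --- Verification (operational mode) ---
## Variant A shows one SA with "Local Identity: ipv4_subnet(any:0,[0..7]=10.10.0.0/16)";
## Variant B shows one SA per selector, each tagged with its TS name.
## run show security ipsec security-associations detail
## run show security ipsec traffic-selector interface-name st0.0
## run show route 192.168.1.0/24
```

The practical check on either variant is the detail output of `show security ipsec security-associations`: if the local/remote identity printed there is 0.0.0.0/0 and the far end is not an SRX, expect Phase 2 to fail with a "no proposal chosen" or similar selector mismatch until an explicit pair is configured.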
Thanks a lot for the clear explanation of the Proxy-identity. I have also confirmed this with the following command:
"show security ipsec security-associations detail"
Further, I just want to know what's the way around to configure multiple proxy-identities on the following firewalls:
SRX1500 with 17.3R1.10
SRX320 with 15.1X49-D45
We are going to access multiple LANs at the Datacentre (SRX1500) from the branch-end LAN (SRX320) by using Proxy-identities.
We have redundant service providers, and our vendor has told us that traffic-selectors don't work for the auto-shifting of traffic in the event of failure of either ISP link. So we have configured IPsec VPN with proxy-identities, but now our management has asked us to access another LAN from the Datacentre. So now what's the solution to cater for this scenario?
We have configured multiple Proxy-identities on NetScreen devices SSG20 (after updating the OS) and ISG2000. Now we want to achieve the same goal on SRX too.
Traffic selectors is the way to configure multiple proxy-id on the SRX similar to ScreenOS 6.3.
I think we could achieve the same result by configuring multiple IPsec VPNs (each with its own Proxy-identity) against the same IKE gateway, as we did with Traffic Selectors, and in this way we could also keep redundant-link auto-shifting enabled.
What's your stance on this?
If I understand you correctly, yes, you can also configure multiple policy-based VPNs to generate the multiple proxy-id pairs on a VPN tunnel. This is an alternative to using route-based VPN and works under the security policy stanza instead.
I am not sure what you mean by redundant link auto-shifting. But there are VPN failover options if that is what you are getting at.
No, I am talking about route-based VPNs with dual or triple ISP links. If I use traffic-selectors then the route is auto-injected into the routing table and vanishes whenever either VPN is deactivated or the link goes down (fiber-break issue from the ISP side). But if I use Proxy-id then the route is statically entered and stays there even if I deactivate the VPN.
Second question: could we implement multiple local/remote IP pairs with Proxy-ID over the same tunnel and IKE as we do with Traffic-Selectors?
Unfortunately, the proxy-id method only supports a single pair. If you have multiple pairs, your only options are either policy-based VPN or traffic selectors.
I assume the other side is not an SRX or otherwise does not support the open proxy-id.
How are you doing the VPN failover? I wonder if the PBF method will work with traffic selectors on the VPN.
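The policy-based alternative mentioned in the answers above (multiple security policies, each producing its own proxy-id pair on one IKE gateway), as an added example that is not part of the original thread. It assumes an IKE gateway GW-BRANCH and an IPsec policy IPSEC-POL already exist, and the zone names, address-book entries and subnets (10.10.0.0/16, 10.20.0.0/16, 192.168.1.0/24) are made up for illustration.

```junos
## Policy-based VPN object: note there is NO bind-interface and NO st0 route.
## The proxy-id for each Phase 2 SA is derived from the source/destination
## addresses of the security policy that references the VPN.
set security ipsec vpn VPN-BRANCH-PB ike gateway GW-BRANCH
set security ipsec vpn VPN-BRANCH-PB ike ipsec-policy IPSEC-POL

## Hypothetical address-book entries (global book, one object per LAN)
set security address-book global address DC-LAN1 10.10.0.0/16
set security address-book global address DC-LAN2 10.20.0.0/16
set security address-book global address BRANCH-LAN 192.168.1.0/24

## Pair 1: DC-LAN1 <-> BRANCH-LAN  => proxy-id 10.10.0.0/16 <-> 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy TO-BR-LAN1 match source-address DC-LAN1
set security policies from-zone trust to-zone untrust policy TO-BR-LAN1 match destination-address BRANCH-LAN
set security policies from-zone trust to-zone untrust policy TO-BR-LAN1 match application any
set security policies from-zone trust to-zone untrust policy TO-BR-LAN1 then permit tunnel ipsec-vpn VPN-BRANCH-PB
set security policies from-zone trust to-zone untrust policy TO-BR-LAN1 then permit tunnel pair-policy FROM-BR-LAN1
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN1 match source-address BRANCH-LAN
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN1 match destination-address DC-LAN1
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN1 match application any
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN1 then permit tunnel ipsec-vpn VPN-BRANCH-PB
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN1 then permit tunnel pair-policy TO-BR-LAN1

## Pair 2: DC-LAN2 <-> BRANCH-LAN  => proxy-id 10.20.0.0/16 <-> 192.168.1.0/24
## Same IKE gateway, second Phase 2 SA.
set security policies from-zone trust to-zone untrust policy TO-BR-LAN2 match source-address DC-LAN2
set security policies from-zone trust to-zone untrust policy TO-BR-LAN2 match destination-address BRANCH-LAN
set security policies from-zone trust to-zone untrust policy TO-BR-LAN2 match application any
set security policies from-zone trust to-zone untrust policy TO-BR-LAN2 then permit tunnel ipsec-vpn VPN-BRANCH-PB
set security policies from-zone trust to-zone untrust policy TO-BR-LAN2 then permit tunnel pair-policy FROM-BR-LAN2
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN2 match source-address BRANCH-LAN
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN2 match destination-address DC-LAN2
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN2 match application any
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN2 then permit tunnel ipsec-vpn VPN-BRANCH-PB
set security policies from-zone untrust to-zone trust policy FROM-BR-LAN2 then permit tunnel pair-policy TO-BR-LAN2

## Ordering matters: the tunnel policies must sit ABOVE any broad
## trust->untrust "permit" policy (e.g. the Internet-access rule), otherwise
## that rule matches first and the traffic leaves in the clear.
insert security policies from-zone trust to-zone untrust policy TO-BR-LAN1 before policy INTERNET-OUT
insert security policies from-zone trust to-zone untrust policy TO-BR-LAN2 before policy INTERNET-OUT

## Verification: one SA per policy pair, each with its own proxy-id.
## run show security ipsec security-associations detail
## run show security policies policy-name TO-BR-LAN1 detail
```

Because traffic is steered into the tunnel by the policy match rather than by a route, the static-route caveat discussed in this thread does not apply to this variant; the trade-off is that every new subnet pair needs a new policy pair instead of one `traffic-selector` line, and address objects in the policies must be kept exactly in step with what the peer expects as its proxy-id.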