SRX

Hi there, I've searched the Junos security config guide and this forum too but it's still unclear on how to manually set proxy-id for route-based VPN. The manuals just said it has to match on both ends but it didn't mention how to set it up to match the other end especially the other end is a 3rd party device. And also is there a way to use "ip unnumbered" like SSG for the st0 interface? If SRX is connecting to 3rd party VPN endpoint, they don't care about st0 interface IP at all. So does it matter which IP to use? I just tested in our lab to connect SRX to SSG and I didn't set any IP address in st0.0 at all. The VPN tunnel seems to be working too. So I wonder what's the point of st0 IP? Rgds, Lawrence

root@SRX5800# set ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24

 

... correction

 

set security ipsec vpn vpn-name ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24 service any

Guess it is important to provide the configuration stanza. Sorry about that!

 

[edit security ipsec vpn vpn-name]

root@SRX5800# set ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24

 

 Thanks for catching that oldtimer. Appreciate it

Thanks all. I'll test it in lab later on.

sorry but i need to ask this question ...

 

what is the purpose of specifying proxy-id ?

I have a customer with two networks, how do I add a second network to the remote proxy id?

 

KL_Dane

KL_Dane,

 

You can simply add more pairs of proxy-id one pair for each set of networks that need to communicate with each other.  

 

Note that these must match on to pairs on the other side of the VPN tunnel.

 

I dont have 2 networks in my end, only in the other end.

What i need is something like this, but this command does not exist, i can't find the correct syntax to use:

set ike proxy-identity local 192.168.0.0/24 remote 192.168.1.0/24 remote2 192.168.2.0/24

Proxy-id are done in pairs with local and remote network so in your case the two pari would be.

 

set ike proxy-identity local 192.168.0.0/24 remote 192.168.1.0/24

set ike proxy-identity local 192.168.0.0/24 remote 192.168.2.0/24

 

This connects the local network to both remote networks.  If there were two local and two remote you would need 4 pairs.  

 

Did you actually try your configuration on a live SRX?! there is only one proxy-ID defination is allowed, to get around the limitation, you use traffic-selectors.

Thanks Old Creek, I was confusing proxy-id with traffic selectors.  I saw the main question as how to have only one subnet on local with two on remote.  You need to configure each set as separate pairs.

 

But as you note the proxy-id stanza only allows one, while the traffic selector can have the mulitple.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820