ScreenOS Firewalls (NOT SRX)

funoove (Juniper Employee)
proxy ID in route based IPSec VPN

I have 4 internal servers that will initiate connections to a remote one through an IPSEC VPN.

NATing the destination public IP is needed to avoid routing it in our internal network.

At the same time, the source private IP needs to be NATed to a public one to avoid any IP conflict at the other VPN end (PAT cannot be used as it is not applicable by the other party).

To do so we have to use the route based VPN, which has a 0.0.0.0/0 proxy id by default.

So I have to override it from the phase two configuration.

The issue I face here is that I had to override the proxy id with a /29 subnet to contain the four IPs, but this wasn't accepted by the other party, which has a Cisco gateway and configures the VPN access-lists with hosts (/32) only (4 access-lists). So in order to match these proxy ids I had to configure four VPNs (or four phase 2s) to overcome the proxy id issue and override it to get this VPN working.

Is there any solution for this case other than creating 4 route-based VPNs?

Thanks for any reply in advance
Raheel (Distinguished Expert)

Re: proxy ID in route based IPSec VPN

I don't know if you missed this answer provided by Stefan and Jerrish on one of the aliases:

You can use one or multiple SAs with NATing. The SAs need to match regardless of NAT or no NAT. If you NAT on a ScreenOS device, then your SA on the far-end third-party gateway must anticipate this and use a different ACL. There is an example of how to do this in the ScreenOS Cookbook in chapter 8.19 "Configuring NAT with Policy Based VPN".

Also, the link to configure route based VPN on Cisco IOS routers. The proxy-id on the Cisco device also defaults to 0/0 with route based VPN: http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html

 

Thanks,

Raheel Anwar

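The rule the reply states ("the SAs need to match") is what forces the original poster into four phase-2 configurations. As an added example that is not part of this thread and not Juniper or Cisco code, the script below models mirrored, exact proxy-ID matching for the three pairings discussed: a single /29 proxy ID against four host ACL entries, one /32 proxy ID per server against the same ACL, and 0.0.0.0/0 on both ends as with a Cisco VTI. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the ScreenOS command quoted in the docstring is the `set vpn ... proxy-id` form the poster refers to as overriding phase 2.

```python
"""
Phase-2 proxy-ID matching check.

Added example, not from the original thread or from Juniper/Cisco. It models
the rule the reply states: the phase-2 selectors (proxy IDs on ScreenOS, the
crypto ACL on a Cisco peer) must match on both sides, mirrored. All addresses
are constructed placeholders from the RFC 5737 documentation ranges.
"""
from ipaddress import ip_network

# Constructed scenario: four internal servers are source-NATed on the ScreenOS
# box to 198.51.100.8-11 (inside 198.51.100.8/29); the remote server behind
# the Cisco gateway is 203.0.113.10.
LOCAL_HOSTS = ["198.51.100.8/32", "198.51.100.9/32",
               "198.51.100.10/32", "198.51.100.11/32"]
REMOTE_SERVER = "203.0.113.10/32"

# Cisco-side crypto ACL, one host-to-host entry per server, written as
# (source, destination) as seen from the Cisco gateway.
CISCO_ACL = [(REMOTE_SERVER, h) for h in LOCAL_HOSTS]

# Attempt 1: one ScreenOS proxy ID covering all four servers with a /29.
SUBNET_PROXY_ID = [("198.51.100.8/29", REMOTE_SERVER)]
# Attempt 2: one proxy ID (one phase 2) per server, as the thread ends up doing.
HOST_PROXY_IDS = [(h, REMOTE_SERVER) for h in LOCAL_HOSTS]
# Route-based on both ends (VTI on Cisco): both sides default to 0.0.0.0/0.
DEFAULT_PROXY_ID = [("0.0.0.0/0", "0.0.0.0/0")]
VTI_ACL = [("0.0.0.0/0", "0.0.0.0/0")]


def mirror(selector):
    """A (local, remote) selector as the other peer must express it."""
    local, remote = selector
    return (remote, local)


def negotiated_sas(proxy_ids, peer_acl):
    """Split proposed proxy IDs into those the peer's ACL matches exactly and those it rejects.

    proxy_ids: (local, remote) pairs as set on ScreenOS with
        'set vpn <name> proxy-id local-ip ... remote-ip ...'.
    peer_acl: (source, destination) pairs from the peer's crypto ACL.
    Matching is exact and mirrored, the strict rule the reply describes.
    """
    acl = {(ip_network(s), ip_network(d)) for s, d in peer_acl}
    matched, unmatched = [], []
    for local, remote in proxy_ids:
        proposal = (ip_network(local), ip_network(remote))
        target = matched if mirror(proposal) in acl else unmatched
        target.append((str(proposal[0]), str(proposal[1])))
    return matched, unmatched


def sa_count(proxy_ids, peer_acl):
    """Number of phase-2 SAs that would come up for the given pairing."""
    return len(negotiated_sas(proxy_ids, peer_acl)[0])


if __name__ == "__main__":
    scenarios = [("/29 proxy ID vs host ACLs", SUBNET_PROXY_ID, CISCO_ACL),
                 ("four /32 proxy IDs vs host ACLs", HOST_PROXY_IDS, CISCO_ACL),
                 ("0/0 vs 0/0 (VTI on both ends)", DEFAULT_PROXY_ID, VTI_ACL)]
    for label, ids, acl in scenarios:
        up, rejected = negotiated_sas(ids, acl)
        print(f"{label}: {len(up)} SA(s) up, {len(rejected)} proposal(s) rejected")
```

The first scenario yields no SA, the second yields four (one per phase 2), and the third yields a single SA carrying all traffic, with the address translation handled outside the selector. The check implements only the strict exact-match rule from the reply; some responders will accept a proposal narrower than their own ACL entry, so confirm the peer's actual behaviour rather than assuming either outcome.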