I just want to know why we use Proxy-identity (local/remote) in VPN? In our design, earlier we were configuring VPNs without Proxy-identities, but after using NAT in our environment, the vendor has configured all the VPNs with Proxy-identities, whether using NAT or not. Is this something related to or necessary with NAT, or has it nothing to do with it? Now I have a habit of configuring every VPN with a proxy-identity, but I can't explain to someone why I did this.
Further, I just want to know what's the way around to configure multiple proxy-identities on the following firewalls:
SRX1500 with 17.3R1.10
SRX320 with 15.1X49-D45
We are going to access multiple LANs at the Datacentre (SRX1500) from the branch-end LAN (SRX320) by using Proxy-identities.
We have redundant service providers, and our vendor has told us that traffic-selectors don't work with the auto-shifting of traffic in the event of failure of either ISP link. So we have configured IPsec VPN with proxy-identities, but now our management has asked us to access another LAN from the Datacentre. So now what's the solution to cater for this scenario?
We have configured multiple Proxy-identities on NetScreen devices SSG20 (after updating the OS) and ISG2000. Now we want to achieve the same goal on SRX too.
I think we could achieve the same result by configuring multiple IPsec (Proxy-identity) against the same IKE, as we did with Traffic Selectors, and in this way we could also have redundant link auto-shifting enabled.
If I understand you correctly, yes, you can also configure multiple policy-based VPNs to generate the multiple proxy-id pairs on a VPN tunnel. This is an alternative to using route-based VPN and works under the security policy stanza instead.
I am not sure what you mean by redundant link auto-shifting. But there are VPN failover options if that is what you are getting at.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
No, I am talking about route-based VPNs with dual or triple ISP links. If I use traffic-selectors, then the route is auto-injected into the routing table and vanishes whenever either VPN is deactivated or the link goes down (fiber-break issue from the ISP side). But if I use Proxy-ID, then the route is statically entered and stays there even if I deactivate the VPN.
Second question is whether we could implement multiple local-remote IP pairs with Proxy ID over the same tunnel and IKE as we do with Traffic-Selector?