SRX Services Gateway

Why Use Proxy-identity in VPN?

02-19-2018 09:11 AM

Hello everyone,

I just want to know why we use Proxy-identity (local/remote) in VPN. In our design, earlier we were configuring VPNs without Proxy-identities, but after using NAT in our environment, the vendor has configured all the VPNs with Proxy-identities whether using NAT or not. Is this something related to or necessary with NAT, or has it nothing to do with it? Now I have a habit of configuring every VPN with a proxy-identity, but I can't explain to someone why I did this.

Re: Why Use Proxy-identity in VPN?

02-19-2018 09:28 AM

Hi,

Please refer to this KB for a couple of known use cases:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA

/Karan Dhanak
Re: Why Use Proxy-identity in VPN?

02-19-2018 09:39 AM

With proxy-ID, a single VPN (tunnel interface) can have a single local and remote subnet.

Also, please refer to this thread:

https://forums.juniper.net/t5/SRX-Services-Gateway/Proxy-ID/td-p/305951

/Karan Dhanak
Solution accepted by topic author AZkhan on 02-20-2018 09:27 AM

Re: Why Use Proxy-identity in VPN?

02-20-2018 03:09 AM

With IPsec VPN there is always a proxy-id pair sent. This is part of the standard.

When you don't explicitly configure one on the SRX it will use 0.0.0.0/0 to 0.0.0.0/0, meaning any subnet can be sent or received on the tunnel.

This is the recommended and simplest path.

But most other vendors do not allow this open proxy pair. So we must configure explicit pair(s) for compatibility and for the tunnel to come up.

Traffic selectors allow more than one pair.

The proxy-id configuration item allows only one pair.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: Why Use Proxy-identity in VPN?

02-20-2018 09:44 AM

Thanks a lot for the clear explanation of the Proxy-identity. I have also confirmed this with the following command:

"show security ipsec security-associations detail"

Further, I just want to know what the way around is to configure multiple proxy-identities on the following firewalls:

SRX1500 with 17.3R1.10

SRX320 with 15.1X49-D45

We are going to access multiple LANs at the Datacentre (SRX1500) from the branch-end LAN (SRX320) by using Proxy-identities.

We have redundant service providers, and our vendor has told us that traffic-selectors don't work in the auto-shifting of traffic in the event of failure of either ISP link. So we have configured IPsec VPN with proxy-identities, but now our management has asked us to access another LAN from the Datacentre. So now what's the solution to cater for this scenario?

We have configured multiple Proxy-identities on NetScreen devices SSG20 (after updating OS) and ISG2000. Now we want to achieve the same goal on SRX too.

Re: Why Use Proxy-identity in VPN?

02-21-2018 02:29 AM

Traffic selectors are the way to configure multiple proxy-ids on the SRX, similar to ScreenOS 6.3.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
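An added example, not from any post in this thread or from the linked KBs: set-style Junos configuration putting the single proxy-identity pair described in the accepted answer beside the traffic-selector form that carries several pairs on one gateway, as the reply above recommends. The interface, gateway, policy and selector names and the 10.x subnets are placeholders of my own.

```junos
# Option A: one explicit proxy-identity pair (a single local/remote subnet).
# Omitting the proxy-identity stanza sends 0.0.0.0/0 <-> 0.0.0.0/0 instead.
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-branch ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn-branch ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn vpn-branch ike proxy-identity service any
# The route to the remote LAN is entered by hand, so it stays in the table
# even while the VPN is deactivated.
set routing-options static route 10.2.0.0/24 next-hop st0.0

# Option B: traffic selectors, one local/remote pair per selector, on the
# same gateway. Delete the proxy-identity stanza first; a vpn cannot carry
# both proxy-identity and traffic-selector at the same time.
delete security ipsec vpn vpn-branch ike proxy-identity
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-branch traffic-selector ts-lan1 local-ip 10.1.0.0/24
set security ipsec vpn vpn-branch traffic-selector ts-lan1 remote-ip 10.2.0.0/24
set security ipsec vpn vpn-branch traffic-selector ts-lan2 local-ip 10.1.1.0/24
set security ipsec vpn vpn-branch traffic-selector ts-lan2 remote-ip 10.2.0.0/24
# No static route here: auto route insertion adds 10.2.0.0/24 via st0.0 when
# each selector's SA comes up and withdraws it when the SA goes down.

# Check which pairs were actually negotiated with the peer, and which
# route is currently active for the remote LAN:
# run show security ipsec security-associations detail
# run show route 10.2.0.0/24
```

Each traffic selector negotiates its own Phase 2 SA, so the security-associations output should list one SA per selector with the local/remote identity the peer agreed to.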
Re: Why Use Proxy-identity in VPN?

07-24-2018 12:46 AM

I think we could achieve the same result by configuring multiple IPsec VPNs (Proxy-identity) against the same IKE as we did with Traffic Selectors, and in this way we could also have redundant link auto-shifting enabled.

What's your stance on this?

@spuluka
Re: Why Use Proxy-identity in VPN?

07-24-2018 02:43 AM

If I understand you correctly, yes, you can also configure multiple policy-based VPNs to generate multiple proxy-id pairs on a VPN tunnel. This is an alternative to using route-based VPN and works under the security policy stanza instead.

I am not sure what you mean by redundant link auto shifting. But there are VPN failover options if that is what you are getting at.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: Why Use Proxy-identity in VPN?

08-15-2018 11:42 AM

No, I am talking about route-based VPNs with dual or triple ISP links. If I use traffic-selectors then the route is auto-injected into the routing table and vanishes whenever either VPN is deactivated or the link goes down (fiber-break issue from the ISP side). But if I use Proxy-id then the route is statically entered and stays there even if I deactivate the VPN.

Second question is whether we could implement multiple local-remote IP pairs with Proxy ID over the same tunnel and IKE as we do with Traffic-Selector?

Re: Why Use Proxy-identity in VPN?

08-16-2018 02:35 AM

Unfortunately, the proxy-id method only supports a single pair. If you have multiple pairs your only option is either policy VPN or traffic selectors.

I assume the other side is not SRX or otherwise does not support the open proxy-id.

How are you doing the VPN failover? I wonder if the PBF method will work with traffic selectors on the VPN.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home