Screen OS

  • 1.  SA usage for many proxy-id

    Posted 03-18-2020 11:02

    Hello!

    I'm using an SSG140 running 6.3.0r17.0, and a customer is asking to establish a VPN to a Cisco ASA 5545. He provided me, as proxy-ids, 10 networks as his local IPs and 15 /32 addresses to which I'll have to NAT my servers' IPs. As long as there is a security association for every proxy-id, in this scenario, is there a way to set up a VPN that will not consume 10 x 15 SAs?

    Thank you in advance

    Bruno


    #proxy-id
    #SA
    #license


  • 2.  RE: SA usage for many proxy-id

    Posted 03-18-2020 11:12

    Hi Bruno,

    I hope you are doing great!

    Please check the following KB:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16008&actp=METADATA&act=login&act=login

    Please read it all, I believe it contains what you need 🙂

    Pablo Restrepo



  • 3.  RE: SA usage for many proxy-id

    Posted 03-18-2020 11:51

    Hi Pablo,

    Thank you for your reply! I hope you are doing great too!

    I understood from the KB that I can, for the same VPN "test", run the command below for each pair of local and remote IPs.

    set vpn test proxy-id local-ip 10.1.1.0/24 remote-ip 20.1.1.0/24 any

    But since there are 15 local IPs for each of the 10 remote ones, when I try the "get sa" command, there will be 150 SAs defined.

    I was trying to understand if the previous way mentioned, using a policy-based VPN, will use fewer SAs and permit NAT of my source IPs.

    I really appreciate your help!

    Best regards,

    Bruno



  • 4.  RE: SA usage for many proxy-id

    Posted 03-18-2020 12:00

    Bruno,

    My pleasure 🙂

    If this solves your problem, please mark this post as "Accepted Solution". Pura vida from Costa Rica 😄

    Pablo Restrepo



  • 5.  RE: SA usage for many proxy-id
    Best Answer

    Posted 03-19-2020 03:19

    "I was trying to understand if the previous way mentioned, using a policy-based VPN, will use fewer SAs and permit NAT of my source IPs."

    No, the number of SAs required is strictly determined by the number of IP address pairs needed for the VPN traffic to be sent.

    If both sides are Juniper then you have the option of using the open proxy-id pair 0.0.0.0/0 to 0.0.0.0/0, which is the default when creating a route-based VPN on both sides. This works with both ScreenOS and Junos.

    NAT can be applied only on a route-based VPN. So you could NAT a number of subnets behind one address and reduce the proxy-id pairs. In that case the IP address you use for NAT is then used for the local side of the pair, and you drop all the subnets that are NATed behind that address.
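What the accepted answer describes, combined with the per-pair proxy-id command from Bruno's earlier post, written out as an added ScreenOS 6.3 configuration example. This is not configuration from the thread, from Juniper's KB, or from either participant; the interface names, the gateway and VPN names, the DIP pool id 4, and all addresses (RFC 5737 documentation ranges for the public side, 172.16.x.0/24 for the customer's networks, 10.1.1.0/24 for the servers) are assumptions, and only two of the ten customer networks are shown. The lines beginning with # are annotations, not ScreenOS commands.

```screenos
# Tunnel interface for the route-based VPN, unnumbered on the untrust egress interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# DIP pool on the tunnel interface holding the single address agreed with the customer
# (assumed: 203.0.113.5). This address, not the 15 real server IPs, becomes the local
# side of every proxy-id.
set interface tunnel.1 dip 4 203.0.113.5 203.0.113.5

# Phase 1 to the ASA (assumed peer 192.0.2.10; the pre-shared key is a placeholder)
set ike gateway gw-asa address 192.0.2.10 main outgoing-interface ethernet0/0 preshare "REPLACE_ME" sec-level standard

# Phase 2, bound to the tunnel interface
set vpn vpn-asa gateway gw-asa sec-level standard
set vpn vpn-asa bind interface tunnel.1

# One proxy-id per customer network with the NAT address as the local side:
# 10 customer networks x 1 local address = 10 pairs instead of 10 x 15 = 150
set vpn vpn-asa proxy-id local-ip 203.0.113.5/32 remote-ip 172.16.1.0/24 any
set vpn vpn-asa proxy-id local-ip 203.0.113.5/32 remote-ip 172.16.2.0/24 any
# ... one further proxy-id line for each of the remaining eight customer networks

# Route the customer networks into the tunnel
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.2.0/24 interface tunnel.1

# Address book entries and a policy that source-NATs the servers from the DIP pool
set address trust servers 10.1.1.0/24
set address untrust customer-net1 172.16.1.0/24
set address untrust customer-net2 172.16.2.0/24
set group address untrust customer-nets add customer-net1
set group address untrust customer-nets add customer-net2
set policy from trust to untrust servers customer-nets any nat src dip-id 4 permit
```

After committing this, `get sa` and `get vpn vpn-asa` should list one SA pair per configured proxy-id. Two checks before relying on it: the ASA's crypto ACL has to mirror every pair exactly (source = the customer network, destination = 203.0.113.5/32), otherwise phase 2 negotiation fails on the proxy-id mismatch; and the reduction only exists if the customer accepts one NAT address (or one block covering the servers) instead of 15 distinct /32s, since each distinct local address he insists on is a separate pair again.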