ScreenOS Firewalls (NOT SRX)

proxy ID in route based IPSec VPN

‎06-25-2008 07:43 PM
I have 4 internal servers that will initiate connections to a remote one through an IPSEC VPN.
NATing the destination public IP is needed to avoid routing it in our internal network.
At the same time, the source private IP has to be NATed to a public one to avoid any IP conflict at the other VPN end (PAT cannot be used as it is not applicable by the other party).
To do so we have to use the route based VPN, which has a proxy id by default.
So I have to override it from the phase two configuration.

The issue I face here is that I had to override the proxy id with a /29 subnet to contain the four IPs, but this wasn't accepted by the other party, which has a Cisco gateway and configures the VPN access-lists with hosts (/32) only (4 access-lists). So, in order to match these proxy ids, I had to configure four VPNs (or four phase 2) to overcome the proxy id issue and override it to get this VPN working.
Is there any solution for this case other than creating 4 route-based VPNs?
Thanks for any reply in advance.
Accepted by topic author funoove
‎08-26-2015 01:27 AM

Re: proxy ID in route based IPSec VPN

‎06-25-2008 07:46 PM

I don't know if you missed this answer provided by Stefan and Jerrish on one of the aliases:


You can use one or multiple SAs with NATing. The SAs need to match regardless of NAT or no NAT. If you NAT on a ScreenOS device, then your SA on the far-end third-party gateway must anticipate this and use a different ACL. There is an example of how to do this in the ScreenOS Cookbook in chapter 8.19 "Configuring NAT with Policy Based VPN".


Also the link to configure route based VPN on Cisco IOS routers. The proxy-id on the Cisco device also defaults to 0/0 with route based VPN.



Raheel Anwar


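The mismatch described in this thread can be checked before a change window by comparing the local proxy IDs against the mirrored peer ACL entries. The following is an added example, not part of the original posts or of any vendor tool; the function name and all addresses (documentation ranges) are constructed, and it assumes the peer accepts only exactly mirrored selectors, as the poster found with the /29.

```python
import ipaddress


def _net(s):
    # strict=True rejects entries with host bits set, e.g. 203.0.113.9/29
    return ipaddress.ip_network(s, strict=True)


def compare_selectors(local_proxy_ids, peer_acl):
    """Compare our phase 2 proxy IDs with the peer's crypto ACL entries.

    local_proxy_ids: [(local, remote)] as configured on our gateway.
    peer_acl:        [(source, destination)] as configured on the peer,
                     i.e. the mirror image of our view.
    """
    ours = {(_net(l), _net(r)) for l, r in local_proxy_ids}
    # Flip the peer entries into our point of view:
    # their destination is our local side, their source is our remote side.
    theirs = {(_net(dst), _net(src)) for src, dst in peer_acl}
    exact = ours & theirs
    covered = set()
    for t_local, t_remote in theirs - exact:
        for o_local, o_remote in ours - exact:
            # Contained in a wider local selector, but not identical to it
            if t_local.subnet_of(o_local) and t_remote.subnet_of(o_remote):
                covered.add((t_local, t_remote))
    return {
        "matched": sorted(exact),
        "covered_only": sorted(covered),
        "peer_unmatched": sorted(theirs - exact - covered),
        "local_unmatched": sorted(ours - exact),
    }


# Constructed sample data: four NATed source hosts and one remote server.
REMOTE = "198.51.100.20/32"
HOSTS = ["203.0.113.9/32", "203.0.113.10/32",
         "203.0.113.11/32", "203.0.113.12/32"]
PEER_ACL = [(REMOTE, h) for h in HOSTS]   # peer side: four host entries
SINGLE_29 = [("203.0.113.8/29", REMOTE)]  # one proxy ID covering all hosts
FOUR_32 = [(h, REMOTE) for h in HOSTS]    # one proxy ID per host

if __name__ == "__main__":
    for name, ids in (("single /29", SINGLE_29), ("four /32", FOUR_32)):
        result = compare_selectors(ids, PEER_ACL)
        print(name, {k: len(v) for k, v in result.items()})
```

Entries reported under `covered_only` are the case from the question: the local selector contains the peer's host entry but is not identical to it.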