
[SRX] Unexpected proxy ID match when using overlapping proxy IDs


Article ID: KB26296 | KB Last Updated: 08 Mar 2013 | Version: 1.0
Summary:
This article describes an unexpected proxy ID match that can occur when overlapping proxy IDs are configured on multiple VPNs.
Symptoms:
If multiple VPNs are configured with overlapping proxy IDs, a remote peer's proposal may match a different VPN than the one the administrator expects; the match is not predictable.
Cause:

Solution:
For example, if the following configuration is in place:
vpn A {
    bind-interface st0.1;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.100/32;
            remote 172.16.0.200/32;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
vpn B {
    bind-interface st0.2;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.0/8;
            remote 172.16.0.0/12;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
If the remote peer tries to establish an IPsec tunnel with the following proxy ID:
local 172.16.0.200/32
remote 10.0.0.100/32
service any
It is not guaranteed that VPN A will be matched, as it could match VPN B as well. This match is non-deterministic and not configurable. To avoid such situations, do not use overlapping IP ranges in proxy IDs.
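To make the ambiguity visible before a tunnel is negotiated, an administrator can check a configuration for overlapping proxy IDs offline. The following Python script is an added example written for this article; it is not Juniper code and does not reproduce the SRX matching algorithm. It parses the two flattened `vpn` stanzas shown above (embedded as a constructed sample), lists every VPN whose proxy identity could accept a given peer proposal, and reports pairs of VPNs whose local and remote ranges overlap. The containment rule it applies (the peer's remote must fall inside our local, and the peer's local inside our remote, with `service any` matching anything) is an assumption made for illustration.

```python
"""Find overlapping IPsec proxy IDs in flattened Junos 'vpn' stanzas (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample: the two VPNs from the article, in Junos curly-brace syntax.
SAMPLE_CONFIG = """
vpn A {
    bind-interface st0.1;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.100/32;
            remote 172.16.0.200/32;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
vpn B {
    bind-interface st0.2;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.0/8;
            remote 172.16.0.0/12;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
"""


@dataclass(frozen=True)
class ProxyId:
    vpn: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    service: str


# A top-level 'vpn NAME {' block ends at the first '}' in column 0.
_VPN_RE = re.compile(r"^vpn\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)


def parse_proxy_ids(config_text: str) -> list[ProxyId]:
    """Return one ProxyId per vpn stanza that carries a proxy-identity block."""
    result = []
    for name, body in _VPN_RE.findall(config_text):
        block = re.search(r"proxy-identity\s*\{(.*?)\}", body, re.S)
        if not block:
            continue  # route-based VPN without an explicit proxy ID
        fields = dict(re.findall(r"(local|remote|service)\s+(\S+);", block.group(1)))
        result.append(ProxyId(
            vpn=name,
            local=ipaddress.ip_network(fields["local"]),
            remote=ipaddress.ip_network(fields["remote"]),
            service=fields.get("service", "any"),
        ))
    return result


def _service_compatible(a: str, b: str) -> bool:
    """'any' accepts every service; otherwise the names must be identical."""
    return a == "any" or b == "any" or a == b


def candidates_for_peer(proxy_ids, peer_local, peer_remote, peer_service="any"):
    """Every VPN whose proxy ID could accept the peer's proposal (assumed rule).

    The peer sees the same traffic selector mirrored, so the peer's 'remote'
    must sit inside our 'local' and the peer's 'local' inside our 'remote'.
    More than one name returned means the outcome is ambiguous.
    """
    pl = ipaddress.ip_network(peer_local)
    pr = ipaddress.ip_network(peer_remote)
    return [p.vpn for p in proxy_ids
            if pr.subnet_of(p.local) and pl.subnet_of(p.remote)
            and _service_compatible(p.service, peer_service)]


def overlapping_pairs(proxy_ids):
    """Pairs of VPNs whose local AND remote ranges overlap with compatible services."""
    return [(a.vpn, b.vpn) for a, b in combinations(proxy_ids, 2)
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote)
            and _service_compatible(a.service, b.service)]


if __name__ == "__main__":
    ids = parse_proxy_ids(SAMPLE_CONFIG)
    for a, b in overlapping_pairs(ids):
        print(f"overlapping proxy IDs: vpn {a} and vpn {b}")
    # The peer proposal from the article: both A and B are possible matches.
    print("candidates:", candidates_for_peer(ids, "172.16.0.200/32", "10.0.0.100/32"))
```

Run against a saved `show configuration security ipsec` with the `vpn` stanzas at column 0 (or adjust `_VPN_RE` for the nested form); any pair reported by `overlapping_pairs` is a configuration to split into non-overlapping ranges, as the article advises.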