[SRX] Unexpected proxy ID match when using overlapping proxy IDs

  [KB26296]


Summary:
This article describes why an IPsec tunnel can come up on an unexpected VPN when several VPNs on the same IKE gateway are configured with overlapping proxy IDs.
Symptoms:
If multiple VPNs on the same IKE gateway are configured with proxy IDs that overlap, the VPN that a peer's proposal is matched to is not predictable: the tunnel may be bound to a different st0 interface than intended.
Cause:

Solution:
For example, if the following configuration is in place:
vpn A {
    bind-interface st0.1;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.100/32;
            remote 172.16.0.200/32;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
vpn B {
    bind-interface st0.2;
    ike {
        gateway my_ike_gw;
        proxy-identity {
            local 10.0.0.0/8;
            remote 172.16.0.0/12;
            service any;
        }
        ipsec-policy my_ipsec_policy;
    }
}
If the remote peer tries to establish an IPsec tunnel with the following proxy ID:
local 172.16.0.200/32
remote 10.0.0.100/32
service any
It is not guaranteed that VPN A will be matched, because the proposal also falls within VPN B: the peer's remote 10.0.0.100/32 is contained in both 10.0.0.100/32 and 10.0.0.0/8, and the peer's local 172.16.0.200/32 is contained in both 172.16.0.200/32 and 172.16.0.0/12. There is no longest-match preference for the more specific proxy ID; which VPN is selected is non-deterministic and cannot be configured. If VPN B is selected, the tunnel is bound to st0.2 instead of st0.1, so routes and security policies written for st0.1 do not apply to that traffic. Which VPN an established tunnel actually landed on can be confirmed with show security ipsec security-associations detail, which lists the negotiated proxy IDs for each SA. To avoid such situations, do not use overlapping IP ranges in the proxy IDs of VPNs that share an IKE gateway.
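The following Python script is an added example, not Juniper code from this article. It models the matching rule the article illustrates (a configured proxy ID accepts a peer proposal whose local/remote selectors, mirrored, fall within it) and lints a list of VPNs for pairs on the same gateway that could both accept one proposal. The matching rule and the "fixed" configuration using 192.168.0.0/16 are assumptions made for the example; the two VPNs and the peer proposal are the ones shown above.

```python
"""Model the proxy-ID ambiguity from KB26296 and lint VPNs for it.

Added example, not Juniper code. The rule that a configured proxy ID
accepts any peer proposal contained within it (local/remote mirrored)
is an assumption taken from the article's example, not a statement of
the SRX implementation."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProxyId:
    local: str    # prefix on our side, e.g. "10.0.0.100/32"
    remote: str   # prefix on the peer's side
    service: str = "any"


@dataclass(frozen=True)
class Vpn:
    name: str
    gateway: str          # IKE gateway name; only VPNs on one gateway compete
    bind_interface: str   # st0.x unit the tunnel is bound to
    proxy_id: ProxyId


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


def _services_compatible(a: str, b: str) -> bool:
    # "any" matches everything; otherwise the service names must be equal
    return a == "any" or b == "any" or a == b


def proxy_id_accepts(configured: ProxyId, peer: ProxyId) -> bool:
    """True if the configured proxy ID accepts the peer's proposal.

    The peer's 'local' is our 'remote' and vice versa, so the check is
    mirrored. Mixed IPv4/IPv6 selectors never match."""
    our_local, our_remote = _net(configured.local), _net(configured.remote)
    peer_local, peer_remote = _net(peer.local), _net(peer.remote)
    if (our_local.version != peer_remote.version
            or our_remote.version != peer_local.version):
        return False
    return (peer_remote.subnet_of(our_local)
            and peer_local.subnet_of(our_remote)
            and _services_compatible(configured.service, peer.service))


def candidate_vpns(vpns: List[Vpn], gateway: str, peer: ProxyId) -> List[str]:
    """Names of every VPN on this gateway that accepts the proposal.
    More than one name means the selection is ambiguous."""
    return [v.name for v in vpns
            if v.gateway == gateway and proxy_id_accepts(v.proxy_id, peer)]


def overlapping_proxy_ids(vpns: List[Vpn]) -> List[Tuple[str, str]]:
    """Config lint: pairs of VPNs on the same IKE gateway whose proxy IDs
    overlap on local AND remote (and service), so that some proposal
    could match either one. Overlap on only one side is harmless."""
    found = []
    for i, a in enumerate(vpns):
        for b in vpns[i + 1:]:
            if a.gateway != b.gateway:
                continue
            if (_net(a.proxy_id.local).overlaps(_net(b.proxy_id.local))
                    and _net(a.proxy_id.remote).overlaps(_net(b.proxy_id.remote))
                    and _services_compatible(a.proxy_id.service, b.proxy_id.service)):
                found.append((a.name, b.name))
    return found


# The two VPNs from the article, both on gateway my_ike_gw.
ARTICLE_VPNS = [
    Vpn("A", "my_ike_gw", "st0.1", ProxyId("10.0.0.100/32", "172.16.0.200/32")),
    Vpn("B", "my_ike_gw", "st0.2", ProxyId("10.0.0.0/8", "172.16.0.0/12")),
]

# Same VPNs with B's remote moved to a range that cannot contain A's /32.
# 192.168.0.0/16 is a constructed value for this example, not from the article.
FIXED_VPNS = [
    ARTICLE_VPNS[0],
    Vpn("B", "my_ike_gw", "st0.2", ProxyId("10.0.0.0/8", "192.168.0.0/16")),
]

# The proposal the article's remote peer sends (its local is our remote).
PEER_PROPOSAL = ProxyId(local="172.16.0.200/32", remote="10.0.0.100/32")


if __name__ == "__main__":
    print("overlaps:", overlapping_proxy_ids(ARTICLE_VPNS))
    print("matches:", candidate_vpns(ARTICLE_VPNS, "my_ike_gw", PEER_PROPOSAL))
    print("fixed overlaps:", overlapping_proxy_ids(FIXED_VPNS))
    print("fixed matches:", candidate_vpns(FIXED_VPNS, "my_ike_gw", PEER_PROPOSAL))
```

On the article's configuration the lint reports the pair (A, B) and the proposal matches both VPNs; with B's remote moved out of 172.16.0.0/12 the lint is clean and only VPN A accepts the proposal. The lint deliberately flags a pair only when local and remote both overlap, which is the exact condition under which one proposal can satisfy two proxy IDs; the script does not parse Junos configuration, so the Vpn entries have to be filled in from show configuration security ipsec.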