
[SRX] Understanding how proxy IDs are generated in route-based and policy-based VPNs


Article ID: KB29364 | KB Last Updated: 31 Dec 2020 | Version: 3.0
Summary:
 

This article explains how proxy IDs are generated on SRX devices (traffic selectors) when route-based and policy-based VPNs are configured.

 

Symptoms:
 

Incorrect proxy IDs can lead to the following VPN issues:

  • Inability to establish a VPN tunnel due to "failed to match peer proxy-ids" problem

  • Unstable tunnels

  • Traffic failing to pass on the peer device because it arrives on the wrong VPN tunnel

 

Cause:
 

Proxy IDs are validated during VPN tunnel establishment: each peer's local proxy ID must equal the other peer's remote proxy ID, and vice versa, so the two sides are an inverse match of one another:

    SRX                         PEER

Local  192.168.1.0/24  \ /  Local  10.10.10.5/32
Remote 10.10.10.5/32   / \  Remote 192.168.1.0/24

 

Solution:
 

The following shows how proxy IDs (traffic selectors) are generated in route-based and policy-based VPNs. With this information, you can correctly configure your proxy IDs.

 

Route-based VPN

  • Defined Proxy ID 

Proxy ID generation for route-based VPNs can be defined explicitly. If it is not defined, a default proxy ID will be used.

When a proxy-identity is defined in the configuration by using set security ipsec vpn <vpn-name> ike proxy-identity, the local and remote identities used during VPN establishment are the values that have been configured.

Note: Only one proxy-identity is allowed per set security ipsec vpn <vpn-name> stanza.

vpn ike-vpn-srx1 {
    bind-interface st0.0;
    ike {
        gateway gw-srx1;
        proxy-identity {
            local 10.10.10.0/24;
            remote 192.168.1.0/24;
        }
        ipsec-policy ipsec_pol;
    }
}

root> show security ipsec security-associations detail
--------------------------------------------------------------------------
ID: 131073 Virtual-system: root, VPN Name: ike-vpn-srx1
Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
Local Identity: ipv4(any:0,[0..3]=10.10.10.0/24)
Remote Identity: ipv4(any:0,[0..3]=192.168.1.0/24)

  • Undefined Proxy ID

When no proxy-identity is defined, the system uses a default proxy-identity, which is 0.0.0.0/0 for both local and remote with a service of "any".

vpn ike-vpn-srx1 {
    bind-interface st0.0;
    ike {
        gateway gw-srx1;
        ipsec-policy ipsec_pol;    <---No defined proxy-identity
    }
}

root# run show security ipsec security-associations detail
--------------------------------------------------------------------------
ID: 268173315 Virtual-system: root, VPN Name: ike-vpn-srx1
Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

  • Defined traffic-selector

When a traffic-selector is defined in the configuration by using set security ipsec vpn <vpn-name> traffic-selector <traffic-selector name>, the local and remote identities used in IPsec VPN establishment are the values that have been configured. With this feature, you can configure several traffic selectors under one VPN and create multiple IPsec security associations (SAs), one per traffic selector.

  • Starting with Junos OS Release 12.1X46-D10 and Junos OS Release 17.3R1, traffic selectors can be configured with IKEv1 site-to-site VPNs. 

  • Starting with Junos OS Release 15.1X49-D100, traffic selectors can be configured with IKEv2 site-to-site VPNs.

vpn ipsec-vpn-LAB {
    bind-interface st0.0;
    ike {
        gateway ike-gate-LAB;
        ipsec-policy ipsec-policy-LAB;
    }
    traffic-selector TS1 {
        local-ip 10.10.10.0/24;
        remote-ip 192.168.1.0/24;
    }
}

root> run show security ipsec security-associations detail
----------------------------------------------------------------------------------
ID: 67108865 Virtual-system: root, VPN Name: ipsec-vpn-LAB
  Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2
  Traffic Selector Name: TS1
  Local Identity: ipv4(10.10.10.0-10.10.10.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
 
 

Policy-based VPN

Proxy ID generation for policy-based VPNs is based on the security policy that is bound to the VPN, and cannot be overridden by a proxy-identity configured under the set security ipsec vpn <vpn-name> ike stanza.

Note: For each security policy that is bound to a VPN, a new VPN tunnel will be built by using the proxy-identity based on each security policy.

  • Policy using single item address objects

A proxy-identity is based on the source-address, the destination-address, and the application listed in the security policy. 

security-zone trust {
    address-book {
        address local_net 10.10.10.0/24;
    }
    interfaces {
        ge-0/0/2.0;
    }
}
security-zone untrust {
    address-book {
        address remote_net 192.168.1.0/24;
    }
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}

from-zone untrust to-zone trust {
    policy vpn_ingress {
        match {
            source-address remote_net;
            destination-address local_net;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ike-vpn-srx2;
                }
            }
        }
    }
}

root# run show security ipsec security-associations detail
--------------------------------------------------------------------------
ID: 268173319 Virtual-system: root, VPN Name: ike-vpn-srx2
Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Version: IKEv1
 DF-bit: clear
 Policy-name: vpn_ingress

  • Policy using multi-cell address objects

When a multi-cell object (several address objects or an address-set) is used in a security policy, the system substitutes the system default proxy ID for that multi-cell object; a single-item object on the other side of the policy keeps its configured address. The default proxy ID is 0.0.0.0/0 for local and remote with a service of "any".

security-zone trust {
    address-book {
        address local_net 10.10.10.0/24;
        address local_net2 10.10.20.0/24;
    }
    interfaces {
        ge-0/0/2.0;
    }
}
security-zone untrust {
    address-book {
        address remote_net 192.168.1.0/24;
    }
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}

from-zone untrust to-zone trust {
    policy vpn_ingress {
        match {
            source-address remote_net;
            destination-address [local_net local_net2];
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ike-vpn-srx2;
                }
            }
        }
    }
}

root# run show security ipsec security-associations detail
--------------------------------------------------------------------------
ID: 268173321 Virtual-system: root, VPN Name: ike-vpn-srx2
Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Version: IKEv1
 DF-bit: clear
 Policy-name: vpn_ingress
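As an added illustration of the rules in the Cause and Policy-based VPN sections (this is example code, not Junos or a Juniper tool), the following Python derives the proxy ID a policy-based VPN will use from the bound security policy, collapsing any multi-cell object to 0.0.0.0/0, and applies the inverse-match check against the peer's proxy IDs. The address book, policies and the ingress flag (policy destination is the SRX local side, as in the article's from-zone untrust to-zone trust example) are constructed assumptions.

```python
"""Added example (not Junos code): derive the proxy ID an SRX policy-based
VPN uses from the bound security policy and check the inverse match
against the peer, following the rules described in this article."""
import ipaddress

DEFAULT_ID = ipaddress.ip_network("0.0.0.0/0")   # system default, service "any"

def resolve_cell(cell, address_book):
    """One named object resolves to its address-book prefix; a multi-cell
    object (a list of names, i.e. several objects or an address-set) or
    'any' becomes the system default 0.0.0.0/0."""
    if isinstance(cell, (list, tuple, set)):
        return resolve_cell(next(iter(cell)), address_book) if len(cell) == 1 else DEFAULT_ID
    if cell == "any":
        return DEFAULT_ID
    return ipaddress.ip_network(address_book[cell])

def policy_proxy_ids(policy, address_book, ingress=True):
    """Proxy ID derived from the policy bound to the VPN. ingress=True models a
    from-zone untrust to-zone trust policy as in the article: the policy's
    destination-address is the SRX local side and source-address the remote."""
    src = resolve_cell(policy["source-address"], address_book)
    dst = resolve_cell(policy["destination-address"], address_book)
    local, remote = (dst, src) if ingress else (src, dst)
    return local, remote, policy.get("application", "any")

def inverse_match(local_a, remote_a, local_b, remote_b):
    """Each side's local ID must equal the other side's remote ID; anything
    else is the 'failed to match peer proxy-ids' condition."""
    return local_a == remote_b and remote_a == local_b

def check_peer(policy, address_book, peer_local, peer_remote, ingress=True):
    """Return (local_id, remote_id, ok) for a policy versus a peer's proxy IDs."""
    local, remote, _ = policy_proxy_ids(policy, address_book, ingress)
    ok = inverse_match(local, remote,
                       ipaddress.ip_network(peer_local), ipaddress.ip_network(peer_remote))
    return str(local), str(remote), ok

# Constructed address book and policies mirroring the article's samples.
BOOK = {"local_net": "10.10.10.0/24", "local_net2": "10.10.20.0/24",
        "remote_net": "192.168.1.0/24"}
SINGLE = {"source-address": "remote_net", "destination-address": "local_net"}
MULTI = {"source-address": "remote_net",
         "destination-address": ["local_net", "local_net2"]}

if __name__ == "__main__":
    # Peer configured as the exact inverse of the single-item policy; the
    # multi-cell policy then fails because its local side became 0.0.0.0/0.
    for name, pol in (("single", SINGLE), ("multi-cell", MULTI)):
        print(name, check_peer(pol, BOOK, "192.168.1.0/24", "10.10.10.0/24"))
```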

 

Modification History:
 
  • 2020-12-31: Article checked for accuracy and modified to reflect latest information; traffic selector logic added

  • 2020-06-26: Article reviewed for accuracy. Article is correct and complete.

 
