
[J/SRX] Understanding how proxy IDs (traffic selectors) are generated in route-based and policy-based VPNs

  [KB29364]


Summary:

This article shows how the SRX generates proxy IDs (traffic selectors) for route-based and policy-based VPNs.


Symptoms:

Incorrect proxy IDs can lead to the following VPN issues:

  • The VPN tunnel fails to establish, with "failed to match peer proxy-ids" in the IKE (kmd) log
  • Unstable tunnels
  • Traffic fails on the peer device because it arrives over the wrong VPN tunnel (the wrong IPsec SA)

Cause:

Proxy IDs are validated when the IPsec SA is negotiated (IKEv1 Phase 2, or the IKEv2 child SA). The proxy IDs of the two VPN peers must be an inverse (mirror) match of each other: one side's local must equal the other side's remote, and vice versa:

    J/SRX                         PEER
Local  192.168.1.0/24  \ /  Local  10.10.10.5/32
Remote 10.10.10.5/32   / \  Remote 192.168.1.0/24
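The mirror check above is easy to get wrong by eye when several SAs are involved. The following added example (not part of the original article) parses the "Local Identity" and "Remote Identity" lines of 'show security ipsec security-associations detail' from both peers and reports every side that is not an inverse match. The sample outputs are constructed in the format the article shows, not captured from a device; from_cidrs() is a helper for a peer whose output is not in SRX format.

```python
import ipaddress
import re

# One "Identity:" line of 'show security ipsec security-associations detail'.
# Junos prints <kind>(<protocol>:<port>,[<byte range>]=<address or prefix>).
IDENTITY_RE = re.compile(
    r"^\s*(?P<side>Local|Remote) Identity:\s*"
    r"(?P<kind>\w+)\((?P<proto>[^:]+):(?P<port>\d+),\[[^\]]*\]=(?P<addr>[^)]+)\)",
    re.MULTILINE,
)


def parse_identities(sa_detail):
    """Return {'local': (proto, port, network), 'remote': (...)} from one SA's detail output."""
    ids = {}
    for m in IDENTITY_RE.finditer(sa_detail):
        # A bare address (the ipv4(...) form) becomes a /32; 0.0.0.0/0 stays the 'any' prefix.
        net = ipaddress.ip_network(m.group("addr").strip(), strict=False)
        ids[m.group("side").lower()] = (m.group("proto"), int(m.group("port")), net)
    missing = {"local", "remote"} - set(ids)
    if missing:
        raise ValueError(f"no {', '.join(sorted(missing))} Identity line found")
    return ids


def from_cidrs(local, remote, proto="any", port=0):
    """Build the same structure from prefixes copied off a peer that is not an SRX."""
    return {
        "local": (proto, port, ipaddress.ip_network(local, strict=False)),
        "remote": (proto, port, ipaddress.ip_network(remote, strict=False)),
    }


def _fmt(identity):
    proto, port, net = identity
    return f"{net} {proto}:{port}"


def mirror_mismatches(ours, peer):
    """List every side that is not an inverse match; an empty list means the proxy IDs agree."""
    problems = []
    for our_side, peer_side in (("local", "remote"), ("remote", "local")):
        if ours[our_side] != peer[peer_side]:
            problems.append(
                f"our {our_side} {_fmt(ours[our_side])} != peer {peer_side} {_fmt(peer[peer_side])}"
            )
    return problems


# Constructed sample output in the format the article shows; not captured from a live device.
SRX_SA = """\
ID: 131073 Virtual-system: root, VPN Name: ike-vpn-srx1
Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Remote Identity: ipv4(any:0,[0..3]=10.10.10.5)
"""

# A peer presenting the correct mirror image of the SRX proxy ID (constructed).
PEER_SA_GOOD = """\
Local Identity: ipv4(any:0,[0..3]=10.10.10.5)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
"""

# A peer whose remote is wider than what the SRX advertises (constructed); this is the
# kind of mismatch behind "failed to match peer proxy-ids".
PEER_SA_BAD = """\
Local Identity: ipv4(any:0,[0..3]=10.10.10.5)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.0.0/16)
"""


if __name__ == "__main__":
    ours = parse_identities(SRX_SA)
    for label, peer_text in (("good peer", PEER_SA_GOOD), ("bad peer", PEER_SA_BAD)):
        problems = mirror_mismatches(ours, parse_identities(peer_text))
        print(label, "OK" if not problems else problems)
```

Prefixes are compared as networks, so 10.10.10.5 and 10.10.10.5/32 are treated as the same identity, while a supernet on one side (192.168.0.0/16 against 192.168.1.0/24) is reported as a mismatch rather than silently accepted.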

Solution:

The following shows how proxy IDs (traffic selectors) are generated in route-based and policy-based VPNs.  With this information, you can correctly configure your proxy IDs.

Route-based VPN

For route-based VPNs the proxy ID can be defined explicitly; if none is defined, the system default proxy ID is used.

  • Defined Proxy ID
    When a proxy-identity is defined in the configuration with 'set security ipsec vpn <vpn-name> ike proxy-identity', the configured values are used as the proxy ID during VPN establishment.

    Note: Only one proxy-identity is allowed per 'set security ipsec vpn <vpn-name>' stanza.

        vpn ike-vpn-srx1 {
            bind-interface st0.0;
            ike {
                gateway gw-srx1;
                proxy-identity {
                    local 10.10.10.0/24;
                    remote 192.168.1.0/24;
                }
                ipsec-policy ipsec_pol;
            }
        }
    
        root> show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 131073 Virtual-system: root, VPN Name: ike-vpn-srx1
        Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
        Local Identity: ipv4(any:0,[0..3]=10.10.10.0/24)
        Remote Identity: ipv4(any:0,[0..3]=192.168.1.0/24)
    

  • Undefined Proxy ID
    When no proxy-identity is defined, the system uses its default proxy-identity: 0.0.0.0/0 for both local and remote, with a service of 'any'. The SA output shows this as ipv4_subnet(any:0,[0..7]=0.0.0.0/0).

        vpn ike-vpn-srx1 {
            bind-interface st0.0;
            ike {
                gateway gw-srx1;
                ipsec-policy ipsec_pol;    <---No defined proxy-identity
            }
        }
    
        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173315 Virtual-system: root, VPN Name: ike-vpn-srx1
        Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
        Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
         

Policy-based VPN

For policy-based VPNs the proxy ID is generated from the security policy whose 'permit tunnel ipsec-vpn' action references the VPN. It cannot be overridden with 'set security ipsec vpn <vpn> ike proxy-identity'.

Note: Each security policy bound to the VPN negotiates its own IPsec SA (a separate tunnel), using the proxy ID derived from that policy.

  • Policy using single-item address objects
    The proxy ID is derived from the source-address, destination-address and application of the security policy. In the example below (a from-zone untrust to-zone trust policy) the destination-address becomes the local identity and the source-address the remote identity.

        security-zone trust {
            address-book {
                address local_net 10.10.10.0/24;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address remote_net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    
        from-zone untrust to-zone trust {
            policy vpn_ingress {
                match {
                    source-address remote_net;
                    destination-address local_net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-srx2;
                        }
                    }
                }
            }
        }
    
        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173319 Virtual-system: root, VPN Name: ike-vpn-srx2
        Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
        Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
        Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
        Version: IKEv1
          DF-bit: clear
          Policy-name: vpn_ingress
    
    
  • Policy using multi-cell address objects
    When a policy uses a multi-cell object (more than one address object, or an address-set) for its source-address or destination-address, the system substitutes the default 0.0.0.0/0 for that side of the proxy ID; a side that is still a single address object keeps its prefix, and the service stays 'any'. In the example below the multi-cell destination-address makes the local identity 0.0.0.0/0 while the remote identity remains 192.168.1.0/24. Because the peer must present the exact inverse, its remote identity then has to be 0.0.0.0/0 as well.

        security-zone trust {
            address-book {
                address local_net 10.10.10.0/24;
                address local_net2 10.10.20.0/24;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address remote_net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    
        from-zone untrust to-zone trust {
            policy vpn_ingress {
                match {
                    source-address remote_net;
                    destination-address [local_net local_net2];
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-srx2;
                        }
                    }
                }
            }
        }
    				
        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173321 Virtual-system: root, VPN Name: ike-vpn-srx2
        Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
        Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
        Version: IKEv1
          DF-bit: clear
          Policy-name: vpn_ingress
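The two policy-based cases above follow one rule: each side of the proxy ID is the prefix of a single address object, or 0.0.0.0/0 as soon as that side is multi-cell. The following added example (not part of the original article, and not Junos code) models that rule over the article's address book and policies, then emits the 'set security ipsec vpn <vpn> ike proxy-identity' commands a route-based SRX peer would need to mirror the result. Only 'application any' is modelled; the inbound flag, the VPN name ike-vpn-peer and the treatment of a trust-to-untrust policy (source becomes local) are assumptions made for the example.

```python
import ipaddress

ANY_NETWORK = ipaddress.ip_network("0.0.0.0/0")


def derive_policy_proxy_id(policy, address_book, inbound=True):
    """Proxy ID the SRX builds for a policy with a 'then permit tunnel ipsec-vpn' action.

    policy: {"source-address": [names], "destination-address": [names], "application": "any"}
    address_book: {name: prefix} for single address objects; a name absent from it is
    treated as an address-set (also multi-cell).
    inbound=True models the article's from-zone untrust to-zone trust policy, where the
    destination is the local side; inbound=False (assumption: a trust-to-untrust policy)
    flips that.
    """
    if policy.get("application", "any") != "any":
        raise ValueError("only 'application any' is modelled in this example")

    def side(names):
        # One address object gives its prefix; anything else (several objects or an
        # address-set) is multi-cell and collapses to the system default 0.0.0.0/0.
        if len(names) == 1 and names[0] in address_book:
            return ipaddress.ip_network(address_book[names[0]], strict=False)
        return ANY_NETWORK

    src = side(policy["source-address"])
    dst = side(policy["destination-address"])
    local, remote = (dst, src) if inbound else (src, dst)
    return {"local": local, "remote": remote, "service": "any"}


def peer_proxy_identity_commands(vpn_name, proxy_id):
    """Set commands a route-based SRX peer needs so its proxy-identity is the inverse of ours."""
    base = f"set security ipsec vpn {vpn_name} ike proxy-identity"
    return [
        f"{base} local {proxy_id['remote']}",
        f"{base} remote {proxy_id['local']}",
        f"{base} service {proxy_id['service']}",
    ]


# The article's address book and the two vpn_ingress policies, as plain Python data.
ADDRESS_BOOK = {
    "local_net": "10.10.10.0/24",
    "local_net2": "10.10.20.0/24",
    "remote_net": "192.168.1.0/24",
}
SINGLE_ITEM_POLICY = {
    "source-address": ["remote_net"],
    "destination-address": ["local_net"],
    "application": "any",
}
MULTI_CELL_POLICY = {
    "source-address": ["remote_net"],
    "destination-address": ["local_net", "local_net2"],
    "application": "any",
}


if __name__ == "__main__":
    for name, pol in (("single item", SINGLE_ITEM_POLICY), ("multi-cell", MULTI_CELL_POLICY)):
        pid = derive_policy_proxy_id(pol, ADDRESS_BOOK)
        print(f"{name}: local {pid['local']} remote {pid['remote']}")
        for cmd in peer_proxy_identity_commands("ike-vpn-peer", pid):  # assumed peer VPN name
            print("   ", cmd)
```

For the multi-cell policy the derived proxy ID is local 0.0.0.0/0, remote 192.168.1.0/24, which matches the SA output above; the emitted commands therefore tell the peer to use remote 0.0.0.0/0. If the peer is itself policy-based, its proxy ID comes from its own policy rather than from these commands, so the policy on that side has to produce the same inverse pair.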
    