[J/SRX] Understanding how proxy IDs (traffic selectors) are generated in route-based and policy-based VPNs


Article ID: KB29364 | Last Updated: 04 Dec 2014 | Version: 1.0
Summary:

This article shows how SRX devices generate proxy IDs (traffic selectors) for route-based and policy-based VPNs, so that you can configure them to match the peer.


Symptoms:

Incorrect proxy IDs can lead to the following VPN issues:

  • The VPN tunnel cannot be established and the logs report "failed to match peer proxy-ids"
  • Unstable tunnels
  • Traffic failing to pass on the peer device because it arrives on the wrong VPN tunnel (for example, when several policies build several tunnels to the same peer)

Cause:

Proxy IDs are validated during VPN tunnel establishment (Phase 2). The proxy IDs of the two peers must be an exact inverse match of each other: the local proxy ID on the J/SRX must equal the remote proxy ID on the peer, and vice versa.

    J/SRX                         PEER
Local  192.168.1.0/24  \ /  Local  10.10.10.5/32
Remote 10.10.10.5/32   / \  Remote 192.168.1.0/24
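As an added example (not part of the original article), the following Python script parses the Local Identity / Remote Identity lines from the 'show security ipsec security-associations detail' output shown later on this page and checks that a peer's identities are the exact inverse of ours, reporting each mismatching component. The SRX output is taken from the article; the two peer outputs are constructed (a correct peer, and a peer whose remote proxy ID has fallen back to 0.0.0.0/0). The regular expression, function names and the exact-match rule it enforces are this example's own choices; the page describes the match requirement but not a specific checking tool.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Identity = Tuple[str, ipaddress.IPv4Network]   # (service such as "any:0", prefix)

# Matches the identity lines printed by
# 'show security ipsec security-associations detail', in both forms seen on this page:
#   Local Identity: ipv4(any:0,[0..3]=10.10.10.0/24)
#   Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
IDENTITY_RE = re.compile(
    r"^\s*(Local|Remote) Identity:\s*ipv4(?:_subnet)?\((\w+):(\d+),\[\d+\.\.\d+\]=([\d./]+)\)"
)


def parse_identities(sa_detail: str) -> Dict[str, Identity]:
    """Extract {'Local': (service, net), 'Remote': (service, net)} from SA detail output."""
    found: Dict[str, Identity] = {}
    for line in sa_detail.splitlines():
        m = IDENTITY_RE.match(line)
        if m:
            side, proto, port, prefix = m.groups()
            found[side] = (f"{proto}:{port}", ipaddress.ip_network(prefix, strict=False))
    if set(found) != {"Local", "Remote"}:
        raise ValueError("Local Identity / Remote Identity lines not found in output")
    return found


def check_inverse_match(ours: Dict[str, Identity], peer: Dict[str, Identity]) -> List[str]:
    """Return [] when the peer's proxy IDs are the exact inverse of ours (the rule the
    article describes), otherwise one message per mismatching component."""
    problems: List[str] = []
    for our_side, peer_side in (("Local", "Remote"), ("Remote", "Local")):
        our_svc, our_net = ours[our_side]
        peer_svc, peer_net = peer[peer_side]
        if our_net != peer_net:
            problems.append(
                f"our {our_side} Identity {our_net} != peer {peer_side} Identity {peer_net}"
            )
        if our_svc != peer_svc:
            problems.append(
                f"our {our_side} service {our_svc} != peer {peer_side} service {peer_svc}"
            )
    return problems


# SRX side: the SA detail output from the policy-based example on this page.
SRX_SA_DETAIL = """\
ID: 268173319 Virtual-system: root, VPN Name: ike-vpn-srx2
Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
"""

# Peer side (constructed): a correctly configured peer, local and remote swapped.
PEER_GOOD = """\
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
"""

# Peer side (constructed): a peer whose remote proxy ID is 0.0.0.0/0, e.g. after the
# multi-cell fallback described on this page, so it no longer mirrors our 10.10.10.0/24.
PEER_BAD = """\
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
"""


def compare_outputs(ours: str, peer: str) -> List[str]:
    """Parse both outputs and return the list of mismatches (empty means they match)."""
    return check_inverse_match(parse_identities(ours), parse_identities(peer))


if __name__ == "__main__":
    for label, peer_out in (("good peer", PEER_GOOD), ("bad peer", PEER_BAD)):
        issues = compare_outputs(SRX_SA_DETAIL, peer_out)
        print(label, "->", "proxy IDs match" if not issues else "; ".join(issues))
```

Run it with the real output of both devices pasted into the two strings; any line it prints corresponds to a component that would produce "failed to match peer proxy-ids" during negotiation.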

Solution:

The following shows how proxy IDs (traffic selectors) are generated in route-based and policy-based VPNs.  With this information, you can correctly configure your proxy IDs.

Route-based VPN

For a route-based VPN the proxy ID can be defined explicitly; if none is defined, the system default proxy ID is used.

  • Defined Proxy ID

    When a proxy-identity is defined in the configuration with 'set security ipsec vpn <vpn-name> ike proxy-identity', the values configured there are the proxy IDs used during VPN establishment.

    Note: Only one proxy-identity is allowed per 'set security ipsec vpn <vpn-name>' stanza.

        vpn ike-vpn-srx1 {
            bind-interface st0.0;
            ike {
                gateway gw-srx1;
                proxy-identity {
                    local 10.10.10.0/24;
                    remote 192.168.1.0/24;
                }
                ipsec-policy ipsec_pol;
            }
        }

        root> show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 131073 Virtual-system: root, VPN Name: ike-vpn-srx1
        Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
        Local Identity: ipv4(any:0,[0..3]=10.10.10.0/24)
        Remote Identity: ipv4(any:0,[0..3]=192.168.1.0/24)
    

  • Undefined Proxy ID

    When no proxy-identity is defined, the system uses a default proxy-identity of 0.0.0.0/0 for both local and remote, with a service of 'any'. The peer must then also present 0.0.0.0/0 on both sides, or the proxy IDs will not match.

        vpn ike-vpn-srx1 {
            bind-interface st0.0;
            ike {
                gateway gw-srx1;
                ipsec-policy ipsec_pol;    <---No defined proxy-identity
            }
        }

        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173315 Virtual-system: root, VPN Name: ike-vpn-srx1
        Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
        Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
         

Policy-based VPN

For a policy-based VPN the proxy ID is derived from the security policy that references the VPN under 'then permit tunnel ipsec-vpn <vpn>'. It cannot be overridden with 'set security ipsec vpn <vpn> ike proxy-identity'; that stanza only applies to route-based VPNs.

Note: Each security policy bound to a VPN negotiates its own VPN tunnel (a separate security association), with the proxy-identity derived from that policy. The 'Policy-name' field in the SA output below shows which policy built the tunnel.

  • Policy using single-item address objects

    The proxy-identity is derived from the source-address, destination-address, and application of the security policy. The mapping follows the policy direction: in the from-zone untrust to-zone trust policy below, source-address (remote_net) becomes the Remote Identity and destination-address (local_net) becomes the Local Identity.

        security-zone trust {
            address-book {
                address local_net 10.10.10.0/24;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address remote_net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }

        from-zone untrust to-zone trust {
            policy vpn_ingress {
                match {
                    source-address remote_net;
                    destination-address local_net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-srx2;
                        }
                    }
                }
            }
        }

        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173319 Virtual-system: root, VPN Name: ike-vpn-srx2
        Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
        Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
        Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
        Version: IKEv1
        DF-bit: clear
        Policy-name: vpn_ingress
    
    
  • Policy using multi-cell address objects

    When a match field uses a multi-cell object (several address objects listed together, or an address-set), the system cannot express it as a single prefix and substitutes the default of 0.0.0.0/0 for that side of the proxy ID, with a service of 'any'. The other side is still taken from its single address object: in the example below, only destination-address ([local_net local_net2]) is replaced, so the Local Identity becomes 0.0.0.0/0 while the Remote Identity remains 192.168.1.0/24. A peer that still expects 10.10.10.0/24 will reject the negotiation with "failed to match peer proxy-ids" (see Symptoms); a route-based VPN with an explicit proxy-identity avoids this.

        security-zone trust {
            address-book {
                address local_net 10.10.10.0/24;
                address local_net2 10.10.20.0/24;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address remote_net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }

        from-zone untrust to-zone trust {
            policy vpn_ingress {
                match {
                    source-address remote_net;
                    destination-address [local_net local_net2];
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-srx2;
                        }
                    }
                }
            }
        }

        root# run show security ipsec security-associations detail
        --------------------------------------------------------------------------
        ID: 268173321 Virtual-system: root, VPN Name: ike-vpn-srx2
        Local Gateway: 1.1.1.1, Remote Gateway: 3.3.3.3
        Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
        Version: IKEv1
        DF-bit: clear
        Policy-name: vpn_ingress
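As an added example (not part of the original article, and not Juniper code), the following Python model applies the generation rules from both sections above: the route-based rule (explicit proxy-identity, else 0.0.0.0/0 on both sides) and the policy-based rules (one proxy ID per policy bound to the VPN, single address object gives its prefix, multi-cell object or address-set gives 0.0.0.0/0 for that side). It also generalizes the direction mapping the article shows for an inbound policy to the mirror-image outbound policy. The address objects and the first two policies are the article's; the address-set, the outbound policy and the policy bound to another VPN are constructed. The class and function names are this example's own, and both zones' address-books are flattened into one dict because the names on this page are unique; how a named application (other than 'any') is rendered in the proxy ID is not shown on the page, so the application name is carried through unchanged.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    service: str = "any"


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_address: List[str]        # names exactly as listed in the policy match block
    destination_address: List[str]
    application: str
    ipsec_vpn: Optional[str] = None  # VPN named under 'then permit tunnel ipsec-vpn'


def route_based_proxy_id(configured: Optional[ProxyId]) -> ProxyId:
    """Route-based VPN: a configured 'ike proxy-identity' is used as-is; with none
    configured the default of 0.0.0.0/0 for local and remote (service any) applies."""
    return configured if configured is not None else ProxyId(ANY_NET, ANY_NET)


def resolve_cell(cells: List[str], address_book: Dict[str, str],
                 address_sets: Dict[str, List[str]]) -> ipaddress.IPv4Network:
    """A single address object yields its prefix. Several objects listed together, or an
    address-set, is a multi-cell object and yields the default 0.0.0.0/0."""
    if len(cells) == 1 and cells[0] in address_book:
        return ipaddress.ip_network(address_book[cells[0]], strict=False)
    for name in cells:
        if name not in address_book and name not in address_sets:
            raise KeyError(f"unknown address object or address-set {name!r}")
    return ANY_NET


def policy_based_proxy_ids(policies: List[Policy], vpn_name: str, tunnel_zone: str,
                           address_book: Dict[str, str],
                           address_sets: Dict[str, List[str]]) -> Dict[str, ProxyId]:
    """One proxy ID per policy that tunnels into vpn_name (each policy gets its own tunnel).
    Direction decides the mapping: when the tunnel zone is the from-zone (inbound policy),
    source-address becomes the Remote Identity and destination-address the Local Identity,
    as in the article's output; for an outbound policy the mapping is mirrored."""
    ids: Dict[str, ProxyId] = {}
    for pol in policies:
        if pol.ipsec_vpn != vpn_name:
            continue
        src = resolve_cell(pol.source_address, address_book, address_sets)
        dst = resolve_cell(pol.destination_address, address_book, address_sets)
        if pol.from_zone == tunnel_zone:
            ids[pol.name] = ProxyId(local=dst, remote=src, service=pol.application)
        elif pol.to_zone == tunnel_zone:
            ids[pol.name] = ProxyId(local=src, remote=dst, service=pol.application)
        else:
            raise ValueError(f"policy {pol.name!r} does not cross tunnel zone {tunnel_zone!r}")
    return ids


# Address objects from the article's zone configuration (both zones' address-books
# flattened into one dict; the names are unique across zones on this page).
ADDRESS_BOOK = {
    "local_net": "10.10.10.0/24",
    "local_net2": "10.10.20.0/24",
    "remote_net": "192.168.1.0/24",
}
# Constructed: an address-set grouping the two local prefixes.
ADDRESS_SETS = {"local_nets": ["local_net", "local_net2"]}

POLICIES = [
    # The article's single-object policy.
    Policy("vpn_ingress", "untrust", "trust", ["remote_net"], ["local_net"], "any", "ike-vpn-srx2"),
    # The article's multi-cell policy (renamed here so both can coexist in one list).
    Policy("vpn_ingress_multi", "untrust", "trust", ["remote_net"], ["local_net", "local_net2"], "any", "ike-vpn-srx2"),
    # Constructed: the same intent expressed with an address-set, which is also multi-cell.
    Policy("vpn_ingress_set", "untrust", "trust", ["remote_net"], ["local_nets"], "any", "ike-vpn-srx2"),
    # Constructed: the mirror-image outbound policy.
    Policy("vpn_egress", "trust", "untrust", ["local_net"], ["remote_net"], "any", "ike-vpn-srx2"),
    # Constructed: a policy bound to a different VPN, which must not contribute a proxy ID.
    Policy("other", "trust", "untrust", ["local_net2"], ["remote_net"], "any", "ike-vpn-other"),
]


if __name__ == "__main__":
    for name, pid in policy_based_proxy_ids(POLICIES, "ike-vpn-srx2", "untrust",
                                            ADDRESS_BOOK, ADDRESS_SETS).items():
        print(f"{name}: Local {pid.local}  Remote {pid.remote}  service {pid.service}")
    print("route-based default:", route_based_proxy_id(None))
```

Before committing a policy-based VPN, run your own policies through this model and compare each resulting Local/Remote pair against what the peer is configured to send; any policy whose side collapses to 0.0.0.0/0 needs either a single summary address object or a route-based VPN with an explicit proxy-identity.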
    
