
[ScreenOS] What is a Proxy-ID and how is it configured?


Article ID: KB5565 | KB Last Updated: 22 May 2019 | Version: 5.0
Summary:
This article provides information about Proxy-ID and how to configure it on ScreenOS devices.
Symptoms:
Information about Proxy-ID.
Solution:

What is Proxy-ID

A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Each end of a VPN tunnel either has a proxy-ID manually configured (route-based VPN) or uses the combination of source IP, destination IP, and service from its tunnel policy. When phase 2 of IKE is negotiated, each end compares its configured local and remote proxy-ID with what it actually receives from the peer.


Example:

Assume that the incoming tunnel policy is as follows:

Source          Destination       Service   Action
10.1.1.0/24     192.168.1.0/24    ANY       Tunnel (INCOMING)

This device will use the following proxy-ID during phase 2 of IKE negotiations:

  • Local Proxy ID: 10.1.1.0/24

  • Remote Proxy ID: 192.168.1.0/24

  • Service:  Any
 

The configured proxy-ID must match what is received from the other device that is negotiating the IKE/IPsec tunnel. For example, for phase 2 to complete successfully in the example above, the outgoing tunnel policy on the remote device would have to be configured as follows:

Source          Destination       Service   Action
192.168.1.0/24  10.1.1.0/24       ANY       Tunnel (OUTGOING)

 


How to configure a proxy-ID for a route-based VPN

Using the information listed above, enter the command:

set vpn vpn1 proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 any
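
The matching rule described above can be checked before a change window by comparing the proxy-ID lines from both peers. The following is an added example, not Juniper code: it parses only the command form shown in this article, and the peer configurations, the function names, the case-insensitive service comparison and the host-bit check are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the ScreenOS command form shown in this article.
PROXY_ID_RE = re.compile(
    r"^set vpn (?P<vpn>\S+) proxy-id local-ip (?P<local>\S+) "
    r"remote-ip (?P<remote>\S+) (?P<service>\S+)\s*$",
    re.IGNORECASE,
)

def parse_proxy_ids(config_text):
    """Return {vpn_name: (local_net, remote_net, service)} from config lines."""
    result = {}
    for line in config_text.splitlines():
        m = PROXY_ID_RE.match(line.strip())
        if not m:
            continue
        # strict=True raises ValueError if host bits are set (e.g. 10.1.1.5/24);
        # this sanity check is an addition of this example.
        local = ipaddress.ip_network(m["local"], strict=True)
        remote = ipaddress.ip_network(m["remote"], strict=True)
        # Service is compared case-insensitively (assumption of this example).
        result[m["vpn"]] = (local, remote, m["service"].lower())
    return result

def check_mirror(side_a, side_b):
    """Compare A's (local, remote, service) with B's (remote, local, service)."""
    problems = []
    a_local, a_remote, a_svc = side_a
    b_local, b_remote, b_svc = side_b
    if a_local != b_remote:
        problems.append(f"A local {a_local} != B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} != B local {b_local}")
    if a_svc != b_svc:
        problems.append(f"service {a_svc} != {b_svc}")
    return problems

# Constructed sample configs. DEVICE_A is the command from the article;
# DEVICE_B_OK is its mirror; DEVICE_B_BAD has a wrong prefix length.
DEVICE_A = "set vpn vpn1 proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 any"
DEVICE_B_OK = "set vpn vpn1 proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.1.0/24 ANY"
DEVICE_B_BAD = "set vpn vpn1 proxy-id local-ip 10.1.0.0/16 remote-ip 192.168.1.0/24 any"

if __name__ == "__main__":
    a = parse_proxy_ids(DEVICE_A)["vpn1"]
    for label, cfg in (("ok", DEVICE_B_OK), ("bad", DEVICE_B_BAD)):
        issues = check_mirror(a, parse_proxy_ids(cfg)["vpn1"])
        print(label, issues or "proxy-IDs mirror each other")
```

A supernet on one side (10.1.0.0/16 against 10.1.1.0/24) is reported as a mismatch, because the comparison is for equality rather than containment.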

 


Multiple Proxy ID

ScreenOS release 6.3 introduces a new proxy-ID feature: Multiple Proxy ID support on a route-based VPN. For more information, refer to KB16008 - Function of a new feature "Multiple Proxy ID support on a Route-Based VPN" (Supported started with ScreenOS 6.3).

Note: The proxy-ID for a policy-based VPN is taken from the address book entries that you have configured in the policy.

Modification History:
2019-05-21: Added how to configure a Proxy ID to a VPN; and updated the applicable platforms
