
[ScreenOS] What is a Proxy-ID and how is it configured?

[KB5565]


Summary:
This article provides information about Proxy-ID and how to configure it on ScreenOS devices.
Symptoms:
Information about Proxy-ID.
Solution:

What is Proxy-ID

A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Each end of a VPN tunnel either has a proxy-ID manually configured (route-based VPN) or derives it from the combination of source IP, destination IP, and service in a tunnel policy (policy-based VPN). When phase 2 of IKE is negotiated, each end compares its configured local and remote proxy-ID with what it actually receives from the peer.


Example:

Assume that the incoming tunnel policy is as follows:

| Source      | Destination    | Service | Action            |
|-------------|----------------|---------|-------------------|
| 10.1.1.0/24 | 192.168.1.0/24 | ANY     | Tunnel (INCOMING) |

This device will use the following proxy-ID during phase 2 of IKE negotiations:

  • Local Proxy ID: 10.1.1.0/24

  • Remote Proxy ID: 192.168.1.0/24

  • Service:  Any
 

The configured proxy-ID must match what is received from the other device that is negotiating the IKE/IPSec tunnel. For example, for phase 2 to complete successfully in the example above, the outgoing tunnel policy on the remote device would have to be configured as follows:

| Source         | Destination | Service | Action            |
|----------------|-------------|---------|-------------------|
| 192.168.1.0/24 | 10.1.1.0/24 | ANY     | Tunnel (OUTGOING) |

 


How to configure Proxy-ID for a route-based VPN

Using the information listed above, enter the command:

set vpn vpn1 proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 any
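
The matching rule described above can be checked offline before a change window. The following is an added example, not Juniper code: it parses proxy-id lines in the command form shown above from two peers' configs and reports where they are not mirror images. The function names, the sample configs, and the handling of quoted names are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

class ProxyID(NamedTuple):
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    service: str

# Matches the command form on this page. Assumption: a saved config may
# double-quote the VPN name and the service.
PROXY_RE = re.compile(
    r'^set\s+vpn\s+("[^"]+"|\S+)\s+proxy-id\s+local-ip\s+(\S+)'
    r'\s+remote-ip\s+(\S+)\s+("[^"]+"|\S+)\s*$', re.IGNORECASE)

def parse_proxy_ids(config_text):
    """Return {vpn_name: ProxyID} for each proxy-id line in a config dump."""
    found = {}
    for line in config_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            vpn, local, remote, service = (g.strip('"') for g in m.groups())
            # Assumption: host bits are masked off and service names are
            # compared case-insensitively.
            found[vpn] = ProxyID(ipaddress.ip_network(local, strict=False),
                                 ipaddress.ip_network(remote, strict=False),
                                 service.upper())
    return found

def mismatches(a, b):
    """Reasons peer a's proxy-ID is not the mirror image of peer b's."""
    problems = []
    if a.local != b.remote:
        problems.append(f"A local {a.local} != B remote {b.remote}")
    if a.remote != b.local:
        problems.append(f"A remote {a.remote} != B local {b.local}")
    if a.service != b.service:
        problems.append(f"A service {a.service} != B service {b.service}")
    return problems

# Constructed sample configs (not taken from real devices).
PEER_A = "set vpn vpn1 proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.1.0/24 any"
PEER_B_GOOD = "set vpn vpn1 proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 any"
PEER_B_BAD = 'set vpn "vpn1" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.0.0/16 "ANY"'

if __name__ == "__main__":
    a = parse_proxy_ids(PEER_A)["vpn1"]
    for label, cfg in (("good", PEER_B_GOOD), ("bad", PEER_B_BAD)):
        print(label, mismatches(a, parse_proxy_ids(cfg)["vpn1"]) or "proxy-IDs mirror each other")
```

The "bad" peer differs only in the mask of its remote network, which is enough for the two proxy-IDs to stop matching.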

 


Multiple Proxy ID

ScreenOS release 6.3 introduces a new proxy-ID feature: Multiple Proxy ID support on a Route-Based VPN. For more information, refer to KB16008 - Function of a new feature "Multiple Proxy ID support on a Route-Based VPN" (Supported started with ScreenOS 6.3).

Note: The proxy-ID for a policy-based VPN is taken from the address book entries you have configured in the policy.

Modification History:
2019-05-21: Added how to configure a Proxy ID to a VPN; and updated the applicable platforms