Proxy ID for IPSec VPN
Learn what a proxy ID is and how to set one up when you implement a Palo Alto Networks IPSec VPN.
Where Can I Use This?
  • PAN-OS
What Do I Need?
  • No license required
A proxy ID (proxy identity) identifies the set of traffic that belongs to an IPSec VPN and is protected by the IPSec SA negotiated between the peers (or set up once that negotiation succeeds). In IKEv1 the proxy ID is exchanged in the Quick Mode identity payloads (IDci/IDcr); in IKEv2 it is carried as the traffic selectors (TSi/TSr).
The proxy ID identifies traffic and directs it:
  • to the appropriate tunnel when multiple tunnels coexist between the same two peers and share the same IKE gateway.
  • so that unique and shared SAs with different parameters can coexist.
Use proxy IDs in configurations where multiple VPN tunnels are set up between the same two peers.
Proxy IDs identify which traffic belongs to a particular IPSec VPN. This lets the firewall install the hooks that match traffic against the source and destination addresses in the proxy ID (the client ID) and steer it into, and out of, the matching IPSec SA.

Setting up the Proxy ID

Palo Alto Networks is one of several vendors that use proxy IDs. The following figure shows the Palo Alto Networks proxy ID window and its options.
Select Network > IPSec Tunnels > Proxy IDs. Enter the proxy ID name, the local IP address (subnet), the remote IP address (subnet) if the peer requires it, and the protocol type with its local and remote port numbers.
Each proxy ID counts as one VPN tunnel against the IPSec VPN tunnel capacity of the firewall. For example, the maximum number of site-to-site IPSec VPN tunnels is 1000 for the PA-3020, 100 for the PA-2050, and 25 for the PA-200.
Proxy IDs behave differently depending on the IKE version:
  • IKEv1—Palo Alto Networks devices support only exact proxy ID matches: the local and remote entries on one peer must be the mirror image of the remote and local entries on the other. If the proxy IDs on the two peers do not match, the VPN does not work correctly.
  • IKEv2—Supports traffic selector narrowing when the proxy ID settings differ on the two VPN gateways. The child SA then carries only the overlap of the two selectors, so traffic outside that overlap is not sent through the tunnel even though the tunnel comes up.
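The following Python model, added here as an illustration and not PAN-OS code, shows the difference between the two behaviors: an IKEv1 exact-match check and an IKEv2 narrowing step run against two constructed proxy IDs for gateways A and B. The ProxyID class, the ikev1_match and ikev2_narrow functions, and the subnets are all assumptions made for the example; local and remote ports are omitted.

```python
"""Added example (not PAN-OS code): IKEv1 exact-match versus IKEv2 narrowing
of proxy IDs. Subnets, class and function names are assumptions for the demo."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProxyID:
    """One proxy ID as configured on a gateway: local subnet, remote subnet,
    protocol. Local/remote ports are omitted to keep the model short."""
    local: IPv4Network
    remote: IPv4Network
    protocol: str = "any"


def proxy_id(local: str, remote: str, protocol: str = "any") -> ProxyID:
    return ProxyID(ip_network(local), ip_network(remote), protocol)


def ikev1_match(ours: ProxyID, theirs: ProxyID) -> bool:
    """IKEv1 on PAN-OS: the peer's proxy ID must be the exact mirror image of
    ours (our local == their remote, our remote == their local, same protocol).
    Any other combination fails the Phase 2 negotiation."""
    return (ours.local == theirs.remote
            and ours.remote == theirs.local
            and ours.protocol == theirs.protocol)


def _overlap(proposed: IPv4Network, configured: IPv4Network) -> Optional[IPv4Network]:
    """Overlap of two CIDR selectors: the smaller one if nested, else None
    (two CIDR subnets are either nested or disjoint)."""
    if proposed.subnet_of(configured):
        return proposed
    if configured.subnet_of(proposed):
        return configured
    return None


def ikev2_narrow(initiator: ProxyID, responder: ProxyID
                 ) -> Optional[Tuple[IPv4Network, IPv4Network]]:
    """IKEv2 responder: the initiator proposes TSi (its local) and TSr (its
    remote); the responder narrows each to the overlap with its own proxy ID
    (RFC 7296 section 2.9) and returns the (TSi, TSr) pair the CHILD_SA will
    carry, or None when there is no overlap (TS_UNACCEPTABLE)."""
    protocols = {initiator.protocol, responder.protocol}
    if len(protocols) == 2 and "any" not in protocols:
        return None
    tsi = _overlap(initiator.local, responder.remote)
    tsr = _overlap(initiator.remote, responder.local)
    if tsi is None or tsr is None:
        return None
    return tsi, tsr


# Constructed example: gateway A initiates; gateway B's proxy ID is narrower
# on its local side, so the two proxy IDs are not mirror images.
GW_A = proxy_id("10.1.0.0/16", "10.2.0.0/16")          # A: local 10.1/16, remote 10.2/16
GW_B = proxy_id("10.2.5.0/24", "10.1.0.0/16")          # B: local 10.2.5/24, remote 10.1/16
GW_B_MIRROR = proxy_id("10.2.0.0/16", "10.1.0.0/16")   # what IKEv1 needs on B


if __name__ == "__main__":
    print("IKEv1, B as configured :", ikev1_match(GW_A, GW_B))         # False
    print("IKEv1, B mirrored      :", ikev1_match(GW_A, GW_B_MIRROR))  # True
    print("IKEv2 narrowed TSi/TSr :", ikev2_narrow(GW_A, GW_B))
    # -> (IPv4Network('10.1.0.0/16'), IPv4Network('10.2.5.0/24'))
```

With IKEv2 the tunnel comes up, but only 10.2.5.0/24 is reachable from A through that child SA; packets from A to the rest of 10.2.0.0/16 are not carried. With IKEv1 the same mismatch fails Phase 2 outright, and B must be configured with the mirrored proxy ID.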

Using Proxy IDs

The following example shows two VPN gateways, A and B.
IKE negotiation is started by VPN GW-a (i = initiator, r = responder). VPN GW-a defines traffic selectors TSi-a/TSr-a and VPN GW-b specifies traffic selectors TSi-b/TSr-b. TSr-a is the same as TSr-b and can be ignored here, but TSi-a can differ from TSi-b.
In this case the traffic cannot be routed over the VPN tunnel, because the same network exists on both sides of the tunnel: each firewall sees the destination as locally connected and never forwards it into the tunnel.
The only ways to resolve this are for one side to renumber its subnet, or for both peer gateways to use NAT to translate their internal network to a new, unique subnet.
With NAT, all traffic on either side is addressed to the peer's translated subnet instead of the overlapping internal network. Both gateways must perform NAT for this to work, so that there is no ambiguity about which network is on which side.

Configuring IPSec VPN for a Palo Alto Networks Firewall

If the other side of the tunnel is a third-party VPN device or any other non-PAN-OS firewall, you need to specify a matching local proxy ID and remote proxy ID: typically the local and remote LAN subnets.
When you configure an IPSec tunnel proxy ID to identify the local and remote IP networks for traffic that is NATed, configure the proxy ID with the post-NAT IP network information. The proxy ID defines the networks that are allowed through the tunnel on both sides, and the addresses the tunnel sees are the addresses after NAT, so a proxy ID built from the pre-NAT networks does not match the traffic and it is dropped.
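The following Python model, added here as an illustration and not PAN-OS code, walks through the overlapping-subnet case from the previous section together with the post-NAT rule above: both sites use 192.168.1.0/24, site A translates it to 172.16.1.0/24 and site B to 172.16.2.0/24, and a packet leaving site A is matched against a proxy ID built from the pre-NAT subnets and then from the post-NAT subnets. The subnets, the static_nat, select_sa, send_from_site_a and receive_at_site_b functions and the proxy ID names are constructed for the example.

```python
"""Added example (not PAN-OS code): overlapping subnets on both sides of a
tunnel, fixed with static NAT, and why the proxy ID must use post-NAT subnets.
All subnets, names and functions are assumptions for the demo."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ProxyID:
    local: IPv4Network    # subnet behind this gateway, as seen inside the tunnel
    remote: IPv4Network   # subnet behind the peer, as seen inside the tunnel
    protocol: str = "any"


def proxy_id(local: str, remote: str, protocol: str = "any") -> ProxyID:
    return ProxyID(ip_network(local), ip_network(remote), protocol)


def static_nat(addr: IPv4Address, from_net: IPv4Network,
               to_net: IPv4Network) -> IPv4Address:
    """1:1 static NAT: keep the host part of addr, swap the network part.
    Addresses outside from_net pass through untranslated."""
    if addr not in from_net:
        return addr
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def select_sa(proxy_ids: Dict[str, ProxyID], src: IPv4Address, dst: IPv4Address,
              protocol: str = "any", inbound: bool = False) -> Optional[str]:
    """Return the name of the first proxy ID (tunnel/SA) whose subnets and
    protocol cover the packet, or None if no SA matches. Outbound packets
    must be local->remote; inbound packets remote->local."""
    for name, pid in proxy_ids.items():
        near, far = (pid.remote, pid.local) if inbound else (pid.local, pid.remote)
        if src in near and dst in far and pid.protocol in ("any", protocol):
            return name
    return None


# Constructed topology: both sites use 192.168.1.0/24 internally.
SITE_A_INTERNAL = ip_network("192.168.1.0/24")
SITE_B_INTERNAL = ip_network("192.168.1.0/24")
SITE_A_NAT = ip_network("172.16.1.0/24")   # how site A is seen by site B
SITE_B_NAT = ip_network("172.16.2.0/24")   # how site B is seen by site A

# Wrong: proxy ID built from the pre-NAT networks (identical on both sides).
PRE_NAT_PROXY_IDS = {"to-siteB": proxy_id("192.168.1.0/24", "192.168.1.0/24")}
# Right: proxy ID built from the post-NAT networks.
POST_NAT_PROXY_IDS = {"to-siteB": proxy_id("172.16.1.0/24", "172.16.2.0/24")}
# The mirror image that site B must configure (IKEv1 exact match).
SITE_B_PROXY_IDS = {"to-siteA": proxy_id("172.16.2.0/24", "172.16.1.0/24")}


def send_from_site_a(src: str, dst: str, proxy_ids: Dict[str, ProxyID]) -> Optional[str]:
    """A host at site A sends to dst (the peer's translated address). Site A
    applies source NAT first and then picks the IPSec SA by proxy ID, which is
    the order the firewall uses. Returns the SA name, or None (dropped)."""
    translated_src = static_nat(ip_address(src), SITE_A_INTERNAL, SITE_A_NAT)
    return select_sa(proxy_ids, translated_src, ip_address(dst))


def receive_at_site_b(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Site B matches the inbound packet against its proxy ID, then translates
    the destination back to the real internal host. Returns (src, dst) as the
    host at site B sees them, or None if no SA matched."""
    if select_sa(SITE_B_PROXY_IDS, ip_address(src), ip_address(dst), inbound=True) is None:
        return None
    real_dst = static_nat(ip_address(dst), SITE_B_NAT, SITE_B_INTERNAL)
    return src, str(real_dst)


if __name__ == "__main__":
    # 192.168.1.10 at site A reaches 192.168.1.20 at site B via 172.16.2.20.
    print(send_from_site_a("192.168.1.10", "172.16.2.20", PRE_NAT_PROXY_IDS))   # None
    print(send_from_site_a("192.168.1.10", "172.16.2.20", POST_NAT_PROXY_IDS))  # to-siteB
    print(receive_at_site_b("172.16.1.10", "172.16.2.20"))  # ('172.16.1.10', '192.168.1.20')
```

The packet that enters the tunnel already carries the translated source 172.16.1.10, so the pre-NAT proxy ID (192.168.1.0/24) never matches it and the firewall finds no SA for the flow. The post-NAT proxy IDs on the two sides are mirror images of each other, so they also satisfy the IKEv1 exact-match requirement.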