Learn about proxy ID and how to set up the proxy ID to implement the Palo Alto
Networks IPSec.
Where Can I Use This? PAN-OS
What Do I Need? No license required
Proxy Identity (proxy ID) refers to the set of traffic that belongs to an IPSec VPN and
is subject to the SA being negotiated between the peers (or set up once the negotiation
has succeeded).
It allows the traffic to be identified and then directed:
to the appropriate tunnel where multiple tunnels coexist between the same two peers that
share the same IKE gateway.
It also allows unique and shared SAs with different parameters to coexist.
Use proxy IDs in the configurations where VPN tunnels are set up between the same two
peers.
Proxy IDs help identify which traffic belongs to a particular IPSec VPN. This lets the
operating system install the appropriate hooks to take traffic that matches the source
and destination addresses in the proxy ID (client ID) and direct it into and out of the
matching IPSec SA or VPN.
Setting up the Proxy ID
Palo Alto Networks is among a few other vendors that use proxy IDs. The following
figure shows the Palo Alto Networks proxy ID window along with its options.
Select Network > IPSec Tunnel > Proxy IDs. Enter the proxy ID name, the local IP address, the
remote IP address if required by the peer, and the protocol type along with its local and
remote port numbers.
Each proxy ID is considered to be a VPN tunnel and therefore
is counted towards the IPSec VPN tunnel capacity of the firewall. For example, the
maximum limit for a site-to-site IPSec VPN tunnel is 1000 for PA-3020, 100 for
PA-2050, and 25 for PA-200.
Proxy IDs behave differently with IKE versions:
IKEv1—Palo Alto Networks devices support only proxy ID exact matches. If
proxy IDs for peers do not match, then the VPN does not work correctly.
IKEv2—Supports traffic selector narrowing when proxy ID setting is
different on the two VPN gateways.
Using Proxy IDs
The following example shows two VPN gateways: A and B.
IKE negotiation is started by VPN GW-a (i = initiator, r = responder). VPN GW-a defines
traffic selector TSi-a/TSr-a and VPN GW-b specifies traffic selector TSi-b/TSr-b.
While TSr-a is the same as TSr-b and so can be ignored, TSi-a can be different
from TSi-b.
In this case, the traffic cannot route over the VPN tunnel because the same network
exists on both sides of the tunnel.
However, as shown below, the only way to resolve this issue is for both peer gateways
to create NATs that translate a new, unique network subnet to the internal network;
otherwise one side has to change its subnet.
This way, all traffic on either side is destined to the new NAT address instead of
the other, identical network. Both gateways have to perform NAT for this to work
properly and to remove any confusion about which network is on which side.
Configuring IPSec VPN for a Palo Alto Networks Firewall
If the other side of the tunnel is a third-party VPN device or another non-PAN-OS
firewall, then you need to specify a matching local proxy ID and remote proxy ID:
typically the local and remote LAN subnets.
When configuring an IPSec tunnel proxy ID to identify local and remote IP networks
for traffic that is NATed, the proxy ID for the IPSec tunnel must be configured with
the post-NAT IP network information. The reason is that the proxy ID defines the
networks that are allowed through the tunnel on both sides of the IPSec configuration.
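As an added example (not PAN-OS code and not part of this document), the following Python script models the rules above as a pre-deployment check: the IKEv1 exact-match requirement, IKEv2 traffic-selector narrowing, and the overlapping-subnet case that must be resolved with NAT and expressed in the proxy ID with the post-NAT networks. The ProxyID type, the sample subnets and the verdict strings are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class ProxyID:
    """One proxy ID as entered under Network > IPSec Tunnel > Proxy IDs (hypothetical model)."""
    local: IPv4Network
    remote: IPv4Network
    protocol: str = "any"

def pid(local: str, remote: str, protocol: str = "any") -> ProxyID:
    return ProxyID(ip_network(local), ip_network(remote), protocol)

def overlapping_subnets(p: ProxyID) -> bool:
    """True when the same network exists on both sides of the tunnel: the case the text
    resolves with NAT, after which the proxy ID must carry the post-NAT networks."""
    return p.local.overlaps(p.remote)

def ikev1_exact_match(a: ProxyID, b: ProxyID) -> bool:
    """IKEv1: peer B's proxy ID must mirror peer A's exactly, or the VPN does not work."""
    return a.local == b.remote and a.remote == b.local and a.protocol == b.protocol

def _narrow(x: IPv4Network, y: IPv4Network) -> Optional[IPv4Network]:
    # Two CIDR blocks either nest or are disjoint; the narrowed selector is the smaller one.
    return x if x.subnet_of(y) else y if y.subnet_of(x) else None

def ikev2_narrowed(a: ProxyID, b: ProxyID) -> Optional[Tuple[IPv4Network, IPv4Network]]:
    """IKEv2: selectors narrow to what both peers accept, seen from peer A's side.
    Returns None when the peers share no traffic at all (the tunnel stays down)."""
    if a.protocol != b.protocol:
        return None
    local, remote = _narrow(a.local, b.remote), _narrow(a.remote, b.local)
    return None if local is None or remote is None else (local, remote)

def verdict(a: ProxyID, b: ProxyID, ike_version: int) -> str:
    """Pre-deployment check: what happens to this tunnel under the given IKE version."""
    if overlapping_subnets(a) or overlapping_subnets(b):
        return "overlap: NAT to unique subnets and put the post-NAT networks in the proxy ID"
    if ike_version == 1:
        return "up" if ikev1_exact_match(a, b) else "down: IKEv1 needs an exact proxy ID match"
    narrowed = ikev2_narrowed(a, b)
    if narrowed is None:
        return "down: no common traffic selector"
    return f"up: narrowed to {narrowed[0]} <-> {narrowed[1]}"

if __name__ == "__main__":
    # Constructed sample: GW-b proposes a wider remote (10.1.0.0/16) than GW-a's local /24.
    gw_a, gw_b = pid("10.1.0.0/24", "10.2.0.0/24"), pid("10.2.0.0/24", "10.1.0.0/16")
    print(verdict(gw_a, gw_b, 1), "|", verdict(gw_a, gw_b, 2))
```

The same mismatch that brings an IKEv1 tunnel down is narrowed to the common /24s under IKEv2, which is the behaviour difference described in the IKE versions list.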