The Netscreen Proxy ID problem
Firewalls - Netscreen
Tuesday, 18 May 2010 00:00
A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN) or simply use the combination of source IP, destination IP and service from a tunnel policy (policy-based VPN). When phase 2 of IKE is negotiated, each end compares its configured local and remote proxy-ID with what it actually receives from the peer.
There are a number of problems that you may face when creating site-to-site VPNs on a Netscreen firewall, and most of them come down to the way it announces its Proxy IDs.
Below are the different combinations and the resulting Proxy IDs for a policy used in a policy-based VPN.
How should it be configured?
Below are the ways to configure both a policy-based and a route-based VPN when using multiple subnets.
Multiple Subnets for a Policy VPN
1) Within 'VPNs / AutoKey IKE / [Your VPN Tunnel] / Advanced', ensure that the Proxy ID option is not ticked.
Multiple Subnets for a Route Based VPN
To use multiple subnets you will need to bind multiple Phase 2 policies (AutoKey IKE tunnels) to your tunnel interface.
1) Within 'VPNs | AutoKey IKE | [Your VPN Tunnel] | New | Advanced' :
Please note: when a proxy ID of 0.0.0.0/0.0.0.0 is used, only one SA is created for all the traffic.
New to ScreenOS 6.3 is multiple proxy ID support on route-based VPNs. Details on this can be found here.
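As an added illustration (not code from the original article or from ScreenOS), here is a small Python model of the phase-2 comparison described above: it derives a policy-based proxy-ID from a tunnel policy's source, destination and service, checks it field by field against what the peer sends, and counts how many phase-2 SAs a set of proxy-IDs produces. The ProxyId type, the field-by-field comparison and the encoding of service ANY as protocol 0 / port 0 are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One peer's view of a phase-2 SA: local net, remote net and service.
    Service ANY is modelled as protocol 0 / port 0 (an assumption)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int = 0
    port: int = 0


def proxy_id_from_policy(src: str, dst: str, protocol: int = 0, port: int = 0) -> ProxyId:
    """Policy-based VPN: the proxy-ID is derived from the tunnel policy's
    source, destination and service instead of being configured by hand."""
    return ProxyId(ipaddress.ip_network(src, strict=False),
                   ipaddress.ip_network(dst, strict=False), protocol, port)


def as_received_by_peer(pid: ProxyId) -> ProxyId:
    """What the far end receives: our local becomes its remote and vice versa."""
    return ProxyId(pid.remote, pid.local, pid.protocol, pid.port)


def phase2_mismatches(mine: ProxyId, peer: ProxyId) -> list[str]:
    """Compare our configured proxy-ID with what the peer actually sends.
    An empty list means this SA would negotiate; otherwise each entry is a
    field that differs, which is what to look for when phase 2 fails."""
    received = as_received_by_peer(peer)
    problems = []
    for field in ("local", "remote", "protocol", "port"):
        want, got = getattr(mine, field), getattr(received, field)
        if want != got:
            problems.append(f"{field}: configured {want}, received {got}")
    return problems


def sa_count(proxy_ids: list[ProxyId]) -> int:
    """Each distinct proxy-ID negotiates its own phase-2 SA; a single
    0.0.0.0/0 <-> 0.0.0.0/0 proxy-ID carries all traffic in one SA."""
    return len(set(proxy_ids))


if __name__ == "__main__":
    # Constructed sites: A is policy-based, B is route-based with a manual proxy-ID.
    site_a = proxy_id_from_policy("10.1.1.0/24", "192.168.1.0/24")
    site_b = proxy_id_from_policy("192.168.1.0/24", "10.1.0.0/16")  # remote too wide
    print(phase2_mismatches(site_a, site_b))
```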