The Netscreen Proxy ID problem
A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN), or simply use a combination of source IP, destination IP and service in a tunnel policy. When phase 2 of IKE is negotiated, each end compares the configured local and remote proxy-ID with what is actually received.
There are a number of problems that you may face when creating Site to Site VPNs on a Netscreen Firewall. Which is in the way it announces its Proxy ID`s.
Generally if you create a VPN and set the Proxy ID`s within the Phase 2 Policy (AutoKey IKE Tunnels) the correct Proxy IDs are used and everything will be fine. The problem is when you want to use multiple subnets (or even multiple hosts).
If you add address groups to your policy based VPNs then 0.0.0.0 ID`s start being used with can cause a number of issues with the Phase to negotiations.
Below shows you the different combination's and the resulting Proxy ID`s for a policy being used for a policy based VPN.
||RESULTING PROXY ID (SRC / DST)
|Address Group||Address Group||0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0|
|Address Group||Subnet||0.0.0.0/0.0.0.0 > Subnet|
|Subnet||Subnet||Subnet > Subnet|
How should it be configured ?
Below shows you the ways for configuring both a Policy and Route based VPN when using multiple subnets.
Multiple Subnets for a Policy VPN
1) Within 'VPNs / AutoKey IKE / [Your VPN Tunnel] / Advanced' ensure that Proxy ID option is not ticked.
2) Then create multiple polices for the various subnets ensuring you do not use address groups as the Proxy ID will result in using each Within Policy Then add multiple Policies, one for each subnet, assigning each policy the same (IKE) VPN Tunnel.
Multiple Subnets for a Route Based VPN
To use multiple subnets you will need to bind multiple Phase 2 Policies (AutoKey IKE Tunnels) to your Tunnel Interface.
1) Within 'VPNs | AutoKey IKE | [Your VPN Tunnel] | New | Advanced' :
-- Bind to : Tunnel Interface [Select your Tunnel Interface]
-- Tick Proxy ID and add your source and destination subnets
2) For additional subnets create a new AutoKey IKE Tunnel (Phase 2 Policy) and assign to the same tunnel interface.
Please Note : When a proxy ID of 0.0.0.0/0.0.0.0 is used there is only one SA which is created for all the traffic.
New to ScreenOS 6.3 is Multiple Proxy ID support on Route-Based VPNs. Details on this can be found here.