configuring Multiple Proxy IDs in VPN Tunnel with overlapping subnet ranges

configuring Multiple Proxy IDs in VPN Tunnel with overlapping subnet ranges

3669
Created On 04/09/19 09:24 AM - Last Modified 09/08/20 21:48 PM


Symptom
When configuring IPSec VPNs, Proxy IDs are a requirement with a peer that supports Policy Based VPNs.

Sometimes multiple local and remote subnets need to communicate over VPN for the same peer. If peer side is a policy based VPN you will need to setup multiple proxy IDs on the Palo Alto firewall Tunnel configuration to match with peer's policies.

Even with the correct configuration, the traffic may fail because of the way proxy IDs are stored in the Dataplane (DP).  This article highlights best practices to be used when configuring multiple Proxy IDs with the same peer which are for overlapping subnets.


Environment
  • Any PAN-OS.
  • Palo Alto Firewall.
  • IPSEC VPN configured with Proxy IDs.


Cause
When multiple Proxy IDs are configured, naming of Policy IDs is important as order of proxy ID matching depends on the string order of the proxy id name.
Example:

Let's say there are 4 Proxy IDs configured under the tunnel configuration:

TestProxyID-1            : Local = 10.1.1.0/24,      Remote = 192.168.30.0/24
ProxyID-10_8_0_0         : Local = 10.8.1.0/24,      Remote = 192.168.30.0/24
proxy-id-10_123_0_0      : Local = 10.123.1.0/24,    Remote = 192.168.30.0/24
AllNetworks              : Local = 10.0.0.0/8,       Remote = 192.168.30.0/24


When the proxy IDs are stored in  DP, they are sorted using String Comparison (ASCII sorting)
To determine the sort order, we can use any sorting tools such as  https://www.textfixer.com/tools/alphabetical-order.php

Using the above, the string sort order for the above proxy ID names:


AllNetworks              : Local = 10.0.0.0/8,       Remote = 192.168.30.0/24
proxy-id-10_123_0_0      : Local = 10.123.1.0/24,    Remote = 192.168.30.0/24
ProxyID-10_8_0_0         : Local = 10.8.1.0/24,      Remote = 192.168.30.0/24
TestProxyID-1            : Local = 10.1.1.0/24,      Remote = 192.168.30.0/24


IPSEC Security SA's will be stored in this order in DP. This will affect traffic processing as when a certain traffic needs to be encrypted using one of the proxy IDs, it will look from top to bottom for the first matching proxy ID.

In the above example, even though "AllNetworks" proxy ID is defined on bottom in the configuration, but in DP it will be the first in order.

In the above example, if any traffic is going from source 10.123.1.0/24 via this IPSEC tunnel to a remote IP, it will not be send via "proxy-id-10_123_0_0" but via "AllNetworks". So this may fail on the remote side, who is checking incoming traffic against proxy IDs.
 


Resolution
For proxy IDs with overlapping subnets, define the proxy ID names so that more specific proxy ID name is above the broader Proxy ID name as per String Sorting.
 


Additional Information
Tips and Tricks: Why Use A VPN Proxy ID

Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLTlCAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language