(16 August 2012)
Problem
I need to set up a VPN that requires multiple proxy-IDs. I can't use policy-based VPNs because I need MIP/DIP functionality across this tunnel.
Solution
Multiple proxy-IDs are supported in ScreenOS 6.3.0 (see the KB article).
If you can't/won't upgrade, you can use a work-around:
- create a loopback interface with the required MIP/DIP configuration
- create multiple tunnel interfaces that are members of the loopback group you just created
- create an Autokey IKE VPN entry for each proxy-ID set and bind each one to its own tunnel interface
- create a route for each remote proxy-ID target subnet via the appropriate tunnel interface
Briefly:
> set interface "tunnel.10" zone "VPN"
> set interface "tunnel.11" zone "VPN"
> set interface "loopback.1" zone "VPN"
> set interface loopback.1 ip 10.99.99.1/26
> set interface loopback.1 route
> set interface tunnel.10 ip unnumbered interface ethernet0/2
> set interface tunnel.11 ip unnumbered interface ethernet0/2
> set interface "tunnel.10" loopback-group "loopback.1"
> set interface "tunnel.11" loopback-group "loopback.1"
> set interface loopback.1 dip 4 10.99.99.2 10.99.99.62
> set vpn "Partner-88 VPN - 10.100.135.0/24" gateway "Partner-88 Gateway" no-replay tunnel idletime 0 proposal "Partner-88"
> set vpn "Partner-88 VPN - 10.100.135.0/24" id 0x60 bind interface tunnel.10
> set vpn "Partner-88 VPN - 10.110.0.1/32" gateway "Partner-88 Gateway" no-replay tunnel idletime 0 proposal "Partner-88"
> set vpn "Partner-88 VPN - 10.110.0.1/32" id 0x61 bind interface tunnel.11
> set vpn "Partner-88 VPN - 10.100.135.0/24" proxy-id local-ip 10.99.99.0/26 remote-ip 10.100.135.0/24 "ANY"
> set vpn "Partner-88 VPN - 10.110.0.1/32" proxy-id local-ip 10.99.99.0/26 remote-ip 10.110.0.1/32 "ANY"
> set route 10.100.135.0/24 interface tunnel.10
> set route 10.110.0.1/32 interface tunnel.11
Notes:
- Yeah, we have that many tunnel interfaces. More, actually; this is a simplified example.
- This presumes you already have a "Partner-88 Gateway" gateway defined.
- Policy creation is left as an exercise for the reader.
- The VPN zone is one we created to hold the remote subnets of our VPN peers.
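The config above is one instance of a pattern that repeats per remote proxy-ID. As an added example (not from the original post), the script below generates the per-subnet tunnel interface, Autokey IKE entry, proxy-ID and route lines for any list of remote subnets, and refuses inputs where the DIP pool falls outside the local proxy-ID or where remote subnets overlap each other or the loopback subnet. The function name and parameter names are assumed; the default values mirror the post.

```python
import ipaddress

def build_multi_proxy_id_config(remote_nets, vpn_prefix="Partner-88 VPN",
                                gateway="Partner-88 Gateway", proposal="Partner-88",
                                local_net="10.99.99.0/26", loopback="loopback.1",
                                loopback_ip="10.99.99.1/26", dip_id=4,
                                dip_range=("10.99.99.2", "10.99.99.62"),
                                unnumbered_if="ethernet0/2", zone="VPN",
                                first_tunnel=10, first_vpn_id=0x60):
    """Return ScreenOS 'set' lines: one tunnel interface, Autokey IKE entry,
    proxy-ID and route per remote subnet (hypothetical helper, defaults from the post)."""
    local = ipaddress.ip_network(local_net)
    # The DIP pool must lie inside the local proxy-ID, otherwise translated
    # traffic will not match the SA the peer agreed to.
    for addr in dip_range:
        if ipaddress.ip_address(addr) not in local:
            raise ValueError(f"DIP address {addr} is outside local proxy-ID {local}")
    remotes = [ipaddress.ip_network(r) for r in remote_nets]
    # Each remote subnet gets its own SA and route; overlaps would make the
    # route lookup (and the peer's proxy-ID match) ambiguous.
    for i, r in enumerate(remotes):
        if r.overlaps(local):
            raise ValueError(f"remote {r} overlaps local proxy-ID {local}")
        for s in remotes[i + 1:]:
            if r.overlaps(s):
                raise ValueError(f"remote proxy-IDs {r} and {s} overlap")
    lines = [
        f'set interface "{loopback}" zone "{zone}"',
        f"set interface {loopback} ip {loopback_ip}",
        f"set interface {loopback} route",
        f"set interface {loopback} dip {dip_id} {dip_range[0]} {dip_range[1]}",
    ]
    for n, r in enumerate(remotes):
        tun = f"tunnel.{first_tunnel + n}"          # tunnel.10, tunnel.11, ...
        vpn = f"{vpn_prefix} - {r}"                 # one VPN entry per proxy-ID set
        lines += [
            f'set interface "{tun}" zone "{zone}"',
            f"set interface {tun} ip unnumbered interface {unnumbered_if}",
            f'set interface "{tun}" loopback-group "{loopback}"',
            f'set vpn "{vpn}" gateway "{gateway}" no-replay tunnel idletime 0 proposal "{proposal}"',
            f'set vpn "{vpn}" id 0x{first_vpn_id + n:x} bind interface {tun}',
            f'set vpn "{vpn}" proxy-id local-ip {local} remote-ip {r} "ANY"',
            f"set route {r} interface {tun}",
        ]
    return lines

if __name__ == "__main__":
    print("\n".join(build_multi_proxy_id_config(["10.100.135.0/24", "10.110.0.1/32"])))
```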