
Multiple Proxy IDs

Created by dave. Last edited by dave, 16 August 2012. Viewed 7,975 times.

Problem

I need to set up a VPN that requires multiple proxy-IDs. I can't use a policy-based VPN because I need MIP/DIP functionality across this tunnel, and a route-based VPN on ScreenOS before 6.3 only accepts a single proxy-ID per VPN.

Solution

Multiple proxy-IDs on a route-based VPN are supported from ScreenOS 6.3.0 onward (see the Juniper KB article on the subject).

If you can't/won't upgrade, you can use a work-around: one tunnel interface per proxy-ID, all of them sharing one loopback interface's MIP/DIP through a loopback group.

  • create a loopback interface with the required MIP/DIP configuration; its subnet is also the local proxy-ID for every tunnel
  • create multiple tunnel interfaces that are members of the loopback group you just created
  • create one Autokey IKE VPN entry per proxy-ID pair and bind each one to its own tunnel interface
  • create a route for each remote proxy-ID target subnet via the appropriate tunnel interface
Briefly:

> set interface "tunnel.10" zone "VPN"
> set interface "tunnel.11" zone "VPN"
> set interface "loopback.1" zone "VPN"
> set interface loopback.1 ip 10.99.99.1/26
> set interface loopback.1 route
> set interface tunnel.10 ip unnumbered interface ethernet0/2
> set interface tunnel.11 ip unnumbered interface ethernet0/2
> set interface "tunnel.10" loopback-group "loopback.1"
> set interface "tunnel.11" loopback-group "loopback.1"
> set interface loopback.1 dip 4 10.99.99.2 10.99.99.62

> set vpn "Partner-88 VPN - 10.100.135.0/24" gateway "Partner-88 Gateway" no-replay tunnel idletime 0 proposal "Partner-88"
> set vpn "Partner-88 VPN - 10.100.135.0/24" id 0x60 bind interface tunnel.10
> set vpn "Partner-88 VPN - 10.110.0.1/32" gateway "Partner-88 Gateway" no-replay tunnel idletime 0 proposal "Partner-88"
> set vpn "Partner-88 VPN - 10.110.0.1/32" id 0x61 bind interface tunnel.11
> set vpn "Partner-88 VPN - 10.100.135.0/24" proxy-id local-ip 10.99.99.0/26 remote-ip 10.100.135.0/24 "ANY"
> set vpn "Partner-88 VPN - 10.110.0.1/32" proxy-id local-ip 10.99.99.0/26 remote-ip 10.110.0.1/32 "ANY"

> set route 10.100.135.0/24 interface tunnel.10
> set route 10.110.0.1/32 interface tunnel.11

Notes:

  • Yeah, we have that many tunnel interfaces. More, actually; this is a simplified example.
  • This presumes you already have a "Partner-88 Gateway" (Phase 1) gateway defined.
  • Policy creation is left as an exercise for the reader. The outbound policy into the VPN zone has to apply the DIP (nat src dip-id 4) so that packets leave sourced from 10.99.99.0/26, the subnet the local proxy-ID advertises; a peer that enforces its proxy-IDs will drop anything sourced from elsewhere.
  • The VPN zone is one we created to hold the remote subnets of our VPN peers.
  • no-replay switches off IPsec anti-replay checking on those SAs. Leave it out unless the peer genuinely cannot cope with sequence-number checking.
  • Check the result with get sa active (one Phase 2 SA per tunnel, each with its own proxy-ID) and get route ip <remote address>, which should pick the matching tunnel interface.
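Because the real configuration has many more tunnels than the two shown, here is a small generator for the per-proxy-ID stanzas. It is an added example, not ScreenOS code and not the page author's own tooling: it reproduces the lines above from the same inputs (the page's partner name, gateway, proposal, loopback subnet, tunnel units 10 and 11 and vpn ids 0x60/0x61), refuses overlapping remote subnets, and leaves anti-replay enabled unless asked otherwise. The zone, loopback and ethernet0/2 defaults are taken from the page; the function and parameter names are assumptions.

```python
"""Generate the ScreenOS stanzas for the loopback-group work-around.

Added example (assumed names, not ScreenOS or the page author's code).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyIdTunnel:
    """One tunnel interface, one Phase 2 SA, one remote proxy-ID."""
    remote: ipaddress.IPv4Network
    tunnel_unit: int   # tunnel.<unit>
    vpn_id: int        # "set vpn ... id 0x.."


def plan_tunnels(remote_subnets, first_tunnel_unit=10, first_vpn_id=0x60):
    """Give each remote proxy-ID subnet its own tunnel unit and vpn id.

    Overlapping remote subnets are rejected: they would produce two static
    routes for the same destination and overlapping proxy-IDs, which is the
    ambiguity the one-tunnel-per-proxy-ID layout exists to avoid.
    """
    nets = [ipaddress.IPv4Network(s, strict=True) for s in remote_subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping remote subnets {a} and {b}")
    return [ProxyIdTunnel(net, first_tunnel_unit + i, first_vpn_id + i)
            for i, net in enumerate(nets)]


def render_config(partner, gateway, proposal, local_net, tunnels, zone="VPN",
                  loopback="loopback.1", unnumbered_if="ethernet0/2", dip_id=4,
                  no_replay=False):
    """Render the lines in the order the page gives them, as a list of strings."""
    local = ipaddress.IPv4Network(local_net, strict=True)
    hosts = list(local.hosts())
    if len(hosts) < 2:
        raise ValueError("local subnet needs an interface address plus a DIP range")
    # First usable address is the loopback's own IP; the rest become the DIP
    # pool, so traffic leaving via any member tunnel is sourced from local_net
    # and one local proxy-ID covers every tunnel.
    lb_ip, dip_first, dip_last = hosts[0], hosts[1], hosts[-1]
    # Anti-replay stays on unless explicitly disabled (the page's lines use no-replay).
    replay = "no-replay " if no_replay else ""
    out = [f'set interface "tunnel.{t.tunnel_unit}" zone "{zone}"' for t in tunnels]
    out += [f'set interface "{loopback}" zone "{zone}"',
            f"set interface {loopback} ip {lb_ip}/{local.prefixlen}",
            f"set interface {loopback} route"]
    out += [f"set interface tunnel.{t.tunnel_unit} ip unnumbered interface {unnumbered_if}"
            for t in tunnels]
    out += [f'set interface "tunnel.{t.tunnel_unit}" loopback-group "{loopback}"'
            for t in tunnels]
    out.append(f"set interface {loopback} dip {dip_id} {dip_first} {dip_last}")
    for t in tunnels:
        name = f"{partner} VPN - {t.remote}"
        out.append(f'set vpn "{name}" gateway "{gateway}" {replay}tunnel idletime 0 proposal "{proposal}"')
        out.append(f'set vpn "{name}" id 0x{t.vpn_id:x} bind interface tunnel.{t.tunnel_unit}')
        out.append(f'set vpn "{name}" proxy-id local-ip {local} remote-ip {t.remote} "ANY"')
    out += [f"set route {t.remote} interface tunnel.{t.tunnel_unit}" for t in tunnels]
    return out


def page_example(no_replay=True):
    """The two-proxy-ID case shown on this page, so the output can be diffed against it."""
    tunnels = plan_tunnels(["10.100.135.0/24", "10.110.0.1/32"],
                           first_tunnel_unit=10, first_vpn_id=0x60)
    return render_config("Partner-88", "Partner-88 Gateway", "Partner-88",
                         "10.99.99.0/26", tunnels, no_replay=no_replay)


if __name__ == "__main__":
    print("\n".join(page_example()))
```

Run it and paste the output into the CLI; with more remote subnets in the list it keeps the tunnel units and vpn ids sequential, which is what makes the per-tunnel routes and the get sa output easy to audit later.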