For When You Can't Have The Real Thing

Multiple Proxy-IDs Failure Mode

Created by dave. Last edited by dave, 9 years and 77 days ago. Viewed 2,138 times. #1
(2015-01-12)

Problem

I have a VPN where traffic works when the connection is initiated from the far side (inbound); outbound traffic, however, never reaches the far side.

Solution

This is an edge case. I was moving the VPN from one VR to another, and had to redefine the phase-2 connection because you can't transfer a phase-2 between gateway definitions that reside on different VRs. (Or something.)

So when I removed the VPN, I had to redefine the proxy-ID, and I did so like this:

set vpn MyVPN proxy-id local-ip 192.168.99.0/24 remote-ip 10.0.0.0/24 "ANY"

Because I am an idiot, it then turned out that the original VPN had the proxy-ID locked down to a single IP on my side, so I had to add a second proxy-ID:

set vpn MyVPN proxy-id local-ip 192.168.99.1/32 remote-ip 10.0.0.0/24 "ANY"

Inbound traffic now works. However, because the GUI doesn't let you delete proxy-IDs, I did not remove the first, incorrect definition.

This, of course, leaves us with two VPNs set up on one gateway: one with the incorrect proxy-ID and one with the correct one. And because the first one defined matched the outbound traffic, the firewall would always try to use it, even though that VPN was actually down (the other end had no matching proxy-ID defined).

So: remove the incorrect proxy-ID from the command line and everything works.

Summary

Proxy-ID pairs are evaluated in the order they are defined, not by best match: the first pair that matches the traffic is the one used.
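To make the summary concrete, here is an added Python model (not from this page and not Juniper's code) of first-match versus best-match proxy-ID selection, using the two proxy-IDs defined above. The flow addresses and the peer_has_it flag are assumptions standing in for the far side's phase-2 configuration.

```python
# Added example: models how the firewall picked a proxy-ID for outbound
# traffic, as described above (first defined match wins, not most specific).
# The prefixes are the page's own; flow addresses are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProxyId:
    local: str          # local-ip prefix as typed in "set vpn ... proxy-id"
    remote: str         # remote-ip prefix
    peer_has_it: bool   # assumption: far side has a matching phase-2 definition


def matches(pid: ProxyId, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(pid.local)
            and ip_address(dst) in ip_network(pid.remote))


def first_match(pids, src, dst):
    """Order-of-definition evaluation (what the page observed)."""
    for pid in pids:
        if matches(pid, src, dst):
            return pid
    return None


def best_match(pids, src, dst):
    """Longest-prefix evaluation, for comparison; NOT what the firewall did."""
    hits = [p for p in pids if matches(p, src, dst)]
    if not hits:
        return None
    return max(hits, key=lambda p: (ip_network(p.local).prefixlen,
                                    ip_network(p.remote).prefixlen))


# The two proxy-IDs from the page, in the order they were defined.
AS_DEFINED = [
    ProxyId("192.168.99.0/24", "10.0.0.0/24", peer_has_it=False),  # stale
    ProxyId("192.168.99.1/32", "10.0.0.0/24", peer_has_it=True),   # correct
]
# After the fix: the stale entry has been deleted from the CLI.
AFTER_FIX = AS_DEFINED[1:]


def outbound_ok(pids, src="192.168.99.1", dst="10.0.0.10") -> bool:
    """Outbound traffic only gets through if the chosen proxy-ID is one the
    peer actually negotiates a phase-2 SA for."""
    chosen = first_match(pids, src, dst)
    return chosen is not None and chosen.peer_has_it
```

With both entries present, first_match picks the stale /24 while best_match would have picked the /32; deleting the stale entry is what makes outbound_ok succeed.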
