Proxy Ids and Route Based VPNs
05-15-2019 04:41 AM - last edited on 05-15-2019 06:43 AM by Monica Lluis
Hi,
I have a query regarding Proxy IDs and Route based VPNs.
I understand that the proxy IDs that we use while configuring the VPN peers should match on both ends (for the tunnel to come UP). Let us say I have this scenario:
I have configured a VPN tunnel between 2 networks x.x.x.x/q and y.y.y.y/w, and the proxy IDs that I have used for this VPN configuration are a subnet of the 2 networks (i.e. a subnet of x.x.x.x/q and of y.y.y.y/w respectively). After the tunnel comes up, I create VTIs on both ends and now I need to configure routing (to route traffic to the other network via the tunnel interfaces).
Let us say I add a route (manually) for a destination CIDR (r.r.r.r/t, which lies in the network y.y.y.y/w but does not fall under the proxy IDs configured) pointing to the tunnel interface in the routing table of the VPN device. So in this case, will the VPN device still encrypt it and send it over the tunnel, or does it just drop it because the proxy IDs do not match?
Thanks!
Labels: Other Routing
05-15-2019 07:09 AM
The traffic will be sent into the tunnel. Just think about the flow of the data:
If you have the policy-based VPN, the processing starts when your crypto-map on the outside interface "sees" the traffic matching the crypto-acl. With an additional route-based VPN on that device, the traffic is routed into the tunnel before the crypto-map has any chance of getting that traffic. If the tunnel is established over the interface with the crypto-map, the crypto-map will still not act on the traffic as it's encapsulated traffic now.
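The processing order described in the reply above, as an added Python model written for this thread (it is not code from the thread or from any vendor); the prefixes, interface names and tunnel endpoints are constructed, and the crypto ACL is assumed to belong to a separate policy-based peer on the same box:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


# Constructed topology: local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16 over a VTI.
# Longest prefix wins. 10.2.5.0/24 plays r.r.r.r/t from the question: inside the
# remote LAN but outside the proxy IDs negotiated for the route-based tunnel.
ROUTES = [
    ("10.2.1.0/24", "Tunnel0"),
    ("10.2.5.0/24", "Tunnel0"),
    ("0.0.0.0/0", "GigabitEthernet0/0"),
]
# Crypto ACL of an additional policy-based VPN whose crypto map sits on Gi0/0.
CRYPTO_ACL = [("10.1.1.0/24", "10.3.0.0/16")]
TUNNEL_SRC, TUNNEL_DST = "203.0.113.1", "198.51.100.1"  # constructed endpoints


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def crypto_acl_matches(pkt: Packet) -> bool:
    return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(d)
               for s, d in CRYPTO_ACL)


def forward(pkt: Packet) -> str:
    """Routing runs before the crypto map on the outside interface gets a look."""
    iface = route_lookup(pkt.dst)
    if iface.startswith("Tunnel"):
        # Route-based path: the VTI encapsulates first, so the outside interface
        # only sees ESP between the tunnel endpoints, which the crypto ACL never matches.
        outer = Packet(TUNNEL_SRC, TUNNEL_DST, "esp")
        assert not crypto_acl_matches(outer)
        return "encrypted via VTI"
    # Policy-based path: the crypto map classifies the cleartext packet on Gi0/0.
    return "encrypted via crypto map" if crypto_acl_matches(pkt) else "sent in clear"
```

The model only shows the Cisco ordering the reply describes; a platform that enforces negotiated selectors on the tunnel interface itself would need a different check at the `Tunnel` branch.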
05-15-2019 07:33 AM
Thanks for the insight. Is it specific to Cisco devices? I’ve come across a few articles (for example strongSwan) which say that the traffic should still match the proxy IDs even though you’ve sent it directly to the tunnel interface.
Applying your explanation, I’m not really sure how it is checked.
Thanks again!
05-15-2019 08:10 AM
It is specific to the device. The policy has to be applied somewhere. On Cisco devices it's typically on the outside interface. On a Linux box it's probably somewhere else.
