Proxy IDs and Route Based VPNs

adityamysore17
Level 1

Hi,

I have a query regarding proxy IDs and route-based VPNs.

I understand that the proxy IDs that we use while configuring the VPN peers should match on both ends (for the tunnel to come up). Let us say I have this scenario:

I have configured a VPN tunnel between two networks, x.x.x.x/q and y.y.y.y/w, and the proxy IDs that I have used for this VPN configuration are a subnet of the two networks (i.e. a subnet of x.x.x.x/q and of y.y.y.y/w respectively). After the tunnel comes up, I create VTIs on both ends and now I need to configure routing (to route traffic to the other network via the tunnel interfaces).

Let us say I add a route (manually) for a destination CIDR (r.r.r.r/t, which lies in the network y.y.y.y/w but does not fall under the proxy IDs configured) pointing to the tunnel interface in the routing table of the VPN device. So in this case, will the VPN device still encrypt it and send it over the tunnel, or does it just drop it because the proxy IDs do not match?

Thanks!

3 Replies

The traffic will be sent into the tunnel. Just think about the flow of the data:

If you have the policy-based VPN, the processing starts when your crypto map on the outside interface "sees" the traffic matching the crypto ACL. With an additional route-based VPN on that device, the traffic is routed into the tunnel before the crypto map has any chance of getting that traffic. If the tunnel is established over the interface with the crypto map, the crypto map will still not act on the traffic, as it's encapsulated traffic now.

Hi,

Thanks for the insight. Is it specific to Cisco devices? I've come across a few articles (for example strongSwan) which say that the traffic should still match the proxy IDs even though you've sent it directly to the tunnel interface.

Applying your explanation, I'm not really sure how it is checked.

Thanks again!



It is specific to the device. The policy has to be applied somewhere. On Cisco devices it's typically on the outside interface. On a Linux box it's probably somewhere else.
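
The two behaviours discussed in this thread (the first reply's "routed into the tunnel before the crypto map sees it" and the second post's "still has to match the proxy IDs") can be modelled side by side. The following is an added example written for this page, not code from Cisco, strongSwan or any poster; the gateway class, the `enforce_selectors_on_tunnel` switch, the interface names `Gi0/0` and `Tunnel0`, and the 10.1.0.0/16 and 10.2.0.0/16 addressing are all constructed to stand in for the x.x.x.x/q, y.y.y.y/w and r.r.r.r/t of the question. It models only the sending gateway's decision: route lookup first, then either the tunnel interface (with or without a selector check) or the crypto ACL on the outside interface.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnGateway:
    """Toy model of one VPN gateway's egress decision (hypothetical, not vendor code)."""
    # Static routes as (destination prefix, egress interface); longest prefix wins.
    routes: list
    # Policy-based VPN: crypto ACL bound to the outside interface, as (src, dst) prefixes.
    crypto_acl: list = field(default_factory=list)
    # Route-based VPN: tunnel interface name -> (local proxy ID, remote proxy ID).
    tunnels: dict = field(default_factory=dict)
    # True: a packet routed into a tunnel interface must still match that tunnel's
    # proxy IDs (the behaviour the second post says the strongSwan articles describe).
    # False: the route alone decides, as the first reply describes for Cisco.
    enforce_selectors_on_tunnel: bool = False

    def lookup_route(self, dst):
        """Longest-prefix match over the static routes; returns the egress interface."""
        best_net, best_iface = None, None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_iface = net, iface
        return best_iface

    def forward(self, src, dst):
        """Decide what happens to a packet from src to dst leaving this gateway."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        iface = self.lookup_route(dst)
        if iface is None:
            return "drop: no route"
        if iface in self.tunnels:
            # Route-based path: the packet reached the tunnel interface by routing,
            # so the crypto map on the outside interface never sees it in clear.
            local_ts, remote_ts = self.tunnels[iface]
            matches = (src in ipaddress.ip_network(local_ts)
                       and dst in ipaddress.ip_network(remote_ts))
            if self.enforce_selectors_on_tunnel and not matches:
                return f"drop: proxy-ID mismatch on {iface}"
            return f"encrypt via {iface}"
        # Policy-based path: the outside interface's crypto ACL decides.
        for acl_src, acl_dst in self.crypto_acl:
            if src in ipaddress.ip_network(acl_src) and dst in ipaddress.ip_network(acl_dst):
                return f"encrypt via crypto map on {iface}"
        return f"clear via {iface}"


# Constructed scenario mirroring the question (addresses are assumptions).
LOCAL_NET, REMOTE_NET = "10.1.0.0/16", "10.2.0.0/16"        # x.x.x.x/q and y.y.y.y/w
PROXY_LOCAL, PROXY_REMOTE = "10.1.1.0/24", "10.2.1.0/24"    # proxy IDs, subnets of the above
EXTRA_ROUTE = "10.2.5.0/24"  # r.r.r.r/t: inside y.y.y.y/w but outside the proxy IDs

ROUTES = [("0.0.0.0/0", "Gi0/0"), (PROXY_REMOTE, "Tunnel0"), (EXTRA_ROUTE, "Tunnel0")]
TUNNELS = {"Tunnel0": (PROXY_LOCAL, PROXY_REMOTE)}

# Route-based VTI as the first reply describes: the route alone sends traffic into the tunnel.
cisco_like = VpnGateway(routes=ROUTES, tunnels=TUNNELS)
# Same routes, but proxy IDs are enforced on the tunnel interface as well.
selector_checking = VpnGateway(routes=ROUTES, tunnels=TUNNELS, enforce_selectors_on_tunnel=True)
# Pure policy-based device: crypto map on the outside interface, no VTI.
policy_only = VpnGateway(routes=[("0.0.0.0/0", "Gi0/0")], crypto_acl=[(PROXY_LOCAL, PROXY_REMOTE)])

if __name__ == "__main__":
    for name, gw in [("cisco_like", cisco_like), ("selector_checking", selector_checking),
                     ("policy_only", policy_only)]:
        print(f"{name:18} 10.1.1.10 -> 10.2.5.10: {gw.forward('10.1.1.10', '10.2.5.10')}")
```

Running it shows the three outcomes for the same packet to r.r.r.r/t: `cisco_like` encrypts it via Tunnel0, `selector_checking` drops it on the proxy-ID mismatch, and `policy_only` sends it in clear out of Gi0/0 because the crypto ACL does not match. The model stops at the sending gateway; the receiving peer applies its own inbound policy to decrypted traffic, so for the flow to actually work end to end the far side's selectors must cover r.r.r.r/t as well.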