I would really appreciate some clarification on the following matter.
What I'm seeing
I'm looking at two different SRX210 firewalls, specifically at their ipsec stanza.
I'm seeing the following, which makes me wonder about proxy-identity:
admin@firewall> show configuration security ipsec vpn <vpn-name>
bind-interface st0.1;
ike {
    gateway <gateway>;
    proxy-identity;
    ipsec-policy <policy-name>;
}
If I type a question mark after ike, the following is produced, which is of no help to me in understanding this:
admin@firewall# set security ipsec vpn <vpn-name> ike ?
Possible completions:
> proxy-identity IPSec proxy-id to use in IKE negotiations
The question
What are the effects, if any, of entering nothing after proxy-identity in the configuration of an SRX?
Note: all names and identities have been replaced for security's sake.
Thanks in advance!
Best Answer
Proxy-identity defaults to whatever you have set on the policy (in case of policy-based VPN). In case of route-based VPN, it defaults to:
Proxy-identity is used only for negotiating the IKE phase of the VPN, and has to mirror the proxy-identity that is set on the other side of the VPN tunnel. It has no effect on actually routing or permitting traffic through the tunnel once it has been established; that has to be done with routes and/or policies.
This is easily verified if you have access to Juniper routers where you can mess around with the VPN settings.
no proxy-identity settings
Testing default settings without mentioning proxy-identity.
The VPN is established, using 0.0.0.0/0 as local and remote subnets:
real proxy-identity settings
As a second test, I've added real proxy-identity settings to match my remote and local subnets:
As expected, the tunnel is established using the proper local and remote subnet information:
blank proxy-identity
Now I'll remove the local and remote subnets from the proxy-identity stanza:
The tunnel is re-established using 0.0.0.0/0 as local and remote subnets.
In other words, my assumption is correct and leaving the stanza blank means the router uses its default settings.
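To make the answer concrete, here is an added example of a route-based SRX VPN written out both ways: once with the bare proxy-identity statement (which, as the tests above show, is negotiated as 0.0.0.0/0 on both sides, the same as leaving it out entirely) and once with explicit local and remote subnets. This is not configuration from the original question or answer; the VPN name, gateway name, policy name, interface and the 10.10.0.0/24 and 10.20.0.0/24 subnets are all hypothetical.

```junos
/* Added example, not from the original post. All names and addresses are hypothetical. */

/* Case 1: bare proxy-identity. The SRX proposes 0.0.0.0/0 <-> 0.0.0.0/0 as the
   phase 2 traffic selector, exactly as if the statement were absent. The peer
   must accept that wildcard pair or the SA will not come up. */
security {
    ipsec {
        vpn site-b-vpn {
            bind-interface st0.1;
            ike {
                gateway site-b-gw;
                proxy-identity;
                ipsec-policy site-b-ipsec-pol;
            }
        }
    }
}

/* Case 2: explicit proxy-identity. The peer has to present the mirror image:
   its local = our remote (10.20.0.0/24) and its remote = our local (10.10.0.0/24),
   with a matching service, or phase 2 fails on a proxy-ID mismatch. */
security {
    ipsec {
        vpn site-b-vpn {
            bind-interface st0.1;
            ike {
                gateway site-b-gw;
                proxy-identity {
                    local 10.10.0.0/24;
                    remote 10.20.0.0/24;
                    service any;
                }
                ipsec-policy site-b-ipsec-pol;
            }
        }
    }
}

/* The same Case 2 change in set format, for the configuration-mode CLI: */
set security ipsec vpn site-b-vpn ike proxy-identity local 10.10.0.0/24
set security ipsec vpn site-b-vpn ike proxy-identity remote 10.20.0.0/24
set security ipsec vpn site-b-vpn ike proxy-identity service any
```

After committing either case, `show security ipsec security-associations detail` from operational mode shows the identities that were actually negotiated for the SA, so you can confirm whether you ended up with the wildcard pair or with the subnets you intended. Two practical caveats: a single proxy-identity stanza carries exactly one local/remote pair, so a tunnel that must carry several subnet pairs either needs a peer that accepts 0.0.0.0/0 (Case 1) or, on newer Junos releases, the traffic-selector mechanism instead of proxy-identity; and in neither case is the proxy ID an access control. What is allowed through st0.1 is decided by the routes pointing at it and the security policies between the zones, which is the point the answer makes.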