Why does policy based VPN need Proxy IDs and how does it exactly work?

First question

I understand that route based VPNs don’t need them because of a routing table entry: if destination = X, use tunnel interface Y to send out packets to that destination, so there is a predefined route from source to destination.

But why does policy based VPN need Proxy IDs and how are they exactly used? Would be nice if someone could explain it in a packet flow kind of way.

Side question

I’ve seen on some websites that you can configure Proxy IDs for route based VPN. What’s the reason for that? Is it because of compatibility reasons, like if the firewall or router on the other side can only use policy based VPN? This suggests that one side can use route based VPN and the other one policy based VPN and create a functioning tunnel.

You’ve answered your side question already. It is for route and policy based compatibility.

On a policy based VPN proxy IDs are defined in an access list. Instead of a route into a tunnel, the access list defines traffic that the VPN should find “interesting”.

You apply the ACL to the VPN/crypto map and when the router sees traffic that matches the ACL it tries to fire up the VPN.

Your side question: when one side is policy-based, it’s very likely you need to match the proxy IDs for the phase 2 tunnels to come up. Different platforms will play differently with each other, but generally you’ll need to do that. If you dig into diag/stats screens of the phase 2 (IPsec) tunnels, you can see they will always have associated proxy IDs, whether they are 0.0.0.0/0 / 0.0.0.0/0 or more defined networks. It’s also not uncommon to see multiple phase 2 tunnels with policy-based VPNs. If you can, just do route based VPNs. Leave the IDs 0.0.0.0/0 / 0.0.0.0/0 and control what goes over the tunnel with routing. It’s just easier. Especially if you control both ends and they are the same platform.

Proxy IDs are simply what networks should be sent over the tunnel. Very similar to policy based routing/forwarding, where the router/firewall uses a policy to override the routing table. Route based VPN uses a VTI interface which allows static and dynamic routing to work just like a physical interface. Now vendors like Palo Alto and maybe some others still use a tunnel interface with “proxy IDs”, which can be a little confusing, but it’s just their way of maintaining compatibility with more traditional policy based VPNs.

VPN proxy IDs are defined in an access list

What do they do?

Wouldn’t 0.0.0.0/0 / 0.0.0.0/0 send all traffic, except for known networks, to the peer? That seems to be overkill, isn’t it?

When a route based VPN is used with a policy based one.

The policy based side will require the sender to tell it what it has configured for interesting VPN traffic; that’s the proxy ID you set.

0.0.0.0/0 for phase 2 is just for negotiation. What actually goes into the tunnel is defined by routing.

If I understand it correctly:

In a route based VPN my Router or FW would encrypt, hash etc. on all traffic that matches the routing table entry src - dst → tunnel interface X.

In a policy based VPN my Router or FW would do the same on all traffic that matches the Proxy IDs (basically ACL entries) aka interesting traffic?

So it’s only necessary for route based VPNs?

It’s not necessary at all, but only route-based VPNs can do it.
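As an added illustration, not posted by anyone in this thread, here is a small Python model of the two forwarding paths discussed above: phase 2 proxy-ID mirroring that a policy-based peer insists on, crypto-ACL selection of “interesting” traffic, and longest-prefix routing into a tunnel interface when the proxy IDs are left at 0.0.0.0/0. All addresses, ACL entries and interface names are constructed for the example.

```python
import ipaddress
from typing import Optional

# Added example (not from the thread). Constructed site-to-site setup:
# site A is 10.1.0.0/24, site B is 10.2.0.0/24.

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)

def proxy_ids_match(a_local: str, a_remote: str, b_local: str, b_remote: str) -> bool:
    """Phase 2 negotiation: A's local/remote proxy ID must mirror B's remote/local.
    Exact mirroring is assumed here (the strict behaviour many IKEv1 peers show)."""
    return net(a_local) == net(b_remote) and net(a_remote) == net(b_local)

def policy_based_select(acl, src: str, dst: str) -> Optional[str]:
    """Policy-based forwarding: the crypto ACL (the proxy IDs) decides what is
    'interesting'; the first entry matching src AND dst sends the packet into the VPN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, vpn in acl:
        if s in net(local) and d in net(remote):
            return vpn
    return None  # not interesting: forwarded in the clear via the normal routing table

def route_based_select(routes, dst: str) -> Optional[str]:
    """Route-based forwarding: longest-prefix match on destination; whatever
    resolves to the tunnel interface gets encrypted, proxy IDs play no part."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        n = net(prefix)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None

# Constructed configuration for site A.
CRYPTO_ACL = [("10.1.0.0/24", "10.2.0.0/24", "vpn-to-B")]       # policy-based side
ROUTES = [("0.0.0.0/0", "eth0"), ("10.2.0.0/24", "tunnel.1")]     # route-based side

if __name__ == "__main__":
    # Policy-based peers must mirror each other; a /16 on one side breaks phase 2.
    print(proxy_ids_match("10.1.0.0/24", "10.2.0.0/24", "10.2.0.0/24", "10.1.0.0/24"))  # True
    print(proxy_ids_match("10.1.0.0/24", "10.2.0.0/24", "10.2.0.0/24", "10.1.0.0/16"))  # False
    # Route-based with 0.0.0.0/0 proxy IDs: negotiation succeeds, routing decides...
    print(proxy_ids_match("0.0.0.0/0", "0.0.0.0/0", "0.0.0.0/0", "0.0.0.0/0"))          # True
    print(route_based_select(ROUTES, "10.2.0.7"), route_based_select(ROUTES, "8.8.8.8"))  # tunnel.1 eth0
    # ...so Internet-bound traffic is not swallowed by the tunnel despite the 0.0.0.0/0 IDs.
    print(policy_based_select(CRYPTO_ACL, "10.1.0.5", "10.2.0.7"))  # vpn-to-B
```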