SRX

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Expand all | Collapse all

SRX-Difference Between static route and traffic-selector.

Jump to Best Answer
  • 1.  SRX-Difference Between static route and traffic-selector.

    Posted 06-19-2017 20:17

    Hi,

    i would like to understand the difference between apply traffic selector in a vpn or apply a static route using the st0.x associated with security vpn.

     

    Scenario:

    source: 10.10.10.0/24

    destination: 10.20.20.0/24

     

    Follow the two statement to reach the configuration:

     

    Traffic selector config:

    set security ipsec vpn VPN-10 traffic-selector NET-10 local-ip 10.10.10.0/24

    set security ipsec vpn VPN-10 traffic-selector NET-10 local-ip 10.20.20.0/24

     

    Static route:

    set routing-options static route 10.20.20.0/24 next-hop st0.10

     

    Both configuration is working to me, but, i would like to understand the difference between both way to deploy.

     

    Tks,

    Joao Victor

     



  • 2.  RE: SRX-Difference Between static route and traffic-selector.

     
    Posted 06-19-2017 21:35

    Hello,

     

    Traffic-selector makes sure that Phase 2 comes up with spcific Proxy-IDs (traffic permitted to go through the tunnel).

    Static route pointing to st0.x does not guaranteee that traffic will flow through the tunnel if the source-destination combination is not part of traffic selector.

     

    Regards,

     

    Rushi



  • 3.  RE: SRX-Difference Between static route and traffic-selector.

    Posted 06-20-2017 07:27

    Rtilak, tks a lot for your precisous answer. But one more question:

     

    1- what the advantage in use of static routes using the next-hop as st0.x? I know that is easer configure route instead of use traffic-selector. Can i face a some problem if we deloy static routes with st0.x as next-hop?

     

    Tks,

    João Victor



  • 4.  RE: SRX-Difference Between static route and traffic-selector.

     
    Posted 06-20-2017 19:33

    Hello,

     

    route and proxy-ids are two different things. Perhaps a dummy example would be good here.

     

    Let us say you have a local subnets of 10.10.10.0/24 & 10.10.20.0/24 & remote subnet of 192.168.1.0/24. And you have traffic-selector configured as local - 10.10.10.0/24 Remote - 192.168.1.0/24 as well as local - 10.10.20.0/24 & remote 192.168.1.0/24

     

    * route to 192.168.1.0/24 with next-hop st0.0 will ensure that any packet with any source going to destination 192.168.1.0 will

      be sent to st0.0

    * But traffic selectors configured above will ensure that only traffic from either 10.10.10.0/24 or 10.10.20.0/24 and going to 192.168.1.0/24 will be allowed to get encrypted.

     

    Regards,

     

    Rushi

     



  • 5.  RE: SRX-Difference Between static route and traffic-selector.

    Posted 06-12-2021 00:02
    sorry, I'm a bit confused here. I thought if you set up a vpn and bind the tunnel to st0 interface and route the traffic to the st0 interface, all traffic will be encrypted going to st0, correct?
    if the st0 is not bind to a vpn config, traffic send to st0 will not be encrypted, correct? 
    So as long as st0 interface in bind to the vpn, even if we use proxy-id for local and remote is set to 0.0.0.0 for the vpn config instead of TS, traffic will still be encrypted going to the st0 interface.  That's my understanding. correct me if I'm wrong.

    Thanks





  • 6.  RE: SRX-Difference Between static route and traffic-selector.
    Best Answer

    Posted 06-21-2017 04:14

    Traffic selectors provide you more granular control of the VPN traffic. When static route to st0 all permitted traffic will enter tunnel and access all resources allowed on the other end.

    Traffic selectors as indicated by rt, will allow to defince which IP will access which remote resource.



  • 7.  RE: SRX-Difference Between static route and traffic-selector.

    Posted 06-22-2017 06:50

    Thanks a lot for your clarification. You´re really clarify the question for me. You´re great! 

     

    Tks a lot for your precious answer. Smiley Wink