I would like to understand the difference between applying a traffic selector in a VPN and applying a static route using the st0.x interface associated with the security VPN.
The two statements used for the configuration follow:
Traffic selector config:
set security ipsec vpn VPN-10 traffic-selector NET-10 local-ip 10.10.10.0/24
set security ipsec vpn VPN-10 traffic-selector NET-10 remote-ip 10.20.20.0/24
Static route config:
set routing-options static route 10.20.20.0/24 next-hop st0.10
Both configurations work for me, but I would like to understand the difference between the two ways of deploying it.
Traffic-selector makes sure that Phase 2 comes up with specific Proxy-IDs (traffic permitted to go through the tunnel).
A static route pointing to st0.x does not guarantee that traffic will flow through the tunnel if the source/destination combination is not part of the traffic selector.
Rtilak, thanks a lot for your precious answer. But one more question:
1- What is the advantage of using static routes with st0.x as the next-hop? I know that it is easier to configure a route than to use a traffic-selector. Can I face any problems if we deploy static routes with st0.x as the next-hop?
Routes and proxy-IDs are two different things. Perhaps a dummy example would be good here.
Let us say you have local subnets of 10.10.10.0/24 and 10.10.20.0/24 and a remote subnet of 192.168.1.0/24, and you have traffic-selectors configured as local 10.10.10.0/24 / remote 192.168.1.0/24 as well as local 10.10.20.0/24 / remote 192.168.1.0/24.
* A route to 192.168.1.0/24 with next-hop st0.0 will ensure that any packet from any source going to destination 192.168.1.0/24 will be sent to st0.0.
* But the traffic selectors configured above will ensure that only traffic from either 10.10.10.0/24 or 10.10.20.0/24 and going to 192.168.1.0/24 will be allowed to get encrypted.
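The dummy topology above, written out as Junos set commands so the two approaches can be compared side by side. This is an added example, not configuration posted in the thread; the VPN name TO-REMOTE, the traffic-selector names TS-10/TS-20, the zone name vpn and the policy name TRUST-TO-VPN are assumptions, and the lines starting with # are explanatory notes to drop before pasting into the CLI.

```junos
# Added example (not from the original thread). Names are assumptions.

# Route-based VPN bound to a tunnel interface placed in its own zone
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn TO-REMOTE bind-interface st0.0

# Traffic selectors = the Phase 2 proxy-IDs negotiated with the peer.
# Only these local/remote pairs are covered by the IPsec SAs, so only
# 10.10.10.0/24 -> 192.168.1.0/24 and 10.10.20.0/24 -> 192.168.1.0/24
# can be encrypted; anything else reaching st0.0 is dropped.
set security ipsec vpn TO-REMOTE traffic-selector TS-10 local-ip 10.10.10.0/24
set security ipsec vpn TO-REMOTE traffic-selector TS-10 remote-ip 192.168.1.0/24
set security ipsec vpn TO-REMOTE traffic-selector TS-20 local-ip 10.10.20.0/24
set security ipsec vpn TO-REMOTE traffic-selector TS-20 remote-ip 192.168.1.0/24

# The alternative discussed in the thread: a plain static route. It
# steers every source toward st0.0, regardless of what Phase 2 carries.
set routing-options static route 192.168.1.0/24 next-hop st0.0

# The security policy still decides what may cross from trust to vpn.
# A broad policy like this is what makes "all permitted traffic" hit
# the tunnel when only the static route is used to select traffic.
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address any
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address any
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match application any
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN then permit
```

Two checks tie the thread's point to the box: show security ipsec security-associations detail lists the proxy-IDs actually negotiated for each SA, and show route 192.168.1.0/24 shows which next-hop carries the traffic. Note that on the SRX, configuring traffic selectors enables auto route insertion, so the remote prefixes from the selectors are installed toward st0.0 by the VPN itself and the separate static route is not needed in that case; keeping both is harmless, but the selector, not the route, is what bounds the encrypted traffic.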
Traffic selectors give you more granular control of the VPN traffic. With a static route to st0, all permitted traffic will enter the tunnel and access all resources allowed on the other end.
Traffic selectors, as indicated by rt, will allow you to define which IP will access which remote resource.
Thanks a lot for your clarification. You really clarified the question for me. You're great!
Thanks a lot for your precious answer.