What are the differences between proxy-ID and traffic selector, and when should each be used?
Proxy-ID and traffic selector both perform an identical function: define the set of traffic that can go over the tunnel.
With proxy-ID, a single VPN (bound to a tunnel interface) can have a single local subnet and a single remote subnet.
If there are multiple subnets on each side of a route-based VPN, since a single tunnel interface can have only a single set of remote and local subnets, the solution used to become complex, involving multiple tunnel interfaces and/or routing instances with FBF.
But with the introduction of traffic selectors in a route-based VPN, this complexity is gone. You create a single VPN (bound to a tunnel interface) and configure the permitted subnets under the traffic selector.
For more information, you can refer to the links below:
When using a route-based VPN but there is a single subnet behind the local device and the remote device that needs to communicate over the VPN. This is what I explained in my earlier reply as well.
Sorry for bothering,
What I got is that if I have multiple subnets on both sides and I want just a single subnet to be permitted through the tunnel, then I use a traffic selector (proxy-ID).
So its function here is similar to a security policy? And if I'm understanding correctly, why can't I just use a security policy or a stateless filter to do this?
By default, the proxy-IDs of a route-based tunnel are source 0.0.0.0/0, destination 0.0.0.0/0 and application any.
If you needed to configure a route-based VPN with a peer which did not understand the above default proxy-IDs, some configuration was needed to set the proxy-IDs manually, and it was:
* set security ipsec vpn <name> ike proxy-identity local <local subnet> remote <remote subnet>
This was OK for a scenario where there is one subnet each behind the two VPN peers. But if one wanted to use a route-based VPN with multiple subnets behind the VPN gateways, complexity increased, as per VPN only a single subnet pair was configurable, so you needed to create multiple tunnel interfaces, multiple VPNs and in some cases routing instances.
So to tackle this, the traffic-selector configuration was introduced. With traffic selectors, only one VPN with one tunnel interface can cater for multiple-subnet to multiple-subnet communication.
Now, after the VPN establishes as per the proxy-ID configuration or the traffic selectors, if you need granular control over the traffic passing through the VPN, you can take the help of security policies or firewall filters.
So proxy-ID (the primitive way) and traffic selector are equivalent to the crypto map access-list on other vendors' devices.
Security policies and firewall filters can be configured like the vpn-filter access-list on other vendors' devices.
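To make the difference concrete, here is an added Junos configuration example (not from the original post). It contrasts the legacy single proxy-ID pair with a traffic-selector VPN carrying two subnet pairs on one st0 interface, and then narrows the permitted traffic with a security policy; the VPN, gateway, interface, address and subnet names are assumed for illustration.

```junos
## Legacy route-based VPN: one subnet pair per VPN via proxy-identity.
## The static route to the remote subnet must be added by hand.
set security ipsec vpn vpn-legacy bind-interface st0.0
set security ipsec vpn vpn-legacy ike gateway gw-peer
set security ipsec vpn vpn-legacy ike proxy-identity local 10.1.1.0/24
set security ipsec vpn vpn-legacy ike proxy-identity remote 192.168.10.0/24
set security ipsec vpn vpn-legacy ike proxy-identity service any
set routing-options static route 192.168.10.0/24 next-hop st0.0

## Traffic selectors: one VPN, one st0, several local/remote pairs.
## Each selector negotiates its own SA; routes to the remote-ip
## prefixes are auto-inserted via st0.1 when the SA comes up.
set security ipsec vpn vpn-ts bind-interface st0.1
set security ipsec vpn vpn-ts ike gateway gw-peer
set security ipsec vpn vpn-ts traffic-selector ts-a local-ip 10.1.1.0/24
set security ipsec vpn vpn-ts traffic-selector ts-a remote-ip 192.168.10.0/24
set security ipsec vpn vpn-ts traffic-selector ts-b local-ip 10.1.2.0/24
set security ipsec vpn vpn-ts traffic-selector ts-b remote-ip 192.168.20.0/24

## Granular control is NOT the selector's job: neither selector nor
## proxy-ID carries ports, so restrict to SSH with a security policy.
set security address-book global address lan-a 10.1.1.0/24
set security address-book global address remote-a 192.168.10.0/24
set security policies from-zone trust to-zone vpn policy allow-ssh match source-address lan-a
set security policies from-zone trust to-zone vpn policy allow-ssh match destination-address remote-a
set security policies from-zone trust to-zone vpn policy allow-ssh match application junos-ssh
set security policies from-zone trust to-zone vpn policy allow-ssh then permit
set security policies from-zone trust to-zone vpn policy deny-rest match source-address any
set security policies from-zone trust to-zone vpn policy deny-rest match destination-address any
set security policies from-zone trust to-zone vpn policy deny-rest match application any
set security policies from-zone trust to-zone vpn policy deny-rest then deny
```

After commit, `show security ipsec security-associations` lists one SA per traffic selector and `show route` shows the auto-inserted 192.168.x.0/24 routes via st0.1, while only SSH from 10.1.1.0/24 actually crosses the tunnel.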
Thank you, Mr. Rushi.
This is not entirely true ... traffic selector does allow you to specify multiple local/remote subnets, but it does not allow you to specify application protocol/ports. If the VPN peer is not Juniper, say Cisco IOS/ASA, which can define a crypto-ACL (aka proxy-IDs) with source and destination port, you will need to configure proxy-identity on Junos to interop, or configure a policy-based VPN altogether.
I can use a Cisco ASA with crypto maps on one side and an SRX with traffic-selector on the other side, with no problem. I have this deployed and working fine 🙂.
With Juniper NetScreen OS firewalls, you can configure multiple proxy identities (in some cases after an OS update), but in SRX gateways that same goal is achieved by traffic selectors. Also, traffic selectors have the advantage of auto-injecting routes into the routing table without the need to manually define the route, but with proxy identity you have to configure the route. That's another difference. The traffic-selector option is not available in NetScreen OS devices.