Regarding that policy-based VPN creates individual SAs:
Is this behavior related to each host or to each policy?
1. For example, if I have a subnet on each site, whenever a host initiates traffic to a host on the other site, is a new tunnel generated (separate SA)?
2. Or does it mean that if I'm using multiple security policies referencing the same tunnel, each security policy is considered an individual SA?
#2 - each security policy creates the SA, yielding the proxy-id for the IPsec VPN.
I had thought the same way until I found an article on Juniper which is confusing.
Right, the point is the proxy-id pairs are based on the address objects in the policy, not on the address triggering the IPsec tunnel.
For example, the policy has:
This will yield 6 proxy-id pairs.
When a device at 192.168.1.100 creates traffic to 10.1.1.25,
this pair will come up: 192.168.1.0/24 - 10.1.1.0/24
Likewise any specific traffic initiated will match the appropriate pair from the policy but will not generate a pair that is not configured in the policy.
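The proxy-ID behaviour described in the reply above, as an added example that is not from the thread or from Juniper: the pairs are the cross product of the policy's source and destination address objects, and a flow either matches one of those pairs or brings up nothing. The policy (three source objects, two destination objects) and the flows are constructed sample values, not taken from the post.

```python
"""Proxy-ID pairs of a policy-based IPsec VPN, derived from the policy's
address objects rather than from the hosts that trigger the tunnel."""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample policy (assumption, not from the thread): three source
# and two destination address objects referencing the same tunnel.
POLICY_SOURCES = ["192.168.1.0/24", "192.168.2.0/24", "172.16.0.0/16"]
POLICY_DESTINATIONS = ["10.1.1.0/24", "10.2.0.0/16"]


def proxy_id_pairs(sources, destinations):
    """Every source/destination address-object combination is one proxy-ID
    pair, i.e. one phase-2 SA, no matter which individual hosts talk."""
    return [(ip_network(s), ip_network(d))
            for s, d in product(sources, destinations)]


def matching_pair(pairs, src_host, dst_host):
    """Return the configured pair a flow would bring up (first match in
    policy order), or None: traffic outside every pair negotiates no SA."""
    src, dst = ip_address(src_host), ip_address(dst_host)
    for local, remote in pairs:
        if src in local and dst in remote:
            return (local, remote)
    return None


def fmt(pair):
    """Render a pair the way the reply above writes it: local - remote."""
    return f"{pair[0]} - {pair[1]}"


if __name__ == "__main__":
    pairs = proxy_id_pairs(POLICY_SOURCES, POLICY_DESTINATIONS)
    print(f"{len(pairs)} proxy-ID pairs from the policy:")
    for p in pairs:
        print("  ", fmt(p))
    hit = matching_pair(pairs, "192.168.1.100", "10.1.1.25")
    print("192.168.1.100 -> 10.1.1.25 brings up:", fmt(hit))
    miss = matching_pair(pairs, "192.168.1.100", "10.9.9.9")
    print("192.168.1.100 -> 10.9.9.9 brings up:", miss)
```

A None result is worth checking for during design: such a flow will not be carried by the tunnel at all, rather than creating a new pair on demand.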
Why is this information not shown in the Juniper explanation? Have you studied it from another vendor? If yes, would you please share a link or some material?
I mostly use the Juniper Documentation and configure the examples in the lab for learning.
But IPsec I have been using in production on the SRX pretty much from day one, so I haven't visited those pages in a long time.
In general, you should also try to use route-based VPN on the SRX rather than policy-based. This is more flexible in controlling the routing of traffic and also permits the use of either OSPF or BGP to send traffic into tunnels.