SRX

Expand all | Collapse all

policy based VPN

Jump to Best Answer
  • 1.  policy based VPN

    Posted 06-18-2017 12:52

    Regarding that policy based vpn create individual SAs :

    is this behavior is related to each host or each policy ,

    1-for example if i have a subnet on each site , whenever a host initiate a traffic to a host on the other site a new tunnel is generated (separete SA) ???

     

    2-or it means that if im using multiple security policies referencing the same tunnel, each security policy is considered as individual SA ?



  • 2.  RE: policy based VPN

     
    Posted 06-18-2017 13:08

    #2 - each security policy creates the SA yeilding the proxy-id for the IPSEC VPN.



  • 3.  RE: policy based VPN

    Posted 06-18-2017 13:17

    i have think the same way until i found an article on juniper which is confusing 

     

    Untitled.png



  • 4.  RE: policy based VPN
    Best Answer

     
    Posted 06-18-2017 13:24

    Right, the point is the proxy-id pairs are based on the address objects in the policy.  Not on the address triggering the IPSEC tunnel.

     

    For example, the policy has:

    sources:

    192.168.1.0/24

    192.168.2.3/32

    192.168.100.0/25

    Destination:

    10.1.1.0/24

    10.2.2.3/32

     

    This will yeild 6 proxy-id pairs.

     

    When a device 192.168.1.100 creates traffic to 10.1.1.25

    This pair will come up:  192.168.1.0/24 - 10.1.1.0/24

     

    Likewise any specific traffic initiated will match the appropriate pair from the policy but will not generate a pair that is not configured in the policy.



  • 5.  RE: policy based VPN

    Posted 06-18-2017 13:35

    why this informations is not showed in juniper explanation ???? have you studied it from another vendor, if yes would you please share a link or a material 



  • 6.  RE: policy based VPN

     
    Posted 06-19-2017 02:49

    I mostly use the Juniper Documentation and configure the examples in the lab for learning.

     

    But IPSEC I have been using in production on the SRX pretty much from day one.  So I haven't visited those pages in a long tme.

     

    In general, you should also try to use route based VPN on the SRX rather than policy based.  This is more flexible in controling the routing of traffic and also permits the use of either OSPF or BGP to send traffic into tunnels.