SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Traffic selector

    Posted 06-06-2017 16:32

    Why do I need to use a traffic selector or proxy-ID in a route-based VPN to specify the permitted traffic across the tunnel, when I can already use security policy to regulate my traffic?


    #SRX


  • 2.  RE: Traffic selector
    Best Answer

    Posted 06-06-2017 18:09

    Traffic selectors or proxy-IDs are part of the IPsec VPN standards published for interoperability between vendors of site-to-site VPN devices. These are part of the communications that peers send each other to set up the VPN tunnel.


    By default, without any configured proxy-ID or traffic selector, the SRX will send a completely open proxy-ID pair of 0.0.0.0/0 and 0.0.0.0/0 so that any traffic that is routed to the tunnel can use the connection. Routing then determines what hits the tunnel, and your security policies determine what is permitted.


    The use of traffic selectors or proxy-IDs is only needed when connecting to vendors that don't support using this default, fully open proxy-ID pair.



  • 3.  RE: Traffic selector

    Posted 06-06-2017 19:30

    Hello,


    It is not mandatory to use traffic selectors/proxy-IDs in a route-based VPN. You can regulate the traffic with the help of security policies or firewall filters for sure.


    But when using a route-based VPN with a peer device that does not support the default proxy-ID of 0.0.0.0 of a route-based VPN, traffic selectors or proxy-IDs are useful.


    Regards,


    Rushi



  • 4.  RE: Traffic selector

    Posted 06-06-2017 21:51

    One more thing: the proxy IDs are used in both route-based and policy-based VPNs.


    The proxy-ID generation for policy-based VPNs is based on the security policy bound to the VPN, and it cannot be overwritten with the proxy-identity command under the 'set security ipsec vpn <vpn> ike proxy-identity' stanza. The proxy-identity is based upon the source-address, destination-address, and the application listed in the security policy.


    A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define a traffic selector within a specific route-based VPN, which can result in multiple Phase 2 IPsec security associations (SAs). Only traffic that conforms to a traffic selector is permitted through an SA.


    References:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-vpn-traffic-selector-understanding.html

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA
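    The two behaviours described in this thread, modelled as an added example (not code from the thread, from Junos, or from Juniper): Phase 2 selector agreement between peers, using the IKEv1 rule that each side's local/remote pair must be the mirror image of the other's (a simplification; IKEv2 can narrow selectors), and the per-packet rule that only traffic covered by a negotiated selector pair rides that SA, with the SRX default 0.0.0.0/0 pair covering everything and leaving filtering to security policy. The selector names and prefixes are constructed sample values.

    ```python
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network
    from typing import List, Optional


    @dataclass(frozen=True)
    class Selector:
        """One traffic selector / proxy-ID pair as seen from the configuring side."""
        name: str
        local: str   # prefix behind us, e.g. "10.1.1.0/24"
        remote: str  # prefix behind the peer

        def mirrors(self, peer: "Selector") -> bool:
            # IKEv1 proxy-ID agreement: our local must be the peer's remote
            # and our remote must be the peer's local, exactly.
            return (ip_network(self.local) == ip_network(peer.remote)
                    and ip_network(self.remote) == ip_network(peer.local))

        def covers(self, src: str, dst: str) -> bool:
            # A packet conforms to the selector when src falls in local
            # and dst falls in remote.
            return (ip_address(src) in ip_network(self.local)
                    and ip_address(dst) in ip_network(self.remote))


    # What the SRX sends when no proxy-ID / traffic selector is configured.
    DEFAULT_SELECTOR = Selector("default", "0.0.0.0/0", "0.0.0.0/0")


    def negotiate(ours: List[Selector], theirs: List[Selector]) -> List[Selector]:
        """Selectors for which a Phase 2 SA comes up: each needs a mirrored peer entry."""
        return [s for s in ours if any(s.mirrors(p) for p in theirs)]


    def choose_sa(sas: List[Selector], src: str, dst: str) -> Optional[str]:
        """Name of the SA that carries this packet, or None if no selector permits it."""
        for s in sas:
            if s.covers(src, dst):
                return s.name
        return None


    if __name__ == "__main__":
        # Constructed sample: two selectors on our side, peer only mirrors the first.
        ours = [Selector("ts1", "10.1.1.0/24", "10.2.2.0/24"),
                Selector("ts2", "10.1.3.0/24", "10.2.2.0/24")]
        theirs = [Selector("peer-ts", "10.2.2.0/24", "10.1.1.0/24")]
        sas = negotiate(ours, theirs)
        print([s.name for s in sas], choose_sa(sas, "10.1.3.5", "10.2.2.9"))
    ```
    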