Hi Ecartner,
On the SRX there are two types of tunnel route and policy based. Below is an example of the policy based vpn tunnel.
Using the security policy below the policy-based vpn tunnel will be triggered.
In the below example policy is from Untrust to trust , hence any esp traffic hitting the external interface in Untrust zone would be decrypted using the below policy.
The source and destination used in the policy would act as proxy-id ( encryption domain) for the vpn tunnel and hence it is suggested to use only a sigle pair of source and destination in a security policy when ipsec vpn is called in it.
Remote-Client is the name iof the ipsec vpn defined under the heirarchy :
set security ipsec vpn Remote-Client
Regards
Hemant