Hi-
I was a bit confused by rsuraj's response.
Does the "Edit Removing Point #2" mean that point #2 is wrong?
My understanding is that the public gateway interface of the VPN should be locked down in terms of what services it will process, and the "host-inbound-traffic system-services ike" allows the SRX to process incoming IKE dialogues (i.e., it allows the SRX to respond to a VPN initiation from a peer).
Is that not correct?