View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Clarification of permit tunnel action

    Posted 04-27-2016 05:16

    I am reading some VPN examples from the O'Reily Juniper SRX Series book. One thing I'm not clear on, and I've been unable to find additional information in the Junos documentation, is the full behavior of the permit tunnel security policy action. In particular I'm looking at an example of a policy-based VPN configuration that includes the policy:

    [edit security policies from-zone untrust to-zone trust policy Remote-Client]
    match {
      source-address any;
      application any;
    } then {
      permit {
        tunnel {
          ipsec-vpn Remote-Client;

    I keep looking at this policy and thinking somehow it will be interpreted as permit all traffic from all sources, using the tunnel if possible... I know that's wrong but I can't shake the idea.

    Is it correct (or at least reasonable) to view the permit tunnel action as being both an action and a match condition? In other words can the above policy be described as "Allow all traffic from the Remote-Client tunnel traveling from untrust to trust through."



  • 2.  RE: Clarification of permit tunnel action

    Posted 04-27-2016 06:05

    Hi Ecartner,


    On the SRX  there are two types of tunnel route and policy based. Below is an example of the policy based vpn tunnel.

    Using the security policy below the policy-based vpn tunnel will be triggered.

    In the below example policy is from Untrust to trust , hence any esp traffic hitting the external interface in Untrust zone would be decrypted using the below policy.

    The source and destination used in the policy would act as proxy-id ( encryption domain) for the vpn tunnel and hence it is suggested to use only a sigle pair of source and destination in a security policy when ipsec vpn is called in it.


    Remote-Client is the name iof the ipsec vpn defined under the heirarchy :

    set security ipsec vpn Remote-Client





  • 3.  RE: Clarification of permit tunnel action
    Best Answer

    Posted 04-27-2016 06:24




    In Policy Based VPN tunnel the policy with the permit tunnel action serves the following purpose.


    1. Get the Proxy ID's for the negotiation of IKE Phase 2. (This is taken from the policy created from trust to untrust and with an action permit tunnel)
    2. The policy from the trust to untrust also matches the traffic and sends it over the VPN tunnel whenever the traffic is initiated from the trust zone.
    3. Then there is a pair policy from untrust to trust which is the mirror image of the policy from trust to untrust and the action permit tunnel.  It allows the traffic to pass which is reaching the SRX on the specified tunnel if it is specfied in the source and destination addresses respectively.

    Hence in a sense your understanding for the secuirty policy from untrust to trust "Allow all traffic from the Remote-Client tunnel traveling from untrust to trust through." is correct becasue the policy will mean that any source if tries to reach your subnet over the VPN tunnel Remote-client from untrust zone then it should be permitted.


    Hence you are correct that the permit tunnel acts an action item as well as a match condition ( atleast for the pair policy from untrust to trust) 


    For more information on pair policy please refer the following document:-



    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂