Hello!
I have a lot of SRX 240 and SRX 100 devices with Site-to-Site VPN between them, and I had used the STS VPN Wizard at https://www.juniper.net/customers/support/configtools/vpnconfig.html
Now, after updating to 11.2R2.4, I've found that the VPN wizard is now built in.
So I've tried to use it and ran into some misunderstanding with security zones for st0.x interfaces.
The wizard on the support site makes a new security zone named %STS_Name% and binds the st0.x interface to it like this:
----
Security zone: vpntoauto
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
st0.0
-----
But the built-in wizard offers to add the st0.x interface only to the trust or untrust zone and makes this config:
-----
Security zone: trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 2
Interfaces:
st0.1
vlan.0
-------
Anyway, I'm not paranoid and allow all traffic to pass between trust (internal network) and all the other st0.x interfaces (branch sites).
And I see three variants:
1. make a new zone for each STS and bind the corresponding st0.x to it
2. add all st0.x to trust
3. make a new zone like STS_Zone and add all st0.x interfaces to it.
What is the most correct way?
Thanks for any advice!
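As an added illustration of variant 3 (this is not the poster's configuration and not output of either wizard), the zone and policy part of a Junos config that puts both tunnel interfaces into one dedicated zone. The zone name STS_Zone comes from the post; the policy names, and the assumption that the wizard has already bound the two tunnels to st0.0 and st0.1, are mine.

```junos
/* Added example for variant 3: one dedicated zone for all st0.x tunnel interfaces. */
/* Assumes st0.0 and st0.1 are already configured and bound to their IPsec VPNs. */
security {
    zones {
        /* Every branch tunnel interface lands in STS_Zone instead of trust. */
        security-zone STS_Zone {
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
    policies {
        /* Internal network -> all branches: everything permitted, as the post describes. */
        from-zone trust to-zone STS_Zone {
            policy trust-to-sts {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Branches -> internal network. */
        from-zone STS_Zone to-zone trust {
            policy sts-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

One caveat with a shared zone: traffic between two branches that passes through the hub stays inside STS_Zone, and an SRX denies intra-zone traffic unless a from-zone STS_Zone to-zone STS_Zone policy exists, so add one if branch-to-branch traffic is expected. Keeping the tunnels out of trust also means these two policies can later be narrowed per branch address without touching the rules that govern the internal network itself.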