SRX Services Gateway
Contributor
Posts: 119
Registered: ‎03-11-2017

Traffic selector

Why do I need to use a traffic selector or Proxy-ID in a route-based VPN to specify the permitted traffic across the tunnel, when I can already use a security policy to regulate my traffic?

Distinguished Expert
Posts: 4,937
Registered: ‎03-30-2009

Re: Traffic selector

Traffic selectors or proxy-IDs are part of the IPsec VPN standards published for interoperability between vendors of site-to-site VPN devices. They are part of the communications that peers send each other to set up the VPN tunnel.


By default, without any configured proxy-id or traffic selector, the SRX will send a completely open proxy-id pair of 0.0.0.0/0 and 0.0.0.0/0, so that any traffic that is routed to the tunnel can use the connection. Routing then determines what hits the tunnel, and your security policies determine what is permitted.


The use of traffic selectors or proxy-IDs is only needed when connecting to vendors that don't support this default, fully open proxy-id pair.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Distinguished Expert
Posts: 573
Registered: ‎08-23-2015

Re: Traffic selector

Hello,


It is not mandatory to use traffic-selectors/proxy-ids in a route-based VPN. You can certainly regulate the traffic with the help of security policies or firewall filters.


But when using a route-based VPN with a peer device that does not support the default proxy-id of 0.0.0.0 used in route-based VPNs, traffic-selectors or proxy-ids are useful.


Regards,


Rushi

Visitor
Posts: 4
Registered: ‎05-11-2011

Re: Traffic selector

One more thing: proxy IDs are used in both route-based and policy-based VPNs.


The proxy ID generation for policy-based VPNs is based on the security policy bound to the VPN, and it cannot be overridden with the proxy-identity command under the 'set security ipsec vpn <vpn> ike proxy-identity' stanza. The proxy-identity is based upon the source-address, destination-address, and the application listed in the security policy.


A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define a traffic selector within a specific route-based VPN, which can result in multiple Phase 2 IPsec security associations (SAs). Only traffic that conforms to a traffic selector is permitted through an SA.


References:

https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-vpn-traffic-selector-understa...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA
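The three situations described in this thread (the default open proxy-id pair, an explicit IKEv1 proxy-identity, and traffic selectors that each negotiate their own Phase 2 SA) as an added Junos SRX configuration example. This is not configuration from any of the posters or from Juniper's documentation; the VPN, gateway, policy, zone and selector names (VPN-A, GW-A, IPSEC-POL, vpn, TS-LAN, TS-DMZ, TO-PEER) and all addresses are constructed for illustration, and the `#` lines are annotations rather than CLI input. The IKE gateway GW-A and the IPsec policy IPSEC-POL are assumed to already exist.

```junos
# Case 1: plain route-based VPN, no proxy-identity and no traffic selector.
# The SRX proposes the open pair 0.0.0.0/0 <-> 0.0.0.0/0. What enters st0.0 is
# decided by routing; what is permitted is decided by the security policy below.
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-A establish-tunnels immediately
set security zones security-zone vpn interfaces st0.0

# Case 2: IKEv1 peer that rejects the open pair. One explicit proxy-identity;
# the remote side must configure the mirror image (its local = our remote).
set security ipsec vpn VPN-A ike proxy-identity local 10.10.1.0/24
set security ipsec vpn VPN-A ike proxy-identity remote 10.20.1.0/24
set security ipsec vpn VPN-A ike proxy-identity service any

# Case 3: traffic selectors instead of proxy-identity (the two are not combined
# on the same VPN, so the proxy-identity from case 2 is removed first).
# Each selector negotiates its own Phase 2 SA and only traffic matching that
# local/remote pair is carried in that SA; here two local subnets reach one peer LAN.
delete security ipsec vpn VPN-A ike proxy-identity
set security ipsec vpn VPN-A traffic-selector TS-LAN local-ip 10.10.1.0/24
set security ipsec vpn VPN-A traffic-selector TS-LAN remote-ip 10.20.1.0/24
set security ipsec vpn VPN-A traffic-selector TS-DMZ local-ip 10.10.2.0/24
set security ipsec vpn VPN-A traffic-selector TS-DMZ remote-ip 10.20.1.0/24

# In every case the security policy, not the selector, is what actually permits
# traffic; the selector only narrows what each SA will carry. A policy this broad
# is fine in the example only because the selectors already scope the tunnel.
set security policies from-zone trust to-zone vpn policy TO-PEER match source-address any
set security policies from-zone trust to-zone vpn policy TO-PEER match destination-address any
set security policies from-zone trust to-zone vpn policy TO-PEER match application any
set security policies from-zone trust to-zone vpn policy TO-PEER then permit
```

To check what was actually negotiated, use `run show security ipsec security-associations detail` from configuration mode (or the same command without `run` from operational mode): with case 1 the local and remote identities are shown as 0.0.0.0/0, with case 2 a single SA carries the configured pair, and with case 3 one SA appears per traffic selector. If a strict peer keeps failing Phase 2, the identities on that output are the first thing to compare against the peer's configuration, since a mismatch between the two sides' pairs is the usual cause.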