06-06-2017 04:31 PM
Why do I need to use a traffic selector or Proxy-ID in a route-based VPN to specify the permitted traffic across the tunnel when I can already use a security policy to regulate my traffic?
06-06-2017 06:08 PM
Traffic selectors or proxy-id are part of the IPSEC VPN standards published for interoperability between vendors of site to site VPN devices. These are part of the communications that peers send each other to setup the VPN tunnel.
By default, without any configured proxy-id or traffic selector, the SRX will send a completely open proxy-id pair of 0.0.0.0/0 and 0.0.0.0/0 so that any traffic that is routed to the tunnel can use the connection. Routing then determines what hits the tunnel, and your security policies determine what is permitted.
The use of traffic selectors or proxy-id is only needed when connecting to vendors that don't support using this default fully open proxy-id pair.
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
06-06-2017 07:29 PM
It is not mandatory to use traffic-selectors/proxy-ids in a route-based VPN. You can regulate the traffic with the help of security policies or firewall filters for sure.
But when using a route-based VPN with a peer device that does not support the default proxy-id of 0.0.0.0 of a route-based VPN, traffic-selectors or proxy-ids are useful.
06-06-2017 09:51 PM
One more thing: proxy IDs are used in both route-based and policy-based VPNs.
The proxy ID generation for policy-based VPNs is based on the security policy bound to the VPN, and it cannot be overwritten with the proxy-identity command under the 'set security ipsec vpn <vpn> ike proxy-identity' stanza. The proxy-identity is based upon the source-address, destination-address, and the application listed in the security policy.
A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define a traffic selector within a specific route-based VPN, which can result in multiple Phase 2 IPsec security associations (SAs). Only traffic that conforms to a traffic selector is permitted through an SA.
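The three SRX-side configurations the replies above describe (default open proxy-id, a narrowed proxy-identity for a peer that rejects 0.0.0.0/0, and per-selector Phase 2 SAs), as an added example in Junos set-style syntax that is not from any of the posters. The VPN, gateway, policy, zone and address names and the 10.1.0.0/16 / 10.2.0.0/16 prefixes are placeholders.

```junos
## Added example, not from the thread. Placeholders: vpn-hq, gw-hq, ipsec-pol,
## st0.0, zone "vpn", address-book names, and all prefixes.

## 1. Default route-based VPN: no proxy-id configured, so the SRX proposes
##    0.0.0.0/0 <-> 0.0.0.0/0 in Phase 2. Routing decides what enters st0.0;
##    security policy decides what is permitted.
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn vpn-hq bind-interface st0.0
set security ipsec vpn vpn-hq ike gateway gw-hq
set security ipsec vpn vpn-hq ike ipsec-policy ipsec-pol
set routing-options static route 10.2.0.0/16 next-hop st0.0
set security address-book global address net-local 10.1.0.0/16
set security address-book global address net-hq 10.2.0.0/16
set security policies from-zone trust to-zone vpn policy allow-hq match source-address net-local
set security policies from-zone trust to-zone vpn policy allow-hq match destination-address net-hq
set security policies from-zone trust to-zone vpn policy allow-hq match application any
set security policies from-zone trust to-zone vpn policy allow-hq then permit

## 2. Peer rejects the open pair (typically IKEv1): narrow the proxy-id to the
##    exact local/remote pair the peer expects. Still one Phase 2 SA; a pair
##    that does not match the peer's configuration fails Phase 2.
set security ipsec vpn vpn-hq ike proxy-identity local 10.1.0.0/16
set security ipsec vpn vpn-hq ike proxy-identity remote 10.2.0.0/16
set security ipsec vpn vpn-hq ike proxy-identity service any

## 3. Traffic selectors instead: one Phase 2 SA per selector, and only traffic
##    matching a selector is carried in its SA. Traffic selectors cannot be
##    combined with proxy-identity on the same VPN, and the SRX inserts routes
##    for each remote-ip automatically, so the static route is dropped.
delete security ipsec vpn vpn-hq ike proxy-identity
delete routing-options static route 10.2.0.0/16
set security ipsec vpn vpn-hq traffic-selector ts-users local-ip 10.1.0.0/16 remote-ip 10.2.0.0/16
set security ipsec vpn vpn-hq traffic-selector ts-mgmt local-ip 10.1.99.0/24 remote-ip 10.2.99.0/24

## After commit, confirm which local/remote pair each SA actually negotiated:
run show security ipsec security-associations detail
```

The security policy in step 1 applies unchanged in steps 2 and 3: the proxy-id or selector only decides which flows the peer will accept into the SA, while the policy still decides which of those flows the SRX permits.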