Hi Robbie,
So from the top:
@Robbie wrote:
Why do we need to set "then permit ipsec-tunnel tunnelname"?
IPsec uses UDP 500, and the IP header addresses are 1.1.1.1 and 2.2.2.2.
Why don't we just permit 1.1.1.1 and 2.2.2.2 via "then permit"?
Security policies are used to permit *transit* traffic across the SRX between security zones. The IPsec tunnel is *initiated* by the SRX from the egress security zone, so it doesn't need to be matched by the policy engine. The traffic between your 192.168.x.0 subnets does - hence the security policy.
This is a bit different if you're coming from an ASA/PIX background, where firewall rules are more like interface-based ACLs, but you'll soon grow to love it 😉
@Robbie wrote:
by the way:
What are the local ID and remote ID here?
192.168.1.0/192.168.2.0?
Correct - the local and remote IDs are generally the subnets that you are tunnelling traffic for - just use "service any" when you configure them.