SRX

192.168.1.0----srx1 1.1.1.1------------xxxx----------2.2.2.2 srx2-----192.168.2.0

this is a basic question

I am fresh man in ipsec

why need to set then permit ipsec-tunnel tunnelname

 IPSEC use udp500 and ip header is 1.1.1.1 and 2.2.2.2

why don't we just permit this 1.1.1.1 and 2.2.2.2 via then permit?

That creates a policy based VPN - once the traffic is permitted by the policy, that configuration tells the FW to place the traffic into the IPSec tunnel

excerpt from Junos OS Security Configuration Guide
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
policy vpn-tr-untr {
match {
source-address sunnyvale;
destination-address chicago;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ike-vpn-chicago;
pair-policy vpn-untr-tr;
}

}
}

why there is pair policy?

2:do I need to create security policy for return traffic of ipsec?

by the way:

what is local id and remot id here

192.168.1.0/192.168.2.0？

Hi Robbie,

So from the top:

---

@Robbie wrote:

why need to set then permit ipsec-tunnel tunnelname

IPSEC use udp500 and ip header is 1.1.1.1 and 2.2.2.2

why don't we just permit this 1.1.1.1 and 2.2.2.2 via then permit?

---

Security policies are used to permit *transit* traffic across the SRX between security zones.  The IPSEC tunnel is *initiated* by the SRX from the egress security zone, so doesn't need to be matched by the policy engine.  The traffic between your 192.168.x.0 subnets does - hence the security policy.

This is a bit different if you're coming from and ASA/PIX background where firewall rules are more like interface-based ACLs, but you'll soon grow to love it 😉

---

@Robbie wrote:

by the way:

what is local id and remot id here

192.168.1.0/192.168.2.0？

---

Correct - the local and remote IDs are generally the subnets that you are tunnelling traffic for - just use "service any" when you configure them.