I am referring to the below link for route-based VPN. I see that besides the trust/untrust zones, another zone, vpn-chicago, is created, and the policy is between the trust zone and the vpn-chicago zone. But the chicago address is attached to the untrust zone. It's weird to me that the policy is to the vpn-chicago zone but the destination address is attached to the untrust zone instead. My question is: is this VPN zone mandatory for a route-based VPN? Or can we use the untrust zone for the same?
I think you have spotted an error in the link. I have not labbed this up, but I think it would fail the commit as you quite rightly say: the 'chicago' object is attached to the untrust zone. For this to work it would need to be attached to the vpn-chicago zone, or attached to no zone in the global address book.
In answer to the question of whether we need a separate zone, the answer is no, but it is often a good idea, as you may want traffic initiated from the remote site to be allowed into your trust zone. The policies can be simpler if the st0 interface is configured in a separate zone.
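As an added example (it is not from the thread or from the linked article), this is what the corrected configuration described in the answer above looks like in Junos: st0.0 placed in a dedicated vpn-chicago zone, the chicago address defined in that zone's address book rather than in untrust, and a policy in each direction. The zone name vpn-chicago, the address name chicago and the st0 interface come from the thread; the 10.20.0.0/16 prefix, the unit number st0.0 and the policy names are assumptions. The IKE/IPsec stanzas are omitted because they are the same whichever zone st0.0 sits in; the only IPsec-side requirement for a route-based VPN is that the vpn is bound to st0.0 with bind-interface.

```junos
security {
    zones {
        security-zone vpn-chicago {
            # The address referenced by a policy must be defined in the zone
            # that policy names (or in the global address book at
            # "security address-book global"), which is why defining
            # "chicago" under the untrust zone fails the commit check.
            address-book {
                # remote site prefix (assumed value)
                address chicago 10.20.0.0/16;
            }
            interfaces {
                # the tunnel interface lives in its own zone
                st0.0;
            }
        }
    }
    policies {
        # traffic initiated from the local trust zone towards Chicago
        from-zone trust to-zone vpn-chicago {
            policy trust-to-chicago {
                match {
                    source-address any;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # traffic initiated from the remote site; scoped to the Chicago
        # prefix so the rule cannot be reused by anything else that might
        # later be placed in this zone (tighten "application" in production)
        from-zone vpn-chicago to-zone trust {
            policy chicago-to-trust {
                match {
                    source-address chicago;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            # unnumbered is fine for a route-based VPN
            family inet;
        }
    }
}
routing-options {
    static {
        # this route is what makes the VPN route-based: traffic for the
        # remote prefix is steered into the tunnel interface
        route 10.20.0.0/16 next-hop st0.0;
    }
}
```

If you instead keep st0.0 in untrust (the alternative the question asks about), the address goes into the untrust zone's address book and the policies become from-zone trust to-zone untrust and from-zone untrust to-zone trust. That works, but note the cost: the untrust-to-trust permit then also faces the internet-facing interface in the same zone, so it must be scoped by source address (as above) rather than relying on zone membership alone. Also pick one address-book style; Junos does not accept the zone-level address-book hierarchy together with the global security address-book on the same device.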
Thank you!! In my case, it's a swap from ISG to SRX, and the previous policies are all in the Gp_untrust zone for the operator's roaming. So if it is not mandatory to have a VPN zone on my SRX, I will keep the same Gp_untrust zone as on the ISG, as it's already clear to the customer.