SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Proxy id

    Posted 01-15-2011 01:38

    To all

    What I understand is that it is the interesting traffic between the local subnet and the remote subnet, which we configure in the policy.

    After that I can't understand what its purpose is; it should be the same at both ends.

    2) If I have multiple subnets running behind my firewall and I need to establish connectivity to multiple subnets at the remote end,

    do I need to configure a proxy-id for each, and should each proxy-id match at the remote end?

    Thanks in advance to all you guys



  • 2.  RE: Proxy id
    Best Answer

    Posted 01-15-2011 11:45

    1) This is part of the IPsec negotiation.

    Let's assume you have gateway_A with local LAN lan_A/mask_A

    and gateway_B with local LAN lan_B/mask_B.

    If you wish to set up a VPN between gateway_A and gateway_B so lan_A/mask_A can talk to

    lan_B/mask_B, you must set up the following:

    on gateway_A : proxy id : local id : lan_A/mask_A, remote id : lan_B/mask_B

    on gateway_B : proxy id : local id : lan_B/mask_B, remote id : lan_A/mask_A

    2) If you have multiple subnets and only one site-to-site VPN, you can set up

    - a route-based VPN with local id and remote id set to 0.0.0.0/0

    - a policy-based VPN with one phase 2 (i.e. IPsec VPN) config and one policy per pair of local and remote LAN.

    The easiest is to use a route-based VPN.

    this is described in the tech note http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/vpn-route-based-jseries-srx/route-based-vpns-j-series-srx.pdf

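    Added example (not part of the thread or any Juniper tooling): a small Python checker that builds the phase-2 proxy-ID pairs described in the answer above, mirrors them for the peer, and reports which pairs would fail to negotiate. The LAN prefixes are constructed sample values, and the gateway names follow the answer's gateway_A / gateway_B convention.

```python
"""Proxy-ID (phase-2 traffic selector) consistency checker for a site-to-site IPsec VPN."""
import ipaddress
from itertools import product

Pair = tuple[str, str]  # (local_id, remote_id) as the configuring gateway sees them


def normalize(prefix: str) -> str:
    # '10.1.1.5/24' and '10.1.1.0/24' describe the same selector; compare them canonically.
    return str(ipaddress.ip_network(prefix, strict=False))


def phase2_proxy_ids(local_lans, remote_lans, route_based: bool = False) -> list[Pair]:
    """Pairs gateway_A needs. Route-based: one 0.0.0.0/0 <-> 0.0.0.0/0 pair covers everything.
    Policy-based: one phase 2 (and one policy) per (local LAN, remote LAN) combination."""
    if route_based:
        return [("0.0.0.0/0", "0.0.0.0/0")]
    return sorted({(normalize(l), normalize(r)) for l, r in product(local_lans, remote_lans)})


def mirror_for_peer(pairs) -> list[Pair]:
    """What gateway_B must configure: A's local id becomes B's remote id and vice versa."""
    return sorted((r, l) for l, r in pairs)


def find_mismatches(pairs_a, pairs_b) -> list[str]:
    """Readable list of proxy-ID pairs that would not negotiate; empty means phase 2 can succeed."""
    a = {(normalize(l), normalize(r)) for l, r in pairs_a}
    b_as_seen_by_a = {(normalize(r), normalize(l)) for l, r in pairs_b}  # swap to A's point of view
    problems = []
    for l, r in sorted(a - b_as_seen_by_a):
        problems.append(f"gateway_A offers local {l} remote {r}, but gateway_B has no remote {l} / local {r}")
    for l, r in sorted(b_as_seen_by_a - a):
        problems.append(f"gateway_B has local {r} remote {l}, but gateway_A has no local {l} / remote {r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two LANs behind gateway_A, one behind gateway_B (policy-based).
    lan_a = ["192.168.10.0/24", "192.168.20.0/24"]
    lan_b = ["10.0.0.0/24"]
    a_pairs = phase2_proxy_ids(lan_a, lan_b)
    print(find_mismatches(a_pairs, mirror_for_peer(a_pairs)))  # [] -> both phase 2s should come up
    # Typo on gateway_B: /25 instead of /24 on one pair -> one phase 2 fails with a proxy-ID mismatch.
    bad_b = [("10.0.0.0/25", "192.168.10.0/24"), ("10.0.0.0/24", "192.168.20.0/24")]
    for line in find_mismatches(a_pairs, bad_b):
        print(line)
```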


  • 3.  RE: Proxy id

    Posted 01-15-2011 22:47

    Thanks for your reply

     

    What I understand: let's say I configure my local-id A, then the remote end should configure its remote-id A,

    and similarly vice versa; I will go with local-id A, remote-id B.

    The IDs should match, otherwise the VPN will not be successful?

    So what about when we are doing a VPN with Cisco? It doesn't require the proxy-id feature; a simple access-list to allow the interesting traffic should carry it.

    Thanks again



  • 4.  RE: Proxy id

    Posted 01-17-2011 00:14

    Remote ids are negotiated during phase 2.

    If there is a mismatch (you can configure one gateway to accept what the other one sends, to make it more "tolerant" ...), phase 2 will fail and you should get an error indicating there was a mismatch.

    Regardless of the vendor, IPsec requires the proxy ids to match.

    Sometimes the device doesn't mention proxy ids, but you'll find them in the IKE packets.

    In most cases the name is not the same, but the configured access list, VPN domain, etc. will be used to derive the proxy ids that will be sent or checked during phase 2.

    When the tunnel is established you can see in the security associations the proxy ids that were negotiated.



  • 5.  RE: Proxy id

    Posted 01-18-2011 02:42
    Thanks