SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route Based vpn to Policy Based VPN

    Posted 03-10-2014 14:16

    Hi, just a quick question that I don't have the gear to lab atm. But is it possible to create a site-to-site from my SRX using route based VPN to a 3rd party device that uses policy based VPN?

     

    Using NHTB and exact match proxy identity, or what is required, if this even works?



  • 2.  RE: Route Based vpn to Policy Based VPN
    Best Answer

    Posted 03-10-2014 19:09

    Of course - the route based VPN at your end has nothing to do with the 3rd party - they can use whichever method they want. If you had control of both, I would recommend always using route based but it doesn't matter. Whatever method you choose at your end will work with the 3rd party's.



  • 3.  RE: Route Based vpn to Policy Based VPN

    Posted 03-11-2014 17:27

    I always build my side as route based.  They make the routing table neater and I can pick up those static routes to the remote site vpn and redistribute them into OSPF for use by the other sites on the internal network.

     

    You have correctly identified the issues.

     

    I create a separate tunnel interface where all the policy based VPNs connect using multipoint.  Then add the NHTB entry for each new site.  This tunnel interface only needs to consume a single IP address as it never has to neighbor to anyone else.

     

    I'll then use a different subnet for the hub tunnels for the base network.
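
A sketch of the layout described in the last reply, added here as an illustration and not taken from any poster's configuration: one multipoint st0 unit shared by two policy-based peers, with a static NHTB entry and an exact-match proxy identity per site. All names, the st0 unit number, and every address are constructed placeholders, and the IKE gateways and IPsec policy are assumed to be defined already.

```junos
# Constructed example values: st0.1, 10.255.0.0/24, zone "vpn",
# VPN-SITE-A/B, GW-SITE-A/B, IPSEC-POL and all subnets are placeholders.
# Assumes IKE gateways GW-SITE-A/GW-SITE-B and IPsec policy IPSEC-POL exist.

# One multipoint tunnel interface for all policy-based peers.
# It needs only a single local address.
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 10.255.0.1/24
set security zones security-zone vpn interfaces st0.1

# Site A: the proxy identity must match the peer's policy (its
# encryption domain) exactly, mirrored from the peer's point of view.
set security ipsec vpn VPN-SITE-A bind-interface st0.1
set security ipsec vpn VPN-SITE-A ike gateway GW-SITE-A
set security ipsec vpn VPN-SITE-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-SITE-A ike proxy-identity local 10.1.0.0/24
set security ipsec vpn VPN-SITE-A ike proxy-identity remote 10.20.0.0/24
set security ipsec vpn VPN-SITE-A ike proxy-identity service any

# Static NHTB entry: the policy-based peer has no tunnel address, so the
# next hop is an otherwise unused address inside the st0.1 subnet.
set interfaces st0 unit 1 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn VPN-SITE-A
set routing-options static route 10.20.0.0/24 next-hop 10.255.0.2

# Site B: same pattern, new NHTB next hop and its own proxy identity.
set security ipsec vpn VPN-SITE-B bind-interface st0.1
set security ipsec vpn VPN-SITE-B ike gateway GW-SITE-B
set security ipsec vpn VPN-SITE-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-SITE-B ike proxy-identity local 10.1.0.0/24
set security ipsec vpn VPN-SITE-B ike proxy-identity remote 10.30.0.0/24
set security ipsec vpn VPN-SITE-B ike proxy-identity service any
set interfaces st0 unit 1 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn VPN-SITE-B
set routing-options static route 10.30.0.0/24 next-hop 10.255.0.3
```

After commit, `show security ipsec next-hop-tunnels` lists the NHTB bindings and `show security ipsec security-associations` shows whether each peer accepted the proxy identity during Phase 2.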