Tuesday, 28 June 2011

SRX Route Based VPN - Proxy IDs

By default, when you create an IPsec tunnel on an SRX the Proxy IDs are set to 0.0.0.0/0. There are a number of occasions when you will need to explicitly define the Proxy IDs. The first is as an additional layer of security, so that both sides need another authentication method before the tunnel establishes. The second is when you need to establish a VPN to non-Juniper devices such as Cisco, SonicWall or Check Point, where the interesting traffic coming from the other side needs to match the Proxy ID. There are other reasons, but I see these as the more important ones in my environments.

The Config

In our example I am establishing a VPN with a Juniper SSG, so in theory you can put anything in the Proxy IDs as long as both sides match. This is different when establishing with Cisco or other vendors, as the Proxy IDs need to actually match the traffic being sent over the tunnel.

So in our example we have a remote IP range of 10.10.11.0/24 and a local range of 172.16.201.0/24. However, we are handling subnet overlap on the tunnel, so to keep things consistent we are treating our local range as 192.222.222.0/24. That being the case, the following configuration is used:

root@host# set security ipsec vpn LAB_VPN_01 ike proxy-identity local 192.222.222.0/24
root@host# set security ipsec vpn LAB_VPN_01 ike proxy-identity remote 10.10.11.0/24
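As an added example (not part of the original post), the following Python check verifies the two properties the post relies on: that the peer's Proxy IDs are the mirror image of the SRX's, and, for the Cisco-style case, that a given flow actually falls inside them. The SRX values are the ones configured above; the SSG side, the service field and the sample flows are constructed for the demonstration.

```python
import ipaddress

# Proxy IDs from the SRX config above: (local, remote, service).
SRX_SIDE = ("192.222.222.0/24", "10.10.11.0/24", "any")
# Constructed peer (SSG) side: local and remote are swapped relative to the SRX.
SSG_SIDE = ("10.10.11.0/24", "192.222.222.0/24", "any")


def proxy_ids_mirror(side_a, side_b):
    """Return True when side_b's Proxy IDs mirror side_a's.

    Phase 2 only completes if A's local equals B's remote, A's remote
    equals B's local, and both agree on the service/protocol selector.
    """
    a_local, a_remote, a_svc = side_a
    b_local, b_remote, b_svc = side_b
    return (ipaddress.ip_network(a_local) == ipaddress.ip_network(b_remote)
            and ipaddress.ip_network(a_remote) == ipaddress.ip_network(b_local)
            and a_svc == b_svc)


def traffic_matches(side, src, dst):
    """For peers that require interesting traffic to fall inside the Proxy IDs,
    check that a flow's source is in the local ID and destination in the remote ID."""
    local, remote, _svc = side
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote))


if __name__ == "__main__":
    print("SRX/SSG mirror:", proxy_ids_mirror(SRX_SIDE, SSG_SIDE))
    # Post-NAT local host (192.222.222.x) talking to the remote range: matches.
    print("NATed flow:", traffic_matches(SRX_SIDE, "192.222.222.10", "10.10.11.5"))
    # The real 172.16.201.x address would not match, which is why the
    # translated 192.222.222.0/24 range is used in the Proxy ID.
    print("Untranslated flow:", traffic_matches(SRX_SIDE, "172.16.201.10", "10.10.11.5"))
```

A mistyped mask on the peer (for example 192.222.222.0/25) fails the mirror check, which is the usual cause of a Phase 2 proposal mismatch when the rest of the tunnel looks correct.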
