IPsec encrypts data that enters a given tunnel according to an agreed Security Association (SA). Each Phase 2 SA is defined for a unidirectional data flow and covers the traffic that is distinguishable by a so-called proxy-ID. IKEv2 introduces a new term, traffic-selector, which serves the same purpose as the proxy-ID; however, a traffic-selector can be defined on a per-SA basis using two fields, the source IP address and the destination IP address. The traffic-selector helps define the source and destination patterns that are allowed through a route-based VPN tunnel and helps enforce the mapping of data to SAs, which prevents traffic for which no negotiation exists from being transported through the tunnel. This training demonstrates how to configure route-based VPNs on Juniper SRX series devices.

Difficulty Level: Advanced