IPSEC Traffic Selector in SRX

Starting from 12.1X46-D10 release, SRX has a new feature called traffic selector. Details of the feature can be found at juniper page here In a nutshell, it is similar to the proxy-id but has some major differences. By using proxy ids we can even establish two IPSEC tunnels to the same tunnel end point or for example use it when other end point is another vendor device. However proxy-id doesn’t really enforce anything in forwarding. Let’s explain the feature by using a topology;


In this topology I have two different networks on each side of the end point and I would like to protect traffic in between them. For example NET1-NET1 , NET2-NET2 traffic. As I assume you are already familiar with SRX IPSEC configuration, I will only show here what is different than a standard config.


On J23 SRX device, I have two traffic selector configs and they allow only traffic

  • from to
  • from to

other traffic will be blocked on this tunnel. For example when I try to pass a traffic which isn’t defined here, I received the following error in flow trace.

Let’s see the remote config on J41.


As you can see, we reverse the traffic selectors.

What you should be careful is that each traffic selector means a separate Security Association (SA) as you can also see from the output below.

There is a nice feature coming with this traffic selector feature as well. Once you set these selector entries and commit, static routes are installed automatically towards the st0.X interface. However if you want to implement this feature, I strongly recommend you to read the limitations section on the link provided above.

You have a feedback?