Hello,
I have already asked similar questions a year ago without getting feedback; here it is again in other words:
1) When using route-based VPNs, defining proxy IDs can be cumbersome if you have multiple distinct local and remote subnets or hosts concerned that you cannot aggregate into 1 or 2 IP "supernets".
I guess it would be simpler if Juniper allowed several names or address-sets to be coded in those local/remote proxy IDs (as Cisco does in their crypto map), as is now possible in NAT source and destination via source-address-name, for example.
2) The traffic-selector method as described in:
https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/ipsec-vpn-traffic-selector-understanding.html :
can be a good way to reduce this constraint, as it is shorter to define the IPsec section, but you still need to identify and code each pair of local/remote IPs;
so, if you have, let's say, 5 local and 10 remote IPs concerned, you will have to define 5*10 = 50 traffic selectors in the IPsec section;
and, by the way, this way of coding traffic selectors is not supported when using IKEv2 on a tunnel, as stated in this link, which tends to be more frequent now than a few years ago.
3) So, in some cases, either because IKEv2 is used or because the number of local and remote subnets results in a large number of local/remote pairs of addresses (even if it is simpler/shorter with traffic selectors), it might be better to create a policy-based VPN where you don't have to care about coding those pairs.
The only question left about this policy-based VPN is related to the fact that, if you have multiple source or destination addresses or you use source/destination address-sets coded in some policy rules, the following Juniper document indicates that the resulting generated proxy IDs (local and remote) will be 0.0.0.0:
see https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=RSS at the last section "Policy using multi-cell address objects"
In such a case, the question is how the VPN peer box (at the other side of the tunnel, which can be of any kind, not only Juniper) will react.
Will it reject those 0.0.0.0 proxy IDs if its own proxy IDs are coded with the real subnets concerned (via a Cisco crypto map, for example), or will it allow them?
Any idea is welcome.
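As an added example (not part of the original post), a small Python script that computes how many traffic-selector pairs a given set of local and remote prefixes needs, how far collapsing each side into supernets reduces that number, and renders the corresponding Junos `set` lines. The prefixes, the VPN name and the `set security ipsec vpn ... traffic-selector ... local-ip ... remote-ip ...` syntax are assumptions (the syntax as described in the documentation linked above).

```python
import itertools
import ipaddress

# Constructed sample prefixes: 5 local and 10 remote /24 subnets, as in the post.
LOCAL = [f"10.0.{i}.0/24" for i in range(5)]
REMOTE = [f"192.168.{i}.0/24" for i in range(10)]


def traffic_selector_pairs(local_prefixes, remote_prefixes, aggregate=False):
    """Return the (local, remote) network pairs that each need one traffic selector.
    With aggregate=True, adjacent/contained prefixes on each side are first
    collapsed exactly (no over-inclusion) into the fewest covering networks."""
    local = [ipaddress.ip_network(p) for p in local_prefixes]
    remote = [ipaddress.ip_network(p) for p in remote_prefixes]
    if aggregate:
        local = list(ipaddress.collapse_addresses(local))
        remote = list(ipaddress.collapse_addresses(remote))
    return list(itertools.product(local, remote))


def covering_supernet(prefixes):
    """Smallest single prefix that contains all given networks (one 'supernet').
    Note that this widens the proxy ID beyond the listed subnets, so the tunnel
    will also match traffic for addresses in the gaps between them."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def junos_traffic_selectors(vpn_name, pairs):
    """Render one Junos 'set' line per pair (assumed traffic-selector syntax)."""
    return [
        f"set security ipsec vpn {vpn_name} traffic-selector ts{i} "
        f"local-ip {loc} remote-ip {rem}"
        for i, (loc, rem) in enumerate(pairs, start=1)
    ]


if __name__ == "__main__":
    print(len(traffic_selector_pairs(LOCAL, REMOTE)), "selectors without aggregation")
    agg = traffic_selector_pairs(LOCAL, REMOTE, aggregate=True)
    print(len(agg), "selectors after exact collapsing")
    print("single covering supernets:", covering_supernet(LOCAL), covering_supernet(REMOTE))
    for line in junos_traffic_selectors("vpn-to-site-b", agg):  # hypothetical VPN name
        print(line)
```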