I am reading some VPN examples from the O'Reilly Juniper SRX Series book. One thing I'm not clear on, and I've been unable to find additional information in the Junos documentation, is the full behavior of the permit tunnel security policy action. In particular, I'm looking at an example of a policy-based VPN configuration that includes the policy:
[edit security policies from-zone untrust to-zone trust policy Remote-Client]
match {
    source-address any;
    destination-address 10.0.0.8/8;
    application any;
}
then {
    permit {
        tunnel {
            ipsec-vpn Remote-Client;
        }
    }
}
I keep looking at this policy and thinking somehow it will be interpreted as permit all traffic from all sources, using the tunnel if possible... I know that's wrong but I can't shake the idea.
Is it correct (or at least reasonable) to view the permit tunnel action as being both an action and a match condition? In other words can the above policy be described as "Allow all traffic from the Remote-Client tunnel traveling from untrust to trust through."
Thanks