Hello,
In a policy-based VPN tunnel, the policy with the permit tunnel action serves the following purposes.
- Get the proxy IDs for the negotiation of IKE Phase 2. (This is taken from the policy created from trust to untrust with the action permit tunnel.)
- The policy from trust to untrust also matches the traffic and sends it over the VPN tunnel whenever the traffic is initiated from the trust zone.
- Then there is a pair policy from untrust to trust, which is the mirror image of the policy from trust to untrust, with the action permit tunnel. It allows traffic that reaches the SRX on the specified tunnel to pass if it is specified in the source and destination addresses respectively.
Hence, in a sense, your understanding of the security policy from untrust to trust, "Allow all traffic from the Remote-Client tunnel traveling from untrust to trust through.", is correct, because the policy means that if any source tries to reach your subnet 10.0.0.0/8 over the VPN tunnel Remote-client from the untrust zone, then it should be permitted.
Hence you are correct that the permit tunnel acts as an action item as well as a match condition (at least for the pair policy from untrust to trust).
For more information on pair policy, please refer to the following document:
Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.
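
The pair of policies described in the reply above, written out as Junos `set` commands. This is an added example, not configuration from the original thread: the policy names `vpn-out` and `vpn-in` and the address-book entry `local-net` are hypothetical, and the VPN object `Remote-Client` is assumed to be already defined under `security ipsec vpn`.

```junos
# Constructed example. vpn-out, vpn-in and local-net are hypothetical names;
# 10.0.0.0/8 and the Remote-Client tunnel come from the thread.
set security address-book global address local-net 10.0.0.0/8

# trust -> untrust: matches traffic initiated from the trust zone and sends it
# into the tunnel. Per the reply, this policy's source, destination and
# application are also where the IKE Phase 2 proxy IDs are taken from.
set security policies from-zone trust to-zone untrust policy vpn-out match source-address local-net
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn Remote-Client
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel pair-policy vpn-in

# untrust -> trust: the mirror image (source and destination swapped).
# "permit tunnel" here is both the action and a match condition: only traffic
# arriving over the Remote-Client tunnel is permitted by this policy.
set security policies from-zone untrust to-zone trust policy vpn-in match source-address any
set security policies from-zone untrust to-zone trust policy vpn-in match destination-address local-net
set security policies from-zone untrust to-zone trust policy vpn-in match application any
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel ipsec-vpn Remote-Client
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel pair-policy vpn-out
```

After commit, `show security policies` lists both policies and `show security ipsec security-associations` shows whether Phase 2 has come up.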