This article explains how to determine whether a policy is required for route-based VPN traffic to flow through a Juniper ScreenOS firewall.
Environment:
- Is a policy required? If so, to which zones should the policy be applied?
Symptoms and errors:
Traffic is allowed, even though the policy is set to deny.
Is a policy required for a Route-Based VPN?
A policy may or may not be needed.
When a policy is required:
A route-based VPN requires a policy if the user traffic originates in, or is destined for, a security zone different from the one to which the tunnel interface is bound. For example, if the tunnel interface is bound to the Untrust zone and the VPN traffic involves a user on the Trust zone, a policy is required from Trust to Untrust (and from Untrust to Trust for traffic initiated by the remote side of the tunnel).
When a policy is not required:
If the user traffic originates in, or is destined for, the same security zone as the one to which the tunnel interface is bound, no access policy is required, as long as intra-zone blocking is disabled for that zone. For example, if the tunnel interface is bound to the Trust zone and the VPN traffic involves a user on the Trust zone, no policy is required.
Example:

The zone to which the tunnel interface is bound determines which policy must be created. If the tunnel is bound to the Trust zone and the users to be allowed are also on the Trust zone, an intra-zone policy (Trust to Trust) can be used to allow or deny the traffic. If the tunnel is bound to the Untrust zone or a custom zone, the policy for outbound traffic generated by Trust zone users is from Trust to Untrust (or Trust to [custom zone name]), and a reverse policy (Untrust to Trust, or [custom zone name] to Trust) is needed for traffic in the inbound direction.
Note: By default, blocking of intra-zone traffic is disabled for all zones except the Untrust zone. So, even without a policy, intra-zone traffic is allowed unless the intra-zone block setting has been changed for the zone. To deny traffic for a tunnel that is bound to the same zone as the users while intra-zone blocking is disabled, use an explicit deny or reject policy for that zone pair (for example, Trust to Trust). A deny policy written for a different zone pair, such as Trust to Untrust, is never matched by this intra-zone traffic, which is why the traffic can still be seen flowing even though a deny policy exists.
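The two zone-binding cases above, as an added ScreenOS CLI example constructed for this article (it is not taken from the original article or from KB9514). The names tunnel.1, vpn-site-b, local-lan, remote-lan, the 192.168.1.0/24 and 192.168.2.0/24 networks, and the ethernet0/0 (Untrust) and ethernet0/1 (Trust) interfaces are assumptions; the IKE gateway and the VPN object vpn-site-b are assumed to be configured already. Lines beginning with # are annotations for the reader and are not CLI input.

```text
# Case A: tunnel.1 bound to Untrust, users on Trust.
# Cross-zone traffic, so a policy is required in each direction.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set address trust "local-lan" 192.168.1.0 255.255.255.0
set address untrust "remote-lan" 192.168.2.0 255.255.255.0
set vpn vpn-site-b bind interface tunnel.1
set route 192.168.2.0/24 interface tunnel.1
set policy from trust to untrust "local-lan" "remote-lan" any permit
set policy from untrust to trust "remote-lan" "local-lan" any permit

# Case B: tunnel.1 bound to Trust, users on Trust.
# Intra-zone traffic flows with no policy while intra-zone blocking is
# off (the Trust zone default). A deny must therefore be an explicit
# Trust-to-Trust policy; a Trust-to-Untrust deny would never be matched.
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/1
set address trust "local-lan" 192.168.1.0 255.255.255.0
set address trust "remote-lan" 192.168.2.0 255.255.255.0
set vpn vpn-site-b bind interface tunnel.1
set route 192.168.2.0/24 interface tunnel.1
unset zone trust block
set policy from trust to trust "local-lan" "remote-lan" TELNET deny

# Checks: confirm the zone's intra-zone block state and the policy list.
get zone trust
get policy
```

In case B only Telnet between the two networks is denied; every other service still crosses the tunnel with no policy at all, because the lookup falls through to the zone's intra-zone allow. If `get zone trust` reports intra-zone blocking as on, a Trust-to-Trust permit policy is required for the VPN traffic, exactly as in the cross-zone case.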
The policy lookup on a ScreenOS device takes place in the following order:
- Standard policies
- Global policies
- Intra-zone block/allow setting of the zone
If none of the above matches, the default action is deny all.
The action used in such a policy is Permit, Deny, or Reject, not Tunnel; the Tunnel action is used only when configuring policy-based VPNs.
For a configuration example, refer to KB9514 - How to configure a policy for a route-based VPN .
For more information about the Packet Flow Sequence, refer to Concepts & Examples Guide - Part 2 - Fundamentals (ScreenOS 6.3). For other ScreenOS versions, refer to the following link:
www.juniper.net/techpubs/software/screenos/
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.