Exam JN0-336 Topic 1 Question 49 Discussion
Actual exam question for Juniper's JN0-336 exam
Question #: 49
Topic #: 1
Which two statements about proxy IDs are correct? (Choose two.)
Suggested Answer: B,C
The correct answers are B and C. In Junos route-based IPsec VPNs, the default proxy ID is broad: local 0.0.0.0/0, remote 0.0.0.0/0, and service any. This default behavior allows routed traffic entering the secure tunnel interface to determine what is protected by the VPN rather than requiring a narrow policy-based encryption domain. Juniper's IPsec VPN configuration guidance also states that proxy IDs are used in Phase 2 negotiations, and that a proxy ID mismatch is one of the common causes of Phase 2 failure. For interoperability with some third-party VPN peers, Juniper notes that proxy IDs may need to be manually configured to match the peer.
Option A is wrong because proxy IDs can override default route-based behavior when manually configured, especially when a peer requires specific local and remote protected subnets. Option D is wrong because proxy IDs are not created during IKE Phase 1. Phase 1 builds the secure IKE channel; proxy IDs belong to Phase 2/IPsec SA negotiation, where the peers agree on traffic selectors for encrypted traffic. Reference topics: IPsec VPN, route-based VPNs, proxy IDs, Phase 2 negotiation, traffic selectors, third-party VPN interoperability.
by Tyler at Jun 25, 2026, 07:37 PM
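The default and manually configured proxy IDs described in the explanation above, as an added example that is not part of the original post: a Python check that reads Junos `set`-format lines, fills in the 0.0.0.0/0, 0.0.0.0/0, any default where no `proxy-identity` is configured, and compares the result with what a peer expects. The VPN names, subnets and peer values are constructed, and the exact mirrored comparison is a simplifying assumption about how a strict third-party peer evaluates Phase 2 selectors.

```python
import ipaddress
import re

# Junos default proxy ID for a route-based VPN, as stated in the explanation.
DEFAULT = {"local": "0.0.0.0/0", "remote": "0.0.0.0/0", "service": "any"}

_VPN = re.compile(r"^set security ipsec vpn (\S+) ")
_PID = re.compile(
    r"^set security ipsec vpn \S+ ike proxy-identity (local|remote|service) (\S+)$"
)

def effective_proxy_ids(set_config):
    """Return {vpn_name: proxy_id} from 'set'-format config, filling defaults."""
    vpns = {}
    for raw in set_config.splitlines():
        line = raw.strip()
        vpn = _VPN.match(line)
        if not vpn:
            continue
        pid = vpns.setdefault(vpn.group(1), dict(DEFAULT))
        explicit = _PID.match(line)
        if explicit:
            field, value = explicit.groups()
            if field != "service":
                # Normalize the prefix so 10.1.1.5/24 compares equal to 10.1.1.0/24.
                value = str(ipaddress.ip_network(value, strict=False))
            pid[field] = value
    return vpns

def mismatches(ours, peer):
    """Our local must equal the peer's remote and vice versa (assumed strict peer)."""
    pairs = (("local", "remote"), ("remote", "local"), ("service", "service"))
    return [f"our {a} {ours[a]} != peer {b} {peer[b]}"
            for a, b in pairs if ours[a] != peer[b]]

# Constructed sample: one VPN left at the default, one pinned for a vendor peer.
SAMPLE = """\
set security ipsec vpn TO-BRANCH bind-interface st0.0
set security ipsec vpn TO-BRANCH ike gateway GW-BRANCH
set security ipsec vpn TO-VENDOR bind-interface st0.1
set security ipsec vpn TO-VENDOR ike proxy-identity local 10.1.1.0/24
set security ipsec vpn TO-VENDOR ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn TO-VENDOR ike proxy-identity service any
"""
# Constructed: what the third-party peer is configured to protect.
PEER = {"local": "192.168.50.0/24", "remote": "10.1.1.0/24", "service": "any"}

if __name__ == "__main__":
    for name, pid in effective_proxy_ids(SAMPLE).items():
        print(name, pid, mismatches(pid, PEER) or "matches peer")
```

Run against a real configuration export, the VPNs that report mismatches are the ones to check first when Phase 2 fails against a peer that requires specific subnets.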