The IPSec tunnel configuration allows you
to authenticate and/or encrypt the data (IP packet) as it traverses
the tunnel.
If you are setting up the firewall to work with
a peer that supports only policy-based VPN, you must define Proxy IDs.
Devices that implement policy-based VPN use specific security rules/policies
or access-lists (source addresses, destination addresses, protocol and ports)
to select the interesting traffic that is permitted through an IPSec tunnel. These
rules are referenced during IKE phase 2 (quick mode) negotiation
and are exchanged as Proxy-IDs: the initiator sends its pair in the first
quick mode message and the responder answers with its pair in the second.
A policy-based peer accepts the proposal only if the Proxy-ID it receives
mirrors one of its own rules (the firewall's local network must equal the
peer's remote network and vice versa, with matching protocol and ports).
So, if you are configuring the firewall to work with a policy-based VPN peer,
for a successful phase 2 negotiation you must define a Proxy-ID on the
firewall for each rule on the peer, so that the settings on both peers are
identical. If no Proxy-ID is configured, the firewall, which supports
route-based VPN, sends the default values as the Proxy-ID:
source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application:
any. A policy-based peer has no rule that matches these wildcard values,
so the phase 2 negotiation fails and the VPN connection is not set up.
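As an added example (not part of this documentation, and not the firewall's own code), the following Python models the mirrored Proxy-ID check that a policy-based peer performs during phase 2, so you can see why the 0.0.0.0/0 default is rejected and which Proxy-IDs you still need to add. The ProxyId class, the helper functions, the sample networks and the peer's access-list are all assumptions constructed for the illustration; the peer's rules are written from the peer's own point of view, exactly as its access-list would read.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Dict, Iterable, List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ProxyId:
    """One phase 2 identity pair as a peer proposes it (IDci/IDcr in IKEv1
    quick mode). 'local' and 'remote' are written from the proposing side's
    point of view. protocol 'any' and port 0 mean 'any', matching the
    0.0.0.0/0 / any default the text describes. (Illustrative model.)"""
    local: Network
    remote: Network
    protocol: str = "any"
    local_port: int = 0
    remote_port: int = 0


def proxy_id(local: str, remote: str, protocol: str = "any",
             local_port: int = 0, remote_port: int = 0) -> ProxyId:
    """Build a ProxyId from CIDR strings (strict=False accepts host bits set)."""
    return ProxyId(ip_network(local, strict=False), ip_network(remote, strict=False),
                   protocol.lower(), local_port, remote_port)


# What the route-based firewall sends when no Proxy-ID is configured.
DEFAULT_PROXY_ID = proxy_id("0.0.0.0/0", "0.0.0.0/0", "any")


def mirrors(ours: ProxyId, theirs: ProxyId) -> bool:
    """Exact mirrored match: our local network must equal the peer's remote
    network and vice versa, and protocol/ports must agree. A policy-based
    peer does not treat a wider prefix (0.0.0.0/0) as covering a narrower
    one; only equality counts."""
    return (ours.local == theirs.remote
            and ours.remote == theirs.local
            and ours.protocol == theirs.protocol
            and ours.local_port == theirs.remote_port
            and ours.remote_port == theirs.local_port)


def negotiate_phase2(our_ids: Iterable[ProxyId],
                     peer_rules: Iterable[ProxyId]) -> Dict[ProxyId, bool]:
    """Simulate the check a policy-based peer applies to each Proxy-ID we
    propose. Returns proxy-id -> True (an SA would be built) or False (the
    peer finds no matching rule and rejects the proposal). An empty our_ids
    means nothing is configured, so the default Proxy-ID is sent."""
    proposals: List[ProxyId] = list(our_ids) or [DEFAULT_PROXY_ID]
    rules = list(peer_rules)
    return {pid: any(mirrors(pid, rule) for rule in rules) for pid in proposals}


def missing_proxy_ids(our_ids: Iterable[ProxyId],
                      peer_rules: Iterable[ProxyId]) -> List[ProxyId]:
    """Peer rules that none of our Proxy-IDs mirror: each is a tunnel the
    peer will try to bring up that fails until the mirrored Proxy-ID is
    added on the firewall."""
    ours = list(our_ids)
    return [rule for rule in peer_rules
            if not any(mirrors(pid, rule) for pid in ours)]


# Constructed sample: the policy-based peer's access-list, from the peer's
# point of view (its 192.168.0.0/24 and 192.168.1.0/24 to our 10.1.0.0/24).
# The addresses are illustrative, not taken from any real deployment.
PEER_RULES = [
    proxy_id("192.168.0.0/24", "10.1.0.0/24"),
    proxy_id("192.168.1.0/24", "10.1.0.0/24"),
]

if __name__ == "__main__":
    # Nothing configured: the 0.0.0.0/0 default is proposed and rejected.
    print(negotiate_phase2([], PEER_RULES))
    # One mirrored Proxy-ID: that SA comes up; the peer's second rule still fails.
    ours = [proxy_id("10.1.0.0/24", "192.168.0.0/24")]
    print(negotiate_phase2(ours, PEER_RULES))
    print(missing_proxy_ids(ours, PEER_RULES))
```

The point the model makes explicit is that matching is by equality, not containment: a peer with two access-list entries needs two Proxy-IDs on the firewall, each written with the networks swapped relative to the peer's rule, and a protocol or port that differs on one side is as fatal as a wrong subnet.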