Hi, guys,
We have a need to set up an IPsec VPN with a third-party Cisco IOS device using a route-based VPN (long story short, we cannot use a policy-based VPN because of its NAT limitations, and we cannot do any-to-any proxy-IDs because the customer won't support it without a major design change). The traffic that will flow in/out of the tunnel is ICMP and SIP. We explicitly configure traffic selectors, say my side network is "1.2.3.4/30" and the customer side network is "1.2.3.8/30" (or mirroring crypto ACLs in Cisco's terms). All is well; we are able to establish connectivity for ICMP and SIP.
When the IPsec SA is up, the SRX automatically injects a static route to 1.2.3.8/30, which is propagated to our internal network. The problem arises when my side host "1.2.3.100", which is outside of network "1.2.3.4/30", wants to talk to a host on the customer side in "1.2.3.8/30". This traffic does not fall into the proxy-IDs/encryption domains, but the SRX has an explicit route to the destination, so this traffic is dropped by the SRX. We would want the SRX to be smart enough to send this traffic to the Internet. We might or might not solve this problem by configuring filter-based forwarding, but because of a unique situation we have and the complexity filter-based forwarding introduces, it is out of the question.
Cisco IOS does not have this kind of problem in the first place because it allows users to define the crypto ACLs with any combination of protocols or ports; anything that does not match the crypto ACL will be default routed.
What other options do I have to solve this problem gracefully on the SRX? I like the SRX's routing and automation capability, but it just lacks software features and other capabilities that Cisco IOS has.
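To make the two forwarding behaviours described in the post concrete, here is an added Python model (not code from the poster or from Juniper/Cisco) that reproduces the decision path for the addresses in the question. It assumes exactly what the post states: on the SRX the auto-inserted route sends anything for 1.2.3.8/30 to the tunnel interface, where a packet must then match a traffic selector or be dropped; on IOS the crypto ACL is checked first and non-matching traffic simply follows the routing table. The interface name `st0.0` and the route table are constructed for the model.

```python
import ipaddress

# Traffic selectors (proxy-IDs) from the post: local 1.2.3.4/30, remote 1.2.3.8/30.
LOCAL_TS = ipaddress.ip_network("1.2.3.4/30")
REMOTE_TS = ipaddress.ip_network("1.2.3.8/30")

# Constructed routing table after the IPsec SA comes up: the SRX auto-inserts a
# route to the remote selector pointing at the tunnel interface (assumed name
# st0.0); everything else follows the default route to the Internet.
SRX_ROUTES = [
    (REMOTE_TS, "st0.0"),                        # auto-inserted when the SA is up
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
]


def lookup_route(dst, routes):
    """Longest-prefix match over a list of (prefix, next_hop) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1]


def matches_selector(src, dst):
    """True when the flow falls inside the configured proxy-IDs / crypto ACL."""
    return (ipaddress.ip_address(src) in LOCAL_TS
            and ipaddress.ip_address(dst) in REMOTE_TS)


def srx_forward(src, dst):
    """Route-based VPN as described in the post: the route lookup wins first, and
    a packet routed into the tunnel that matches no traffic selector is dropped."""
    next_hop = lookup_route(dst, SRX_ROUTES)
    if next_hop != "st0.0":
        return next_hop
    return "tunnel" if matches_selector(src, dst) else "drop"


def ios_forward(src, dst):
    """Crypto-map behaviour as described in the post: match the crypto ACL first;
    traffic that does not match is default routed because no tunnel route exists."""
    return "tunnel" if matches_selector(src, dst) else "internet"


if __name__ == "__main__":
    for src, dst in [("1.2.3.5", "1.2.3.9"), ("1.2.3.100", "1.2.3.9"), ("1.2.3.100", "8.8.8.8")]:
        print(f"{src} -> {dst}: SRX={srx_forward(src, dst)}  IOS={ios_forward(src, dst)}")
```

Running the model shows the host outside the selector (1.2.3.100) reaching 1.2.3.9 is dropped on the SRX path and default routed on the IOS path, which is the asymmetry the post is asking about; the sample addresses are the ones from the question, not live hosts.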