If you’re setting up the firewall to work with a peer that supports policy-based VPN,
you must define Proxy IDs. Devices that support policy-based VPN use specific
security rules/policies or access-lists (source addresses, destination addresses,
and ports) to permit interesting traffic through an IPSec tunnel. These rules
are referenced during quick mode (IKE phase 2) negotiation and are exchanged as
proxy IDs in the first or second message of that exchange. So, if you’re
configuring the firewall to work with a policy-based VPN peer, a successful
phase 2 negotiation requires that you define the proxy ID so that the settings on
both peers are identical. If no proxy ID is configured, the firewall, which
supports route-based VPN, uses the default values source IP: 0.0.0.0/0,
destination IP: 0.0.0.0/0 and application: any as the proxy ID; when these values
are exchanged with a policy-based peer, the VPN connection fails to set up.
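The following is an added illustration, not PAN-OS code or any vendor's implementation: it models the phase 2 proxy ID comparison as a strict mirror check, so you can see why the route-based default of 0.0.0.0/0 is rejected by a peer that offers a specific access-list. The field names, the "0 means any port" convention and the sample networks are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Added example, not firewall code: models the quick mode (IKE phase 2)
# proxy ID comparison. Field names and "port 0 = any" are assumptions.


@dataclass(frozen=True)
class ProxyId:
    local: str             # this side's network, CIDR
    remote: str            # the other side's network, CIDR
    protocol: str = "any"  # IP protocol or application; "any" is the default
    local_port: int = 0    # 0 = any port
    remote_port: int = 0


# What a route-based firewall sends when no proxy ID is configured.
ROUTE_BASED_DEFAULT = ProxyId("0.0.0.0/0", "0.0.0.0/0", "any")


def _net(cidr):
    # strict=False so a host address with a mask (10.1.0.5/24) normalizes to 10.1.0.0/24
    return ip_network(cidr, strict=False)


def proxy_ids_match(ours, peers):
    """True when the peer's proxy ID mirrors ours: its local is our remote and
    vice versa, with the same protocol and ports. Only an exact mirror matches;
    a wider range such as 0.0.0.0/0 does not "cover" a narrower selector."""
    return (_net(ours.local) == _net(peers.remote)
            and _net(ours.remote) == _net(peers.local)
            and ours.protocol.lower() == peers.protocol.lower()
            and ours.local_port == peers.remote_port
            and ours.remote_port == peers.local_port)


def select_proxy_id(configured, peer_offer):
    """Phase 2 lookup: return the first configured proxy ID that mirrors the
    peer's offer, or None, meaning the negotiation fails and no SA is built."""
    for pid in configured:
        if proxy_ids_match(pid, peer_offer):
            return pid
    return None


if __name__ == "__main__":
    # Constructed peer access-list: peer LAN 10.2.0.0/24 to our LAN 10.1.0.0/24.
    peer_offer = ProxyId("10.2.0.0/24", "10.1.0.0/24")
    print(select_proxy_id([ROUTE_BASED_DEFAULT], peer_offer))  # None: default rejected
    ours = ProxyId("10.1.0.0/24", "10.2.0.0/24")
    print(select_proxy_id([ours], peer_offer))                 # the mirrored proxy ID
```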