[j-nsp] IPSec on Logical System

Network Geek network.nerdd at gmail.com
Wed Jun 28 20:21:30 EDT 2017

I have a user Logical System DATALSYS on my SRX where all my production data
is flowing, with reth10.X as my exit interfaces to each of the partners. All
of these units of reth10 belong to the PARTNER zone.

On my master Logical System resides fxp0 only, with no existing Virtual Router
and no Zone.

Now I have a new partner Y who requires an IPSec tunnel to connect to us.
IPSec requires phase 1 and phase 2 to be configured on the master LS and also
requires the external interface to be in the master LS.

I hence configured reth10.Y on the master LS, and likewise the IKE and the
IPSec, both in the master LS, and bound them to st0.Y, which in turn sits in
the DATALS LS.

My questions are:
1. Is it OK to have interface units on the user LS and another unit, or some
units, of the same physical/reth10 interface sitting on the master LS?

2. Is it required to assign the unit Y (reth10.Y) to a security zone?

3. Can I put my st0.Y interface into the PARTNER zone of DATALS? Or is it
common practice to create another zone dedicated to the IPSec tunnels?

4. Since all my partners' flows are on DATALS, with the external interface
of partner Y sitting in the master LS, do I need to interconnect DATALS to
the master using VPLS?
