
Configuring IPSec Rule Content

To configure an IPSec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:

rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm (algorithm);
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}

Each IPSec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

In addition, each rule includes a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

match-direction (input | output);

The match direction is used with respect to the traffic flow through the AS or MultiServices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or MultiServices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Services Interfaces.

On the AS or MultiServices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring IPSec Match Conditions

To configure IPSec match conditions, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

from {
    destination-address address;
    ipsec-inside-interface interface-name;
    source-address address;
}

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the JUNOS Policy Framework Configuration Guide.

IPSec services support both IPv4 and IPv6 address formats. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used. To use IPv6 ANY (0::0/128) as either source or destination address, you must configure it explicitly.

For next-hop-style service sets only, the ipsec-inside-interface statement assigns a logical interface to the tunnels established as a result of this match condition. The inside-service-interface statement, which you configure at the [edit services service-set name next-hop-service] hierarchy level, allows you to specify .1 and .2 as the inside and outside interfaces. However, you can configure multiple adaptive services logical interfaces with the service-domain inside statement and use any one of them as the value of the ipsec-inside-interface statement. For more information, see Configuring Services Interfaces and Configuring Interface Properties.

The JUNOS software evaluates the criteria you configure in the from statement. If multiple link-type tunnels are configured within the same next-hop-style service set, the ipsec-inside-interface value enables the rule lookup module to distinguish a particular tunnel from the others even when the source and destination addresses of all of them are 0.0.0.0/0 (ANY-ANY).

Note: When you configure the ipsec-inside-interface statement, interface-style service sets are not supported.

Configuring IPSec Actions

To configure IPSec actions, include the then statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

then {
    backup-remote-gateway address;
    clear-dont-fragment-bit;
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            auxiliary-spi spi-value;
            encryption {
                algorithm (algorithm);
                key (ascii-text key | hexadecimal key);
            }
            protocol (ah | bundle | esp);
            spi spi-value;
        }
    }
    no-anti-replay;
    remote-gateway address;
    syslog;
    tunnel-mtu bytes;
}

The principal IPSec actions are to configure a dynamic or manual SA:

You can configure the following additional properties:
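The following complete next-hop-style configuration is an added example, not taken from this page or from Juniper's documentation, that ties together the match-direction, from, and then statements described above. The interface sp-1/2/0, all addresses, the service-set and rule names, and the ike-hq and ipsec-hq policies (assumed to be defined elsewhere under [edit services ipsec-vpn]) are constructed for illustration.

```junos
/* Added example, not from the original page; names, addresses and policies are assumed. */
interfaces {
    sp-1/2/0 {
        unit 1 {
            family inet;
            service-domain inside;   /* packets routed here carry direction input */
        }
        unit 2 {
            family inet;
            service-domain outside;  /* packets routed here carry direction output */
        }
    }
}
services {
    service-set branch-vpn {
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 203.0.113.1;   /* assumed local tunnel endpoint */
        }
        ipsec-vpn-rules branch-to-hq;
    }
    ipsec-vpn {
        rule branch-to-hq {
            match-direction input;   /* only input-direction packets are checked against this rule */
            term protect-hq {
                from {
                    /* Ties the tunnel to the inside unit so the lookup can tell it apart from others */
                    ipsec-inside-interface sp-1/2/0.1;
                    source-address 192.168.10.0/24;
                    destination-address 192.168.20.0/24;
                }
                then {
                    remote-gateway 198.51.100.2;          /* assumed peer */
                    backup-remote-gateway 198.51.100.3;   /* assumed standby peer */
                    dynamic {
                        /* IKE-negotiated SA rather than static manual keys */
                        ike-policy ike-hq;
                        ipsec-policy ipsec-hq;
                    }
                    syslog;   /* anti-replay stays enabled: no-anti-replay is deliberately omitted */
                }
            }
        }
    }
}
```

Because the rule uses match-direction input, traffic routed through sp-1/2/0.2 (the outside interface) is never evaluated against it; a second rule with match-direction output would be needed to act on that direction.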
