将流量引导至 IPsec 隧道
使用过滤器选择要保护的流量
对于 ES PIC,您需要配置防火墙过滤器以将流量定向到 IPsec 隧道。要将安全关联应用于与防火墙过滤器匹配的流量,请在层次结构级别包含 ipsec-sa sa-name 该语句 [edit firewall filter filter-name term term-name then] 。
[edit firewall filter filter-name] term term-name { from { source-address { ip-address; } destination-address { ip-address; } } then { count counter-name; ipsec-sa sa-name; } } term other { then accept; }
对于 AS 和多服务 PIC,您无需配置单独的防火墙过滤器。在层次结构级别,[edit services ipsec-vpn]IPsec VPN rule 语句中已内置了一个过滤器。要将安全关联应用于与 IPsec VPN 规则匹配的流量,请在层次结构级别包含动态manual或语句[edit services rule rule-name term term-name then]。要指定规则应匹配输入流量还是输出流量,请在层次结构级别包含match-direction语句[edit services rule rule-name]。
为 IPsec VPN 定义规则后,必须将规则应用于服务集。为此,请在层次结构级别包含ipsec-vpn-rules rule-name[edit services service-set service-set-name]语句。在层次结构级别将 [edit services service-set service-set-name] IPv4 或 IPv6 IPsec 网关与语句一起local-gateway local-ip-address包含在内。
此外,还必须选择单个接口或一对参与 IPsec 的接口。要选择单个接口,请在层次结构级别包含[edit services service-set service-set-name]接口服务interface-name语句。要选择一对接口和下一跃点,请在层次结构级别包含next-hop-service语句[edit services service-set service-set-name],并指定内部接口和外部接口。只有下一跃点服务集支持第 3 层 VPN 内的 IPsec 和通过 IPsec 隧道使用的路由协议。
[edit services] service-set service-set-name { interface-service { service-interface interface-name; } next-hop-service { inside-service-interface interface-name; outside-service-interface interface-name; } ipsec-vpn-options { local-gateway local-ip-address <routing-instance instance-name>; trusted-ca ca-profile-name; } ipsec-vpn-rules rule-name; } ipsec-vpn { rule rule-name { term term-name { from { source-address { ip-address; } destination-address { ip-address; } } then { remote-gateway remote-ip-address; (dynamic | manual); } } match-direction output; } }
将过滤器或服务集应用于接收要保护的流量的接口
对于 ES PIC,请在接收要发送到 IPsec 隧道的流量的输入接口上应用防火墙过滤器。为此,请在层次结构级别包含filter[edit interfaces interface-name unit unit-number family inet]语句。
[edit interfaces interface-name unit unit-number family inet] filter { input filter-name; }
对于 AS 和多服务 PIC,请将基于 IPsec 的接口服务集应用于接收要发送到 IPsec 隧道的流量的输入接口。为此,请在层次结构级别包含service-set service-set-name[edit interfaces interface-name unit unit-number family inet service (input | output)]语句。
[edit interfaces interface-name unit unit-number family inet] service { input { service-set service-set-name; } output { service-set service-set-name; } }
要在 AS 和多服务 PIC 上配置基于下一跃点的服务集,请在层次结构级别包含该 service-domain 语句 [edit interfaces interface-name unit unit-number] ,并将 AS PIC 上的一个逻辑接口指定为内部接口,将 AS PIC 上的第二个逻辑接口指定为外部接口。
[edit interfaces sp-fpc/pic/port] unit 0 { family inet { address ip-address; } } unit 1 { family inet; service-domain inside; } unit 2 { family inet; service-domain outside; }