
    Configuring IPsec Rules

    To configure an IPsec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    rule rule-name {
    term term-name {
    ike-policy policy-name;
    ipsec-policy policy-name;
    }
    dead-peer-detection {
    interval seconds;
    threshold number;
    }
    direction (inbound | outbound | bidirectional) {
    algorithm (hmac-sha-256-128| hmac-sha1-96);
    key (ascii-text key | hexadecimal key);
    }
    auxiliary-spi spi-value;
    algorithm algorithm;
    key (ascii-text key | hexadecimal key);
    }
    spi spi-value;
    }
    }
    }
    }
    }

    Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

    • from statement—Specifies the match conditions and applications that are included and excluded.
    • then statement—Specifies the actions and action modifiers to be performed by the router software.

    The following sections explain how to configure the components of IPsec rules:

    Configuring Match Direction for IPsec Rules

    Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name]

    Note: ACX Series routers support only match-direction input; match-direction output is not supported.

    The match direction is used with respect to the traffic flow through the inline service interface. When a packet is sent to the PIC, direction information is carried along with it.

    With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

    With a next-hop service set, packet direction is determined by the interface used to route the packet to the inline service interface. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to Be Applied to Services Interfaces.

    On the inline services interface, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

    Configuring Match Conditions in IPsec Rules

    To configure the match conditions in an IPsec rule, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name]

    You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    IPsec services on ACX Series support IPv4 address formats. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used.

    Configuring Actions in IPsec Rules

    To configure actions in an IPsec rule, include the then statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name]
    then {
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
    }

    The principal IPsec actions are to configure a dynamic or manual SA:

    • You configure a dynamic SA by including the dynamic statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn ike] hierarchy levels; for more information, see Configuring Dynamic Security Associations.
    • You configure a manual SA by including the manual statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level; for more information, see Configuring Manual Security Associations.

    Configuring Destination Address

    To specify the remote address to which the IPsec traffic is directed, include the remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
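    A complete rule assembled from the statements described in the sections above (match direction, from, then with a dynamic SA, dead-peer-detection and remote-gateway), as an added example that is not taken from the Juniper documentation. The rule and term names, address prefixes, gateway address and DPD timer values are constructed, and the ike-hq and ipsec-hq policies are assumed to already exist at the [edit services ipsec-vpn ike] and [edit services ipsec-vpn ipsec] hierarchy levels.

```junos
[edit services ipsec-vpn]
rule acx-site-to-hq {
    /* ACX Series supports match-direction input only; output is not supported */
    match-direction input;
    term protect-lan {
        from {
            /* Constructed example prefixes. If either address is omitted,
               the default 0.0.0.0/0 (IPv4 ANY) is used for that side. */
            source-address 192.0.2.0/24;
            destination-address 198.51.100.0/24;
        }
        then {
            dynamic {
                /* Policy names are assumed to be defined under
                   [edit services ipsec-vpn ike] and [edit services ipsec-vpn ipsec] */
                ike-policy ike-hq;
                ipsec-policy ipsec-hq;
            }
            /* Constructed DPD values: probe every 10 seconds, declare the
               peer dead after 3 consecutive missed replies */
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            /* Constructed remote peer address that the protected traffic is sent to */
            remote-gateway 203.0.113.1;
        }
    }
}
```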

    Modified: 2017-09-13