Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    IPsec Tunnel Traffic Configuration Overview

    Traffic configuration defines the traffic that must flow through the IPsec tunnel. You configure outbound and inbound firewall filters, which identify and direct traffic to be encrypted and confirm that decrypted traffic parameters match those defined for the given tunnel. The outbound filter is applied to the LAN or WAN interface for the incoming traffic you want to encrypt off of that LAN or WAN. The inbound filter is applied to the ES PIC to check the policy for traffic coming in from the remote host. Because of the complexity of configuring a router to forward packets, no automatic checking is done to ensure that the configuration is correct. Make sure that you configure the router very carefully.

    Note: The valid firewall filters statements for IPsec are destination-port, source-port, protocol, destination-address, and source-address.

    In Figure 1, Gateway A protects the network 10.1.1.0/24, and Gateway B protects the network 10.2.2.0/24. The gateways are connected by an IPsec tunnel.

    Figure 1: Example: IPsec Tunnel Connecting Security Gateways

    Example: IPsec Tunnel Connecting Security Gateways

    The SA and ES interfaces for Gateway A are configured as follows:

    [edit security ipsec] security-association manual-sa1 {manual {direction bidirectional {protocol esp; spi 2312; authentication {algorithm hmac-md5-96; key ascii-text 1234123412341234; }encryption {algorithm 3des-cbc; key ascii-text 123456789009876543211234; }}}}[edit interfaces es-0/1/0] unit 0 {tunnel {source 10.5.5.5; destination 10.6.6.6; }family inet {ipsec-sa manual-sa1; address 10.1.1.8/32 {destination 10.1.1.9; }}}

    The SA and ES interfaces for Gateway B are configured as follows:

    [edit security ipsec]security-association manual-sa1 {manual {direction bidirectional {protocol esp; spi 2312; authentication {algorithm hmac-md5-96; key ascii-text 1234123412341234; }encryption {algorithm 3des-cbc; key ascii-text 123456789009876543211234; }}}}[edit interfaces es-0/1/0] unit 0 {tunnel {source 10.6.6.6; destination 10.5.5.5;}family inet {ipsec-sa manual-sa1; address 10.1.1.9/32; {destination 10.1.1.8; }}}
     

    Related Documentation

     

    Published: 2012-11-15

    Previous Page Next Page