After you create the inbound firewall filter, you can apply it to the ES PIC. To apply the filter to the ES PIC, include the filter statement at the [edit interfaces es-fpc/pic/port unit logical-unit-number family inet filter] hierarchy level:
```
filter {
    input filter-name;
}
```
filter-name is the name of the filter applied to received traffic. For a configuration example, see Example: Configuring an Inbound Traffic Filter. For more information about firewall filters, see the JUNOS Policy Framework Configuration Guide.
The Packet Forwarding Engine directs IPSec packets to the ES PIC. It uses the packet's security parameter index (SPI), protocol, and destination address to look up the SA configured on one of the ES interfaces. In the example below, the IPSec SA manual-sa1 is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and is used to decrypt the incoming packet. After the packet has been processed (decrypted, authenticated, or both), the input firewall filter (ipsec-decrypt-policy-filter) is applied to the decrypted packet to perform the final policy check. Within that filter, term1 matches the decrypted (and verified) traffic and performs the required policy check. For information about term1, see Example: Configuring an Inbound Traffic Filter.
Note: The inbound traffic filter is applied after the ES PIC has processed the packet, so the "decrypted traffic" it sees is whatever the remote gateway is encrypting and sending to this router. The filter therefore matches on the inner (decrypted) headers, so its terms refer to addresses inside the local and remote VPNs, not to the tunnel endpoint addresses. IKE uses this filter to determine the policy required for a tunnel; that policy is used during the negotiation with the remote gateway to find the matching SA configuration.
```
[edit interfaces]
es-1/2/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;        # tunnel source address
            destination 10.6.6.6;   # tunnel destination address
        }
        family inet {
            filter {
                input ipsec-decrypt-policy-filter;
            }
            ipsec-sa manual-sa1;    # SA name applied to packet
            address 10.1.1.8/32 {   # local interface address inside local VPN
                destination 10.2.2.254;   # destination address inside remote VPN
            }
        }
    }
}
```
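The interface configuration above references ipsec-decrypt-policy-filter but does not define it. The following filter definition is an added example, not part of the original page; the inner prefixes 10.2.2.0/24 (remote VPN) and 10.1.1.0/24 (local VPN) are assumptions chosen to be consistent with the addresses used above, and term1 and term2 are the term names assumed here. It shows the policy check operating on the decrypted packet's inner addresses and, as a practitioner would want, a final term that discards anything the remote gateway sends through the tunnel that does not match the agreed policy.

```junos
[edit firewall]
family inet {
    filter ipsec-decrypt-policy-filter {
        # term1: accept only traffic whose inner header matches the tunnel policy.
        # The source is an address inside the remote VPN, the destination an
        # address inside the local VPN (assumed prefixes, not from the page).
        term term1 {
            from {
                source-address {
                    10.2.2.0/24;
                }
                destination-address {
                    10.1.1.0/24;
                }
            }
            then accept;
        }
        # term2: anything else that decrypted successfully is outside the
        # negotiated policy and is dropped rather than forwarded.
        term term2 {
            then discard;
        }
    }
}
```

Note that the terms match on inner addresses, not on the tunnel endpoints 10.5.5.5 and 10.6.6.6, because the filter runs after the ES PIC has stripped the outer IPSec header. A filter written against the endpoint addresses would never match the decrypted packet, and a filter without the final discard term would forward any decrypted packet regardless of policy.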