
Configuring IPSec Rule Content

To configure an IPSec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:

rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}

Each IPSec rule consists of a set of terms, similar to a firewall filter. A term consists of a from statement, which specifies the match conditions (source address, destination address, and the IPSec inside interface), and a then statement, which specifies the actions to perform on matching traffic (the remote gateway, a dynamic or manual security association, and related options).

In addition, each rule includes a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

match-direction (input | output);

The match direction is used with respect to the traffic flow through the AS or MultiServices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or MultiServices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Services Interfaces.

On the AS or MultiServices PIC, a flow lookup is performed first. If no flow is found, rule processing is performed; rules are therefore consulted only for the first packet of a new flow. All rules in the service set are considered. During rule processing, the packet direction is compared against each rule's match-direction, and only rules whose match-direction equals the packet direction are evaluated against the packet.
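The following configuration is an added example, not taken from the original page, that ties the rule stanza above to the inside/outside direction model of a next-hop service set. The interface sp-1/2/0, the logical units, the addresses, and the names vpn-to-branch, ike-prop, ike-pol, ipsec-prop, ipsec-pol and branch-rule are all hypothetical; the service-set, interface and ike/ipsec proposal statements come from the wider Junos services hierarchy rather than from this page. Cleartext traffic is routed to unit 1 (the inside interface), so it arrives at the PIC with direction input and is matched by the rule's match-direction input; the encrypted traffic leaves through unit 2 (the outside interface).

```junos
/* Added example (hypothetical names and addresses), not part of the original page. */
interfaces {
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            /* Inside service interface: packets routed here carry direction "input". */
            family inet;
            service-domain inside;
        }
        unit 2 {
            /* Outside service interface: packets routed here carry direction "output". */
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set vpn-to-branch {
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 198.51.100.1;
        }
        ipsec-vpn-rules branch-rule;
    }
    ipsec-vpn {
        ike {
            proposal ike-prop {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
            }
            policy ike-pol {
                mode main;
                proposals ike-prop;
                /* Placeholder only; commit a long random secret, never a dictionary word. */
                pre-shared-key ascii-text "replace-with-a-long-random-secret";
            }
        }
        ipsec {
            proposal ipsec-prop {
                protocol esp;
                /* hmac-sha1-96 rather than hmac-md5-96, the weaker of the two listed algorithms. */
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
            }
            policy ipsec-pol {
                perfect-forward-secrecy keys group2;
                proposals ipsec-prop;
            }
        }
        rule branch-rule {
            /* Evaluated only for packets that entered via the inside interface. */
            match-direction input;
            term to-branch {
                from {
                    /* Addresses as seen from the inside: local subnet to remote subnet. */
                    source-address 10.1.0.0/16;
                    destination-address 10.2.0.0/16;
                }
                then {
                    remote-gateway 203.0.113.9;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                    initiate-dead-peer-detection;
                    syslog;
                }
            }
        }
    }
}
```

Because the rule is applied with match-direction input, the from addresses are written from the inside perspective (local source, remote destination); a rule intended for packets arriving from the outside interface would use match-direction output and swap them. The then statement deliberately omits no-anti-replay: that option disables IPSec replay protection on the security association and should be left off unless a peer is known to reorder packets badly enough to trip the replay window. A manual security association (the manual stanza in the syntax above) is only appropriate where IKE cannot run, since its keys never rotate.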

For more information about configuring IPSec rules, see the following sections:

