
Configuring IPSec Match Conditions

To configure IPSec match conditions, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

from {
    destination-address address;
    ipsec-inside-interface interface-name;
    source-address address;
}

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the JUNOS Policy Framework Configuration Guide.

IPSec services support both IPv4 and IPv6 address formats. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used. To use IPv6 ANY (0::0/128) as either source or destination address, you must configure it explicitly.

For next-hop-style service sets only, the ipsec-inside-interface statement lets you assign a logical interface to the tunnels that are established as a result of this match condition. The inside-service-interface statement, which you configure at the [edit services service-set name next-hop-service] hierarchy level, lets you specify one logical unit as the inside interface and one as the outside interface (for example, .1 and .2). However, you can configure multiple adaptive services logical interfaces with the service-domain inside statement and use any one of them as the value of the ipsec-inside-interface statement. For more information, see Configuring Services Interfaces and Configuring Interface Properties.

The JUNOS software evaluates the criteria you configure in the from statement. If multiple link-type tunnels are configured within the same next-hop-style service set, the ipsec-inside-interface value enables the rule lookup module to distinguish a particular tunnel from other tunnels in case the source and destination addresses for all of them are 0.0.0.0/0 (ANY-ANY).

Note: The ipsec-inside-interface statement is not supported in interface-style service sets; configure it only in rules that are applied through next-hop-style service sets.
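The following configuration is an added illustration of the statements described above; it is not taken from the JUNOS documentation. It shows a next-hop-style service set whose inside interface is sp-1/2/0.1, a second inside logical unit (sp-1/2/0.3) configured with service-domain inside, and an ipsec-vpn rule in which two terms both match ANY-ANY (no source or destination address configured, so the default 0.0.0.0/0 applies) and are told apart only by their ipsec-inside-interface value, plus a third term that matches on explicit addresses. The interface name sp-1/2/0, the rule, term and service-set names, the address ranges, the remote gateway address and the IKE policy name are constructed placeholders; the then clauses and the outside-service-interface statement are outside the scope of this page and are included only so that the rule is complete.

```junos
/* Added example configuration; all names and addresses are placeholders. */
interfaces {
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
        /* inside interface of the service set, also used for tunnel A */
        unit 1 {
            family inet;
            service-domain inside;
        }
        /* outside interface of the service set */
        unit 2 {
            family inet;
            service-domain outside;
        }
        /* additional inside logical interface, used only by tunnel B */
        unit 3 {
            family inet;
            service-domain inside;
        }
    }
}
services {
    ipsec-vpn {
        rule example-ipsec-rule {
            match-direction input;
            /* Terms tunnel-a and tunnel-b are both ANY-ANY (default 0.0.0.0/0);
               the rule lookup distinguishes them by ipsec-inside-interface. */
            term tunnel-a {
                from {
                    ipsec-inside-interface sp-1/2/0.1;
                }
                then {
                    remote-gateway 203.0.113.1;
                    dynamic {
                        ike-policy example-ike-policy;
                    }
                }
            }
            term tunnel-b {
                from {
                    ipsec-inside-interface sp-1/2/0.3;
                }
                then {
                    remote-gateway 203.0.113.2;
                    dynamic {
                        ike-policy example-ike-policy;
                    }
                }
            }
            /* Explicit IPv4 address match, as in a firewall filter. */
            term branch-subnets {
                from {
                    source-address 10.0.1.0/24;
                    destination-address 10.0.2.0/24;
                }
                then {
                    remote-gateway 203.0.113.3;
                    dynamic {
                        ike-policy example-ike-policy;
                    }
                }
            }
        }
    }
    service-set example-service-set {
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
        ipsec-vpn-rules example-ipsec-rule;
    }
}
```

Because terms tunnel-a and tunnel-b carry no address match, traffic is steered to one tunnel or the other purely by which inside logical interface it arrives on (sp-1/2/0.1 or sp-1/2/0.3); if both terms omitted ipsec-inside-interface as well, the rule lookup would have no way to tell the two tunnels apart, which is the situation the ipsec-inside-interface statement exists to resolve.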

