Firewall filters for outbound traffic direct the traffic through the desired IPSec tunnel and ensure that the tunneled traffic goes out the appropriate interface (see Figure 5). Here, an outbound firewall filter is created on security Gateway A; it identifies the traffic to be encrypted and adds it to the input side of the interface that carries the internal virtual private network (VPN) traffic:
- [edit firewall]
- filter ipsec-encrypt-policy-filter {
-
- term term1 {
-
- from {
- source-address { # local network
- 10.1.1.0/24;
- }
- destination-address { # remote network
- 10.2.2.0/24;
- }
- }
- then ipsec-sa manual-sa1; # apply SA name to packet
- term default {
- then accept;
- }
 |
Note: The source address, port, and protocol on the outbound traffic filter must match the destination address, port, and protocol on the inbound traffic filter. The destination address, port, and protocol on the outbound traffic filter must match the source address, port, and protocol on the inbound traffic filter. |