After you create the inbound firewall filter, apply it to the master ES PIC. Here, the inbound firewall filter (ipsec-decrypt-policy-filter) is applied on the decrypted packet to perform the final policy check. The IPSec manual-sa1 SA is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and decrypts the incoming packet. This example does not show SA and filter configuration. For information about SA and filter configuration, see the JUNOS System Basics Configuration Guide, the JUNOS Policy Framework Configuration Guide, and Example: Configuring an Inbound Traffic Filter.
- [edit interfaces]
- es-1/2/0 {
-
- es-options {
- backup-interface es-1/0/0;
- }
-
- unit 0 {
-
- tunnel {
- source 10.5.5.5;
- destination 10.6.6.6;
- }
-
- family inet {
- ipsec-sa manual-sa1;
-
- filter {
- input ipsec-decrypt-policy-filter;
- }
-
- address 10.1.1.8/32 {
- destination 10.2.2.254;
- }
- }
- }
- }