After you create the inbound firewall filter, apply it to the ES PIC. Here, the inbound firewall filter (ipsec-decrypt-policy-filter) is applied on the decrypted packet to perform the final policy check. The IPSec manual-sa1 SA is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and decrypts the incoming packet.
```
[edit interfaces]
es-1/2/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;        # tunnel source address
            destination 10.6.6.6;   # tunnel destination address
        }
        family inet {
            filter {
                input ipsec-decrypt-policy-filter;   # policy check on decrypted packets
            }
            ipsec-sa manual-sa1;    # SA name applied to packet
            address 10.1.1.8/32 {   # local interface address inside local VPN
                destination 10.2.2.254;   # destination address inside remote VPN
            }
        }
    }
}
```
The Packet Forwarding Engine directs IPSec packets to the ES PIC. It uses the packet’s SPI, protocol, and destination address to look up the SA configured on one of the ES interfaces. The IPSec manual-sa1 SA is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and is used to decrypt the incoming packet. When the packets are processed (decrypted, authenticated, or both), the input firewall filter (ipsec-decrypt-policy-filter) is applied on the decrypted packet to perform the final policy check. Term1 defines the decrypted (and verified) traffic and performs the required policy check.
Note: The inbound traffic filter is applied after the ES PIC has processed the packet, so the decrypted traffic is defined as any traffic that the remote gateway is encrypting and sending to this router. IKE uses this filter to determine the policy required for a tunnel. This policy is used during the negotiation with the remote gateway to find the matching SA configuration.
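The page references the filter ipsec-decrypt-policy-filter and its term1 but does not show the filter itself. The following is an added example of what such a policy-check filter could look like, constructed here rather than taken from the original configuration; the prefixes 10.2.2.0/24 (remote VPN) and 10.1.1.0/24 (local VPN) are assumptions chosen to match the addresses in the interface configuration above, and the final discard term is added so that decrypted traffic outside the negotiated policy is dropped rather than forwarded.

```junos
[edit firewall]
family inet {
    filter ipsec-decrypt-policy-filter {
        # term1: traffic that the remote gateway is expected to encrypt and send
        # to this router; only this traffic passes the final policy check.
        term term1 {
            from {
                source-address {
                    10.2.2.0/24;    # assumed remote VPN prefix
                }
                destination-address {
                    10.1.1.0/24;    # assumed local VPN prefix
                }
            }
            then {
                count ipsec-decrypted-accepted;   # visibility into accepted decrypted traffic
                accept;
            }
        }
        # Anything else that arrives decrypted is outside the tunnel policy:
        # count it for troubleshooting and discard it.
        term default {
            then {
                count ipsec-decrypted-rejected;
                discard;
            }
        }
    }
}
```

Because the filter is evaluated only after decryption and authentication, the match conditions describe cleartext addresses inside the VPN, not the tunnel endpoints 10.5.5.5 and 10.6.6.6; matching on the tunnel endpoints here would never succeed.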