traffic-selector
Syntax
traffic-selector traffic-selector-name {
    local-ip ip-address/netmask;
    remote-ip ip-address/netmask;
    preference pref_value;
    protocol protocol_name/protocol_id;
    source-port low-high;
    destination-port low-high;
    metric metric_value;
    description description_value;
    term term_name {
        local-ip ip-address/netmask;
        remote-ip ip-address/netmask;
        protocol protocol_name/protocol_id;
        source-port low-high;
        destination-port low-high;
    }
}
Hierarchy Level
[edit security ipsec vpn vpn-name]
Description
A traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified set of local IP address range, remote IP address range, source port range, destination port range, and protocol. This functionality is supported only for IKEv2.
In Junos OS Releases earlier than 21.1R1, one pair of local IP prefix and remote IP prefix per IPsec tunnel is supported for filtering traffic through the tunnel. From Junos OS Release 21.1R1 onwards, you can configure multiple sets of local IP prefix, remote IP prefix, source port range, destination port range, and protocol for traffic selection.
This means that multiple sets of IP address ranges, port ranges, and protocols can be part of the same traffic selector, as defined in RFC 7296. To support this, the concept of a term is introduced within the traffic selector. Each term defines one set of local IP range, remote IP range, source port range, destination port range, and protocol. All the terms combined are negotiated as part of a single IPsec SA. The terms in a single traffic selector can carry both IPv4 and IPv6 addresses, so a single IPsec SA can have both IPv4 and IPv6 local and remote addresses. A maximum of 200 terms is supported in each traffic selector.
When you configure multiple traffic selectors, each traffic selector leads to a separate negotiation and results in a separate IPsec tunnel. If instead you configure multiple terms under one traffic selector, a single IPsec SA is negotiated that carries multiple IP prefixes, ports, and protocols.
You must configure at least one local IP prefix and one remote IP prefix for a traffic selector. All other parameters are optional.
If multiple traffic selectors have overlapping routes, the routing metric is used as a tie breaker for the forwarding decision.
To install the Junos package required to support this functionality on your SRX Series Firewall, use the command request system software add optional://junos-ike.tgz.
For backward compatibility, configuring IP prefixes directly under the [edit security ipsec vpn vpn-name traffic-selector traffic-selector-name] hierarchy is still supported.
Use the [edit security ipsec vpn vpn-name traffic-selector traffic-selector-name term term-name] hierarchy level to configure multiple sets of IP address ranges, port ranges, and protocols for the same traffic selector, as defined in RFC 7296.
Do not configure the same values for different traffic selectors under the same IKE gateway; this is not a valid traffic selector configuration. If you configure multiple traffic selectors with the same values, then, depending on the peer configuration, CPU utilization might become unexpectedly high.
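The following configuration is an added example and is not taken from the Junos documentation. It shows one route-based VPN whose traffic selector ts-apps carries three terms, negotiated as a single IPsec SA that includes an IPv6 term, beside two further traffic selectors (ts-eng and ts-ops) that are negotiated as separate tunnels and whose remote prefixes overlap, so metric breaks the tie. All names, addresses and ports are constructed; protocol names (tcp, udp) and single-port ranges written as low-high follow the syntax shown above; that a lower metric is preferred is assumed from normal Junos route selection. The IKE gateway is set to v2-only because traffic selectors require IKEv2.

```junos
/* Added example, not from the Junos documentation. Names, addresses and ports
   are constructed for illustration. Assumes IKEv2 and the junos-ike package. */
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            proposals ike-prop;
            /* Placeholder; Junos stores the key encrypted after commit. */
            pre-shared-key ascii-text "REPLACE-WITH-A-STRONG-PSK";
        }
        gateway hq-gw {
            ike-policy ike-pol;
            address 203.0.113.10;
            external-interface ge-0/0/0.0;
            /* Traffic selectors are supported only for IKEv2. */
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            encryption-algorithm aes-256-gcm;
        }
        policy ipsec-pol {
            proposals ipsec-prop;
        }
        vpn hq-vpn {
            bind-interface st0.0;
            ike {
                gateway hq-gw;
                ipsec-policy ipsec-pol;
            }
            /* One traffic selector with three terms: negotiated as a single
               IPsec SA carrying IPv4 HTTPS, IPv4 DNS and an IPv6 prefix. */
            traffic-selector ts-apps {
                description "branch to HQ application traffic";
                term https {
                    local-ip 10.1.0.0/16;
                    remote-ip 10.3.0.0/16;
                    protocol tcp;
                    source-port 1024-65535;
                    destination-port 443-443;
                }
                term dns {
                    local-ip 10.1.0.0/16;
                    remote-ip 10.3.53.0/24;
                    protocol udp;
                    /* No source-port configured: 'any' is assumed for udp. */
                    destination-port 53-53;
                }
                term v6 {
                    local-ip 2001:db8:1::/48;
                    remote-ip 2001:db8:2::/48;
                    /* No protocol or ports configured: 'any' is assumed. */
                }
            }
            /* Two more traffic selectors: each is negotiated separately and
               becomes its own tunnel. Their remote prefixes overlap, so the
               metric is the tie breaker for forwarding (lower preferred,
               assumed). The local prefixes differ, so these are not the
               invalid "same values" case described above. */
            traffic-selector ts-eng {
                local-ip 10.1.10.0/24;
                remote-ip 10.2.0.0/16;
                metric 10;
            }
            traffic-selector ts-ops {
                local-ip 10.1.20.0/24;
                remote-ip 10.2.0.0/16;
                metric 20;
            }
        }
    }
}
```

In this layout the peer sees three IPsec SAs for hq-vpn: one for ts-apps with the three terms' prefixes, ports and protocols in its TSi/TSr payloads, and one each for ts-eng and ts-ops. Keep the terms' value sets distinct from those of the other traffic selectors under the same gateway.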
Options
local-ip ip-address/netmask
    A local IP address or a local subnetwork protected by the local VPN device.
remote-ip ip-address/netmask
    A remote IP address or a remote subnetwork protected by the peer VPN device.
preference pref_value
    Local preference value of the traffic selector for a particular
term term_name
    Defines one set of local IP range, remote IP range, source port range, destination port range, and protocol. All the terms combined are part of a single IPsec SA. A maximum of 200 terms is supported in each traffic selector. Optional.
protocol protocol_name/protocol_id
    Transport protocol list for a traffic selector for an IPsec tunnel. Optional. If no protocol is configured, protocol 'any' is assumed.
source-port low-high
    Source port range, from the lower to the higher port number. Optional. If a protocol is configured but no port, port 'any' is assumed for the source port range of that protocol.
destination-port low-high
    Destination port range, from the lower to the higher port number. Optional. If a protocol is configured but no port, port 'any' is assumed for the destination port range of that protocol.
metric metric_value
    Tie breaker when multiple traffic selectors have overlapping routes, used to decide the most preferred path. Optional.
description description_value
    Traffic selector description. Optional.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X46-D10.
term, protocol, source-port, destination-port, metric, and description options introduced in Junos OS Release 21.1R1.
preference pref_value option introduced in Junos OS Release 22.2R1.