[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring an IPSec Stateful Firewall Filter Rule

If you have configured a stateful firewall filter that treats the interface carrying the IPSec tunnel as untrusted, that filter drops the IKE negotiation and the ESP packets along with everything else, and the tunnel never comes up. You must add a stateful firewall rule that explicitly allows IPSec traffic between the two tunnel endpoints to pass, and discards everything else.

For more information about firewall filters, see Configuring Firewall Filters and NAT.

To configure an IPSec stateful firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 106.
  3. Go on to Configuring a NAT Pool.

Table 106: Configuring an IPSec Stateful Firewall Filter Rule

Task: Create the stateful firewall rule and apply it to inbound traffic.

  J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Stateful firewall.
  2. In the Rule field, click Add new entry.
  3. In the Rule name box, type the name of the rule. It can be any unique string.
  4. In the Match direction field, select Input from the list.

  CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall

  2. Create the firewall rule and apply it to input traffic:

    set rule rule-name match-direction input

Task: Create the firewall term to match only the desired traffic.

  All of the match conditions below belong to one term. Conditions of different types are combined with AND, and the two applications are alternatives, so the term matches only ESP or IKE packets sent from the remote tunnel endpoint to the local tunnel endpoint.

  J-Web Configuration Editor:

  1. In the Term field, click Add new entry.
  2. In the Term name box, type the name of the term. It can be any unique string.
  3. Click From.
  4. In the Destination address field, click Add new entry.
  5. In the Address field, select Enter specific value from the list.
  6. In the Address box, type the IP address of the local tunnel endpoint, in dotted decimal notation, and click OK.
  7. In the Source address field, click Add new entry.
  8. In the Address field, select Enter specific value from the list.
  9. In the Address box, type the IP address of the remote tunnel endpoint, in dotted decimal notation, and click OK.
  10. In the Applications field, click Add new entry.
  11. In the Application name field, type junos-ipsec-esp, and click OK.
  12. In the Applications field, click Add new entry.
  13. In the Application name field, type junos-ike, and click OK.

  CLI Configuration Editor (still at the [edit services stateful-firewall] level, so each statement names the rule):

  1. Create the firewall term and match all packets whose destination address is the local tunnel endpoint:

    set rule rule-name term term-name from destination-address local-tunnel-end-point-address

  2. Match all packets whose source address is the remote tunnel endpoint:

    set rule rule-name term term-name from source-address remote-tunnel-end-point-address

  3. Match IPSec ESP packets (the predefined junos-ipsec-esp application matches IP protocol 50):

    set rule rule-name term term-name from applications junos-ipsec-esp

  4. Match IKE packets (the predefined junos-ike application matches UDP port 500):

    set rule rule-name term term-name from applications junos-ike

Task: Configure the firewall term to accept only the desired traffic.

  J-Web Configuration Editor:

  1. Click OK to return to the Term name page, and click Then.
  2. In the Designation field, select Accept from the list, and select the Yes box.
  3. Click OK.

  CLI Configuration Editor:

  Set the match action to accept:

    set rule rule-name term term-name then accept

Task: Create the firewall term to reject all other traffic.

  Terms are evaluated in the order in which they are configured, and the first term that matches decides the packet's fate. This term has no match conditions, so it matches every packet that the previous term did not accept; it must therefore come after the accept term. A discard term configured first would drop the IPSec traffic as well.

  J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Stateful firewall>Rule>rule-name.
  2. In the Term field, click Add new entry.
  3. In the Term name field, type the name of the term. The name can be any unique string.
  4. Click Then.
  5. In the Designation field, select Discard from the list.

  CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall rule rule-name

  2. Configure a term to discard all traffic:

    set term term-name then discard
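The complete CLI configuration for the four tasks in Table 106, as an added example that is not part of the original page. The rule name ipsec-allow, the term names permit-ipsec and discard-rest, and the endpoint addresses 192.0.2.1 (local tunnel endpoint) and 198.51.100.1 (remote tunnel endpoint) are illustrative assumptions; substitute your own names and addresses.

```junos
## Added example. Rule name, term names and the two endpoint addresses are
## assumptions chosen for illustration, not values from the original page.
##   local tunnel endpoint  : 192.0.2.1
##   remote tunnel endpoint : 198.51.100.1

[edit]
user@host# edit services stateful-firewall

## Task 1: create the rule and apply it to inbound traffic
[edit services stateful-firewall]
user@host# set rule ipsec-allow match-direction input

## Task 2: one term; the conditions are ANDed across types, so a packet must be
## from the remote endpoint AND to the local endpoint AND be ESP or IKE.
## The explicit /32 makes the host match unambiguous.
user@host# set rule ipsec-allow term permit-ipsec from source-address 198.51.100.1/32
user@host# set rule ipsec-allow term permit-ipsec from destination-address 192.0.2.1/32
user@host# set rule ipsec-allow term permit-ipsec from applications junos-ipsec-esp
user@host# set rule ipsec-allow term permit-ipsec from applications junos-ike

## Task 3: accept what permit-ipsec matched
user@host# set rule ipsec-allow term permit-ipsec then accept

## Task 4: a final term with no 'from' clause matches everything else and
## discards it. It is entered after permit-ipsec on purpose: terms are
## evaluated in configuration order and the first match wins.
user@host# set rule ipsec-allow term discard-rest then discard

## Verify the term order before committing
user@host# show rule ipsec-allow
user@host# commit check
```

The `show rule ipsec-allow` output should list permit-ipsec before discard-rest; if the order is reversed (for example after a term was deleted and re-added), use `insert rule ipsec-allow term discard-rest after term permit-ipsec` to correct it rather than accepting the configuration. The rule has no effect on traffic until a service set references it through `stateful-firewall-rules` and that service set is applied to the untrusted interface, which this page does not cover.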

