[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring an IPSec Stateful Firewall Filter Rule

If you have configured a stateful firewall filter that designates the interface through which an IPSec tunnel is configured as an untrusted interface, you must create a new stateful firewall filter rule that allows IPSec traffic to pass.

For more information about firewall filters, see Configuring Firewall Filters and NAT.

To configure an IPSec stateful firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 108.
  3. Go on to Configuring a NAT Pool.

Table 108: Configuring an IPSec Stateful Firewall Filter Rule

Task

J-Web Configuration Editor

CLI Configuration Editor

Create the stateful firewall rule and apply it to inbound traffic.

Use any unique string for the rule name.
  1. From the top of the configuration hierarchy, click Services>Stateful firewall.
  2. Next to the rule, click Add new entry.
  3. In the Rule name box, type the name of the rule.
  4. From the Match direction list, select Input.
  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall

  2. Create the firewall rule and apply it to input traffic:

    set rule rule-name match-direction input

Create the firewall term to match only desired traffic.

Use any unique string for the term name.
  1. Next to Term, click Add new entry.
  2. In the Term name box, type the name of the term.
  3. Click From.
  4. Next to Destination address, click Add new entry.
  5. From the address list, select Enter specific valuet.
  6. In the Address box, type the IP address of the local tunnel endpoint, in dotted decimal notation, and click OK.
  7. Next to Source address, click Add new entry.
  8. From the address list, select Enter specific value.
  9. In the Address box, type the IP address of the remote tunnel endpoint, in dotted decimal notation, and click OK.
  10. Next to Applications, click Add new entry.
  11. In the Application name box, type junos-ipsec-esp, and click OK.
  12. Next to Applications, click Add new entry.
  13. In the Application name box, type junos-ike, and click OK.
  1. Create the firewall term and match all packets with a destination address that matches the local tunnel endpoint:

    set term term-name from destination-address local-tunnel-end-point-address

  2. Match all packets with a source address that matches the remote tunnel endpoint:

    set term term-name from source-address remote-tunnel-end-point-address

  3. Match all packets using IPSec as an application protocol:

    set term term-name from applications junos-ipsec-esp

  4. Match all packets using IKE as an application protocol:

    set term term-name from applications junos-ike

Configure the firewall term to accept only desired traffic.
  1. Click OK to return to the Term name page, and click Then.
  2. From the Designation list, select Accept, then select the Yes box.
  3. Click OK.

Set the match action to accept:

set term term-name then accept

Create the firewall term to reject all other traffic.

Use any unique string for the term name.
  1. From the top of the configuration hierarchy, click Services>Stateful firewall>Rule>rule-name
  2. Next to Term, click Add new entry.
  3. In the Term name box, type the name of the term.
  4. Click Then.
  5. From the Designation list, select Discard.
  6. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall rule rule-name

  2. Configure a term to discard all traffic:

    set term term-name then discard

[Contents] [Prev] [Next] [Index] [Report an Error]

[an error occurred while processing this directive]