Using a Filter to Select Traffic to Be Secured

For the ES PIC, you need to configure a firewall filter to direct traffic into the IPSec tunnel. To apply a security association to traffic that matches a firewall filter, include the ipsec-sa sa-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level.

[edit firewall filter filter-name]
term term-name {
    from {
        source-address {
            ip-address;
        }
        destination-address {
            ip-address;
        }
    }
    then {
        count counter-name;
        ipsec-sa sa-name;
    }
}
term other {
    then accept;
}
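A concrete ES PIC filter of the shape just described, added here as an example that is not part of the original page. The filter name, term names, counter name, addresses and the security association name sa-to-site-b are constructed values; the security association itself is assumed to be defined separately and is not shown.

```junos
[edit firewall]
filter ipsec-select {
    /* Only traffic between the two protected subnets is steered into the tunnel. */
    term to-site-b {
        from {
            source-address {
                10.1.0.0/24;
            }
            destination-address {
                10.2.0.0/24;
            }
        }
        then {
            /* Count matches so that tunnel selection can be verified from the filter counters. */
            count ipsec-selected;
            /* Constructed name; must match a configured security association. */
            ipsec-sa sa-to-site-b;
        }
    }
    /* Catch-all: everything else is forwarded in the clear. */
    term other {
        then accept;
    }
}
```

The final term other with then accept is not optional. A Junos firewall filter ends with an implicit discard, so a filter that contained only the ipsec-sa term would drop every packet that did not match the protected subnets rather than forwarding it unprotected. Checking the ipsec-selected counter after applying the filter confirms that the intended traffic, and only that traffic, is being selected for the tunnel.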

For the AS and MultiServices PICs, you do not need to configure a separate firewall filter. A filter is already built into the IPSec VPN rule statement at the [edit services ipsec-vpn] hierarchy level. To apply a security association to traffic that matches the IPSec VPN rule, include the dynamic or manual statement at the [edit services rule rule-name term term-name then] hierarchy level. To specify whether the rule should match input or output traffic, include the match-direction statement at the [edit services rule rule-name] hierarchy level.

After defining the rules for your IPSec VPNs, you must apply the rules to a service set. To do this, include the ipsec-vpn-rules rule-name statement at the [edit services service-set service-set-name] hierarchy level. Include an IPv4 or IPv6 IPSec gateway with the local-gateway local-ip-address statement at the [edit services service-set service-set-name] hierarchy level.

Also, you must select either a single interface or a pair of interfaces that participate in IPSec. To select a single interface, include the interface-service interface-name statement at the [edit services service-set service-set-name] hierarchy level. To select a pair of interfaces and a next hop, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level and specify an inside interface and an outside interface. Only next-hop service sets support IPSec within Layer 3 VPNs and use of routing protocols over the IPSec tunnel.

[edit services]
service-set service-set-name {
    interface-service {
        service-interface interface-name;
    }
    next-hop-service {
        inside-service-interface interface-name;
        outside-service-interface interface-name;
    }
    ipsec-vpn-options {
        local-gateway local-ip-address <routing-instance instance-name>;
        trusted-ca ca-profile-name;
    }
    ipsec-vpn-rules rule-name;
}
ipsec-vpn {
    rule rule-name {
        term term-name {
            from {
                source-address {
                    ip-address;
                }
                destination-address {
                    ip-address;
                }
            }
            then {
                remote-gateway remote-ip-address;
                (dynamic | manual);
            }
        }
        match-direction output;
    }
}
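A complete AS or MultiServices PIC service set of the kind described above, added here as a worked example that is not part of the original page. It uses a next-hop service set, since that is the only style that supports IPSec within Layer 3 VPNs and routing protocols over the tunnel. The service-set, rule and term names, the sp-1/2/0 service interface units, the gateway addresses and the IKE and IPSec policy names ike-site-b and ipsec-site-b are constructed; those two policies are assumed to be defined separately under [edit services ipsec-vpn] and are not shown.

```junos
[edit services]
service-set vpn-to-site-b {
    /* Next-hop style: an inside and an outside unit of the same service PIC. */
    next-hop-service {
        inside-service-interface sp-1/2/0.1;
        outside-service-interface sp-1/2/0.2;
    }
    ipsec-vpn-options {
        /* Constructed local tunnel endpoint address. */
        local-gateway 192.0.2.1;
    }
    /* Bind the IPSec VPN rule defined below to this service set. */
    ipsec-vpn-rules to-site-b;
}
ipsec-vpn {
    rule to-site-b {
        term secure-site-b {
            /* The built-in filter: only this subnet pair is protected. */
            from {
                source-address {
                    10.1.0.0/24;
                }
                destination-address {
                    10.2.0.0/24;
                }
            }
            then {
                /* Constructed remote tunnel endpoint address. */
                remote-gateway 198.51.100.1;
                /* Dynamic (IKE-negotiated) security association; policy names are assumed. */
                dynamic {
                    ike-policy ike-site-b;
                    ipsec-policy ipsec-site-b;
                }
            }
        }
        /* Evaluate the rule on traffic entering the service set from the inside interface. */
        match-direction input;
    }
}
```

The page's stanza shows match-direction output; this example assumes the cleartext traffic enters the service set through the inside interface and therefore uses input. The direction you pick has to agree with the side of the service set on which your protected traffic arrives, otherwise the term never matches and the traffic is forwarded without protection. Using dynamic rather than manual means keys are negotiated by IKE instead of being configured statically in the rule.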

Published: 2010-04-15