Using a Filter to Select Traffic to Be Secured
For the ES PIC, you need to configure a firewall filter to direct traffic into the IPSec tunnel. To apply a security association to traffic that matches a firewall filter, include the ipsec-sa sa-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level. The security association that the filter references is defined separately, at the [edit security ipsec security-association sa-name] hierarchy level, and the filter is applied to the interface on which the cleartext traffic arrives. Because a firewall filter discards every packet that no term accepts, the filter must end with a term that accepts the traffic you do not want encrypted; otherwise traffic to every other destination is silently dropped once the filter is applied.
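The following configuration is an added example, not taken from the original page; it shows the ES PIC filter described above. The security association name sa-branch, the address ranges and the interface name are assumptions chosen for illustration; the security association itself must already exist at [edit security ipsec security-association sa-branch].

```junos
/* Constructed example: ES PIC firewall filter that selects traffic for IPSec. */
/* Assumes sa-branch is defined under [edit security ipsec security-association]. */
firewall {
    family inet {
        filter to-branch-ipsec {
            /* Only traffic between the two assumed private ranges is steered into the tunnel. */
            term encrypt-branch {
                from {
                    source-address {
                        10.1.0.0/16;
                    }
                    destination-address {
                        10.2.0.0/16;
                    }
                }
                then ipsec-sa sa-branch;
            }
            /* Required: without this term the implicit discard drops all other traffic. */
            term pass-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed LAN-facing interface where cleartext traffic enters the router. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input to-branch-ipsec;
                }
                address 10.1.0.1/16;
            }
        }
    }
}
```

The selector in the from clause is the policy boundary: anything not matched by encrypt-branch leaves the router in cleartext through the accept term, so the address ranges should be reviewed as carefully as the security association itself.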
For the AS and MultiServices PICs, you do not need to configure a separate firewall filter. A filter is already built into the IPSec VPN rule statement at the [edit services ipsec-vpn] hierarchy level. To apply a security association to traffic that matches the IPSec VPN rule, include the dynamic (IKE-negotiated) or manual (statically keyed) statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. To specify whether the rule should match input or output traffic, include the match-direction statement at the [edit services ipsec-vpn rule rule-name] hierarchy level.
After defining the rules for your IPSec VPNs, you must apply the rules to a service set. To do this, include the ipsec-vpn-rules rule-name statement at the [edit services service-set service-set-name] hierarchy level. Specify the IPv4 or IPv6 address of the local IPSec gateway with the local-gateway local-ip-address statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level; this is the address the remote peer sees as the tunnel endpoint.
Also, you must select either a single interface or a pair of interfaces that participate in IPSec. To select a single interface, include the interface-service statement at the [edit services service-set service-set-name] hierarchy level and specify the services interface with the service-interface interface-name statement. To select a pair of interfaces and a next hop, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level and specify an inside interface and an outside interface with the inside-service-interface and outside-service-interface statements; the corresponding logical units on the services PIC must be configured with service-domain inside and service-domain outside, and traffic reaches the tunnel by being routed to the inside interface. Only next-hop service sets support IPSec within Layer 3 VPNs and use of routing protocols over the IPSec tunnel.
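The following configuration is an added example, not taken from the original page; it carries the AS/MultiServices PIC procedure above through end to end: an IPSec VPN rule with match-direction and a dynamic action, a next-hop service set that applies the rule and names the local gateway, the inside and outside service interfaces, and the static route that sends traffic to the inside interface. The rule, policy, service-set and interface names, the addresses and the sp-1/2/0 interface are assumptions; the IKE policy ike-branch and IPSec policy ipsec-branch are assumed to be defined at [edit services ipsec-vpn ike policy] and [edit services ipsec-vpn ipsec policy].

```junos
/* Constructed example: AS/MultiServices PIC IPSec with a next-hop service set. */
/* Assumes ike-branch and ipsec-branch policies already exist under [edit services ipsec-vpn]. */
services {
    ipsec-vpn {
        rule vpn-to-branch {
            /* Match traffic as it enters the service set from the inside interface. */
            match-direction input;
            term branch {
                from {
                    source-address {
                        10.1.0.0/16;
                    }
                    destination-address {
                        10.2.0.0/16;
                    }
                }
                then {
                    remote-gateway 198.51.100.2;
                    /* dynamic = keys negotiated by IKE; manual would carry static keys instead. */
                    dynamic {
                        ike-policy ike-branch;
                        ipsec-policy ipsec-branch;
                    }
                }
            }
        }
    }
    service-set branch-vpn {
        /* Pair of interfaces: cleartext on the inside unit, encrypted on the outside unit. */
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
        ipsec-vpn-options {
            /* Address the remote peer sees as our tunnel endpoint. */
            local-gateway 192.0.2.1;
        }
        ipsec-vpn-rules vpn-to-branch;
    }
}
interfaces {
    sp-1/2/0 {
        /* Unit 0 carries the services PIC control channel. */
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
routing-options {
    static {
        /* Traffic for the remote site is routed into the tunnel via the inside interface. */
        route 10.2.0.0/16 next-hop sp-1/2/0.1;
    }
}
```

Two points are worth checking after commit. The static route is what actually hands traffic to the service set: a rule with a correct selector but no route (or a routing protocol adjacency) pointing at the inside interface never encrypts anything. The rule's selector and match-direction are evaluated on the inside unit, so if the remote range is later widened, both the from clause and the route must change together. Tunnel state can be confirmed with the show services ipsec-vpn ike security-associations and show services ipsec-vpn ipsec security-associations operational commands.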