passive-mode-tunneling (Security IPsec)

Syntax

passive-mode-tunneling;

Hierarchy Level

[edit security ipsec vpn vpn-name]

Description

Allows tunneling of malformed packets. By default, the feature is disabled. When you enable this feature with the configuration statement set security ipsec vpn vpn-name passive-mode-tunneling:

  • Traffic bypasses the usual active IP checks, such as the checks on the version, TTL, protocol, options, and address fields.

  • The TTL value is not decremented, because the IPsec tunnel is not treated as the next hop.

  • Even if the packet size exceeds the tunnel MTU, the device neither generates an ICMP error message nor fragments the packet.

Options

No specific options are needed. If you configure the statement, the feature is enabled.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Platform-Specific Passive Mode Tunneling Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following platform-specific behavior descriptions to review the differences for your platforms.

Platform: MX Series

  • MX-SPC3 services cards that support this feature allow packets to bypass flow processing and go directly to encapsulation and decapsulation when passing through the passive mode tunnel. As a result, the device does not create session flow output: with packet-based processing of IPsec traffic in passive mode tunnels, the show security flow session command shows no session details.

  • You must configure the passive-monitor-mode statement before enabling the passive-mode-tunneling statement, so that the malformed packets can reach the MX-SPC3 services card from the Packet Forwarding Engine (PFE). See passive-monitor-mode.

  • The MX-SPC3 services card supports the header-integrity-check statement in the service-set configuration, which verifies the packet header for anomalies in the IP, TCP, UDP, and ICMP information. Note that this functionality is the opposite of the passive-mode-tunneling statement. Configuring both the header-integrity-check statement and the passive-mode-tunneling statement therefore results in an error during the configuration commit. See header-integrity-check.

  • On an MX-SPC3 services card with passive-mode-tunneling enabled and header-integrity-check configured in the service-set, the following implications apply to configurations with multiple VPNs:

    • If the header-integrity-check statement is enabled, the passive-mode-tunneling statement must be disabled for all VPNs. Additionally, a service-set cannot have two or more IPsec VPNs with different passive-mode-tunneling values. This means that if the header-integrity-check statement is enabled, a service-set can have only one type of VPN configured, with passive-mode-tunneling either enabled or disabled for all of them.

    • If the header-integrity-check statement is disabled, a service-set can have two or more IPsec VPNs with different passive-mode-tunneling values.

Platform: SRX Series

  • On SRX Series Firewalls that support this feature, the firewall processes malformed packets and creates a flow session. You can view the session flow details with the show security flow session command. The flow process checks the passive mode tunneling state and decides whether to bypass the IP checks and prevent packet drops.

  • We do not support the feature for mixed-mode configurations on your firewall. This means that when you enable the feature on one IPsec VPN tunnel, it is enabled for all the tunnels on your firewall.

  • Enabling passive mode tunneling on your firewall restricts the configuration of security features such as the screen options for attack detection and prevention, as well as the security policies (excluding the default permit-all policy). Conversely, if you configure security features such as screen options and security policies, passive mode tunneling cannot be enabled.

  • We recommend that you configure the default permit-all policy to avoid packet drops caused by a policy match.
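As an added example (not Juniper's code), the following Python pre-commit check encodes the MX-SPC3 service-set rules and the SRX restrictions described in the two lists above, so a configuration can be linted for these conflicts before a commit is attempted. The service-set and VPN names are constructed sample data.

```python
"""Pre-commit lint for the passive-mode-tunneling constraints documented above.
Added example, not Juniper's code: it models only the rules stated on this page.
Service-set and VPN names used in the sample run are constructed."""
from dataclasses import dataclass, field


@dataclass
class ServiceSet:
    """MX-SPC3 service-set: header-integrity-check flag plus per-VPN passive-mode-tunneling state."""
    name: str
    header_integrity_check: bool
    vpn_passive: dict = field(default_factory=dict)  # vpn-name -> passive-mode-tunneling enabled?


def check_mx_service_set(ss: ServiceSet) -> list:
    """Return the commit errors for one MX-SPC3 service-set (empty list means it would commit)."""
    errors = []
    if ss.header_integrity_check:
        # header-integrity-check is the opposite of passive-mode-tunneling: configuring both fails the commit.
        for vpn, passive in sorted(ss.vpn_passive.items()):
            if passive:
                errors.append(f"{ss.name}: vpn {vpn} enables passive-mode-tunneling while header-integrity-check is set")
        # With header-integrity-check enabled, the VPNs in a service-set may not mix passive-mode-tunneling values.
        if len(set(ss.vpn_passive.values())) > 1:
            errors.append(f"{ss.name}: mixed passive-mode-tunneling values are not allowed with header-integrity-check")
    # Without header-integrity-check, mixed passive-mode-tunneling values are permitted on MX-SPC3.
    return errors


def check_srx(vpn_passive: dict, screens_configured: bool, custom_policies: bool) -> list:
    """Return findings for an SRX firewall: no mixed mode, no screens or non-default policies with the feature."""
    findings = []
    if any(vpn_passive.values()):
        if not all(vpn_passive.values()):
            findings.append("mixed mode is unsupported: passive-mode-tunneling applies to all tunnels on the firewall")
        if screens_configured:
            findings.append("screen options cannot be configured together with passive-mode-tunneling")
        if custom_policies:
            findings.append("only the default permit-all policy may be configured with passive-mode-tunneling")
    return findings


if __name__ == "__main__":
    # Constructed sample: one conflicting MX service-set, one valid one, and an SRX mixed-mode configuration.
    for ss in (ServiceSet("ss-conflict", True, {"vpn-a": True, "vpn-b": False}),
               ServiceSet("ss-ok", False, {"vpn-a": True, "vpn-b": False})):
        print(ss.name, check_mx_service_set(ss) or "would commit")
    print("srx", check_srx({"vpn-a": True, "vpn-b": False}, screens_configured=True, custom_policies=False))
```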

Release Information

Statement introduced in Junos OS Release 23.1R1.