Directing Traffic into an IPsec Tunnel
Using a Filter to Select Traffic to Be Secured
For the ES PIC, you need to configure a firewall filter to direct traffic into the IPsec tunnel. To apply a security association to traffic that matches a firewall filter, include the ipsec-sa sa-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level.

[edit firewall filter filter-name]
term term-name {
    from {
        source-address {
            ip-address;
        }
        destination-address {
            ip-address;
        }
    }
    then {
        count counter-name;
        ipsec-sa sa-name;
    }
}
term other {
    then accept;
}
For the AS and MultiServices PICs, you do not need to configure a separate firewall filter. A filter is already built into the IPsec VPN rule statement at the [edit services ipsec-vpn] hierarchy level. To apply a security association to traffic that matches the IPsec VPN rule, include the dynamic or manual statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. To specify whether the rule should match input or output traffic, include the match-direction statement at the [edit services ipsec-vpn rule rule-name] hierarchy level.

After defining the rules for your IPsec VPNs, you must apply the rules to a service set. To do this, include the ipsec-vpn-rules rule-name statement at the [edit services service-set service-set-name] hierarchy level. Include an IPv4 or IPv6 IPsec gateway with the local-gateway local-ip-address statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Also, you must select either a single interface or a pair of interfaces that participate in IPsec. To select a single interface, include the interface-service statement at the [edit services service-set service-set-name] hierarchy level and specify the service interface. To select a pair of interfaces and a next hop, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level and specify an inside interface and an outside interface. Only next-hop service sets support IPsec within Layer 3 VPNs and use of routing protocols over the IPsec tunnel.

[edit services]
service-set service-set-name {
    interface-service {
        service-interface interface-name;
    }
    next-hop-service {
        inside-service-interface interface-name;
        outside-service-interface interface-name;
    }
    ipsec-vpn-options {
        local-gateway local-ip-address <routing-instance instance-name>;
        trusted-ca ca-profile-name;
    }
    ipsec-vpn-rules rule-name;
}
ipsec-vpn {
    rule rule-name {
        term term-name {
            from {
                source-address {
                    ip-address;
                }
                destination-address {
                    ip-address;
                }
            }
            then {
                remote-gateway remote-ip-address;
                (dynamic | manual);
            }
        }
        match-direction output;
    }
}
Applying the Filter or Service Set to the Interface Receiving Traffic to Be Secured
For the ES PIC, apply your firewall filter on the input interface receiving the traffic that you wish to send to the IPsec tunnel. To do this, include the filter statement at the [edit interfaces interface-name unit unit-number family inet] hierarchy level.

[edit interfaces interface-name unit unit-number family inet]
filter {
    input filter-name;
}
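The following is an added, end-to-end example for the ES PIC path; it is not part of the original document. It defines a filter that sends traffic between two constructed prefixes into a security association named sa-branch, counts that traffic, accepts everything else, and applies the filter in the input direction on the interface facing the local LAN. The prefixes, the interface ge-0/0/0, the filter and counter names, and the SA name are all constructed; the security association sa-branch is assumed to already be defined under the [edit security ipsec security-association] hierarchy.

```junos
/* Added example: ES PIC, filter-based selection of traffic to secure.
   All names and addresses are constructed. The security association
   sa-branch is assumed to exist already under [edit security ipsec]. */
firewall {
    filter to-ipsec {
        /* Only traffic from the local LAN to the remote LAN is tunneled. */
        term secure-branch {
            from {
                source-address {
                    10.1.1.0/24;
                }
                destination-address {
                    10.2.2.0/24;
                }
            }
            then {
                /* Counter visible with: show firewall filter to-ipsec */
                count to-ipsec-pkts;
                /* Hand matching packets to the security association. */
                ipsec-sa sa-branch;
            }
        }
        /* Everything else is forwarded in the clear. Without this term the
           filter's implicit discard would drop all other traffic on the unit. */
        term other {
            then accept;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Input direction: packets arriving from the LAN side. */
                filter {
                    input to-ipsec;
                }
                address 10.1.1.1/24;
            }
        }
    }
}
```

The counter on the secure-branch term is the quickest way to confirm that the intended flows are actually being selected: if the counter stays at zero while traffic is flowing, the match terms or the interface direction are wrong, and the traffic is leaving unencrypted through the other term.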
For the AS and MultiServices PICs, apply your IPsec-based interface service set to the input interface receiving the traffic that you wish to send to the IPsec tunnel. To do this, include the service-set service-set-name statement at the [edit interfaces interface-name unit unit-number family inet service (input | output)] hierarchy level.

[edit interfaces interface-name unit unit-number family inet]
service {
    input {
        service-set service-set-name;
    }
    output {
        service-set service-set-name;
    }
}

To configure a next-hop-based service set on the AS and MultiServices PICs, include the service-domain statement at the [edit interfaces interface-name unit unit-number] hierarchy level and specify one logical interface on the AS PIC as an inside interface and a second logical interface on the AS PIC as an outside interface.

[edit interfaces sp-fpc/pic/port]
unit 0 {
    family inet {
        address ip-address;
    }
}
unit 1 {
    family inet;
    service-domain inside;
}
unit 2 {
    family inet;
    service-domain outside;
}
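The following is an added example, not part of the original document, that carries the whole AS/MultiServices PIC procedure through in one configuration: an IPsec VPN rule with a match direction, an interface-style service set applied in both directions on the receiving interface, a next-hop-style service set with inside and outside logical interfaces on the services PIC, and the static route that steers traffic into the next-hop set. All names, addresses and interface positions (sp-1/2/0, ge-0/0/0, 192.0.2.1, 192.0.2.2, the 10.1.1.0/24 and 10.2.2.0/24 prefixes) are constructed. The IKE and IPsec policies ike-branch and ipsec-branch named under the dynamic statement are assumed to be defined at the [edit services ipsec-vpn ike] and [edit services ipsec-vpn ipsec] hierarchy levels and are not shown.

```junos
/* Added example: AS/MultiServices PIC, service-set based IPsec.
   All names and addresses are constructed. The policies ike-branch and
   ipsec-branch are assumed to be defined under [edit services ipsec-vpn ike]
   and [edit services ipsec-vpn ipsec]; they are not shown here. */
services {
    ipsec-vpn {
        rule vpn-to-branch {
            /* Match traffic leaving toward the tunnel. */
            match-direction output;
            term secure-branch {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                    destination-address {
                        10.2.2.0/24;
                    }
                }
                then {
                    remote-gateway 192.0.2.2;
                    dynamic {
                        ike-policy ike-branch;
                        ipsec-policy ipsec-branch;
                    }
                }
            }
        }
    }
    /* Interface-style set: applied directly on the interface that receives
       the traffic, in both directions. */
    service-set branch-vpn-if {
        interface-service {
            service-interface sp-1/2/0;
        }
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
        }
        ipsec-vpn-rules vpn-to-branch;
    }
    /* Next-hop-style set: traffic enters the tunnel by being routed to the
       inside interface, so routing protocols can run across the tunnel. */
    service-set branch-vpn-nh {
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
        }
        ipsec-vpn-rules vpn-to-branch;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Interface-style application: the same set in both directions. */
                service {
                    input {
                        service-set branch-vpn-if;
                    }
                    output {
                        service-set branch-vpn-if;
                    }
                }
                address 10.1.1.1/24;
            }
        }
    }
    sp-1/2/0 {
        unit 0 {
            family inet {
                address 10.255.0.1/32;
            }
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
routing-options {
    static {
        /* Steer the remote LAN prefix into the next-hop service set; the
           encrypted packets emerge on sp-1/2/0.2 and are forwarded to
           192.0.2.2 over the outside interface. */
        route 10.2.2.0/24 next-hop sp-1/2/0.1;
    }
}
```

In practice a single deployment uses one of the two service sets, not both; they are shown together here only to contrast the two ways of selecting the interfaces. With the next-hop style, the route to sp-1/2/0.1 is what decides which traffic is protected, so a missing or overly broad static route means traffic either bypasses the tunnel entirely or is sent to it unintentionally; with the interface style, the rule's match terms and match-direction alone decide.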