[j-nsp] Firewall filter on IPSec tunnel
Nilesh Khambal
nkhambal at juniper.net
Mon Feb 2 15:33:54 EST 2009
Hi Matt,
Where did you apply the filter? sp- inside or sp-outside interface? What
direction did you apply the filter?
For sp- interfaces always interpret the filter directions from the PFE point of
view and "not" from the service-pic point of view.
So what is "input" for the service-pic on any interface is actually "output" for
the PFE on that interface and vice-versa.
Hope this helps.
Thanks,
Nilesh
On 1/28/09 10:44 AM, "Matt Stevens" <matt at elevate.org> wrote:
> That's in the services ipsec-vpn rule:
>
> rule ashburn2 {
>     term one {
>         from {
>             ipsec-inside-interface sp-0/0/0.13;
>         }
>         then {
>             remote-gateway 10.11.12.14;
>             dynamic {
>                 ike-policy hq-ashburn2;
>                 ipsec-policy site-to-site;
>             }
>             clear-dont-fragment-bit;
>         }
>     }
>     match-direction input;
> }
>
> --
> matt
>
>
> Nan Li wrote:
>> > Show me the "match-direction input"
>> >
>> > -----Original Message-----
>> > From: juniper-nsp-bounces at puck.nether.net
>> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Matt Stevens
>> > Sent: Wednesday, January 28, 2009 10:24 AM
>> > To: Stefan Fouant
>> > Cc: juniper-nsp at puck.nether.net
>> > Subject: Re: [j-nsp] Firewall filter on IPSec tunnel
>> >
>> > These are next-hop ipsec sets. For example:
>> >
>> > service-set ashburn2 {
>> >     ipsec-vpn-options {
>> >         local-gateway 10.11.12.13;
>> >     }
>> >     ipsec-vpn-rules ashburn2;
>> >     next-hop-service {
>> >         inside-service-interface sp-0/0/0.13;
>> >         outside-service-interface sp-0/0/0.12;
>> >     }
>> > }
>> >
>> > local-gateway has been changed to protect the innocent...
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
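Nilesh's point about reading sp- filter directions from the PFE's view, shown as an added Junos configuration example that is not from the thread. The filter names, the counters and the 192.0.2.0/24 prefix are assumptions; the interface unit sp-0/0/0.13 is the inside-service-interface from Matt's service set.

```junos
/* Constructed example: filter names, counter names and the
   192.0.2.0/24 prefix are assumptions, not from the thread. */
firewall {
    family inet {
        /* Cleartext heading INTO the tunnel: the service PIC sees this
           as "input" on sp-0/0/0.13 (which is why the ipsec-vpn rule
           uses match-direction input), but the PFE is handing it to the
           PIC, so on the sp- interface the filter direction is "output". */
        filter TO-TUNNEL {
            term count-lan {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count to-tunnel;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
        /* Decrypted traffic coming back FROM the tunnel: the PIC hands
           it to the PFE, so from the PFE's view it is "input". */
        filter FROM-TUNNEL {
            term count-remote {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count from-tunnel;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    sp-0/0/0 {
        unit 13 {
            family inet {
                /* Directions here are the PFE's, not the service PIC's. */
                filter {
                    input FROM-TUNNEL;
                    output TO-TUNNEL;
                }
            }
        }
    }
}
```

Check with `show firewall filter TO-TUNNEL` while hosts in the inside prefix send traffic through the VPN; if the to-tunnel counter stays at zero while the tunnel carries traffic, the filter is attached in the wrong direction.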