[j-nsp] Firewall filter on IPSec tunnel
Matt Stevens
matt at elevate.org
Mon Feb 2 15:41:46 EST 2009
Nilesh,
I actually tried it in both directions - neither seemed to work. JTAC
keeps trying to steer me towards JunOS enhanced services.
I find it a little surprising that I can't filter traffic going over the
tunnel. I imagine I could do GRE over IPSec - but that would require a
pretty large change to our current IPSec mesh.
--
matt
Nilesh Khambal wrote:
> Hi Matt,
>
> Where did you apply the filter? sp- inside or sp-outside interface? What
> direction did you apply the filter?
>
> For sp- interfaces, always interpret the filter directions from the PFE point
> of view and “not” from the service-PIC point of view.
>
> So what is “input” for the service PIC on any interface is actually “output”
> for the PFE on that interface, and vice versa.
>
> Hope this helps.
>
> Thanks,
> Nilesh
>
> On 1/28/09 10:44 AM, "Matt Stevens" <matt at elevate.org> wrote:
>
> That's in the services ipsec-vpn rule:
>
> rule ashburn2 {
>     term one {
>         from {
>             ipsec-inside-interface sp-0/0/0.13;
>         }
>         then {
>             remote-gateway 10.11.12.14;
>             dynamic {
>                 ike-policy hq-ashburn2;
>                 ipsec-policy site-to-site;
>             }
>             clear-dont-fragment-bit;
>         }
>     }
>     match-direction input;
> }
>
> --
> matt
>
>
> Nan Li wrote:
> > Show me the "match-direction input"
> >
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Matt Stevens
> > Sent: Wednesday, January 28, 2009 10:24 AM
> > To: Stefan Fouant
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] Firewall filter on IPSec tunnel
> >
> > These are next-hop ipsec sets. For example:
> >
> > service-set ashburn2 {
> >     ipsec-vpn-options {
> >         local-gateway 10.11.12.13;
> >     }
> >     ipsec-vpn-rules ashburn2;
> >     next-hop-service {
> >         inside-service-interface sp-0/0/0.13;
> >         outside-service-interface sp-0/0/0.12;
> >     }
> > }
> >
> > local-gateway has been changed to protect the innocent...
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
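One way to check Nilesh's point on this exact setup before writing any discard terms, as an added example that is not from the thread: apply a count-and-accept filter in each direction on the inside unit sp-0/0/0.13 from Matt's next-hop service set, send traffic across the tunnel, and compare the two counters with `show firewall` to see which PFE-side direction carries the cleartext. The filter and counter names are assumptions.

```junos
firewall {
    family inet {
        filter count-tunnel-in {
            term all {
                then {
                    /* packets the PFE receives from the service PIC on this unit */
                    count tunnel-pfe-input;
                    accept;
                }
            }
        }
        filter count-tunnel-out {
            term all {
                then {
                    /* packets the PFE sends to the service PIC on this unit */
                    count tunnel-pfe-output;
                    accept;
                }
            }
        }
    }
}
interfaces {
    sp-0/0/0 {
        unit 13 {
            family inet {
                /* direction is from the PFE point of view, per Nilesh */
                filter {
                    input count-tunnel-in;
                    output count-tunnel-out;
                }
            }
        }
    }
}
```

Once the counters show which direction sees the pre-encryption traffic, the real match terms can be moved into that filter and the counting-only one removed.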