[j-nsp] Firewall filter on IPSec tunnel

Nilesh Khambal nkhambal at juniper.net
Mon Feb 2 16:42:38 EST 2009


Could you please share the filter configuration and how you applied it on
the inside interface?

You can filter traffic going over the IPSec tunnel, i.e. in the
clear-->encrypted direction, by applying an output firewall filter to the sp-
inside interface. To filter the traffic after it is decrypted from the IPSec
tunnel, you need to apply an input filter to the sp- inside interface. You cannot
apply a filter to match the internal (encrypted) IP header on the sp- outside
interface (in either direction) since on the outside you will always receive
encrypted traffic (in both directions) with an outer IP header consisting of
local-gateway and remote-gateway. We will not see the original IP header
inside the payload that you are trying to filter on since it's encrypted.

Try to narrow down the problem with filter using counters to see if the
traffic is even hitting the filter terms.

Thanks,
Nilesh


On 2/2/09 12:41 PM, "Matt Stevens" <matt at elevate.org> wrote:

> Nilesh,
> 
> I actually tried it in both directions - neither seemed to work. JTAC
> keeps trying to steer me towards JunOS enhanced services.
> 
> I find it a little surprising that I can't filter traffic going over the
> tunnel. I imagine I could do GRE over IPSec - but that would require a
> pretty large change to our current IPSec mesh.
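As an added illustration of the placement Nilesh describes (this is example configuration, not from anyone in the thread), the fragment below applies an output filter and an input filter to the inside unit of a next-hop-style service set, with counters on every term so `show firewall` reveals whether traffic is reaching the filter at all. The interface `sp-0/0/0`, unit number and filter/counter names are assumptions chosen for this example.

```junos
/* Assumed: sp-0/0/0 unit 1 is the inside (clear-text) side of a
   next-hop-style IPsec service set; names below are placeholders. */
interfaces {
    sp-0/0/0 {
        unit 1 {
            service-domain inside;
            family inet {
                filter {
                    /* clear -> encrypted: evaluated before IPsec encapsulation */
                    output to-tunnel;
                    /* encrypted -> clear: evaluated after IPsec decapsulation */
                    input from-tunnel;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter to-tunnel {
            term count-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count to-tunnel-ssh;
                    accept;
                }
            }
            term rest {
                then {
                    /* catch-all so the filter never silently discards */
                    count to-tunnel-rest;
                    accept;
                }
            }
        }
        filter from-tunnel {
            term rest {
                then {
                    count from-tunnel-all;
                    accept;
                }
            }
        }
    }
}
```

After committing, `show firewall filter to-tunnel` and `show firewall filter from-tunnel` show the per-term counters; if every counter stays at zero while the tunnel carries traffic, the filter is attached to the wrong unit or direction.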
