That's in the services ipsec-vpn rule:

rule ashburn2 {
    term one {
        from {
            ipsec-inside-interface sp-0/0/0.13;
        }
        then {
            remote-gateway 10.11.12.14;
            dynamic {
                ike-policy hq-ashburn2;
                ipsec-policy site-to-site;
            }
            clear-dont-fragment-bit;
        }
    }
    match-direction input;
}

-- matt

Nan Li wrote:
Show me the "match-direction input"

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
Sent: Wednesday, January 28, 2009 10:24 AM
To: Stefan Fouant
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Firewall filter on IPSec tunnel

These are next-hop ipsec sets. For example:

service-set ashburn2 {
    ipsec-vpn-options {
        local-gateway 10.11.12.13;
    }
    ipsec-vpn-rules ashburn2;
    next-hop-service {
        inside-service-interface sp-0/0/0.13;
        outside-service-interface sp-0/0/0.12;
    }
}

local-gateway has been changed to protect the innocent...

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp