That's in the services ipsec-vpn rule:

    rule ashburn2 {
        term one {
            from {
                ipsec-inside-interface sp-0/0/0.13;
            }
            then {
                remote-gateway 10.11.12.14;
                dynamic {
                    ike-policy hq-ashburn2;
                    ipsec-policy site-to-site;
                }
                clear-dont-fragment-bit;
            }
        }
        match-direction input;
    }

--
matt


Nan Li wrote:
Show me the "match-direction input"

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
Sent: Wednesday, January 28, 2009 10:24 AM
To: Stefan Fouant
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Firewall filter on IPSec tunnel

These are next-hop ipsec sets. For example:

    service-set ashburn2 {
        ipsec-vpn-options {
            local-gateway 10.11.12.13;
        }
        ipsec-vpn-rules ashburn2;
        next-hop-service {
            inside-service-interface sp-0/0/0.13;
            outside-service-interface sp-0/0/0.12;
        }
    }

local-gateway has been changed to protect the innocent...

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
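Added example, not part of the thread above: a small Python checker that parses the two Junos config blocks quoted in this exchange (the next-hop-style service set and its ipsec-vpn rule) and cross-checks that they refer to each other consistently. It assumes the brace-and-semicolon layout shown in the thread, and it assumes (as a check, not something the thread states) that in a next-hop-style service set the rule's `ipsec-inside-interface` must be the same unit as the service set's `inside-service-interface`; the `services { ... }` wrapper, the parser and the `check_service_set` function are this example's own. A mismatching variant is constructed inline to show what a finding looks like.

```python
"""Consistency check for a Junos next-hop style ipsec service set.

Added example (not from the mailing-list thread). Sample config below is
the thread's two blocks wrapped in a constructed `services { }` stanza.
"""
import re

# Constructed sample: both blocks from the thread under one services stanza.
SAMPLE_CONFIG = """
services {
    service-set ashburn2 {
        ipsec-vpn-options {
            local-gateway 10.11.12.13;
        }
        ipsec-vpn-rules ashburn2;
        next-hop-service {
            inside-service-interface sp-0/0/0.13;
            outside-service-interface sp-0/0/0.12;
        }
    }
    ipsec-vpn {
        rule ashburn2 {
            term one {
                from {
                    ipsec-inside-interface sp-0/0/0.13;
                }
                then {
                    remote-gateway 10.11.12.14;
                    dynamic {
                        ike-policy hq-ashburn2;
                        ipsec-policy site-to-site;
                    }
                    clear-dont-fragment-bit;
                }
            }
            match-direction input;
        }
    }
}
"""


def tokenize(text):
    """Split Junos curly-brace config into words, braces and ';' (comments dropped)."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"\{|\}|;|[^\s{};]+", text)


def parse(tokens):
    """Build a nested dict: block headers map to sub-dicts, leaf statements
    map to their value words ('' when the statement has no argument)."""
    root = {}
    stack = [root]
    current = []
    for tok in tokens:
        if tok == "{":
            child = {}
            stack[-1][" ".join(current)] = child
            stack.append(child)
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            key, *vals = current
            stack[-1][key] = " ".join(vals)
            current = []
        else:
            current.append(tok)
    return root


def check_service_set(config, name):
    """Return a list of findings for service-set `name`; empty means consistent."""
    findings = []
    services = config.get("services", {})
    sset = services.get(f"service-set {name}")
    if sset is None:
        return [f"service-set {name}: not found"]
    nhs = sset.get("next-hop-service")
    if nhs is None:
        return [f"service-set {name}: not next-hop style (no next-hop-service)"]
    inside = nhs.get("inside-service-interface")
    outside = nhs.get("outside-service-interface")
    if not inside or not outside or inside == outside:
        findings.append(f"service-set {name}: inside/outside interfaces must be two distinct units")
    rule_name = sset.get("ipsec-vpn-rules")
    rule = services.get("ipsec-vpn", {}).get(f"rule {rule_name}")
    if rule is None:
        findings.append(f"service-set {name}: ipsec-vpn rule {rule_name!r} is not defined")
        return findings
    # Assumption: every term's ipsec-inside-interface must be the set's inside interface.
    for key, term in rule.items():
        if not key.startswith("term "):
            continue
        iface = term.get("from", {}).get("ipsec-inside-interface")
        if iface != inside:
            findings.append(f"rule {rule_name} {key}: ipsec-inside-interface {iface} "
                            f"does not match inside-service-interface {inside}")
    if "match-direction" not in rule:
        findings.append(f"rule {rule_name}: match-direction is missing")
    return findings


def check_sample():
    """Run the check over the thread's config as quoted."""
    return check_service_set(parse(tokenize(SAMPLE_CONFIG)), "ashburn2")


def check_mismatched_sample():
    """Constructed variant: the rule points at a different sp- unit than the set."""
    broken = SAMPLE_CONFIG.replace("ipsec-inside-interface sp-0/0/0.13",
                                   "ipsec-inside-interface sp-0/0/0.14")
    return check_service_set(parse(tokenize(broken)), "ashburn2")


if __name__ == "__main__":
    print("as quoted:", check_sample() or "consistent")
    print("mismatched:", check_mismatched_sample())
```

The parser keeps block headers such as `rule ashburn2` and `term one` as dictionary keys, so the check walks every term of the referenced rule rather than assuming a single one; a set whose rule name is misspelled, or whose rule binds a different `sp-` unit than the set's `inside-service-interface`, shows up as a finding before the configuration is committed.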