Nilesh,
I actually tried it in both directions - neither seemed to work. JTAC
keeps trying to steer me towards JunOS enhanced services.
I find it a little surprising that I can't filter traffic going over the
tunnel. I imagine I could do GRE over IPSec - but that would require a
pretty large change to our current IPSec mesh.
--
matt
Nilesh Khambal wrote:
Hi Matt,
Where did you apply the filter? sp-inside or sp-outside interface? What
direction did you apply the filter?
For sp- interfaces always interpret the filter directions from PFE point
of view and “not” from service-pic point of view.
So what is “input” for service-pic on any interface is actually “output”
for PFE on that interface and vice-versa.
Hope this helps.
Thanks,
Nilesh
On 1/28/09 10:44 AM, "Matt Stevens" <m...@elevate.org> wrote:
That's in the services ipsec-vpn rule:
rule ashburn2 {
    term one {
        from {
            ipsec-inside-interface sp-0/0/0.13;
        }
        then {
            remote-gateway 10.11.12.14;
            dynamic {
                ike-policy hq-ashburn2;
                ipsec-policy site-to-site;
            }
            clear-dont-fragment-bit;
        }
    }
    match-direction input;
}
--
matt
Nan Li wrote:
> Show me the "match-direction input"
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
> Sent: Wednesday, January 28, 2009 10:24 AM
> To: Stefan Fouant
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Firewall filter on IPSec tunnel
>
> These are next-hop ipsec sets. For example:
>
> service-set ashburn2 {
>     ipsec-vpn-options {
>         local-gateway 10.11.12.13;
>     }
>     ipsec-vpn-rules ashburn2;
>     next-hop-service {
>         inside-service-interface sp-0/0/0.13;
>         outside-service-interface sp-0/0/0.12;
>     }
> }
>
> local-gateway has been changed to protect the innocent...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
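Added illustration (not taken from any of the posts above, and not a claim that it resolves Matt's case): a firewall filter attached to the inside service interface of the next-hop service set, with the directions read the way Nilesh describes, from the PFE's point of view. The interface sp-0/0/0.13 is the inside-service-interface from the posted service-set; the filter names, the 10.20.0.0/24 prefix and the counter names are made up for the example. The reasoning, stated as an assumption: cleartext packets routed into the tunnel leave the PFE toward the PIC through the inside interface, so for the PFE that is `output` on sp-0/0/0.13; decrypted packets coming back out of the tunnel enter the PFE on the same interface, so that is `input`. That is the opposite of the `match-direction input` in the ipsec-vpn rule, which is written from the PIC's point of view.

```junos
firewall {
    family inet {
        /* Cleartext traffic about to be encrypted: PFE sends it OUT sp-0/0/0.13 to the PIC */
        filter TO-ASHBURN2 {
            term allow-mgmt {
                from {
                    destination-address {
                        10.20.0.0/24;        /* assumed remote subnet, example only */
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term deny-rest {
                then {
                    count to-ashburn2-drops;
                    discard;
                }
            }
        }
        /* Decrypted traffic arriving from the tunnel: PFE receives it IN on sp-0/0/0.13 from the PIC */
        filter FROM-ASHBURN2 {
            term allow-return {
                from {
                    source-address {
                        10.20.0.0/24;
                    }
                }
                then accept;
            }
            term deny-rest {
                then {
                    count from-ashburn2-drops;
                    discard;
                }
            }
        }
    }
}
interfaces {
    sp-0/0/0 {
        unit 13 {
            service-domain inside;
            family inet {
                filter {
                    /* direction is the PFE's, not the PIC's: */
                    input FROM-ASHBURN2;
                    output TO-ASHBURN2;
                }
            }
        }
    }
}
```

After committing, `show firewall filter TO-ASHBURN2` and `show firewall filter FROM-ASHBURN2` show whether either counter moves; a filter whose counters never increment in either direction is the symptom Matt reports, and points at the filter not being evaluated on that interface at all rather than at a direction mix-up.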