Nilesh,

I actually tried it in both directions - neither seemed to work. JTAC keeps trying to steer me towards JunOS enhanced services.

I find it a little surprising that I can't filter traffic going over the tunnel. I imagine I could do GRE over IPSec - but that would require a pretty large change to our current IPSec mesh.
--
matt


Nilesh Khambal wrote:
Hi Matt,

Where did you apply the filter, on the sp- inside or the sp- outside interface? In which direction did you apply the filter?

For sp- interfaces, always interpret the filter directions from the PFE's point of view and “not” from the service PIC's point of view.

So what is “input” for the service PIC on any interface is actually “output” for the PFE on that interface, and vice versa.

Hope this helps.

Thanks,
Nilesh

On 1/28/09 10:44 AM, "Matt Stevens" <m...@elevate.org> wrote:

    That's in the services ipsec-vpn rule:

         rule ashburn2 {
             term one {
                 from {
                     ipsec-inside-interface sp-0/0/0.13;
                 }
                 then {
                     remote-gateway 10.11.12.14;
                     dynamic {
                         ike-policy hq-ashburn2;
                         ipsec-policy site-to-site;
                     }
                     clear-dont-fragment-bit;
                 }
             }
             match-direction input;
         }

    --
    matt


    Nan Li wrote:
    >  Show me the "match-direction input"
    >
    >  -----Original Message-----
    >  From: juniper-nsp-boun...@puck.nether.net
    >  [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Stevens
    >  Sent: Wednesday, January 28, 2009 10:24 AM
    >  To: Stefan Fouant
    >  Cc: juniper-nsp@puck.nether.net
    >  Subject: Re: [j-nsp] Firewall filter on IPSec tunnel
    >
    >  These are next-hop ipsec sets. For example:
    >
    >  service-set ashburn2 {
    >       ipsec-vpn-options {
    >           local-gateway 10.11.12.13;
    >       }
    >       ipsec-vpn-rules ashburn2;
    >       next-hop-service {
    >           inside-service-interface sp-0/0/0.13;
    >           outside-service-interface sp-0/0/0.12;
    >       }
    >  }
    >
    >  local-gateway has been changed to protect the innocent...

    _______________________________________________
    juniper-nsp mailing list juniper-nsp@puck.nether.net
    https://puck.nether.net/mailman/listinfo/juniper-nsp


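As an added illustration of the direction convention Nilesh describes (this is not configuration posted in the thread): a filter attached to the inside service interface sp-0/0/0.13 of the next-hop service set shown above. The filter name, counter names and the two prefixes are made up for the example. Reading the direction from the PFE side, cleartext traffic that is about to enter the tunnel leaves the PFE towards the service PIC, so it is matched by `output` on the inside interface; decrypted traffic coming back out of the tunnel arrives at the PFE from the PIC and is matched by `input`. Whether either direction actually takes effect on a given platform and release is what the thread leaves open (Matt reports trying both).

```junos
firewall {
    family inet {
        filter tunnel-to-ashburn2 {
            /* assumed HQ prefix 192.0.2.0/24 and remote prefix 198.51.100.0/24 */
            term allow-hq-to-branch {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        198.51.100.0/24;
                    }
                }
                then {
                    count tunnel-to-ashburn2-ok;
                    accept;
                }
            }
            term deny-rest {
                then {
                    count tunnel-to-ashburn2-dropped;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    sp-0/0/0 {
        unit 13 {
            family inet {
                filter {
                    /* PFE view: packets leaving the PFE towards the PIC, i.e. going into the tunnel */
                    output tunnel-to-ashburn2;
                }
            }
        }
    }
}
```

The counters are there for a reason: after committing, `show firewall filter tunnel-to-ashburn2` tells you whether the filter is seeing any packets at all in the direction you chose. If both counters stay at zero while traffic flows through the tunnel, swap `output` for `input` (or apply a second counting-only filter in the other direction) before concluding that filtering on the sp- interface is not possible.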