Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.
The following sections explain how to configure the components of IPsec rules:
• Configuring Match Direction for IPsec Rules on page 1106
• Configuring Match Conditions in IPsec Rules on page 1107
• Configuring Actions in IPsec Rules on page 1107
• Configuring Destination Address on page 1107
Configuring Match Direction for IPsec Rules
Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name]
    match-direction input;

NOTE: ACX Series routers support match-direction as input. match-direction as output is not supported.
The match direction is used with respect to the traffic flow through the inline service interface. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the inline service interface. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to Be Applied to Services Interfaces” on page 1031.

On the inline services interface, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.
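The following Junos configuration fragment is an added example, not taken from this guide, showing how the pieces described above fit together on an ACX router: a next-hop service set with inside and outside inline service (si-) interfaces that references an ipsec-vpn rule, and that rule holding a single term with a from/then pair and the match-direction input that ACX supports. Interface units, addresses, and the service-set, rule, term, and policy names are assumed placeholders; the ike-policy and ipsec-policy definitions they refer to are omitted.

```junos
services {
    service-set branch-ss {
        next-hop-service {
            /* traffic routed to the PIC via the inside interface is matched as input */
            inside-service-interface si-0/0/0.1;
            outside-service-interface si-0/0/0.2;
        }
        ipsec-vpn-rules branch-vpn;
        ipsec-vpn-options {
            local-gateway 192.0.2.1;    /* assumed local tunnel endpoint */
        }
    }
    ipsec-vpn {
        rule branch-vpn {
            /* ACX Series supports input only; output is not supported */
            match-direction input;
            term protect-lan {
                from {
                    source-address {
                        10.10.0.0/16;   /* assumed local protected prefix */
                    }
                    destination-address {
                        10.20.0.0/16;   /* assumed remote protected prefix */
                    }
                }
                then {
                    remote-gateway 198.51.100.1;    /* assumed peer address */
                    dynamic {
                        ike-policy ike-pol;         /* defined elsewhere */
                        ipsec-policy ipsec-pol;     /* defined elsewhere */
                    }
                }
            }
        }
    }
}
```

Only packets that reach si-0/0/0.1 from the inside interface carry the input direction, so they are the only ones this rule is considered for; packets arriving via the outside interface are direction output and skip the rule.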
Copyright © 2017, Juniper Networks, Inc. 1106
ACX Series Universal Access Router Configuration Guide