Configuring Match Conditions in IPsec Rules
To configure the match conditions in an IPsec rule, include the from statement at the
[edit services ipsec-vpn rule rule-name term term-name] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name]
from {
    destination-address address;
    source-address address;
}
You can use either the source address or the destination address as a match condition,
in the same way that you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
IPsec services on ACX Series support IPv4 address formats. If you do not specifically
configure either the source address or destination address, the default value 0.0.0.0/0
(IPv4 ANY) is used.
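The fallback to 0.0.0.0/0 is easy to miss in review, because a term with no from statement still matches traffic. The following Python script is an added example, not part of the Juniper guide: it assumes the configuration has been exported in set-command form and reports every term whose source or destination match is effectively IPv4 ANY. The rule, term and policy names and all addresses in the sample are constructed.

```python
import re
from collections import defaultdict

ANY_V4 = "0.0.0.0/0"  # default the guide states for an unset address

# Constructed sample in "set" form; all names and addresses are made up.
SAMPLE_CONFIG = """\
set services ipsec-vpn rule vpn-a term t1 from source-address 10.1.0.0/24
set services ipsec-vpn rule vpn-a term t1 from destination-address 10.2.0.0/24
set services ipsec-vpn rule vpn-a term t1 then remote-gateway 192.0.2.1
set services ipsec-vpn rule vpn-a term t2 from destination-address 10.3.0.0/24
set services ipsec-vpn rule vpn-a term t2 then remote-gateway 192.0.2.2
set services ipsec-vpn rule vpn-b term t1 then dynamic ike-policy ike-b
set services ipsec-vpn rule vpn-b term t1 then remote-gateway 192.0.2.3
"""

TERM_RE = re.compile(
    r"^set services ipsec-vpn rule (\S+) term (\S+)"
    r"(?: from (source-address|destination-address) (\S+))?"
)

def effective_selectors(config_text):
    """Map (rule, term) to its match addresses, unset ones filled with ANY_V4."""
    terms = defaultdict(dict)
    for line in config_text.splitlines():
        m = TERM_RE.match(line.strip())
        if not m:
            continue
        rule, term, key, value = m.groups()
        entry = terms[(rule, term)]  # register the term even with no from lines
        if key:
            entry[key] = value
    return {
        rt: {k: sel.get(k, ANY_V4) for k in ("source-address", "destination-address")}
        for rt, sel in terms.items()
    }

def implicit_any(config_text):
    """List (rule, term, field) whose effective match is IPv4 ANY (unset or explicit)."""
    return sorted(
        (rule, term, field)
        for (rule, term), sel in effective_selectors(config_text).items()
        for field, addr in sel.items()
        if addr == ANY_V4
    )

if __name__ == "__main__":
    for rule, term, field in implicit_any(SAMPLE_CONFIG):
        print(f"{rule}/{term}: {field} matches {ANY_V4}")
```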
Configuring Actions in IPsec Rules
To configure actions in an IPsec rule, include the then statement at the [edit services
ipsec-vpn rule rule-name term term-name] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name]
then {
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
    remote-gateway address;
}
The principal IPsec actions are to configure a dynamic or manual SA:
• You configure a dynamic SA by including the dynamic statement at the [edit services
ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies
you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn
ike] hierarchy levels; for more information, see Configuring Dynamic Security Associations.
• You configure a manual SA by including the manual statement at the [edit services
ipsec-vpn rule rule-name term term-name then] hierarchy level; for more information,
see Configuring Manual Security Associations.
Configuring Destination Address
To specify the remote address to which the IPsec traffic is directed, include the
remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name
then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
remote-gateway address;
Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec