Configuring IPsec Rule Sets
The rule-set statement defines a collection of IPsec rules that determine what actions
the router software performs on packets in the data stream. You define each rule by
specifying a rule name and configuring terms. Then, you specify the order of the rules by
including the rule-set statement at the [edit services ipsec-vpn] hierarchy level with a
rule statement for each rule:
    [edit services ipsec-vpn]
    rule-set rule-set-name {
        rule rule-name;
    }
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
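The ordering semantics above (first matching term wins, later rules are never consulted, unmatched packets are dropped) are easy to get wrong when a broad rule is listed before a narrow one. The following Python model is an added example, not code from the Juniper guide: it evaluates a rule set in configured order and also reports terms that can never be reached because an earlier term already covers all of their traffic. Rule names, term names, prefixes and the single-string `action` label are constructed stand-ins for a real `then` clause.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Term:
    name: str
    sources: list        # prefix strings; an empty list means "any source"
    destinations: list   # prefix strings; an empty list means "any destination"
    action: str          # constructed label standing in for the term's 'then' clause

    def matches(self, src, dst):
        return _in_any(src, self.sources) and _in_any(dst, self.destinations)


@dataclass
class Rule:
    name: str
    terms: list          # terms are evaluated in the order listed


def _in_any(addr, prefixes):
    """True when the address falls inside one of the prefixes (or the list is empty)."""
    if not prefixes:
        return True
    return any(addr.version == net.version and addr in net
               for net in map(ip_network, prefixes))


def evaluate(rule_set, src, dst):
    """Walk the rules in configured order; the first matching term decides.
    Returns (rule_name, term_name, action); a packet no term matches is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rule_set:
        for term in rule.terms:
            if term.matches(s, d):
                return rule.name, term.name, term.action
    return None, None, "drop"


def _covers(earlier, later):
    """True when every prefix in `later` lies inside some prefix in `earlier`."""
    if not earlier:          # "any" covers everything
        return True
    if not later:            # a specific list never covers "any"
        return False
    earlier_nets = [ip_network(p) for p in earlier]
    return all(any(b.version == a.version and b.subnet_of(a) for a in earlier_nets)
               for b in map(ip_network, later))


def shadowed_terms(rule_set):
    """Return (rule, term, shadowing_rule, shadowing_term) for every term that can
    never match because an earlier term already covers all of its traffic."""
    seen, found = [], []
    for rule in rule_set:
        for term in rule.terms:
            for earlier_rule, earlier_term in seen:
                if (_covers(earlier_term.sources, term.sources)
                        and _covers(earlier_term.destinations, term.destinations)):
                    found.append((rule.name, term.name, earlier_rule, earlier_term.name))
                    break
            seen.append((rule.name, term))
    return found


# Constructed rule set: a specific branch rule and a broad catch-all for 10/8.
BRANCH = Rule("branch-vpn", [Term("to-dc", ["10.1.0.0/16"], ["10.2.0.0/16"], "tunnel:branch-to-dc")])
INTERNAL = Rule("all-internal", [Term("any-10-net", ["10.0.0.0/8"], ["10.0.0.0/8"], "tunnel:hub")])
GOOD_ORDER = [BRANCH, INTERNAL]   # narrow rule first: both rules are reachable
BAD_ORDER = [INTERNAL, BRANCH]    # same rules reversed: branch-vpn can never match

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, "10.1.5.5", "10.2.7.7"))
    print(evaluate(BAD_ORDER, "10.1.5.5", "10.2.7.7"))
    print(evaluate(GOOD_ORDER, "192.0.2.10", "10.2.7.7"))
    print(shadowed_terms(BAD_ORDER))
```

Running `shadowed_terms` over a rule set before committing it is a cheap check for the "specific rule listed after a broad rule" mistake; in the `BAD_ORDER` case the branch traffic silently takes the hub tunnel instead of the intended one.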
Tracing IPsec Operations
Trace operations track IPsec events and record them in a log file in the /var/log directory.
By default, this file is named /var/log/kmd.
To trace IPsec operations, include the traceoptions statement at the [edit services
ipsec-vpn] hierarchy level:
    [edit services ipsec-vpn]
    traceoptions {
        file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
        flag flag;
        level level;
        no-remote-trace;
    }
You can specify the following IPsec tracing flags:
• all—Trace everything.
• certificates—Trace certificate events.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
Copyright © 2017, Juniper Networks, Inc. 1108
ACX Series Universal Access Router Configuration Guide