A traffic selector is an agreement between IKE peers to permit traffic through a VPN tunnel if the traffic matches a specified pair of local and remote addresses. Only the traffic that conforms to a traffic selector is permitted through the associated security association (SA).
Understanding Traffic Selectors in Route-Based VPNs

A traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define a traffic selector within a specific route-based VPN, which can result in multiple Phase 2 IPsec security associations (SAs). Only traffic that conforms to a traffic selector is permitted through the associated SA. Starting with Junos OS Release 12.1X46-D10 and Junos OS Release 17.3R1, traffic selectors can be configured with IKEv1 site-to-site VPNs. Starting with Junos OS Release 15.1X49-D100, traffic selectors can be configured with IKEv2 site-to-site VPNs.
Traffic Selector Configuration

To configure a traffic selector, use the

For a given traffic selector, a single address and netmask is specified for the local and remote addresses. Traffic selectors can be configured with IPv4 or IPv6 addresses. Address books cannot be used to specify local or remote addresses. Multiple traffic selectors can be configured for the same VPN, up to a maximum of 200 traffic selectors per VPN. Traffic selectors can be used with IPv4-in-IPv4, IPv4-in-IPv6, IPv6-in-IPv6, or IPv6-in-IPv4 tunnel modes. The following features are not supported with traffic selectors:
When there are multiple traffic selectors configured for a route-based VPN, clear traffic may enter a VPN tunnel without matching a traffic selector if the IKE gateway external interface is moved to another virtual router (VR). The software does not handle the multiple asynchronous interface events generated when an IKE gateway external interface is moved to another VR. As a workaround, first deactivate the IPsec VPN tunnel and commit the configuration without that tunnel before moving the IKE gateway external interface to another VR.

Understanding Auto Route Insertion

Auto route insertion (ARI) automatically inserts a static route for the remote network and hosts protected by a remote tunnel endpoint. A route is created based on the remote IP address configured in the traffic selector. In the case of traffic selectors, the configured remote address is inserted as a route in the routing instance associated with the st0 interface that is bound to the VPN. Routing protocols and traffic selector configuration are mutually exclusive ways of steering traffic to a tunnel. ARI routes might conflict with routes that are populated through routing protocols. Therefore, you should not configure routing protocols on an st0 interface that is bound to a VPN on which traffic selectors are configured. ARI is also known as reverse route insertion (RRI). ARI routes are inserted in the routing table as follows:
The preference for the static ARI route is 5. This value is necessary to avoid conflict with similar routes that might be added by a routing protocol process. There is no configuration of the metric for the static ARI route. The static ARI route cannot be leaked to other routing instances using the

Understanding Traffic Selectors and Overlapping IP Addresses

This section discusses overlapping IP addresses in traffic selector configurations.
Overlapping IP Addresses in Different VPNs Bound to the Same st0 Interface

This scenario is not supported with traffic selectors. Traffic selectors cannot be configured on different VPNs that are bound to the same point-to-multipoint st0 interface, as shown in the following example:

[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
}
vpn vpn-2 {
    bind-interface st0.1;
}

Overlapping IP Addresses in the Same VPN Bound to the Same st0 Interface

When overlapping IP addresses are configured for multiple traffic selectors in the same VPN, the first configured traffic selector that matches the packet determines the tunnel used for packet encryption. In the following example, four traffic selectors (ts-1, ts-2, ts-3, and ts-4) are configured for the VPN (vpn-1), which is bound to the point-to-point st0.1 interface:

[edit]
user@host# show security ipsec vpn vpn-1
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.5.0/24;
        remote-ip 10.1.5.0/24;
    }
    traffic-selector ts-2 {
        local-ip 192.168.0.0/16;
        remote-ip 10.1.0.0/16;
    }
    traffic-selector ts-3 {
        local-ip 172.16.0.0/16;
        remote-ip 10.2.0.0/16;
    }
    traffic-selector ts-4 {
        local-ip 172.16.5.0/24;
        remote-ip 10.2.5.0/24;
    }
}

A packet with a source address 192.168.5.5 and a destination address 10.1.5.10 matches traffic selectors ts-1 and ts-2. However, traffic selector ts-1 is the first configured match, so the tunnel associated with ts-1 is used for packet encryption. A packet with a source address 172.16.5.5 and a destination address 10.2.5.10 matches traffic selectors ts-3 and ts-4. However, traffic selector ts-3 is the first configured match, so the tunnel associated with traffic selector ts-3 is used for packet encryption.
Overlapping IP Addresses in Different VPNs Bound to Different st0 Interfaces

When overlapping IP addresses are configured for multiple traffic selectors in different VPNs that are bound to different point-to-point st0 interfaces, an st0 interface is first selected by the longest prefix match for a given packet. Within the VPN that is bound to the selected st0 interface, the traffic selector is then selected based on the first configured match for the packet.

In the following example, a traffic selector is configured in each of two VPNs. The traffic selectors are configured with the same local subnetwork but different remote subnetworks.

[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.1.0/24;
        remote-ip 10.1.1.0/24;
    }
}
vpn vpn-2 {
    bind-interface st0.2;
    traffic-selector ts-2 {
        local-ip 192.168.1.0/24;
        remote-ip 10.2.2.0/24;
    }
}

Different remote subnetworks are configured in each traffic selector; therefore two different routes are added to the routing table. Route lookup uses the st0 interface bound to the appropriate VPN.

In the following example, a traffic selector is configured in each of two VPNs. The traffic selectors are configured with different remote subnetworks. The same local subnetwork is configured for each traffic selector, but different netmask values are specified.

[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.0.0/8;
        remote-ip 10.1.1.0/24;
    }
}
vpn vpn-2 {
    bind-interface st0.2;
    traffic-selector ts-2 {
        local-ip 192.168.0.0/16;
        remote-ip 10.2.2.0/24;
    }
}

A different remote subnetwork is configured in each traffic selector; therefore two different routes are added to the routing table. Route lookup uses the st0 interface bound to the appropriate VPN.

In the following example, traffic selectors are configured in each of two VPNs. The traffic selectors are configured with different local and remote subnetworks.
[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.1.0/24;
        remote-ip 10.1.1.0/24;
    }
}
vpn vpn-2 {
    bind-interface st0.2;
    traffic-selector ts-2 {
        local-ip 172.16.1.0/24;
        remote-ip 10.2.2.0/24;
    }
}

In this case, the traffic selectors do not overlap. The remote subnetworks configured in the traffic selectors are different; therefore two different routes are added to the routing table. Route lookup uses the st0 interface bound to the appropriate VPN.

In the following example, a traffic selector is configured in each of two VPNs. The traffic selectors are configured with the same local subnetwork. The same remote subnetwork is configured for each traffic selector, but different netmask values are specified.

[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.1.0/24;
        remote-ip 10.1.1.0/24;
    }
}
vpn vpn-2 {
    bind-interface st0.2;
    traffic-selector ts-2 {
        local-ip 192.168.1.0/24;
        remote-ip 10.1.0.0/16;
    }
}

Note that the

In some cases, valid packets can be dropped due to traffic selector traffic enforcement. In the following example, traffic selectors are configured in each of two VPNs. The traffic selectors are configured with different local subnetworks. The same remote subnetwork is configured for each traffic selector, but different netmask values are specified.

[edit]
user@host# show security ipsec
vpn vpn-1 {
    bind-interface st0.1;
    traffic-selector ts-1 {
        local-ip 192.168.1.0/24;
        remote-ip 10.1.1.0/24;
    }
}
vpn vpn-2 {
    bind-interface st0.2;
    traffic-selector ts-2 {
        local-ip 172.16.1.0/16;
        remote-ip 10.1.0.0/16;
    }
}

Two routes to 10.1.1.0 (10.1.1.0/24 via interface st0.1 and 10.1.0.0/16 via interface st0.2) are added to the routing table. A packet sent from source 172.16.1.1 to destination 10.1.1.1 matches the routing table entry for 10.1.1.0/24 via interface st0.1.
However, the packet does not match the traffic specified by traffic selector ts-1 and is dropped.

If multiple traffic selectors are configured with the same remote subnetwork and netmask, equal-cost routes are added to the routing table. This case is not supported with traffic selectors because the route chosen cannot be predicted.

Example: Configuring Traffic Selectors in a Route-Based VPN

This example shows how to configure traffic selectors for a route-based VPN.
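Before the configuration example, the selection rules from the overlapping-addresses section above can be checked mechanically. The following Python script is an added example, not Juniper code and not part of the original page: it models the two-step lookup the page describes (ARI route with longest prefix match picks the st0 interface, then the first configured selector in that VPN that matches both addresses picks the SA), and a small validator for the constraints the page states (at most 200 selectors per VPN, no selectors on two VPNs sharing an st0 interface, no duplicate remote prefix across VPNs, and an IPv6 remote-ip of 0::0 rejected at check-out). The class names, the interpretation of "0::0" as the unspecified IPv6 address, and the masking of host bits with strict=False are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values stated on the page: ARI-TS routes carry preference 5, and a VPN takes at most 200 selectors.
ARI_PREFERENCE = 5
MAX_SELECTORS_PER_VPN = 200


@dataclass
class TrafficSelector:
    name: str
    local_ip: str
    remote_ip: str

    def local(self):
        # strict=False masks off host bits in a configured address such as 172.16.1.0/16 (assumption).
        return ipaddress.ip_network(self.local_ip, strict=False)

    def remote(self):
        return ipaddress.ip_network(self.remote_ip, strict=False)


@dataclass
class Vpn:
    name: str
    bind_interface: str  # the st0 unit the VPN is bound to
    selectors: list      # TrafficSelector objects in configuration order


def validate(vpns):
    """Return the problems the page describes as unsupported or rejected at commit."""
    problems = []
    bound = {}
    remote_routes = {}
    for vpn in vpns:
        if len(vpn.selectors) > MAX_SELECTORS_PER_VPN:
            problems.append(f"{vpn.name}: more than {MAX_SELECTORS_PER_VPN} traffic selectors")
        if vpn.bind_interface in bound:
            problems.append(f"{bound[vpn.bind_interface]} and {vpn.name} both bind {vpn.bind_interface}: "
                            "selectors on different VPNs sharing an st0 interface are not supported")
        bound.setdefault(vpn.bind_interface, vpn.name)
        for ts in vpn.selectors:
            remote = ts.remote()
            # Assumption: the rejected 'remote address of 0::0' is modelled as the unspecified IPv6 address.
            if remote.version == 6 and remote.network_address.is_unspecified:
                problems.append(f"{vpn.name}/{ts.name}: IPv6 remote-ip 0::0 fails configuration check-out")
            owner = remote_routes.setdefault(remote, vpn.bind_interface)
            if owner != vpn.bind_interface:
                problems.append(f"{vpn.name}/{ts.name}: remote {remote} already routed via {owner}; "
                                "equal-cost ARI routes make the chosen tunnel unpredictable")
    return problems


def ari_routes(vpns):
    """Auto route insertion: each configured remote prefix becomes a static route to the VPN's st0 interface."""
    routes = {}
    for vpn in vpns:
        for ts in vpn.selectors:
            routes.setdefault(ts.remote(), (vpn.bind_interface, ARI_PREFERENCE))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match over the ARI routes; returns (prefix, st0 interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, (iface, _pref) in routes.items():
        if prefix.version == dst.version and dst in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, iface)
    return best


def select_tunnel(vpns, src, dst):
    """Route lookup picks the st0 interface; the first configured selector in that VPN matching
    both addresses picks the SA. Returns (vpn, selector) or (None, reason) when the packet is dropped."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = route_lookup(ari_routes(vpns), dst)
    if hit is None:
        return None, f"no ARI route for {dst}"
    prefix, iface = hit
    vpn = next(v for v in vpns if v.bind_interface == iface)
    for ts in vpn.selectors:
        if src_a in ts.local() and dst_a in ts.remote():
            return vpn.name, ts.name
    return None, f"routed to {iface} via {prefix} but no selector in {vpn.name} matches {src}->{dst}"


# The page's examples: one VPN with four overlapping selectors, and two VPNs where a valid packet is dropped.
SAME_VPN = [Vpn("vpn-1", "st0.1", [
    TrafficSelector("ts-1", "192.168.5.0/24", "10.1.5.0/24"),
    TrafficSelector("ts-2", "192.168.0.0/16", "10.1.0.0/16"),
    TrafficSelector("ts-3", "172.16.0.0/16", "10.2.0.0/16"),
    TrafficSelector("ts-4", "172.16.5.0/24", "10.2.5.0/24"),
])]
DROP_CASE = [
    Vpn("vpn-1", "st0.1", [TrafficSelector("ts-1", "192.168.1.0/24", "10.1.1.0/24")]),
    Vpn("vpn-2", "st0.2", [TrafficSelector("ts-2", "172.16.1.0/16", "10.1.0.0/16")]),
]

if __name__ == "__main__":
    print(select_tunnel(SAME_VPN, "192.168.5.5", "10.1.5.10"))  # ('vpn-1', 'ts-1')
    print(select_tunnel(SAME_VPN, "172.16.5.5", "10.2.5.10"))   # ('vpn-1', 'ts-3')
    print(select_tunnel(DROP_CASE, "172.16.1.1", "10.1.1.1"))   # (None, 'routed to st0.1 ... dropped')
    print(validate([Vpn("a", "st0.1", []), Vpn("b", "st0.1", [])]))
```

The drop case reproduces the page's warning exactly: the /24 route wins over the /16, the packet is steered to st0.1, and ts-1 then rejects it because its local-ip does not cover 172.16.1.1. Running validate over a candidate configuration before commit catches the shared-st0 and equal-cost cases that the page says are unsupported.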
Requirements

Overview

This example configures traffic selectors to allow traffic to flow between subnetworks on SRX_A and subnetworks on SRX_B. Table 1 shows the traffic selectors for this example. Traffic selectors are configured under Phase 2 options.

Table 1: Traffic Selector Configurations
Flow-based processing of IPv6 traffic must be enabled with the

Topology

In Figure 1, an IPv6 VPN tunnel carries both IPv4 and IPv6 traffic between the SRX_A and SRX_B devices. That is, the tunnel operates in both IPv4-in-IPv6 and IPv6-in-IPv6 tunnel modes.

Figure 1: Traffic Selector Configuration Example

Configuration
Configuring SRX_A
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the

set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:2000::1/64
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set interfaces ge-1/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-1/0/1 unit 0 family inet6 address 2001:db8:10::0/64
set security ike proposal PSK-DH14-AES256-SHA256 authentication-method pre-shared-keys
set security ike proposal PSK-DH14-AES256-SHA256 dh-group group14
set security ike proposal PSK-DH14-AES256-SHA256 authentication-algorithm sha-256
set security ike proposal PSK-DH14-AES256-SHA256 encryption-algorithm aes-256-cbc
set security ike policy site-2-site mode main
set security ike policy site-2-site proposals PSK-DH14-AES256-SHA256
set security ike policy site-2-site pre-shared-key ascii-text "$ABC123"
set security ike gateway SRX_A-to-SRX_B ike-policy site-2-site
set security ike gateway SRX_A-to-SRX_B address 192.168.20.2
set security ike gateway SRX_A-to-SRX_B external-interface ge-0/0/1.0
set security ike gateway SRX_A-to-SRX_B local-address 192.168.10.1
set security ipsec proposal ESP-AES256-SHA256 protocol esp
set security ipsec proposal ESP-AES256-SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-AES256-SHA256 encryption-algorithm aes-256-cbc
set security ipsec policy site-2-site perfect-forward-secrecy keys group14
set security ipsec policy site-2-site proposals ESP-AES256-SHA256
set security ipsec vpn SRX_A-to-SRX_B bind-interface st0.1
set security ipsec vpn SRX_A-to-SRX_B ike ipsec-policy site-2-site
set security ipsec vpn SRX_A-to-SRX_B ike gateway SRX_A-to-SRX_B
set security ipsec vpn SRX_A-to-SRX_B traffic-selector TS1-ipv6 local-ip 2001:db8:10::0/64 remote-ip 2001:db8:20::0/64
set security ipsec vpn SRX_A-to-SRX_B traffic-selector TS2-ipv4 local-ip 192.168.10.0/24 remote-ip 192.168.0.0/16
set security forwarding-options family inet6 mode flow-based
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-1/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide. To configure traffic selectors:
Results

From configuration mode, confirm your configuration by entering the

[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet6 {
            address 2001:db8:2000::1/64;
        }
    }
}
ge-1/0/1 {
    unit 0 {
        family inet {
            address 192.168.10.1/24;
        }
        family inet6 {
            address 10::1/64;
        }
    }
}
st0 {
    unit 1 {
        family inet;
        family inet6;
    }
}

[edit]
user@host# show security ike
proposal PSK-DH14-AES256-SHA256 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy site-2-site {
    mode main;
    proposals PSK-DH14-AES256-SHA256;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway SRX_A-to-SRX_B {
    ike-policy site-2-site;
    address 192.168.20.2;
    external-interface ge-0/0/1.0;
    local-address 192.168.10.1;
}

[edit]
user@host# show security ipsec
proposal ESP-AES256-SHA256 {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy site-2-site {
    perfect-forward-secrecy keys group14;
    proposals ESP-AES256-SHA256;
}
vpn SRX_A-to-SRX_B {
    bind-interface st0.1;
    ike {
        ipsec-policy site-2-site;
        gateway SRX_A-to-SRX_B;
    }
    traffic-selector TS1-ipv6 {
        local-ip 2001:db8:10::0/64;
        remote-ip 2001:db8:20::0/64;
    }
    traffic-selector TS2-ipv4 {
        local-ip 192.168.10.0/24;
        remote-ip 192.168.0.0/16;
    }
}

[edit]
user@host# show security forwarding-options
family {
    inet6 {
        mode flow-based;
    }
}

[edit]
user@host# show security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-1/0/1.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone VPN {
    interfaces {
        st0.1;
    }
}

[edit]
user@host# show security policies
from-zone VPN to-zone trust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone VPN {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
If you are done configuring the device, enter

Configuring SRX_B
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the

set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:2000::2/64
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set interfaces ge-1/0/1 unit 0 family inet address 192.168.20.1/24
set interfaces ge-1/0/1 unit 0 family inet6 address 2001:db8:20::0/64
set interfaces ge-1/1/1 unit 0 family inet address 192.168.0.1/24
set security ike proposal PSK-DH14-AES256-SHA256 authentication-method pre-shared-keys
set security ike proposal PSK-DH14-AES256-SHA256 dh-group group14
set security ike proposal PSK-DH14-AES256-SHA256 authentication-algorithm sha-256
set security ike proposal PSK-DH14-AES256-SHA256 encryption-algorithm aes-256-cbc
set security ike policy site-2-site mode main
set security ike policy site-2-site proposals PSK-DH14-AES256-SHA256
set security ike policy site-2-site pre-shared-key ascii-text "$ABC123"
set security ike gateway SRX_B-to-SRX_A ike-policy site-2-site
set security ike gateway SRX_B-to-SRX_A address 192.168.10.1
set security ike gateway SRX_B-to-SRX_A external-interface ge-0/0/1.0
set security ike gateway SRX_B-to-SRX_A local-address 192.168.20.2
set security ipsec proposal ESP-AES256-SHA256 protocol esp
set security ipsec proposal ESP-AES256-SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-AES256-SHA256 encryption-algorithm aes-256-cbc
set security ipsec policy site-2-site perfect-forward-secrecy keys group14
set security ipsec policy site-2-site proposals ESP-AES256-SHA256
set security ipsec vpn SRX_B-to-SRX-A bind-interface st0.1
set security ipsec vpn SRX_B-to-SRX-A ike ipsec-policy site-2-site
set security ipsec vpn SRX_B-to-SRX-A ike gateway SRX_B-to-SRX_A
set security ipsec vpn SRX_B-to-SRX-A traffic-selector TS1-ipv6 local-ip 2001:db8:20::0/64 remote-ip 2001:db8:10::0/64
set security ipsec vpn SRX_B-to-SRX-A traffic-selector TS2-ipv4 local-ip 192.168.0.0/16 remote-ip 192.168.10.0/24
set security forwarding-options family inet6 mode flow-based
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-1/0/1.0
set security zones security-zone trust interfaces ge-1/1/1.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone VPN interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/1.0
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide. To configure traffic selectors:
Results

From configuration mode, confirm your configuration by entering the

[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet6 {
            address 2001:db8:2000::2/64;
        }
    }
}
ge-1/0/1 {
    unit 0 {
        family inet {
            address 192.168.20.1/24;
        }
        family inet6 {
            address 2001:db8:20::0/64;
        }
    }
}
ge-1/1/1 {
    unit 0 {
        family inet {
            address 192.168.0.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
        family inet6;
    }
}

[edit]
user@host# show security ike
proposal PSK-DH14-AES256-SHA256 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy site-2-site {
    mode main;
    proposals PSK-DH14-AES256-SHA256;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway SRX_B-to-SRX_A {
    ike-policy site-2-site;
    address 192.168.10.1;
    external-interface ge-0/0/1.0;
    local-address 192.168.20.2;
}

[edit]
user@host# show security ipsec
proposal ESP-AES256-SHA256 {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy site-2-site {
    perfect-forward-secrecy keys group14;
    proposals ESP-AES256-SHA256;
}
vpn SRX_B-to-SRX-A {
    bind-interface st0.1;
    ike {
        ipsec-policy site-2-site;
        gateway SRX_B-to-SRX_A;
    }
    traffic-selector TS1-ipv6 {
        local-ip 2001:db8:20::0/64;
        remote-ip 2001:db8:10::0/64;
    }
    traffic-selector TS2-ipv4 {
        local-ip 192.168.0.0/16;
        remote-ip 192.168.10.0/24;
    }
}

[edit]
user@host# show security forwarding-options
family {
    inet6 {
        mode flow-based;
    }
}

[edit]
user@host# show security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-1/0/1.0;
        ge-1/1/1.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone VPN {
    interfaces {
        st0.1;
    }
}

[edit]
user@host# show security policies
from-zone VPN to-zone trust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone VPN {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter

Verification

Confirm that the configuration is working properly. The sample outputs shown are on SRX_A.
Verifying IPsec Phase 2 Status
Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the

user@host> show security ipsec security-associations
  Total active tunnels: 3
  ID          Algorithm         SPI       Life:sec/kb  Mon lsys  Port  Gateway
  <268173313  ESP:3des/sha-256  3d75aeff  2984/ unlim  -   root  500   2001:db8:2000::2
  >268173313  ESP:3des/sha-256  a468fece  2984/ unlim  -   root  500   2001:db8:2000::2
  <268173316  ESP:3des/sha-256  417f3cea  3594/ unlim  -   root  500   2001:db8:2000::2
  >268173316  ESP:3des/sha-256  a4344027  3594/ unlim  -   root  500   2001:db8:2000::2

From operational mode, enter the

user@host> show security ipsec security-associations detail
ID: 268173313 Virtual-system: root, VPN Name: SRX_A-to-SRX_B
  Local Gateway: 192.168.10.1, Remote Gateway: 192.168.20.2
  Traffic Selector Name: TS1-ipv6
  Local Identity: ipv6(2001:db8:10::-2001:db8:10::ffff:ffff:ffff:ffff)
  Remote Identity: ipv6(2001:db8:20::-2001:db8:20::ffff:ffff:ffff:ffff)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: a468fece, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

ID: 268173316 Virtual-system: root, VPN Name: SRX_A-to-SRX_B
  Local Gateway: 192.168.10.1, Remote Gateway: 192.168.20.2
  Traffic Selector Name: TS2-ipv4
  Local Identity: ipv4(192.168.10.0-192.168.10.255)
  Remote Identity: ipv4(192.168.20.0-192.168.20.255)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 417f3cea, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: a4344027, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

Meaning

The

Verifying Traffic Selectors
Purpose

Verify negotiated traffic selectors on the secure tunnel interface.

Action

From operational mode, enter the

user@host> show security ipsec traffic-selector st0.1
Source IP                                       Destination IP                                  Interface  Tunnel-id  IKE-ID
2001:db8:10::-2001:db8:10::ffff:ffff:ffff:ffff  2001:db8:20::-2001:db8:20::ffff:ffff:ffff:ffff  st0.1      268173313  2001:db8:2000::1
192.168.10.0-192.168.10.255                     192.168.0.0-192.168.255.255                     st0.1      268173316  2001:db8:2000::1
192.168.10.0-192.168.10.255                     192.168.20.0-192.168.20.255                     st0.1      268173317  2001:db8:2000::1

Verifying Routes
Purpose

Verify active routes.

Action

From operational mode, enter the

user@host> show route
inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.0/16      *[ARI-TS/5] 00:00:32
                    > via st0.1
2001:db8:20::0/64   *[ARI-TS/5] 00:00:34
                    > via st0.1

Meaning

The
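The verification step above only shows the negotiated selectors; it does not say whether they match what was configured. The following Python script is an added example, not Juniper code and not part of the original page. It parses the five-column "show security ipsec traffic-selector st0.1" output reproduced from the page, and for each tunnel ID reports which configured selector (from the SRX_A configuration on this page) covers the negotiated local and remote ranges, whether the ranges are exact or narrowed, or whether nothing covers them. The page's own output includes a third SA (268173317) whose remote range 192.168.20.0-192.168.20.255 is narrower than the configured remote-ip 192.168.0.0/16; the audit reports that as "narrowed" because it still lies inside the configured selector. The extra row marked as constructed, and the function names, are this example's own.

```python
import ipaddress

# Selectors configured on SRX_A for the VPN bound to st0.1 (values taken from the page's configuration).
CONFIGURED = {
    "TS1-ipv6": ("2001:db8:10::0/64", "2001:db8:20::0/64"),
    "TS2-ipv4": ("192.168.10.0/24", "192.168.0.0/16"),
}

# The 'show security ipsec traffic-selector st0.1' output as printed on the page, pasted here as sample input.
SAMPLE_OUTPUT = """\
Source IP Destination IP Interface Tunnel-id IKE-ID
2001:db8:10::-2001:db8:10::ffff:ffff:ffff:ffff 2001:db8:20::-2001:db8:20::ffff:ffff:ffff:ffff st0.1 268173313 2001:db8:2000::1
192.168.10.0-192.168.10.255 192.168.0.0-192.168.255.255 st0.1 268173316 2001:db8:2000::1
192.168.10.0-192.168.10.255 192.168.20.0-192.168.20.255 st0.1 268173317 2001:db8:2000::1
"""

# Constructed row (not from the page): a negotiated remote range that no configured selector covers.
BAD_ROW = "192.168.10.0-192.168.10.255 10.9.9.0-10.9.9.255 st0.1 268173399 2001:db8:2000::1\n"


def _parse_range(text):
    """'lo-hi' -> (ip_address(lo), ip_address(hi)); neither IPv4 nor IPv6 literals contain '-'."""
    lo, hi = text.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def parse_traffic_selectors(output):
    """Parse the five-column output into one dict per negotiated selector; the header line is skipped."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, iface, tunnel_id, ike_id = parts
        rows.append({"src": _parse_range(src), "dst": _parse_range(dst),
                     "interface": iface, "tunnel_id": int(tunnel_id), "ike_id": ike_id})
    return rows


def _covered(rng, net):
    """Both ends of a contiguous range inside a network means the whole range is inside it."""
    lo, hi = rng
    return lo.version == net.version and lo in net and hi in net


def _exact(rng, net):
    lo, hi = rng
    return lo == net.network_address and hi == net.broadcast_address


def audit(rows, configured):
    """Map each tunnel ID to (selector name, 'exact' | 'narrowed') for the first configured
    selector that covers both negotiated ranges, or (None, reason) when nothing does."""
    verdicts = {}
    for row in rows:
        verdict = (None, "outside configured selectors")
        for name, (local, remote) in configured.items():
            lnet = ipaddress.ip_network(local, strict=False)
            rnet = ipaddress.ip_network(remote, strict=False)
            if _covered(row["src"], lnet) and _covered(row["dst"], rnet):
                exact = _exact(row["src"], lnet) and _exact(row["dst"], rnet)
                verdict = (name, "exact" if exact else "narrowed")
                break
        verdicts[row["tunnel_id"]] = verdict
    return verdicts


if __name__ == "__main__":
    for tunnel_id, verdict in audit(parse_traffic_selectors(SAMPLE_OUTPUT + BAD_ROW), CONFIGURED).items():
        print(tunnel_id, verdict)
```

A negotiated range that falls outside every configured selector is the condition worth alerting on, since the SA would then carry traffic the local policy never intended; the "narrowed" verdict is informational and simply records that the peer agreed to a subset of the configured prefix.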
Release History Table

15.1X49-D140: Starting with Junos OS Release 15.1X49-D140, on all SRX Series devices and vSRX instances, when you configure the traffic-selector with a remote address of 0::0 (IPv6), the following "error: configuration check-out failed" message is displayed when performing the commit and the configuration checkout fails.

15.1X49-D100: Starting with Junos OS Release 15.1X49-D100, traffic selectors can be configured with IKEv2 site-to-site VPNs.

12.1X46-D10: Starting with Junos OS Release 12.1X46-D10 and Junos OS Release 17.3R1, traffic selectors can be configured with IKEv1 site-to-site VPNs.

Which statement describes the operation of the IKE protocol?
It calculates shared keys based on the exchange of a series of data packets.
Which choices provide for the confidentiality function in the IPsec framework?
IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP). The choice of AH or ESP establishes which other building blocks are available. AH is appropriate only when confidentiality is not required or permitted. ESP provides both confidentiality and authentication.