Hi,
I’ve written a firewall filter to protect the RE on one of my SRX boxes in the lab. The filter allows (among other things) IKE and ESP traffic to the RE. I’m counting all term hits, and while looking at the stats I found the following:
> show firewall filter protect-re-ipv4
Filter: protect-re-ipv4
Counters:
Name                                Bytes      Packets
accept-dhcp-client                    349            1
accept-dhcp-server                   1010            3
accept-esp                              0            0
accept-icmp                         88279         1058
accept-ike                         145688         1293
accept-ntp                          14592          192
accept-ospf                        354924         2896
accept-radius                         481            7
accept-snmp                        562861         2336
accept-ssh                         250506         3424
accept-ssh-established                  0            0
accept-traceroute-udp                 312            6
discard-bad-packets                   644           13
No hits for ESP. Hm, that’s weird. The VPN works like it should, though, and the ESP stats look fine:
> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:         21644688
  Decrypted bytes:         31782884
  Encrypted packets:          73623
  Decrypted packets:          79730
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
The configuration looks like this:
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Input filter on lo0: only traffic destined to the RE passes through it */
                filter {
                    input protect-re-ipv4;
                }
                address 192.168.1.1/32;
            }
        }
    }
}
firewall {
    family inet {
        filter protect-re-ipv4 {
            /* Drop fragmented ICMP before the general ICMP accept term below */
            term no-icmp-fragments {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    discard;
                }
            }
            term accept-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer mgmt-5m;
                    count accept-icmp;
                    accept;
                }
            }
            term accept-traceroute-udp {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer mgmt-1m;
                    count accept-traceroute-udp;
                    accept;
                }
            }
            term accept-ike {
                from {
                    source-prefix-list {
                        ike-hosts;
                    }
                    protocol udp;
                    port 500;
                }
                then {
                    count accept-ike;
                    accept;
                }
            }
            term accept-esp {
                from {
                    source-prefix-list {
                        ike-hosts;
                    }
                    protocol esp;
                }
                then {
                    count accept-esp;
                    accept;
                }
            }
            term accept-ospf {
                from {
                    source-prefix-list {
                        interfaces-ipv4;
                    }
                    destination-prefix-list {
                        interfaces-ipv4;
                        ospf-multicast;
                    }
                    protocol ospf;
                }
                then {
                    count accept-ospf;
                    accept;
                }
            }
            term accept-ssh {
                from {
                    source-prefix-list {
                        ssh-hosts;
                    }
                    protocol tcp;
                    port ssh;
                }
                then {
                    policer mgmt-5m;
                    count accept-ssh;
                    accept;
                }
            }
            /* Return traffic for SSH sessions opened from the box itself */
            term accept-ssh-established {
                from {
                    source-prefix-list {
                        ssh-hosts;
                    }
                    source-port ssh;
                    tcp-established;
                }
                then {
                    policer mgmt-5m;
                    count accept-ssh-established;
                    accept;
                }
            }
            term accept-snmp {
                from {
                    source-prefix-list {
                        snmp-hosts;
                    }
                    protocol udp;
                    port snmp;
                }
                then {
                    policer mgmt-5m;
                    count accept-snmp;
                    accept;
                }
            }
            term accept-ntp {
                from {
                    source-prefix-list {
                        ntp-hosts;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    policer mgmt-1m;
                    count accept-ntp;
                    accept;
                }
            }
            term accept-radius {
                from {
                    source-prefix-list {
                        radius-hosts;
                    }
                    protocol udp;
                    port radius;
                }
                then {
                    policer mgmt-1m;
                    count accept-radius;
                    accept;
                }
            }
            term accept-dhcp-client {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    protocol udp;
                    source-port 68;
                    destination-port 67;
                }
                then {
                    count accept-dhcp-client;
                    accept;
                }
            }
            term accept-dhcp-server {
                from {
                    protocol udp;
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then {
                    count accept-dhcp-server;
                    accept;
                }
            }
            /* Explicit final deny: count and log everything that did not match above */
            term discard-bad-packets {
                then {
                    count discard-bad-packets;
                    log;
                    discard;
                }
            }
        }
    }
    /* Rate limiters referenced by the terms above */
    policer mgmt-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
    policer mgmt-5m {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
So, why isn’t anything hitting the accept-esp term? 🙂
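An added example, not part of the original post: a small Python checker that does what the poster did by hand, i.e. cross-references the terms of an RE-protection filter with their counters and explains the zero-hit accept terms. On an SRX in flow mode the IPsec tunnel is terminated on the SPU in the forwarding plane, so ESP is decrypted there and never reaches the lo0 filter; only IKE, which is negotiated on the RE, shows up in the counters. The checker encodes that as the expected explanation for a zero ESP/AH term, and likewise flags a source-port/tcp-established term as one that only matches return traffic of sessions the box itself initiated. The sample counter output and the trimmed filter configuration are constructed from the post; the function and variable names are the example's own.

```python
import re

# Constructed sample (a subset of the post's 'show firewall filter' output).
COUNTER_OUTPUT = """\
Filter: protect-re-ipv4
Counters:
Name                                Bytes      Packets
accept-esp                              0            0
accept-ike                         145688         1293
accept-ssh                         250506         3424
accept-ssh-established                  0            0
discard-bad-packets                   644           13
"""

# Constructed sample (a subset of the post's filter configuration).
FILTER_CONFIG = """\
firewall {
    family inet {
        filter protect-re-ipv4 {
            term accept-ike {
                from { source-prefix-list { ike-hosts; } protocol udp; port 500; }
                then { count accept-ike; accept; }
            }
            term accept-esp {
                from { source-prefix-list { ike-hosts; } protocol esp; }
                then { count accept-esp; accept; }
            }
            term accept-ssh {
                from { source-prefix-list { ssh-hosts; } protocol tcp; port ssh; }
                then { policer mgmt-5m; count accept-ssh; accept; }
            }
            term accept-ssh-established {
                from { source-prefix-list { ssh-hosts; } source-port ssh; tcp-established; }
                then { policer mgmt-5m; count accept-ssh-established; accept; }
            }
            term discard-bad-packets {
                then { count discard-bad-packets; log; discard; }
            }
        }
    }
}
"""

# Protocols an SRX in flow mode terminates on the SPU, not on the RE.
IPSEC_PROTOCOLS = {"esp", "ah"}


def parse_counters(output):
    """Return {counter_name: (bytes, packets)} from 'show firewall filter' text."""
    counters, in_table = {}, False
    for line in output.splitlines():
        if line.strip() == "Counters:":
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            counters[parts[0]] = (int(parts[1]), int(parts[2]))
    return counters


def _tokens(config):
    """Split curly-brace Junos config into statement text, '{', '}' and ';' tokens."""
    for tok in re.findall(r"[^{};]+|[{};]", config):
        tok = tok.strip()
        if tok:
            yield tok


def parse_terms(config):
    """Map each term to its 'from' conditions and 'then' actions.

    Blocks nested under from/then are flattened, e.g. 'source-prefix-list ike-hosts'.
    """
    terms, stack, text = {}, [], ""
    for tok in _tokens(config):
        if tok == "{":
            stack.append(text)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            for i, header in enumerate(stack):
                if header.startswith("term "):
                    entry = terms.setdefault(header.split()[1], {"from": [], "then": []})
                    if len(stack) > i + 1 and stack[i + 1] in entry:
                        entry[stack[i + 1]].append(" ".join(stack[i + 2:] + [text]))
                    break
        else:
            text = tok
    return terms


def audit(config, output):
    """Return {term: explanation} for every accept term whose counter is still zero."""
    counters = parse_counters(output)
    findings = {}
    for name, term in parse_terms(config).items():
        if "accept" not in term["then"]:
            continue
        counter = next((a.split()[1] for a in term["then"] if a.startswith("count ")), None)
        if counter is None:
            findings[name] = "accept term has no 'count' action, so its hits are invisible"
            continue
        if counter not in counters:
            findings[name] = f"counter {counter} is missing from the command output"
            continue
        if counters[counter][1] > 0:
            continue
        protocols = {m.split()[1] for m in term["from"] if m.startswith("protocol ")}
        if protocols & IPSEC_PROTOCOLS:
            findings[name] = ("expected on an SRX in flow mode: IPsec is terminated in the "
                              "forwarding plane, so ESP/AH never reaches the lo0 filter")
        elif "tcp-established" in term["from"] and any(
                m.startswith("source-port ") for m in term["from"]):
            findings[name] = ("only return traffic of sessions the RE itself initiated "
                              "matches; zero hits is normal until someone runs ssh from the box")
        else:
            findings[name] = "zero hits: check the match conditions and term order"
    return findings


if __name__ == "__main__":
    for term, why in audit(FILTER_CONFIG, COUNTER_OUTPUT).items():
        print(f"{term}: {why}")
```

One caveat worth keeping in mind when the checker reports the IKE term as healthy: the accept-ike term above matches UDP 500 only. Peers behind NAT switch to NAT-T on UDP 4500, which is also handled on the RE, so such negotiations would fall through to discard-bad-packets unless 4500 is added to the term.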