Example: Dynamic Endpoint Tunneling Configuration
Figure 60 shows a local network N-1 located behind security gateway SG-1. SG-1 is a Juniper Networks routing platform terminating dynamic peer endpoints. The tunnel termination address on SG-1 is 10.7.7.2 and the local network address is 172.16.1.0/24.
A remote peer router obtains addresses from an ISP pool and runs RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and is located behind security gateway SG-2 with tunnel termination address 10.7.7.1.
On Router SG-1, configure an IKE access profile to accept proposals from SG-2. Apply the interface identifier from the access profile to the inside services interface and apply the IKE access profile itself to the IPSec next-hop style service set.
Router SG-1
[edit]
access {
profile ike_access {
client * { # Accepts proposals from specified peers that use the preshared key.
ike {
allowed-proxy-pair local 10.255.14.63/32 remote 10.255.14.64/32;
pre-shared-key ascii-text "$9$1hoESeLxdgoGvWoGDif5IEc"; # SECRET-DATA
interface-id test_id; # Apply this ID to the inside services interfaces.
}
}
}
}
interfaces {
fe-0/0/0 {
description "Connection to the local network";
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
so-1/0/0 {
description "Connection to SG-2";
no-keepalives;
encapsulation cisco-hdlc;
unit 0 {
family inet {
address 10.7.7.2/30;
}
}
}
sp-3/3/0 {
unit 0 {
family inet;
}
unit 3 {
dial-options {
ipsec-interface-id test_id; # Accepts dynamic endpoint tunnels.
shared;
}
service-domain inside;
}
unit 4 {
family inet;
service-domain outside;
}
}
}
services {
service-set dynamic_nh_ss { # Create a next-hop service set
next-hop-service { # for the dynamic endpoint tunnels.
inside-service-interface sp-3/3/0.3;
outside-service-interface sp-3/3/0.4;
}
ipsec-vpn-options {
local-gateway 10.7.7.2;
ike-access-profile ike_access; # Apply the IKE access profile here.
}
}
}