
Configuring IPsec Service Sets

IPsec service sets require additional specifications that you configure at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

[edit services service-set service-set-name ipsec-vpn-options]
anti-replay-window-size bits;
ike-access-profile profile-name;
local-gateway (address | interface);
no-anti-replay;

Configuration of these statements is described in the following sections:

Configuring the Local Gateway Address for IPsec Service Sets

If you configure an IPsec service set, you must include the local-gateway statement, specifying either a local IPv4 address or a logical interface.

If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation), you configure the following statement:

local-gateway (address | interface);

You can configure all the link-type tunnels that share the same local gateway address in a single next-hop-style service set. The value you specify for the inside-service-interface statement at the [edit services service-set service-set-name] hierarchy level need not match the ipsec-inside-interface value, which you configure at the [edit services ipsec-vpn rule rule-name term term-name from] hierarchy level. For more information about IPsec configuration, see Configuring IPsec Rules.

IKE Addresses in VRF Instances

You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance.

For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify, as in this example:

routing-instances vrf-nxthop {
    instance-type vrf;
    interface si-0/0/0.2;
    ...
}
services service-set service-set-1 {
    next-hop-service {
        inside-service-interface si-0/0/0.1;
        outside-service-interface si-0/0/0.2;
    }
    ...
}

For interface service sets, the service-interface statement determines the VRF, as in this example:

routing-instances vrf-intf {
    instance-type vrf;
    interface si-0/0/0.3;
    interface ge-1/2/0.1; # interface on which service set is applied
    ...
}
services service-set service-set-2 {
    interface-service {
        service-interface si-0/0/0.3;
    }
    ...
}

Configuring IKE Access Profiles for IPsec Service Sets

For dynamic endpoint tunneling only, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

[edit services service-set service-set-name ipsec-vpn-options]
ike-access-profile profile-name;

The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.

Note: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address.

Also, you must configure a separate service set for each VRF. All interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF.
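The following configuration is an added example, not from this page or from Juniper's own documentation. It ties the preceding sections together: a next-hop-style service set whose local gateway address lives in a VRF, accepting dynamic endpoint tunnels through an IKE access profile, with the antireplay window set at the service-set level because dynamic tunnels have no rule term of their own. Every name (dyn-peers, dyn-ss, ike-dyn-pol, ike-dyn-prop, ipsec-dyn-pol, ipsec-dyn-prop, dyn-tunnels, vrf-nxthop), every address, and the pre-shared key are placeholders. The contents of the access profile (client * with ike-policy, ipsec-policy, allowed-proxy-pair and interface-id) and the dial-options binding on the inside si unit are assumptions about what a working dynamic endpoint setup needs beyond what this page states; check them against the dynamic endpoint documentation for your release.

```junos
access {
    /* Profile for dynamic peers. The name must match ike-access-profile below;
       only one service set may reference it, and no other service set may then
       use the same 192.0.2.1 local-gateway address. */
    profile dyn-peers {
        client * {
            ike {
                pre-shared-key ascii-text "PLACEHOLDER-PSK"; /* placeholder secret */
                allowed-proxy-pair remote 0.0.0.0/0 local 10.0.0.0/8;
                ike-policy ike-dyn-pol;
                ipsec-policy ipsec-dyn-pol;
                interface-id dyn-tunnels;
            }
        }
    }
}
interfaces {
    si-0/0/0 {
        unit 1 {
            /* Inside unit that dynamic tunnels attach to through interface-id (assumed form) */
            dial-options {
                ipsec-interface-id dyn-tunnels;
                shared;
            }
            family inet;
        }
        unit 2 {
            family inet;
        }
    }
}
services {
    ipsec-vpn {
        ike {
            proposal ike-dyn-prop {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy ike-dyn-pol {
                proposals ike-dyn-prop;
            }
        }
        ipsec {
            proposal ipsec-dyn-prop {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
            }
            policy ipsec-dyn-pol {
                proposals ipsec-dyn-prop;
                perfect-forward-secrecy {
                    keys group14;
                }
            }
        }
    }
    service-set dyn-ss {
        next-hop-service {
            inside-service-interface si-0/0/0.1;
            outside-service-interface si-0/0/0.2;
        }
        ipsec-vpn-options {
            /* kmd sends and receives IKE in the VRF that contains si-0/0/0.2 */
            local-gateway 192.0.2.1;
            ike-access-profile dyn-peers;
            /* Dynamic tunnels have no rule term to carry this, so it is set here */
            anti-replay-window-size 128;
        }
    }
}
routing-instances {
    vrf-nxthop {
        instance-type vrf;
        interface si-0/0/0.2;
        interface ge-1/0/0.0;   /* carries 192.0.2.1 and reaches the dynamic peers */
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
    }
}
```

Two points from the text are visible in the structure: the outside unit si-0/0/0.2 is what places IKE in vrf-nxthop, so the address 192.0.2.1 must be reachable by the peers through that VRF, and a second service set in the same VRF cannot reuse 192.0.2.1 once dyn-peers is attached here.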

Configuring or Disabling Antireplay Service

You can include the anti-replay-window-size statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to specify the size of the antireplay window.

anti-replay-window-size bits;

This statement is useful for dynamic endpoint tunnels, for which you cannot configure the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

For static IPsec tunnels, this statement sets the antireplay window size for all the static tunnels within this service set. If a particular tunnel needs a specific antireplay window size, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. If the antireplay check must be disabled for a particular tunnel in this service set, set the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

Note: The anti-replay-window-size and no-anti-replay settings at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level override the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

You can also include the no-anti-replay statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to disable the IPsec antireplay service. Antireplay checking occasionally causes interoperability issues for security associations.

no-anti-replay;

This statement is useful for dynamic endpoint tunnels, for which you cannot configure the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

For static IPsec tunnels, this statement disables the antireplay check for all the tunnels within this service set. If the antireplay check must be enabled for a particular tunnel, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

Note: Setting the anti-replay-window-size and no-anti-replay statements at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
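As an added example (not from this page or from Juniper), the configuration below shows the precedence the notes above describe on an interface-style service set with three static tunnels: the service-set-level anti-replay-window-size applies to the term that says nothing, one term widens its own window, and one term disables the check for its tunnel only. The names (static-ss, static-tunnels, branch-a, branch-b, legacy-peer, ike-pol, ike-prop, ipsec-pol, ipsec-prop), the addresses, the pre-shared key and the window values are placeholders chosen for illustration.

```junos
services {
    service-set static-ss {
        interface-service {
            service-interface si-0/0/0.3;   /* this unit's VRF is where IKE runs */
        }
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
            /* Applies to every static tunnel in this set that sets nothing itself */
            anti-replay-window-size 128;
        }
        ipsec-vpn-rules static-tunnels;
    }
    ipsec-vpn {
        rule static-tunnels {
            term branch-a {
                /* No antireplay statement here: inherits the 128-packet window */
                from {
                    source-address 10.1.0.0/16;
                }
                then {
                    remote-gateway 198.51.100.10;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                }
            }
            term branch-b {
                /* Term-level value wins: this tunnel alone gets a 1024-packet window */
                from {
                    source-address 10.2.0.0/16;
                }
                then {
                    remote-gateway 198.51.100.20;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                    anti-replay-window-size 1024;
                }
            }
            term legacy-peer {
                /* Check disabled for this tunnel only; the other two keep it */
                from {
                    source-address 10.3.0.0/16;
                }
                then {
                    remote-gateway 198.51.100.30;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                    no-anti-replay;
                }
            }
            match-direction output;
        }
        ike {
            proposal ike-prop {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy ike-pol {
                proposals ike-prop;
                pre-shared-key ascii-text "PLACEHOLDER-PSK"; /* placeholder secret */
            }
        }
        ipsec {
            proposal ipsec-prop {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
            }
            policy ipsec-pol {
                proposals ipsec-prop;
                perfect-forward-secrecy {
                    keys group14;
                }
            }
        }
    }
}
```

The service set is applied to traffic with the family inet service input and output statements on the customer-facing interface (ge-1/2/0.1 in the VRF example above). Disabling the check on legacy-peer removes replay protection for that SA only, which is the narrowest change when one peer misbehaves; disabling it at the service-set level with no-anti-replay would remove it from all three. After commit, show services ipsec-vpn ipsec security-associations detail is the place to confirm which window each SA actually ended up with.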

Modified: 2017-09-13