Configuring the Local Gateway Address

If you configure an IPSec service set, you must also configure a local IPv4 or IPv6 address by including the local-gateway statement:

• If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation), you configure the following statement:

  local-gateway address;

• If the IKE gateway IP address is in a VPN routing and forwarding (VRF) instance, you configure the following statement:

  local-gateway address routing-instance instance-name;

You can configure all the link-type tunnels that share the same local gateway address in a single next-hop-style service set. The value you specify for the inside-service-interface statement at the [edit services service-set service-set-name] hierarchy level should match the ipsec-inside-interface value, which you configure at the [edit services ipsec-vpn rule rule-name term term-name from] hierarchy level. For more information about IPSec configuration, see Configuring IPSec Service Rules.

You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance.

For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify, as in this example:

For interface service sets, the service-interface statement determines the VRF, as in this example:

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.