Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:
- [edit interfaces]
- # so-0/0/0.0 is bound to the "vrf" routing instance later in this configuration.
- so-0/0/0 {
- no-keepalives;
- encapsulation cisco-hdlc;
-
- unit 0 {
-
- family inet {
- address 10.6.6.6/32;
- }
- }
- }
- # so-2/2/0 holds the tunnel endpoint: 10.21.1.1 is the local-gateway of
- # service-set-1, and the remote gateway 10.21.2.1 falls inside this /16.
- # It is not listed under the vrf instance on this page, so IKE/ESP traffic
- # presumably uses the default instance - confirm against the full configuration.
- so-2/2/0 {
- description "teller so-0/2/0";
- no-keepalives;
- encapsulation cisco-hdlc;
-
- unit 0 {
-
- family inet {
- address 10.21.1.1/16;
- }
- }
- }
- # sp-3/1/0 is the services interface used by the next-hop service set.
- # Units 1 and 2 are the inside/outside pair referenced by
- # next-hop-service in service-set-1.
- sp-3/1/0 {
-
- unit 0 {
-
- family inet {
- address 10.7.7.7/32;
- }
- }
-
- # Inside unit: placed in the vrf instance; routes that point at it steer
- # traffic into the IPsec service. Traffic that is never routed to this
- # unit does not pass through the service set.
- unit 1 {
- family inet;
- service-domain inside;
- }
-
- # Outside unit: the other half of the next-hop pair (outside-service-interface).
- unit 2 {
- family inet;
- service-domain outside;
- }
- }
- [edit policy-options]
- # Export policy for the VRF. It has no "from" clause, so every route it is
- # applied to is tagged with vpn-comm and accepted.
- # NOTE(review): that includes the static routes defined in the instance;
- # add a match condition if only some prefixes should be advertised.
- policy-statement vpn-export {
-
- then {
- community add vpn-comm;
- accept;
- }
- }
- # Import policy for the VRF: accepts only routes carrying vpn-comm.
- # No explicit final reject term is configured; routes that do not match
- # term a fall through to the default action.
- policy-statement vpn-import {
-
- term a {
- from community vpn-comm;
- then accept;
- }
- }
- # Route target shared by both policies above.
- community vpn-comm members target:100:20;
- [edit routing-instances]
- # VRF that contains the customer-side interface and the inside services
- # unit. The outside unit (sp-3/1/0.2) and so-2/2/0 are not listed here.
- vrf {
- instance-type vrf;
- interface sp-3/1/0.1; # Inside sp interface
- interface so-0/0/0.0;
- route-distinguisher 192.168.0.1:1;
- vrf-import vpn-import;
- vrf-export vpn-export;
-
- routing-options {
-
- static {
- # NOTE(review): a /0 prefix length matches every destination, so this
- # entry acts as a default route regardless of the 10.0.0.0 network part.
- # Confirm whether 0.0.0.0/0 or a narrower prefix was intended.
- route 10.0.0.0/0 next-hop so-0/0/0.0;
- route 10.11.11.1/32 next-hop so-0/0/0.0;
- # Only this destination is routed to the inside services unit, so only
- # traffic for 10.8.8.1 enters the IPsec service set. Anything else in
- # the VRF follows the routes above and is not sent to the tunnel.
- route 10.8.8.1/32 next-hop sp-3/1/0.1;
- }
- }
- }
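- [edit services]
- ipsec-vpn {
-
- # rule-1 has a single term with no "from" clause, so it applies to all
- # traffic that reaches the service set on the input direction.
- rule rule-1 {
-
- term term-1 {
-
- then {
- remote-gateway 10.21.2.1;
-
- # Dynamic SA: keys are negotiated by IKE using the policy below.
- dynamic {
- ike-policy ike-policy;
- }
- }
- }
- match-direction input;
- }
-
- ike {
-
- # Only the pre-shared key is set here; no IKE proposal is referenced.
- # NOTE(review): the algorithms then come from platform defaults -
- # confirm they meet your crypto policy or reference explicit proposals.
- policy ike-policy {
- # The $9$ form is the reversible obfuscation Junos uses when displaying
- # secrets, not a one-way hash. Treat any configuration file, backup or
- # support bundle containing it as holding the key itself, and never
- # reuse this documentation sample as a real key.
- pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";
- }
- }
- }
- service-set service-set-1 {
-
- # local-gateway is set under ipsec-vpn-options, matching the statement
- # used in the demo-service-set example on this page. 10.21.1.1 is the
- # address configured on so-2/2/0.
- ipsec-vpn-options {
- local-gateway 10.21.1.1;
- }
- ipsec-vpn-rules rule-1;
-
- # Next-hop style: traffic routed to the inside unit is processed by
- # rule-1 and leaves through the outside unit.
- next-hop-service {
- inside-service-interface sp-3/1/0.1;
- outside-service-interface sp-3/1/0.2;
- }
- }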
The following example configures multiple link-type tunnels to static peers using a single next-hop style service set:
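- services ipsec-vpn {
-
- # One rule, one term per peer. Each term selects its tunnel by the inside
- # logical interface the traffic arrived on (ipsec-inside-interface).
- # demo-ike-policy is not defined in this example; it must exist under
- # "services ipsec-vpn ike". Both terms reference the same policy, so both
- # peers share its settings, including any pre-shared key. Use one policy
- # per peer if the peers should not share a key.
- rule demo-rule {
-
- term term-0 {
-
- from {
- ipsec-inside-interface sp-0/0/0.1;
- }
-
- then {
- remote-gateway 10.2.2.2;
-
- dynamic {
- ike-policy demo-ike-policy;
- }
- }
- }
-
- term term-1 {
-
- from {
- ipsec-inside-interface sp-0/0/0.3;
- }
-
- then {
- remote-gateway 10.3.3.3;
-
- dynamic {
- ike-policy demo-ike-policy;
- }
- }
- }
- # match-direction belongs to the rule, as in rule-1 of the PE example,
- # so it is placed before the rule's closing brace.
- match-direction input;
- }
- }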
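- services {
-
- # A single next-hop style service set serves both tunnels of demo-rule.
- service-set demo-service-set {
-
- next-hop-service {
- inside-service-interface sp-0/0/0.1;
- outside-service-interface sp-0/0/0.2;
- }
-
- # Local IKE/IPsec endpoint address shared by every tunnel in this set.
- ipsec-vpn-options {
- local-gateway 10.1.1.1;
- }
- # The rule is attached with ipsec-vpn-rules, the same statement the
- # PE example uses for rule-1.
- ipsec-vpn-rules demo-rule;
- }
- }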
- # Services interface for demo-service-set: one outside unit and several
- # inside units, so each tunnel can be tied to its own inside logical interface.
- interfaces sp-0/0/0 {
-
- unit 0 {
- family inet;
- }
-
- # Inside unit matched by term-0 (peer 10.2.2.2); also the
- # inside-service-interface of demo-service-set.
- unit 1 {
- family inet;
- service-domain inside;
- }
-
- # Outside unit: outside-service-interface of demo-service-set.
- unit 2 {
- family inet;
- service-domain outside;
- }
-
- # Inside unit matched by term-1 (peer 10.3.3.3).
- unit 3 {
- family inet;
- service-domain inside;
- }
-
- # NOTE(review): no term of demo-rule on this page references unit 4.
- # Traffic routed to it would match neither term - confirm how it should
- # be handled, or remove the unit if it is unused.
- unit 4 {
- family inet;
- service-domain inside;
- }
- }