Configuring the ES PIC associates the configured SA with a logical interface. This configuration defines the tunnel itself (logical subunit, tunnel addresses, maximum transmission unit [MTU], optional interface addresses, and the name of the SA to apply to traffic).
The addresses configured as the tunnel source and destination are the addresses in the outer IP header of the tunnel.
Note: The tunnel source address must be configured locally on the router, and the tunnel destination address must be a valid address for the security gateway terminating the tunnel. The M5, M10, M20, and M40 routers support the ES PIC. You can also configure IPSec on the AS PIC and MultiServices PICs. For information about how to configure IPSec on the AS PIC or MultiServices PIC, see the JUNOS Services Interfaces Configuration Guide.
The SA must be a valid tunnel-mode SA. The interface address and destination address listed are optional. The destination address allows the user to configure a static route to encrypt traffic. If a static route uses that destination address as the next hop, traffic is forwarded through the portion of the tunnel in which encryption occurs. For more information about the ES PIC, see the JUNOS Services Interfaces Configuration Guide.
Configure an IPSec tunnel as a logical interface on the ES PIC. The logical interface specifies the tunnel through which the encrypted traffic travels. The ipsec-sa statement associates the security profile with the interface.
```
[edit interfaces]
es-0/0/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;          # tunnel source address
            destination 10.6.6.6;     # tunnel destination address
        }
        family inet {
            ipsec-sa ipsec-sa;        # name of security association to apply to packet
            address 10.1.1.8/32 {     # local interface address inside local VPN
                destination 10.2.2.254;   # destination address inside remote VPN
            }
        }
    }
}
```
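The static route described above, which steers traffic into the encrypted tunnel, could look like the following. This is an added example, not part of the original configuration; the prefix 10.2.2.0/24 is an assumed address range for the remote VPN, and the next hop is the destination address configured on the es- interface.

```junos
[edit routing-options]
static {
    # 10.2.2.0/24 is an assumed prefix for the remote VPN.
    # The next hop is the "destination" address configured under
    # family inet on es-0/0/0 unit 0, so matching traffic is
    # forwarded through the tunnel and protected by the SA
    # named in the ipsec-sa statement.
    route 10.2.2.0/24 next-hop 10.2.2.254;
}
```

Traffic to destinations that no route sends through the es- interface is forwarded normally and is not encrypted, so the static routes need to cover every prefix that must be protected.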