To complete the configuration, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set name ipsec-vpn-options] hierarchy level:
- [edit services]
- service-set name {
-
- next-hop-service {
- inside-service-interface interface-name;
- outside-service-interface interface-name;
- }
-
- ipsec-vpn-options {
- local-gateway address;
-
ike-access-profile profile-name;
- }
- }
The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPSec security associations with dynamic peers only.
 |
Note: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, you must configure a separate service set for each VRF. All interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF. |
 | Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |