Configuring IPSec for Mirrored Sessions

To protect mirrored traffic that is sent from the PG to the delivery function, you can use IPSec. To have IPSec and PGCP performed on the same services PIC, you create a PGCP service set and an IPSec service set, then chain the two service sets with a static route under the routing-options hierarchy so that packets leaving the PGCP service set are routed into the IPSec service set.

To create the service sets and routing options:

  1. Configure a PGCP service set. The NAT routes installed as part of the PGCP service direct PGCP traffic to sp-1/0/0.10 (inside) and sp-1/0/0.20 (outside).
    [edit services service-set pgcp-svc-set]
    user@host# set pgcp-rules pgcp-rule
    user@host# set next-hop-service inside-service-interface sp-1/0/0.10
    user@host# set next-hop-service outside-service-interface sp-1/0/0.20
  2. Configure an IPSec service set on the same PIC, using a different pair of logical units and the address of the local IPSec gateway.
    [edit services service-set ipsec-svc-set]
    user@host# set next-hop-service inside-service-interface sp-1/0/0.30
    user@host# set next-hop-service outside-service-interface sp-1/0/0.40
    user@host# set ipsec-vpn-options local-gateway 1.0.0.1
    user@host# set ipsec-vpn-rules ipsec1
  3. Install a static route to the delivery function (1.0.0.3) whose next hop is the inside service interface of the IPSec service set (sp-1/0/0.30). This route redirects mirrored packets into the unit of the same services PIC that is hosting the IPSec service, where they are encrypted before leaving the router.
    [edit]
    user@host# set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30

The mirrored packets that are generated on sp-1/0/0 carry the address of the delivery function as their destination (1.0.0.3 in this case), which is why the /32 static route is what steers them into the IPSec service set. The route only delivers the packets to sp-1/0/0.30; the rule referenced by ipsec-vpn-rules (ipsec1) must still match that destination for the packets to be encrypted.
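The three steps above assembled into one configuration, shown in hierarchical form, as an added example that is not part of the original page. Everything beyond the statements in the steps is an assumption made here so that the configuration is complete enough to commit: the logical units on sp-1/0/0 with their service-domain statements, the IPSec rule ipsec1 with its term name, the IKE and IPSec proposal and policy names (li-ike-proposal, li-ike-policy, li-ipsec-proposal, li-ipsec-policy), the algorithm choices, the placeholder pre-shared key, and the remote gateway address 1.0.0.2, assumed to be an IPSec gateway in front of the delivery function rather than the delivery function itself.

```junos
/* Added example (not from the original page). Assumed logical units for the
   two next-hop service sets; each set needs one inside and one outside unit. */
interfaces {
    sp-1/0/0 {
        unit 10 {
            family inet;
            service-domain inside;
        }
        unit 20 {
            family inet;
            service-domain outside;
        }
        unit 30 {
            family inet;
            service-domain inside;
        }
        unit 40 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    /* Step 1 from the page: PGCP service set. */
    service-set pgcp-svc-set {
        pgcp-rules pgcp-rule;
        next-hop-service {
            inside-service-interface sp-1/0/0.10;
            outside-service-interface sp-1/0/0.20;
        }
    }
    /* Step 2 from the page: IPSec service set on the same PIC. */
    service-set ipsec-svc-set {
        ipsec-vpn-rules ipsec1;
        ipsec-vpn-options {
            local-gateway 1.0.0.1;
        }
        next-hop-service {
            inside-service-interface sp-1/0/0.30;
            outside-service-interface sp-1/0/0.40;
        }
    }
    ipsec-vpn {
        /* Assumed rule body: match the delivery-function address so the
           mirrored packets that arrive via the static route are tunneled.
           The remote gateway (1.0.0.2, assumed) must NOT be the address that
           the static route sends into sp-1/0/0.30, or the encrypted packets
           leaving sp-1/0/0.40 would be routed straight back into the tunnel. */
        rule ipsec1 {
            term to-delivery-function {
                from {
                    destination-address 1.0.0.3/32;
                }
                then {
                    remote-gateway 1.0.0.2;
                    dynamic {
                        ike-policy li-ike-policy;
                        ipsec-policy li-ipsec-policy;
                    }
                }
            }
            match-direction input;
        }
        /* Assumed IKE and IPSec parameters; check the supported list for the
           release in use before copying these. */
        ike {
            proposal li-ike-proposal {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
            }
            policy li-ike-policy {
                mode main;
                proposals li-ike-proposal;
                /* Placeholder; replace with a real key or certificates. */
                pre-shared-key ascii-text "replace-me";
            }
        }
        ipsec {
            proposal li-ipsec-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
            }
            policy li-ipsec-policy {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals li-ipsec-proposal;
            }
        }
    }
}
/* Step 3 from the page: steer the mirrored packets into the IPSec inside unit. */
routing-options {
    static {
        route 1.0.0.3/32 next-hop sp-1/0/0.30;
    }
}
```

After committing, confirm the chaining with show route 1.0.0.3 (the next hop should be sp-1/0/0.30) and confirm that the tunnel came up with show services ipsec-vpn ipsec security-associations; if no security association appears while mirrored packets are being generated, the usual causes are a rule term that does not match the delivery-function address or a remote-gateway address that is itself routed into sp-1/0/0.30.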
