When you configure the encryption interface, you associate the configured SA with a logical interface. This configuration defines the tunnel, including the logical unit, tunnel addresses, maximum transmission unit (MTU), optional interface addresses, and the name of the IPSec SA to apply to traffic. To configure an encryption interface, include the following statements at the [edit interfaces es-fpc/pic/port unit logical-unit-number] hierarchy level:
```
family inet {
    ipsec-sa ipsec-sa; # name of security association to apply to packet
    address address { # local interface address inside local VPN
        destination address; # destination address inside remote VPN
    }
}
tunnel {
    source source-address;
    destination destination-address;
}
```
The addresses configured as the tunnel source and destination are the addresses in the outer IP header of the tunnel.
Note: You must configure the tunnel source address locally on the router, and the tunnel destination address must be a valid address for the security gateway terminating the tunnel. The ES Physical Interface Card (PIC) is supported on M-series and T-series routing platforms.
The SA must be a valid tunnel-mode SA. The interface address and destination address listed are optional. The destination address allows the user to configure a static route to encrypt traffic. If a static route uses that destination address as the next hop, traffic is forwarded through the portion of the tunnel in which encryption occurs.
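The following filled-in configuration is an added example, not taken from the original documentation. It shows the statements above with concrete values, plus a static route that uses the interface destination address as its next hop. The interface position es-0/1/0, the SA name sa-to-remote, and all addresses are assumed sample values, and the SA is assumed to be defined elsewhere as a tunnel-mode SA.

```junos
interfaces {
    es-0/1/0 {                            # assumed FPC/PIC/port position
        unit 0 {
            tunnel {
                source 192.0.2.1;         # outer header source; must be configured locally on this router
                destination 198.51.100.1; # outer header destination; the remote security gateway
            }
            family inet {
                ipsec-sa sa-to-remote;    # assumed name of a tunnel-mode SA defined elsewhere
                address 10.1.15.1/32 {    # optional local address inside the local VPN
                    destination 10.1.15.2; # optional address inside the remote VPN
                }
            }
        }
    }
}
routing-options {
    static {
        # Traffic for the remote protected subnet (sample prefix) is sent to the
        # interface destination address, so it is forwarded through the
        # encrypting tunnel.
        route 10.2.2.0/24 next-hop 10.1.15.2;
    }
}
```

Only traffic that matches a route pointing at the interface destination address enters the tunnel, so review the static routes to confirm that every prefix requiring protection is covered.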