Configuring IPsec to Protect H.248 Messages or Mirrored Sessions in Tunnel Mode
Figure 1 shows a sample configuration that protects H.248 messages using IPsec tunnel mode.
Figure 1: Protecting H.248 Messages Using IPsec Tunnel Mode

To configure IPsec to protect H.248 messages as shown in Figure 1:
- Configure the service PIC that you want IPsec to use. IPsec can use the same service PIC that the BGF uses, or it can have a dedicated service PIC.

  Configure the logical interfaces that will be assigned to a service interface pool for incoming traffic to the IPsec tunnel and outgoing traffic from the IPsec tunnel. For example:

    [edit interfaces sp-3/3/0]
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
    }
    unit 20 {
        family inet;
    }
    unit 50 {
        description IPsec-tunnel-incoming;
        family inet;
    }
    unit 60 {
        description IPsec-tunnel-outgoing;
        family inet;
    }

- Create a service interface pool containing the logical interfaces for IPsec tunnel traffic.

    [edit services service-interface-pool pool ipsec-pool-1]
    interface sp-3/3/0.10;
    interface sp-3/3/0.20;
    interface sp-3/3/0.50;
    interface sp-3/3/0.60;

- Configure a service set that has the following characteristics:
  - Next-hop service that contains the service interface pool of the inside and outside interfaces that you configured for IPsec.
  - The local IP address for IPsec traffic.
  - The IPsec rule or rule set applied to the tunnel. This is a rule or rule set that you configure at the [edit services ipsec-vpn] hierarchy level.

    [edit services service-set ipsec-tunnel-for-bgf]
    next-hop-service {
        service-interface-pool ipsec-pool-1;
    }
    ipsec-vpn-options {
        local-gateway 192.168.10.1;
    }
    ipsec-vpn-rules rule-ike;

- Configure a static route to the gateway controller with the IPsec interface as the next hop. The gateway controller is the H.248 gateway; that is, the border gateway control (BCF).

    [edit routing-options]
    static {
        route 10.0.0.150/32 next-hop sp-3/3/0.50;
    }
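
The steps above depend on three cross-references: pool members must be configured logical interfaces, the service set must name a pool that exists, and the static route's next hop must be a pooled service interface. The following offline check is an added example, not Juniper tooling or part of the original procedure; the function names are hypothetical and the sample configuration is constructed from this page's values with a deliberately mismatched pool name.

```python
import re

def sections(cfg, prefix):
    """Return (name, body) for each '[edit <prefix> <name>]' block in page-style config."""
    pat = r"\[edit " + re.escape(prefix) + r" (\S+)\]([^\[]*)"
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, cfg)]

def lint(cfg):
    """Return cross-reference findings for the IPsec tunnel configuration."""
    units = {f"{ifd}.{u}" for ifd, body in sections(cfg, "interfaces")
             for u in re.findall(r"unit\s+(\d+)\s*\{", body)}
    pools = {name: set(re.findall(r"interface\s+(\S+);", body))
             for name, body in sections(cfg, "services service-interface-pool pool")}
    findings = []
    for pool, members in sorted(pools.items()):
        for ifl in sorted(members - units):
            findings.append(f"pool {pool}: {ifl} is not a configured logical interface")
    for sset, body in sections(cfg, "services service-set"):
        for ref in re.findall(r"service-interface-pool\s+(\S+);", body):
            if ref not in pools:
                findings.append(f"service-set {sset}: pool {ref} is not defined")
    pooled = set().union(*pools.values())
    for dest, hop in re.findall(r"route\s+(\S+)\s+next-hop\s+(sp-\S+);", cfg):
        if hop not in pooled:
            findings.append(f"route {dest}: next hop {hop} is not in any service interface pool")
    return findings

# Constructed sample: the service set names a pool that is never defined.
SAMPLE = """
[edit interfaces sp-3/3/0]
unit 0 { family inet; }
unit 10 { family inet; }
unit 20 { family inet; }
unit 50 { description IPsec-tunnel-incoming; family inet; }
unit 60 { description IPsec-tunnel-outgoing; family inet; }
[edit services service-interface-pool pool ipsec-pool-1]
interface sp-3/3/0.10; interface sp-3/3/0.20;
interface sp-3/3/0.50; interface sp-3/3/0.60;
[edit services service-set ipsec-tunnel-for-bgf]
next-hop-service { service-interface-pool int-pool-1; }
ipsec-vpn-options { local-gateway 192.168.10.1; }
ipsec-vpn-rules rule-ike;
[edit routing-options]
static { route 10.0.0.150/32 next-hop sp-3/3/0.50; }
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```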
