Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Example: Configuring Dynamically Assigned Tunnels
The following examples are based on this network configuration (see Figure 3):
- A local network N-1 behind security gateway SG-1, a Juniper Networks router terminating static as well as dynamic peer endpoints. The tunnel termination address on SG-1 is 10.1.1.1 and the local network address is 172.16.1.0/24.
- Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.2.2.2. Remote network N-3 has address 172.16.3.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.3.3.3.
Figure 3: IPsec Dynamic Endpoint Tunneling Topology
The examples in this section show the following configurations:
- Configuring a Next-Hop Style Service Set with Link-Type Tunnels
- Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels
 | Note: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections. |
Configuring a Next-Hop Style Service Set with Link-Type Tunnels
access {profile demo-access-profile client * {ike {allowed-proxy-pair {remote 0.0.0.0/0 local 0.0.0.0/0; # ANY to ANY}pre-shared-key {ascii-text keyfordynamicpeers;}interface-id demo-ipsec-interface-id;}}services {service-set demo-service-set {next-hop-service {inside-service-interface sp-1/0/0.1;outside-service-interface sp-1/0/0.2;}ipsec-vpn-options {local-gateway 10.1.1.1;ike-access-profile demo-ike-access-profile;}}}}
| Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly. |
interfaces {sp-0/0/0 {unit 0 {family inet;}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}unit 3 {family inet;service-domain inside;dial-options {ipsec-interface-id demo-ipsec-interface-id;dedicated;}}unit 4 {family inet;service-domain inside;dial-options {ipsec-interface-id demo-ipsec-interface-id;dedicated;}}}}
The following results are obtained:
- Reverse routes inserted after successful negotiation:
None
- Routes learned by routing protocol:
172.16.2.0/24
172.16.3.0/24
- Dynamic implicit rules created after successful negotiation: rule: junos-dynamic-rule-0term: term-0local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1remote-gateway-address: 10.2.2.2 #Tunnel termination address on SG-2source-address : 0.0.0.0/0destination-address : 0.0.0.0/0ipsec-inside-interface: sp-0/0/0.3term: term-1local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1remote-gateway-address: 10.3.3.3 #Tunnel termination address on SG-3source-address : 0.0.0.0/0destination-address : 0.0.0.0/0ipsec-inside-interface: sp-0/0/0.4match-direction: input
Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels
access {profile demo-access-profile client * {ike {allowed-proxy-pair {remote 172.16.2.0/24 local 172.16.1.0/24; #N-2 <==>
#N-1remote 172.16.3.0/24 local 172.16.1.0/24; #N-3 <==>
#N-1}pre-shared-key {ascii-text keyfordynamicpeers;}interface-id demo-ipsec-interface-id;}}}services {service-set demo-service-set {next-hop-service {inside-service-interface sp-1/0/0.1;outside-service-interface sp-1/0/0.2;}ipsec-vpn-options {local-gateway 10.1.1.1;}ike-access-profile demo-ike-access-profile;}}
| Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly. |
interfaces {sp-0/0/0 {unit 0 {family inet;}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}unit 3 {family inet;service-domain inside;dial-options {ipsec-interface-id demo-ipsec-interface-id;mode shared;}}}}# VRF configuration, if not inet.0routing-instances {demo-vrf {instance-type vrf;interface sp-0/0/0.1;interface sp-0/0/0.3;.....}}
The following results are obtained:
- Reverse routes injected after successful negotiation:demo-vrf.inet.0: .... # Routing instance172.11.0.0/24 *[Static/1].. > via sp-0/0/0.3172.12.0.0/24 *[Static/1].. > via sp-0/0/0.3
- Dynamic implicit rules created after successful negotiation:rule: junos-dynamic-rule-0term: term-0local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1remote-gateway-address: 10.2.2.2 #Tunnel termination address on SG-2source-address : 172.16.1.0/24destination-address : 172.16.2.0/24ipsec-inside-interface: sp-0/0/0.3term: term-1local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1remote-gateway-address: 10.3.3.3 #Tunnel termination address on SG-3source-address : 172.16.1.0/24destination-address : 172.16.3.0/24ipsec-inside-interface: sp-0/0/0.3match-direction: input
