[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring IPSec Service Sets

The next-hop service set defines which services interface to use for all inside-service next hops and all outside-service next hops (traffic inside the network and outside the network). The unit numbers used to define the next-hop interfaces must match exactly the unit numbers used in the interfaces configuration.

When you configure an IPSec service set, you must also configure the local gateway. You then configure an IPSec rule to set the remote gateway on all traffic, configure a security association (SA) with a static IKE key, and configure another rule to act on input traffic. This configuration allows you to set the remote gateway address and perform IKE validation on all incoming traffic through the IPSec tunnel.

Finally, you apply the entire service set.

To configure IPSec service sets:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 105.
  3. Go on to Configuring an IPSec Stateful Firewall Filter Rule.

Table 105: Configuring IPSec Service Sets

Configure the next-hop service set for the IPSec tunnel.

  1. From the top of the configuration hierarchy, click Services.
  2. In the Service sets field, click Add new entry.
  3. In the Service set name field, type the name of the service set. The name can be any unique string.
  4. In the Service type choice field, select Next hop service from the list.
  5. In the Nested configuration field, click Next hop service.
  6. In the Inside service interface field, type the services interface, including unit number, for the inside-service interface—for example, sp-0/0/0.1001.
  7. Click OK.
  8. In the Nested configuration field, click Next hop service.
  9. In the Outside service interface field, type the services interface, including the unit number—for example, sp–0/0/0.2002.
  10. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services

  2. Set the inside-service interface:

    set service-set service-set-name next-hop-service inside-service-interface sp-0/0/0.1001

  3. Set the outside-service interface:

    set service-set service-set-name next-hop-service outside-service-interface sp-0/0/0.2001

Configure the local gateway for the IPSec service set.

  1. In the Ipsec vpn options field, click Configure.
  2. In the Local gateway box, type the IP address of the local tunnel endpoint, in dotted decimal notation—for example, 1.1.1.1.

Set the local gateway address for the service set:

set service-set service-set-name ipsec-vpn-options local-gateway 1.1.1.1

Configure IPSec rules to set the remote gateway on all traffic to 2.2.2.2.

Because the rule applies to all traffic, you must only configure the action (or then statement) for the term.

  1. From the top of the configuration hierarchy, click Services>Ipsec-vpn.
  2. In the Rule field, click Add new entry.
  3. In the Rule name field, type the name of the rule. The rule name can be any unique string.
  4. In the term field, click Add new entry.
  5. In the Term name field, type the name of the term. It can be any unique string.
  6. To configure an action, click Then.
  7. In the Remote gateway field, type the remote gateway address, in dotted decimal notation—for example, 2.2.2.2.
  8. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn

  2. Configure a rule with a term that sets the remote gateway to 2.2.2.2:

    set rule rule-name term term-name then remote-gateway 2.2.2.2

Configure an security association with a static IKE key.

The IKE key is a preshared key and must be configured exactly the same way at both the local and remote endpoints of the IPSec tunnel.

The IKE key is configured as ike policy and then applied using the dynamic statement.

  1. From the top of the configuration hierarchy, select Services>Ipsec-vpn>Ike.
  2. In the Policy field, click Add new entry.
  3. In the Name box, type the name of the IKE policy. It can be any unique string.
  4. Click Pre-shared key.
  5. In the Key choice field, select Ascii text from the list.
  6. In the Ascii text box, enter the IKE key in plain text.
  7. Click OK.
  8. Navigate to the IPSec rule configured previously. From the top of the configuration hierarchy, click Services>Ipsec-vp>rule-name >term term-name>then.
  9. Click Dynamic.
  10. In the Ike-policy box, type the name of the IKE policy you configured.
  11. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn ike

  2. Configure the IKE pre-shared key in ASCII text format:

    set policy policy-name pre-shared-key ascii-text ike-key

  3. Navigate to the IPSec rule configured previously. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn rule-name term term-name then.

  4. Configure a dynamic security association that applies the IKE policy:

    set dynamic ike-policy policy-name

Configure the IPSec rule so that it acts on input traffic.

  1. From the top of the configuration hierarchy, click Services>Ipsec-vpn>Rule> rule-name.
  2. In the Match direction field, select Input from the list.
  3. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn rule rule-name

  2. Set the match direction for the rule:

    set match-direction input

Apply the IPSec rule to all traffic through the previously configured service set.
  1. From the top of the configuration hierarchy, click Services>Service-set> service-set-name.
  2. In the Ipsec vpn rules choice field, select Ipsec vpn rules from the list.
  3. In the Ipsec vpn rules field, click Add new entry.
  4. In the Rule name box, type the name of the previously configured IPSec rule.
  5. Click OK.
  1. From the top of the configuration hierarchy, enter

    edit services service-set service-set-name

  2. Apply the IPSec rule previously configured:

    set ipsec-vpn-rules rule-name

[Contents] [Prev] [Next] [Index] [Report an Error]

[an error occurred while processing this directive]