
Configuring IPSec Service Sets

The next-hop service set defines which services interface to use for all inside-service next hops and all outside-service next hops (traffic inside the network and outside the network). The unit numbers used to define the next-hop interfaces must match exactly the unit numbers used in the interfaces configuration.

When you configure an IPSec service set, you must also configure the local gateway. You then configure an IPSec rule to set the remote gateway on all traffic, configure a security association (SA) with a static IKE key, and configure another rule to act on input traffic. This configuration allows you to set the remote gateway address and perform IKE validation on all incoming traffic through the IPSec tunnel.

Finally, you apply the entire service set.

To configure IPSec service sets:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 29.
  3. Go on to Configuring an IPSec Stateful Firewall Filter Rule.

Table 29: Configuring IPSec Service Sets

Task: Configure the next-hop service set for the IPSec tunnel.

Use any unique string for the service set name.

You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, J-Web Quick Configuration uses the following values:

  • For the inside-service interface—sp-0/0/0.1001
  • For the outside-service interface—sp-0/0/0.2002

J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services.
  2. Next to Service sets, click Add new entry.
  3. In the Service set name box, type the name of the service set.
  4. In the Service type choice box, select Next hop service from the list.
  5. In the Nested configuration box, click Next hop service.
  6. In the Inside service interface box, type sp-0/0/0.1001.
  7. Click OK.
  8. In the Nested configuration box, click Next hop service.
  9. In the Outside service interface box, type sp-0/0/0.2002.
  10. Click OK.

CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services

  2. Set the inside-service interface:

    set service-set service-set-name next-hop-service inside-service-interface sp-0/0/0.1001

  3. Set the outside-service interface:

    set service-set service-set-name next-hop-service outside-service-interface sp-0/0/0.2002

Task: Configure the IP address of the local gateway for the IPSec service set to the local tunnel endpoint—for example, 1.1.1.1.

J-Web Configuration Editor:

  1. Next to Ipsec vpn options, click Configure.
  2. In the Local gateway box, type 1.1.1.1.

CLI Configuration Editor:

Set the local gateway address for the service set:

    set service-set service-set-name ipsec-vpn-options local-gateway 1.1.1.1

Task: Configure IPSec rules to set the IP address of the remote gateway—for example, 2.2.2.2—on all traffic.

Use any unique string for the rule name.

Because the rule applies to all traffic, you need to configure only the action (the then statement) for the term; no match conditions are required. Use any unique string for the term name.

J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Ipsec-vpn.
  2. Next to Rule, click Add new entry.
  3. In the Rule name box, type the name of the rule.
  4. Next to the term, click Add new entry.
  5. In the Term name box, type the name of the term.
  6. To configure an action, click Then.
  7. In the Remote gateway box, type 2.2.2.2.
  8. Click OK.

CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn

  2. Configure a rule with a term that sets the remote gateway to 2.2.2.2:

    set rule rule-name term term-name then remote-gateway 2.2.2.2

Task: Configure a security association with a static IKE key.

The IKE key is a preshared key and must be configured exactly the same way at both the local and remote endpoints of the IPSec tunnel.

The IKE key is configured in an IKE policy and then applied to the rule's term with the dynamic statement. Use any unique string for the IKE policy name.

J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, select Services>Ipsec-vpn>Ike.
  2. Next to Policy, click Add new entry.
  3. In the Name box, type the name of the IKE policy.
  4. Click Pre-shared key.
  5. In the Key choice box, select Ascii text from the list.
  6. In the Ascii text box, type the IKE key in plain text.
  7. Click OK.
  8. Navigate to the IPSec rule configured previously. From the top of the configuration hierarchy, click Services>Ipsec-vpn>Rule>rule-name>Term>term-name>Then.
  9. Click Dynamic.
  10. In the Ike-policy box, type the name of the IKE policy you configured.
  11. Click OK.

CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn ike

  2. Configure the IKE pre-shared key in ASCII text format:

    set policy policy-name pre-shared-key ascii-text ike-key

  3. Navigate to the IPSec rule configured previously. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn rule rule-name term term-name then

  4. Configure a dynamic security association that applies the IKE policy:

    set dynamic ike-policy policy-name

Task: Configure the IPSec rule so that it acts on input traffic.

J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Ipsec-vpn>Rule>rule-name.
  2. In the Match direction box, select Input from the list.
  3. Click OK.

CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services ipsec-vpn rule rule-name

  2. Set the match direction for the rule:

    set match-direction input

Task: Apply the IPSec rule to all traffic through the previously configured service set.

J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Service-set>service-set-name.
  2. In the Ipsec vpn rules choice box, select Ipsec vpn rules from the list.
  3. Next to Ipsec vpn rules, click Add new entry.
  4. In the Rule name box, type the name of the previously configured IPSec rule.
  5. Click OK.

CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services service-set service-set-name

  2. Apply the IPSec rule previously configured:

    set ipsec-vpn-rules rule-name
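The steps in Table 29 only work together if every reference resolves: the next-hop interface units must exist in the interfaces configuration, the local gateway must be set, the rule applied with ipsec-vpn-rules must be defined with a match direction, and the term's dynamic statement must point at an IKE policy that actually carries a pre-shared key. The following Python script is an added example (not part of the Juniper documentation) that checks exactly those cross-references over a listing of set commands before you commit. The listing it checks is constructed for this example and mirrors the CLI steps above, with assumed names (service set ipsec-ss, rule ipsec-rule, term t1, IKE policy ike-pol) and an assumed interfaces stanza; the pre-shared key is a placeholder.

```python
"""Consistency check for a JUNOS IPSec next-hop service-set configuration.

Added example: parses `set ...` commands and verifies the cross-references the
procedure in Table 29 relies on. The sample listing is constructed, not taken
from a device; all names in it are assumptions.
"""
import shlex
from collections import defaultdict

# Constructed sample mirroring the CLI steps. Assumed names: service set
# "ipsec-ss", rule "ipsec-rule", term "t1", IKE policy "ike-pol". The two
# interfaces lines are an assumption as well; the procedure only requires the
# unit numbers of the next-hop interfaces to match the interfaces configuration.
SAMPLE_CONFIG = """
set interfaces sp-0/0/0 unit 1001 family inet
set interfaces sp-0/0/0 unit 2002 family inet
set services service-set ipsec-ss next-hop-service inside-service-interface sp-0/0/0.1001
set services service-set ipsec-ss next-hop-service outside-service-interface sp-0/0/0.2002
set services service-set ipsec-ss ipsec-vpn-options local-gateway 1.1.1.1
set services service-set ipsec-ss ipsec-vpn-rules ipsec-rule
set services ipsec-vpn rule ipsec-rule term t1 then remote-gateway 2.2.2.2
set services ipsec-vpn rule ipsec-rule term t1 then dynamic ike-policy ike-pol
set services ipsec-vpn rule ipsec-rule match-direction input
set services ipsec-vpn ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK-REPLACE-ME"
"""


def parse_set_commands(text):
    """Split the listing into token lists, one per `set` command (leading `set` dropped)."""
    cmds = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)  # shlex keeps the quoted key as one token
        if toks[0] != "set":
            raise ValueError(f"not a set command: {line}")
        cmds.append(toks[1:])
    return cmds


def build_model(cmds):
    """Collect the objects the procedure cross-references into one dict."""
    model = {
        "units": set(),                                   # e.g. "sp-0/0/0.1001"
        "service_sets": defaultdict(dict),                # name -> settings
        "rules": defaultdict(lambda: {"match_direction": None, "terms": defaultdict(dict)}),
        "ike_policies": defaultdict(lambda: {"has_key": False}),
    }
    for t in cmds:
        if t[:1] == ["interfaces"] and len(t) >= 4 and t[2] == "unit":
            model["units"].add(f"{t[1]}.{t[3]}")
        elif t[:2] == ["services", "service-set"]:
            ss, rest = model["service_sets"][t[2]], t[3:]
            if rest[:2] == ["next-hop-service", "inside-service-interface"]:
                ss["inside"] = rest[2]
            elif rest[:2] == ["next-hop-service", "outside-service-interface"]:
                ss["outside"] = rest[2]
            elif rest[:2] == ["ipsec-vpn-options", "local-gateway"]:
                ss["local_gateway"] = rest[2]
            elif rest[:1] == ["ipsec-vpn-rules"]:
                ss.setdefault("rules", []).append(rest[1])
        elif t[:3] == ["services", "ipsec-vpn", "rule"]:
            rule, rest = model["rules"][t[3]], t[4:]
            if rest[:1] == ["match-direction"]:
                rule["match_direction"] = rest[1]
            elif rest[:1] == ["term"]:
                term = rule["terms"][rest[1]]
                if rest[2:4] == ["then", "remote-gateway"]:
                    term["remote_gateway"] = rest[4]
                elif rest[2:5] == ["then", "dynamic", "ike-policy"]:
                    term["ike_policy"] = rest[5]
        elif t[:4] == ["services", "ipsec-vpn", "ike", "policy"]:
            if t[5:6] == ["pre-shared-key"]:
                model["ike_policies"][t[4]]["has_key"] = True
    return model


def check_config(text):
    """Return a list of problems; an empty list means every reference resolves."""
    m = build_model(parse_set_commands(text))
    problems = []
    for name, ss in m["service_sets"].items():
        for side in ("inside", "outside"):
            ifl = ss.get(side)
            if ifl is None:
                problems.append(f"service-set {name}: no {side}-service-interface")
            elif ifl not in m["units"]:  # unit number must match the interfaces config
                problems.append(f"service-set {name}: {side}-service-interface {ifl} has no matching unit under interfaces")
        if "local_gateway" not in ss:
            problems.append(f"service-set {name}: no local-gateway")
        rules = ss.get("rules", [])
        if not rules:
            problems.append(f"service-set {name}: no ipsec-vpn-rules applied")
        for r in rules:
            if r not in m["rules"]:
                problems.append(f"service-set {name}: ipsec-vpn-rules references undefined rule {r}")
    for name, rule in m["rules"].items():
        if rule["match_direction"] is None:
            problems.append(f"rule {name}: no match-direction")
        if not rule["terms"]:
            problems.append(f"rule {name}: no terms")
        for tname, term in rule["terms"].items():
            if "remote_gateway" not in term:
                problems.append(f"rule {name} term {tname}: no remote-gateway")
            pol = term.get("ike_policy")
            if pol is None:
                problems.append(f"rule {name} term {tname}: no dynamic ike-policy")
            elif pol not in m["ike_policies"] or not m["ike_policies"][pol]["has_key"]:
                problems.append(f"rule {name} term {tname}: ike-policy {pol} undefined or has no pre-shared-key")
    return problems


if __name__ == "__main__":
    issues = check_config(SAMPLE_CONFIG)
    print("OK: configuration is consistent" if not issues else "\n".join(issues))
```

Paste the output of `show configuration | display set` in place of SAMPLE_CONFIG to check a real candidate. The checker deliberately reports a unit mismatch (for example, unit 2001 configured under interfaces while the service set names sp-0/0/0.2002) as a distinct problem, because that is the mismatch the procedure's first step warns about and the one that is easiest to miss by eye.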
