
Configuring IPSec

To configure IPSec on the Services Router, you create service sets that define IPSec-specific information. When you configure a service set for IPSec, you must configure:

This configuration allows you to set the remote gateway address and perform IKE validation on all incoming traffic through the IPSec tunnel.

The sample service set configuration in Table 31 configures the IPSec service set ipsec-dynamic, sets the local gateway to 10.1.15.1, sets the inside services interface to sp-0/0/0.1001, sets the outside services interface (facing the remote IPSec site) to sp-0/0/0.2001, and configures the service set to use the IPSec rule ike-rule defined in Table 29.

The IPSec configuration also includes an IPSec proposal and policy, which this sample configuration does not demonstrate. If you do not explicitly configure an IPSec proposal and policy, the default values are used.

To configure IPSec:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 31.
  3. If you are finished configuring the router, commit the configuration.
  4. Go on to any of the following optional tasks:
  5. To check the configuration, see Verifying the IPSec Tunnel Configuration.

Table 31: Configuring IPSec

Task: Navigate to the Services level in the configuration hierarchy.

J-Web Configuration Editor:

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Services, click Configure or Edit.

CLI Configuration Editor:

From the [edit] hierarchy level, enter

    edit services

Task: Configure the service set ipsec-dynamic.

J-Web Configuration Editor:

  1. Next to Service set, click Add new entry.
  2. In the Service set name box, type ipsec-dynamic.
  3. Click OK.

CLI Configuration Editor:

Enter

    set service-set ipsec-dynamic

Task: Configure the IP address of the local gateway for the IPSec service set to the local tunnel endpoint—for example, 10.1.15.1.

J-Web Configuration Editor:

  1. In the Service set list, click ipsec-dynamic.
  2. Next to Ipsec vpn options, click Configure.
  3. In the Local gateway box, type 10.1.15.1.
  4. Click OK.

CLI Configuration Editor:

Enter

    set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1

Task: Configure the next-hop service set for the IPSec tunnel.

You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, the J-Web interface uses the following values:

  • For the inside-service interface—sp-0/0/0.1001
  • For the outside-service interface—sp-0/0/0.2001

J-Web Configuration Editor:

  1. In the Service type choice box, select Next hop service from the list.
  2. Next to Next hop service, click Configure.
  3. In the Inside service interface box, type sp-0/0/0.1001.
  4. In the Outside service interface box, type sp-0/0/0.2001.
  5. Click OK.

CLI Configuration Editor:

  1. Enter

    set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001

  2. Enter

    set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001

Task: Apply the IPSec rule ike-rule to all traffic through the service set.

J-Web Configuration Editor:

  1. In the Ipsec vpn rules choice box, select Ipsec vpn rules.
  2. Next to Ipsec vpn rules, click Add new entry.
  3. In the Rule name box, type ike-rule.
  4. Click OK.

CLI Configuration Editor:

Enter

    set service-set ipsec-dynamic ipsec-vpn-rules ike-rule
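The following check is an added example, not part of the original documentation or of any Juniper tool. It audits service sets for the items Table 31 configures: a local gateway, inside and outside service interfaces that each carry a unit number, and an applied IPSec rule. It assumes the input is in the form printed by show configuration services | display set; the function names and the second service set (ipsec-draft) are hypothetical.

```python
import ipaddress
import re

# Interface name plus unit number, e.g. sp-0/0/0.1001 (the page requires both).
IFACE_UNIT = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")

def parse_service_sets(display_set_text):
    """Collect per-service-set values from 'set services service-set ...' lines."""
    sets = {}
    for line in display_set_text.splitlines():
        words = line.split()
        if words[:3] != ["set", "services", "service-set"] or len(words) < 4:
            continue
        entry = sets.setdefault(words[3], {"rules": []})
        rest = words[4:]
        if rest[:2] == ["ipsec-vpn-options", "local-gateway"] and len(rest) == 3:
            entry["local-gateway"] = rest[2]
        elif rest[:1] == ["next-hop-service"] and len(rest) == 3:
            entry[rest[1]] = rest[2]
        elif rest[:1] == ["ipsec-vpn-rules"] and len(rest) == 2:
            entry["rules"].append(rest[1])
    return sets

def audit_service_set(name, entry):
    """Return a list of findings; an empty list means nothing is missing."""
    findings = []
    try:
        ipaddress.ip_address(entry.get("local-gateway", ""))
    except ValueError:
        findings.append(f"{name}: local-gateway missing or not an IP address")
    for side in ("inside", "outside"):
        value = entry.get(f"{side}-service-interface", "")
        if not IFACE_UNIT.match(value):
            findings.append(f"{name}: {side}-service-interface needs name and unit")
    if not entry["rules"]:
        findings.append(f"{name}: no ipsec-vpn-rules applied")
    return findings

# Constructed sample: the page's values plus a hypothetical incomplete set.
SAMPLE = """\
set services service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1
set services service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001
set services service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001
set services service-set ipsec-dynamic ipsec-vpn-rules ike-rule
set services service-set ipsec-draft next-hop-service inside-service-interface sp-0/0/0
"""

if __name__ == "__main__":
    for name, entry in parse_service_sets(SAMPLE).items():
        print(name, audit_service_set(name, entry) or "OK")
```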
