[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring Next-Hop Service Sets

On the Services Router, you create service sets that define IPSec-specific information to configure IPSec. When you configure a service set for IPSec, you must configure:

This configuration allows you to set the remote gateway address and perform IKE validation on all incoming traffic through the IPSec tunnel.

The sample service set configuration in Table 36 configures the IPSec service set ipsec-dynamic, sets the local gateway to 10.90.90.2, sets the inside services interface to sp-0/0/0.1001, sets the outside services interface (facing the remote IPSec site) to sp-0/0/0.2001, and configures the service set to use the IPSec rule ipsec-dynamic-rule defined in Table 34.

The IPSec configuration also includes an IPSec proposal and policy, which this sample configuration does not demonstrate. If you do not explicitly configure an IPSec proposal and policy, the default values are used.

To configure interface service sets:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 36.
  3. If you are finished configuring the router, commit the configuration.
  4. Go on to the optional task Configuring a NAT Pool.
  5. To check the configuration, see Verifying the IPSec Tunnel Configuration.

Table 36: Configuring Interface Service Sets

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Services level in the configuration hierarchy.
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Services, click Configure or Edit.

From the [edit] hierarchy level, enter

edit services

Configure the service set ipsec-dynamic.
  1. Next to Service set, click Add new entry.
  2. In the Service set name box, type ipsec-dynamic.
  3. Click OK.

Enter

set service-set ipsec-dynamic

Configure the IP address of the local gateway for the IPSec service set to the local tunnel endpoint—for example, 10.1.15.1.
  1. In the Service set list, click ipsec-dynamic.
  2. Next to Ipsec vpn options, click Configure.
  3. In the Local gateway box, type 10.1.15.1.
  4. Click OK.

Enter

set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1

Configure the next-hop service set for the IPSec tunnel.

You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, the J-Web interface uses the following values:

  • For the inside-service interface—sp-0/0/0.1001
  • For the outside-service interface—sp-0/0/0.2001
  1. In the Service type choice box, select Next hop service from the list.
  2. Next to Next hop service, click Configure.
  3. In the Inside service interface box, type sp-0/0/0.1001.
  4. In the Outside service interface box, type sp–0/0/0.2001.
  5. Click OK.
  1. Enter

    set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001

  2. Enter

    set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001

Apply the IPsec rule ipsec-dynamic-rule to all traffic through the service set.
  1. In the Ipsec vpn rules choice box, select Ipsec vpn rules.
  2. Next to Ipsec vpn rules, click Add new entry.
  3. In the Rule name box, type ipsec-dynamic-rule.
  4. Click OK.

Enter

set service-set ipsec-dynamic ipsec-vpn-rules ipsec-dynamic-rule

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]