Configuring Service Sets
To use dynamic SAs on the Services Router, you must create service
sets to define the following information for IPSec service:
- The local gateway. If the IKE gateway IP address is in a VPN routing
and forwarding (VRF) instance, you must configure the routing instance.
  You can configure Internet Key Exchange (IKE) gateway IP addresses that are
  present in a VPN routing and forwarding (VRF) instance as long as the peer is
  reachable through the VRF instance. For next-hop service sets, the key
  management process (kmd) places the IKE packets in the routing instance that
  contains the outside-service-interface value you specify. For interface
  service sets, the services interface (the interface on which the service set
  is applied) determines the VRF.
- A next-hop service set that defines which services interface to
use for all inside-service next hops and all outside-service next hops (traffic
inside the network and outside the network). Alternatively, you can create
an interface service set that defines the services interface to be used for
all IPSec traffic.
- An IPSec rule to act on input traffic, set the remote gateway
on all traffic, and reference an IKE policy.
This configuration allows you to set the remote gateway address and
perform IKE validation on all incoming traffic through the IPSec tunnel.
To configure a service set, you must complete the following tasks:
Configuring a Local Gateway
The sample service set configuration in Table 36 configures the IPSec service set ipsec-dynamic and
sets the local gateway to 10.90.90.2.
To configure a local gateway for the service set:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 36.
- Go on to one of the following:
Table 36: Configuring a Local Gateway
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the Services level in the configuration hierarchy. | 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to Services, click Configure or Edit. | From the [edit] hierarchy level, enter: edit services |
| Configure the service set ipsec-dynamic. | 1. Next to Service set, click Add new entry. 2. In the Service set name box, type ipsec-dynamic. 3. Click OK. | Enter: set service-set ipsec-dynamic |
| Configure the IP address of the local gateway for the IPSec service set to the local tunnel endpoint (for example, 10.1.15.1). | 1. In the Service set list, click ipsec-dynamic. 2. Next to Ipsec vpn options, click Configure. 3. In the Local gateway box, type 10.1.15.1. 4. Click OK until you return to the Services page. | Enter: set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1 |
Configuring Next-Hop Services Interfaces
The sample next-hop configuration in Table 37 adds
the next-hop services interfaces to the IPSec service set ipsec-dynamic created
in Table 36. This sample next-hop configuration
sets the inside services interface to sp-0/0/0.1001, and sets the
outside services interface (facing the remote IPSec site) to sp-0/0/0.2001.
To configure next-hop services interfaces:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 37.
- Go on to Applying IPSec Rule to Service Sets.
Table 37: Configuring Next-Hop Services Interfaces
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the Services level in the configuration hierarchy. | 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to Services, click Configure or Edit. | From the [edit] hierarchy level, enter: edit services |
| Configure the next-hop service set for the IPSec tunnel. You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, the J-Web interface uses the following values: for the inside-service interface, sp-0/0/0.1001; for the outside-service interface, sp-0/0/0.2001. | 1. In the Service set list, click ipsec-dynamic. 2. In the Service type choice box, select Next hop service from the list. 3. Next to Next hop service, click Configure. 4. In the Inside service interface box, type sp-0/0/0.1001. 5. In the Outside service interface box, type sp-0/0/0.2001. 6. Click OK until you return to the Services page. | 1. Enter: set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001 2. Enter: set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001 |
Configuring Interface Service Sets
The sample interface service set configuration in Table 38 adds
the interface service-set configuration to the IPSec service set ipsec-dynamic created
in Table 36. This sample interface service-set
configuration sets the services interface sp-0/0/0.
To configure interface service sets:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 37.
- Go on to Applying IPSec Rule to Service Sets.
Table 38: Configuring Interface Service Sets
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the Services level in the configuration hierarchy. | 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to Services, click Configure or Edit. | From the [edit] hierarchy level, enter: edit services |
| Configure the interface service set and specify sp-0/0/0 as the services interface to be used for IPSec traffic. | 1. In the Service set list, click ipsec-dynamic. 2. In the Service type choice box, select Interface service from the list. 3. Next to Interface service, click Configure. 4. In the Service interface box, type sp-0/0/0. 5. Click OK until you return to the Services page. | Enter: set service-set ipsec-dynamic interface-service service-interface sp-0/0/0 |
Applying IPSec Rule to Service Sets
The sample configuration in Table 39 configures
the service set ipsec-dynamic configured in Table 36 to
use the IPSec rule ipsec-dynamic-rule defined in Table 34.
To apply an IPSec rule to a service set:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 39.
- If you are finished configuring the router, commit the
configuration.
- Go on to the optional task Configuring a NAT Pool.
- To check the configuration, see Verifying the IPSec Tunnel Configuration.
Table 39: Applying IPSec Rule to Service Sets
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the Services level in the configuration hierarchy. | 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to Services, click Configure or Edit. | From the [edit] hierarchy level, enter: edit services |
| Apply the IPsec rule ipsec-dynamic-rule to all traffic through the service set. | 1. In the Service set list, click ipsec-dynamic. 2. In the Ipsec vpn rules choice box, select Ipsec vpn rules. 3. Next to Ipsec vpn rules, click Add new entry. 4. In the Rule name box, type ipsec-dynamic-rule. 5. Click OK. | Enter: set service-set ipsec-dynamic ipsec-vpn-rules ipsec-dynamic-rule |
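A pre-commit check for the service-set tasks above, as an added example that is not part of the original documentation: it parses set commands as they are entered under [edit services] and flags a service set that lacks a local gateway, an applied IPSec rule, or a services interface, that mixes the next-hop and interface styles the page presents as alternatives, or whose next-hop interfaces lack a unit number. The sample input and the service-set name ipsec-broken are constructed for illustration.

```python
import re

# Constructed sample input: the page's commands as typed after "edit services",
# plus a hypothetical, deliberately inconsistent service set "ipsec-broken".
SAMPLE = """\
set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1
set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001
set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001
set service-set ipsec-dynamic ipsec-vpn-rules ipsec-dynamic-rule
set service-set ipsec-broken next-hop-service inside-service-interface sp-0/0/0
set service-set ipsec-broken interface-service service-interface sp-0/0/0
"""
HAS_UNIT = re.compile(r"^\S+\.\d+$")  # interface name followed by .<unit>

def parse(text):
    """Collect {service-set name: {statement path: value}} from set commands."""
    sets = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[:2] == ["set", "service-set"]:
            sets.setdefault(tok[2], {})[" ".join(tok[3:-1])] = tok[-1]
    return sets

def audit(text):
    """Return {service-set name: [findings]}; an empty list means complete."""
    report = {}
    for name, cfg in parse(text).items():
        issues = report[name] = []
        if "ipsec-vpn-options local-gateway" not in cfg:
            issues.append("no local gateway")
        if "ipsec-vpn-rules" not in cfg:
            issues.append("no IPSec rule applied")
        next_hop = any(k.startswith("next-hop-service ") for k in cfg)
        interface = "interface-service service-interface" in cfg
        if next_hop and interface:
            issues.append("both next-hop and interface service configured")
        elif not (next_hop or interface):
            issues.append("no services interface")
        for side in ("inside", "outside") if next_hop else ():
            value = cfg.get(f"next-hop-service {side}-service-interface")
            if value is None:
                issues.append(f"missing {side}-service-interface")
            elif not HAS_UNIT.match(value):
                issues.append(f"{side}-service-interface {value} has no unit number")
    return report

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, issues or "OK")
```

Run against the page's own commands, the service set ipsec-dynamic produces no findings.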