
Configuring IPsec Manual Security Associations

To configure a manual security association (SA) in a Services Router, you must configure an IPsec-VPN rule and specify all the parameters required for the security association: the authentication and encryption algorithms, the protocol, the security parameter index (SPI), and the authentication and encryption keys. These parameters must be configured on the Services Routers at both tunnel endpoints. The sample configuration in Table 29 configures a manual SA that applies to all inbound traffic on a Services Router.

Repeat the same procedure to define another rule for outbound traffic with the same parameters. Configure a manual SA with the same parameters, authentication and encryption keys, and security parameter index (SPI) on the Services Router at the other endpoint of the tunnel.

To configure a manual SA:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 29.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify that IPsec is configured correctly, see Verifying the IPsec Tunnel Configuration.

Table 29: Configuring IPsec Manual SAs

Each task below is listed with its steps in the J-Web configuration editor and in the CLI configuration editor.

Task: Navigate to the Services>Ipsec vpn level in the configuration hierarchy.

J-Web Configuration Editor:

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Services, click Configure or Edit.
  3. Next to Ipsec vpn, click Configure.

CLI Configuration Editor:

From the [edit] hierarchy level, enter

    edit services ipsec-vpn

Task: Configure a rule—for example, manualSARule—that applies to all incoming traffic.

J-Web Configuration Editor:

  1. Next to Rule, click Add new entry.
  2. In the Rule name box, type manualSARule.
  3. In the Match direction box, select input.

CLI Configuration Editor:

Enter

    set rule manualSARule match-direction input

Task: Configure a term—for example, manualSATerm—for the rule, and the remote gateway for the IPsec tunnel—for example, 10.90.90.1.

J-Web Configuration Editor:

  1. Next to Term, click Add new entry.
  2. In the Term name box, type manualSATerm.
  3. Next to Then, select the check box, and click Configure.
  4. In the Remote gateway box, type 10.90.90.1.

CLI Configuration Editor:

  1. Enter

    edit rule manualSARule

  2. Enter

    set term manualSATerm then remote-gateway 10.90.90.1

Task: Configure the manual SA, and specify the direction of traffic to which the SA is applicable—for example, bidirectional.

J-Web Configuration Editor:

  1. In the Sa choice box, select Manual.
  2. Next to Manual, click Configure.
  3. Next to Direction, click Add new entry.
  4. In the Direction box, select bidirectional.

CLI Configuration Editor:

  1. Enter

    edit term manualSATerm then

  2. Enter

    set manual direction bidirectional

Task: Configure the security parameter index (SPI)—for example, 1024—and the IPsec protocol—for example, esp.

J-Web Configuration Editor:

  1. In the Spi box, type 1024.
  2. In the Protocol box, select esp.

CLI Configuration Editor:

  1. Enter

    edit manual direction bidirectional

  2. Enter

    set spi 1024 protocol esp

Task: Configure the authentication algorithm—for example, hmac-md5-96—and an authentication key—for example, juniper—to be used while establishing the manual SA.

J-Web Configuration Editor:

  1. Next to Authentication, click Configure.
  2. In the Algorithm box, select hmac-md5-96.
  3. Next to Key, click Configure.
  4. In the Key choice box, select Ascii text.
  5. In the Ascii text box, type juniper.
  6. Click OK until you return to the Direction page.

CLI Configuration Editor:

Enter

    set authentication algorithm hmac-md5-96 key ascii-text juniper

Task: Configure an encryption algorithm—for example, 3des-cbc—and an encryption key—for example, juniper123.

J-Web Configuration Editor:

  1. Next to Encryption, click Configure.
  2. In the Algorithm box, select 3des-cbc.
  3. Next to Key, click Configure.
  4. In the Key choice box, select Ascii text.
  5. In the Ascii text box, type juniper123.
  6. Click OK until you return to the Ipsec vpn page.

CLI Configuration Editor:

Enter

    set encryption algorithm 3des-cbc key ascii-text juniper123
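
A manual SA is configured statically, so nothing negotiates or reports a mismatch between the inbound rule, the outbound rule, and the remote endpoint. The Python check below is an added example, not part of the original documentation: it compares the SA parameters across every rule on both routers and names any field that differs without echoing key values. It assumes each router's planned configuration is available as full-path `set` lines (the page's relative commands joined with their `edit` levels) with keys in plaintext as typed; the function names and the `sample` helper are constructed for illustration.

```python
import re

# Statements pulled from each rule. Per the page, all of them except
# match-direction must be identical in every rule on both endpoints.
FIELDS = {
    "match-direction": r" match-direction (\S+)",
    "sa-direction": r" manual direction (\S+)",
    "spi": r" spi (\d+)",
    "protocol": r" protocol (\S+)",
    "auth-algorithm": r" authentication algorithm (\S+)",
    "auth-key": r" authentication (?:algorithm \S+ )?key \S+ (\S+)",
    "enc-algorithm": r" encryption algorithm (\S+)",
    "enc-key": r" encryption (?:algorithm \S+ )?key \S+ (\S+)",
}
RULE = re.compile(r"\s*set services ipsec-vpn rule (\S+)(.*)")

def parse(config):
    """Map rule name -> {field: value} from full-path 'set' lines."""
    rules = {}
    for line in config.splitlines():
        if m := RULE.match(line):
            for name, pattern in FIELDS.items():
                if hit := re.search(pattern, m.group(2)):
                    rules.setdefault(m.group(1), {})[name] = hit.group(1)
    return rules

def audit(endpoints):
    """endpoints: {router: config text}. Returns a list of findings."""
    findings, reference = [], None
    for router, config in endpoints.items():
        rules = parse(config)
        seen = {p.get("match-direction") for p in rules.values()}
        findings += [f"{router}: no {d} rule" for d in ("input", "output") if d not in seen]
        for rule, params in rules.items():
            sa = {f: params.get(f) for f in FIELDS if f != "match-direction"}
            reference = reference or sa
            # Name the differing field only; never echo key material.
            findings += [f"{router}/{rule}: {f} differs" for f in sa if sa[f] != reference[f]]
    return findings

def sample(rule, direction, spi="1024"):
    """Constructed input: the page's example values in full-path form."""
    sa = f"set services ipsec-vpn rule {rule} term manualSATerm then manual direction bidirectional"
    return "\n".join([
        f"set services ipsec-vpn rule {rule} match-direction {direction}",
        f"{sa} spi {spi} protocol esp",
        f"{sa} authentication algorithm hmac-md5-96 key ascii-text juniper",
        f"{sa} encryption algorithm 3des-cbc key ascii-text juniper123",
    ])
```

The remote gateway is left out of the comparison because each endpoint points at the other, so that value is expected to differ.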

