To configure a Services Router to transport traffic across a secure IPsec connection, you can define the IPsec tunnel with security associations (SAs), services interfaces, IPsec tunnel endpoints, and IPsec rules to direct traffic to the tunnel.
In a network consisting of Services Routers, you can define manual SAs or dynamic SAs. Manual SAs require you to configure all security parameters of the security association, such as authentication and encryptions algorithms, encryptions keys, and the protocols, in the Services Routers at the tunnel endpoints. Dynamic SAs require you to configure the IKE protocol to manage the negotiation and exchange of encryption keys.
For a security association, you can optionally define NAT pools to hide IP addresses from the Internet.
This section contains the following topics: