[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring Service Sets

To use dynamic SAs on the Services Router, you must create service sets to define the following information for IPsec service:

The local gateway. If the IKE gateway IP address is in a VPN routing and forwarding (VRF) instance, you must configure the routing instance.

Note: You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance. For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify. For interface service sets, the services interface (the interface on which the service set is applied) determines the VRF.

A next-hop service set that defines which services interface to use for all inside-service next hops and all outside-service next hops (traffic inside the network and outside the network). Alternatively, you can create an interface service set that defines the services interface to be used for all IPsec traffic.
An IPsec rule to act on input traffic, set the remote gateway on all traffic, and reference an IKE policy.

This configuration allows you to set the remote gateway address and perform IKE validation on all incoming traffic through the IPsec tunnel.

To configure a service set, you must complete the following tasks:

Configure a gateway. See Configuring a Local Gateway
Define a services interface. See either of the following tasks:
- Configuring Next-Hop Services Interfaces
- Configuring Interface Service Sets
Apply a rule. See Applying IPsec Rules to Service Sets

The sample service set configuration in Table 36 configures the IPsec service set ipsec-dynamic and sets the local gateway to 10.90.90.2.

To configure a local gateway for the service set:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 36.
Go on to one of the following:
- Configuring Next-Hop Services Interfaces
- Configuring Interface Service Sets

Table 36: Configuring a Local Gateway

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Services level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit.	From the [edit] hierarchy level, enter edit services
Configure the service set ipsec-dynamic.	Next to Service set, click Add new entry. In the Service set name box, type ipsec-dynamic. Click OK.	Enter set service-set ipsec-dynamic
Configure the IP address of the local gateway for the IPsec service set to the local tunnel endpoint—for example, 10.1.15.1.	In the Service set list, click ipsec-dynamic. Next to Ipsec vpn options, click Configure. In the Local gateway box, type 10.1.15.1. Click OK until you return to the Services page.	Enter set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Services level in the configuration hierarchy.

In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
Next to Services, click Configure or Edit.

From the [edit] hierarchy level, enter

edit services

Configure the service set ipsec-dynamic.

Next to Service set, click Add new entry.
In the Service set name box, type ipsec-dynamic.
Click OK.

Enter

set service-set ipsec-dynamic

Configure the IP address of the local gateway for the IPsec service set to the local tunnel endpoint—for example, 10.1.15.1.

In the Service set list, click ipsec-dynamic.
Next to Ipsec vpn options, click Configure.
In the Local gateway box, type 10.1.15.1.
Click OK until you return to the Services page.

Enter

set service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1

The sample next-hop configuration in Table 37 adds the next-hop services interfaces to the IPsec service set ipsec-dynamic created in Table 36. This sample next-hop configuration sets the inside services interface to sp-0/0/0.1001, and sets the outside services interface (facing the remote IPsec site) to sp-0/0/0.2001.

To configure next-hop services interfaces:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 37.
Go on to Applying IPsec Rules to Service Sets.

Table 37: Configuring Next-Hop Services Interfaces

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Services level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit.	From the [edit] hierarchy level, enter edit services
Configure the next-hop service set for the IPsec tunnel. You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, the J-Web interface uses the following values: For the inside-service interface—sp-0/0/0.1001 For the outside-service interface—sp-0/0/0.2001	In the Service set list, click ipsec-dynamic. In the Service type choice box, select Next hop service from the list. Next to Next hop service, click Configure. In the Inside service interface box, type sp-0/0/0.1001. In the Outside service interface box, type sp–0/0/0.2001. Click OK until you return to the Services page.	Enter set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001 Enter set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Services level in the configuration hierarchy.

In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
Next to Services, click Configure or Edit.

From the [edit] hierarchy level, enter

edit services

Configure the next-hop service set for the IPsec tunnel.

You must include an interface name and unit number for the inside-service interface and the outside-service interface. By default, the J-Web interface uses the following values:

For the inside-service interface—sp-0/0/0.1001
For the outside-service interface—sp-0/0/0.2001

In the Service set list, click ipsec-dynamic.
In the Service type choice box, select Next hop service from the list.
Next to Next hop service, click Configure.
In the Inside service interface box, type sp-0/0/0.1001.
In the Outside service interface box, type sp–0/0/0.2001.
Click OK until you return to the Services page.

Enter
set service-set ipsec-dynamic next-hop-service inside-service-interface sp-0/0/0.1001
Enter
set service-set ipsec-dynamic next-hop-service outside-service-interface sp-0/0/0.2001

The sample interface service set configuration in Table 38 adds the interface service-set configuration to the IPsec service set ipsec-dynamic created in Table 36. This sample interface service-set configuration sets the services interface sp-0/0/0.

To configure interface service sets:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 38.
Go on to Applying IPsec Rules to Service Sets.

Table 38: Configuring Interface Service Sets

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Services level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit.	From the [edit] hierarchy level, enter edit services
Configure the interface service set and specify sp-0/0/0 as the services interface to be used for IPsec traffic.	In the Service set list, click ipsec-dynamic. In the Service type choice box, select Interface service from the list. Next to Interface service, click Configure. In the Service interface box, type sp-0/0/0. Click OK until you return to the Services page.	Enter set service-set ipsec-dynamic interface-service service-interface sp-0/0/0

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Services level in the configuration hierarchy.

In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
Next to Services, click Configure or Edit.

From the [edit] hierarchy level, enter

edit services

Configure the interface service set and specify sp-0/0/0 as the services interface to be used for IPsec traffic.

In the Service set list, click ipsec-dynamic.
In the Service type choice box, select Interface service from the list.
Next to Interface service, click Configure.
In the Service interface box, type sp-0/0/0.
Click OK until you return to the Services page.

Enter

set service-set ipsec-dynamic interface-service service-interface sp-0/0/0

The sample configuration in Table 39 configures the service set ipsec-dynamic configured in Table 36 to use the IPsec rule ipsec-dynamic-rule defined in Table 34.

To apply an IPsec rule to a service set:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 39.
If you are finished configuring the router, commit the configuration.
Go on to the optional task Configuring a NAT Pool.
To check the configuration, see Verifying the IPsec Tunnel Configuration.

Table 39: Applying IPsec Rules to Service Sets

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Services level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit.	From the [edit] hierarchy level, enter edit services
Apply the IPsec rule ipsec-dynamic-rule to all traffic through the service set.	In the Service set list, click ipsec-dynamic. In the Ipsec vpn rules choice box, select Ipsec vpn rules. Next to Ipsec vpn rules, click Add new entry. In the Rule name box, type ipsec-dynamic-rule. Click OK.	Enter set service-set ipsec-dynamic ipsec-vpn-rules ipsec-dynamic-rule

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Services level in the configuration hierarchy.

In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
Next to Services, click Configure or Edit.

From the [edit] hierarchy level, enter

edit services

Apply the IPsec rule ipsec-dynamic-rule to all traffic through the service set.

In the Service set list, click ipsec-dynamic.
In the Ipsec vpn rules choice box, select Ipsec vpn rules.
Next to Ipsec vpn rules, click Add new entry.
In the Rule name box, type ipsec-dynamic-rule.
Click OK.

Enter

set service-set ipsec-dynamic ipsec-vpn-rules ipsec-dynamic-rule

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]