
Option: Configuring Multiple Routed Tunnels in a Single Next-Hop Service Set

To save you time and simplify your configurations, an enhancement to the JUNOS Software enables you to configure several routed IPSec tunnels within a single next-hop service set. To configure, establish multiple services interfaces as inside interfaces by including the service-domain inside statement at the [edit interfaces sp-fpc/pic/port unit logical-unit-number] hierarchy level. Then, include the ipsec-inside-interface statement at the [edit services ipsec-vpn rule rule-name term term-name from] hierarchy level.

Note: The full IPSec and IKE proposals and policies are not shown in the following example for the sake of brevity. For more information on proposals and policies, see Configuring IKE Dynamic SAs.

[edit]
interfaces {
    sp-3/3/0 {
        unit 3 {
            family inet;
            service-domain inside;
        }
        unit 4 {
            family inet;
            service-domain outside;
        }
        unit 5 {
            family inet;
            service-domain inside;
        }
    }
}
services {
    service-set link_type_ss_1 {
        next-hop-service {
            inside-service-interface sp-3/3/0.3;
            outside-service-interface sp-3/3/0.4;
        }
        ipsec-vpn-options {
            local-gateway 10.8.7.2;
        }
        ipsec-vpn-rules link_rule_1;
    }
    ipsec-vpn {
        rule link_rule_1 {
            term 1 {
                from {
                    ipsec-inside-interface sp-3/3/0.3;
                }
                then {
                    remote-gateway 10.10.7.3;
                    backup-remote-gateway 10.8.7.1;
                    dynamic {
                        ike-policy main_mode_ike_policy;
                        ipsec-policy dynamic_ipsec_policy;
                    }
                }
            }
            term 2 {
                from {
                    ipsec-inside-interface sp-3/3/0.5;
                }
                then {
                    remote-gateway 10.12.7.5;
                    dynamic {
                        ike-policy main_mode_ike_policy;
                        ipsec-policy dynamic_ipsec_policy;
                    }
                }
            }
            match-direction input;
        }
    }
}

To confirm that your configuration is working, issue the show services ipsec-vpn ipsec security-associations command. Each IPSec inside interface that you assigned to a tunnel appears in the output of this command, so you can match every term of the rule to the tunnel it established.


user@router> show services ipsec-vpn ipsec security-associations
Service set: link_type_ss_1

  Rule: link_rule_1, Term: 1, Tunnel index: 1
  Local gateway: 10.8.7.2, Remote gateway: 10.8.7.1
  IPSec inside interface: sp-3/3/0.3
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   3216392497  0           tunnel     dynamic  ESP
    outbound  398917249   0           tunnel     dynamic  ESP

  Rule: link_rule_1, Term: 2, Tunnel index: 2
  Local gateway: 10.8.7.2, Remote gateway: 10.12.7.5
  IPSec inside interface: sp-3/3/0.5
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   762146783   0           tunnel     dynamic  ESP
    outbound  319191515   0           tunnel     dynamic  ESP
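As an added example that is not part of Juniper's documentation, the following Python script parses the show output above and checks each configured term against its expected inside interface, gateways and SA pair. The expected values are transcribed from the configuration on this page and the sample output is the page's own; a remote gateway equal to the configured backup-remote-gateway is reported, since that means the primary peer is not the one in use.

```python
import re

# Expected (inside interface, remote-gateway, backup-remote-gateway) per term, from the config above.
EXPECTED = {
    ("link_rule_1", "1"): ("sp-3/3/0.3", "10.10.7.3", "10.8.7.1"),
    ("link_rule_1", "2"): ("sp-3/3/0.5", "10.12.7.5", None),
}

# Sample output copied from the show command above (column header lines omitted).
SAMPLE_OUTPUT = """\
  Rule: link_rule_1, Term: 1, Tunnel index: 1
  Local gateway: 10.8.7.2, Remote gateway: 10.8.7.1
  IPSec inside interface: sp-3/3/0.3
    inbound   3216392497  0           tunnel     dynamic  ESP
    outbound  398917249   0           tunnel     dynamic  ESP
  Rule: link_rule_1, Term: 2, Tunnel index: 2
  Local gateway: 10.8.7.2, Remote gateway: 10.12.7.5
  IPSec inside interface: sp-3/3/0.5
    inbound   762146783   0           tunnel     dynamic  ESP
    outbound  319191515   0           tunnel     dynamic  ESP
"""

def parse_sas(text):
    # Group the output by (rule, term): gateways, inside interface, SPI per direction.
    tunnels, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Rule: (\S+), Term: (\S+),", line):
            cur = tunnels.setdefault((m[1], m[2]), {"spi": {}})
        elif m := re.match(r"\s*Local gateway: (\S+), Remote gateway: (\S+)", line):
            cur["local"], cur["remote"] = m[1], m[2]
        elif m := re.match(r"\s*IPSec inside interface: (\S+)", line):
            cur["inside"] = m[1]
        elif m := re.match(r"\s*(inbound|outbound)\s+(\d+)\s", line):
            cur["spi"][m[1]] = int(m[2])
    return tunnels

def check_tunnels(text, expected=EXPECTED):
    # Return findings; an empty list means every configured term has the SAs expected.
    findings, tunnels = [], parse_sas(text)
    for key, (inside, remote, backup) in expected.items():
        if (t := tunnels.get(key)) is None:
            findings.append(f"{key}: no SA, tunnel not established")
            continue
        if t.get("inside") != inside:
            findings.append(f"{key}: inside interface {t.get('inside')} != configured {inside}")
        for d in {"inbound", "outbound"} - set(t["spi"]):
            findings.append(f"{key}: missing {d} SA")
        if t.get("remote") != remote:  # backup-remote-gateway in use: the primary peer is not the one up
            why = "backup-remote-gateway in use" if t.get("remote") == backup else "unexpected"
            findings.append(f"{key}: remote gateway {t.get('remote')} ({why})")
    return findings
```

Running check_tunnels(SAMPLE_OUTPUT) reports only that term 1 is on its backup gateway 10.8.7.1, exactly as the output above shows.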

Published: 2010-04-15