[an error occurred while processing this directive][an error occurred while processing this directive]

Example: Configuring Statically Assigned Tunnels

Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:

[edit interfaces]so-0/0/0 {no-keepalives;encapsulation cisco-hdlc;unit 0 {family inet {address 10.6.6.6/32;}}}so-2/2/0 {description "teller so-0/2/0";no-keepalives;encapsulation cisco-hdlc;unit 0 {family inet {address 10.21.1.1/16;}}}sp-3/1/0 {unit 0 {family inet {address 10.7.7.7/32;}}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}}[edit policy-options]policy-statement vpn-export {then {community add vpn-comm;accept;}}policy-statement vpn-import {term a {from community vpn-comm;then accept;}}community vpn-comm members target:100:20;[edit routing-instances]vrf {instance-type vrf;interface sp-3/1/0.1; # Inside sp interfaceinterface so-0/0/0.0;route-distinguisher 192.168.0.1:1;vrf-import vpn-import;vrf-export vpn-export;routing-options {static {route 10.0.0.0/0 next-hop so-0/0/0.0;route 10.11.11.1/32 next-hop so-0/0/0.0;route 10.8.8.1/32 next-hop sp-3/1/0.1;}}}[edit services]ipsec-vpn {rule rule-1 {term term-1 {then {remote-gateway 10.21.2.1;dynamic {ike-policy ike-policy;}}}match-direction input;}ike {policy ike-policy {pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";}}}service-set service-set-1 {ipsec-vpn {local-gateway 10.21.1.1;}ipsec-vpn-rules rule-1;next-hop-service {inside-service-interface sp-3/1/0.1;outside-service-interface sp-3/1/0.2;}}

Following is an example for configuring multiple link-type tunnels to static peers using a single next-hop style service set:

services ipsec-vpn {rule demo-rule {term term-0 {from {ipsec-inside-interface sp-0/0/0.1;}then {remote-gateway 10.2.2.2;dynamic {ike-policy demo-ike-policy;}}}term term-1 {from {ipsec-inside-interface sp-0/0/0.3;}then {remote-gateway 10.3.3.3;dynamic {ike-policy demo-ike-policy;}}}}match-direction input;}services {service-set demo-service-set {next-hop-service {inside-service-interface sp-0/0/0.1;outside-service-interface sp-0/0/0.2;}ipsec-vpn-options {local-gateway 10.1.1.1;}ipsec-rules demo-rule;}}interfaces sp-0/0/0 {unit 0 {family inet;}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}unit 3 {family inet;service-domain inside;}unit 4 {family inet;service-domain inside;}}

Published: 2010-04-28

[an error occurred while processing this directive]