
Configuring IPsec to Protect H.248 Messages or Mirrored Sessions in Tunnel Mode

Figure 1 shows a sample configuration that protects H.248 messages using IPsec tunnel mode.

Figure 1: Protecting H.248 Messages Using IPsec Tunnel Mode


To configure IPsec to protect H.248 messages as shown in Figure 1:

  1. Configure the service PIC that you want IPsec to use. IPsec can use the same service PIC that the BGF uses, or it can have a dedicated service PIC.

    Configure the logical interfaces that will be assigned to a service interface pool for traffic entering the IPsec tunnel and traffic leaving it. For example:

    [edit interfaces sp-3/3/0]
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
    }
    unit 20 {
        family inet;
    }
    unit 50 {
        description IPsec-tunnel-incoming;
        family inet;
    }
    unit 60 {
        description IPsec-tunnel-outgoing;
        family inet;
    }
    
  2. Create a service interface pool containing the logical interfaces for IPsec tunnel traffic.

    [edit services service-interface-pool pool ipsec-pool-1]
    interface sp-3/3/0.10;
    interface sp-3/3/0.20;
    interface sp-3/3/0.50;
    interface sp-3/3/0.60;

  3. Configure a service set that has the following characteristics:

    • Next-hop service that contains the service interface pool of the inside and outside interfaces that you configured for IPsec.
    • The local IP address for IPsec traffic.
    • The IPsec rule or rule set applied to the tunnel. This is a rule or rule set that you configure at the [edit services ipsec-vpn] hierarchy level.

    [edit services service-set ipsec-tunnel-for-bgf]
    next-hop-service {
        ;
        service-interface-pool ipsec-pool-1;
    }
    ipsec-vpn-options {
        local-gateway 192.168.10.1;
    }
    ipsec-vpn-rules rule-ike;

  4. Configure a static route to the gateway controller with the IPsec interface as the next hop. The gateway controller is the H.248 gateway; that is, the border gateway control (BCF).

    [edit routing-options]
    static {
        route 10.0.0.150/32 next-hop sp-3/3/0.50;
    }
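
The cross-references in steps 2 through 4 can be checked before commit: if the static route's next hop is not one of the pool interfaces the service set uses, H.248 traffic to the gateway controller is not steered into the IPsec tunnel. The following Python check is an added example, not Juniper code; it reads a constructed sample in this page's `[edit ...]` layout (with a deliberately mismatched pool name), and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in the page's "[edit ...]" layout. The service set
# deliberately references a pool name (int-pool-1) that is never defined.
SAMPLE = """\
[edit services service-interface-pool pool ipsec-pool-1]
interface sp-3/3/0.50;
interface sp-3/3/0.60;
[edit services service-set ipsec-tunnel-for-bgf]
next-hop-service {
    service-interface-pool int-pool-1;
}
[edit routing-options]
static {
    route 10.0.0.150/32 next-hop sp-3/3/0.50;
}
"""

def parse(text):
    """Collect pool members, pool references and static-route next hops."""
    pools, refs, hops, current = {}, [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[edit (.+)\]$", line)
        if m:  # a new hierarchy level; remember it only if it defines a pool
            pm = re.match(r"services service-interface-pool pool (\S+)$", m.group(1))
            current = pm.group(1) if pm else None
            if pm:
                pools.setdefault(current, set())
        elif current and (m := re.match(r"interface (\S+);$", line)):
            pools[current].add(m.group(1))
        elif (m := re.match(r"service-interface-pool (\S+);$", line)):
            refs.append(m.group(1))
        elif (m := re.match(r"route (\S+) next-hop (\S+);$", line)):
            hops.append((m.group(1), m.group(2)))
    return pools, refs, hops

def audit(text):
    """Return findings that would leave traffic outside the IPsec tunnel."""
    pools, refs, hops = parse(text)
    findings = [f"service set references undefined pool {r}"
                for r in refs if r not in pools]
    members = set().union(*(pools[r] for r in refs if r in pools))
    findings += [f"route {d} next hop {h} is not in a pool used by the service set"
                 for d, h in hops if h not in members]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```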
    

Published: 2010-04-13
