The essential difference between the two configurations is the change in the match
direction and the static routes’ next hop, pointing to either the NAT engine’s inside or
outside interface.
Related
Documentation
Network Address Translation Overview on page 999•
• Network Address Port Translation Overview on page 1001
• IPsec for ACX Series Overview on page 1087
• Enabling Inline Services Interface on ACX Series on page 1008
• Understanding Service Sets on page 1028
• Service Filters in ACX Series on page 1035
• Network Address Translation Address Overload in ACX Series on page 1001
• Network Address Translation Rules Overview on page 1004
• Configuring Service Sets for Network Address Translation on page 1030
• Configuring Queuing and Scheduling on Inline Services Interface on page 1040
Configuring IPsec Service Sets
IPsec service sets require additional specifications that you configure at the [edit services
service-set service-set-name ipsec-vpn-options] hierarchy level:
[edit services service-set service-set-name ipsec-vpn-options]
anti-replay-window-size bits;
ike-access-profile profile-name;
local-gateway (address | interface);
no-anti-replay;
Configuration of these statements is described in the following sections:
•
Configuring the Local Gateway Address for IPsec Service Sets on page 1095
•
Configuring IKE Access Profiles for IPsec Service Sets on page 1096
•
Configuring or Disabling Antireplay Service on page 1097
Configuring the Local Gateway Address for IPsec Service Sets
If you configure an IPsec service set, you must configure a local-gateway statement by
either configuring a local IPv4 address or a logical interface.
If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation),
you configure the following statement:
local-gateway (address | interface) ;
You can configure all the link-type tunnels that share the same local gateway address
in a single next-hop-style service set. The value you specify for the inside-service-interface
statement at the [edit services service-set service-set-name] hierarchy level need not
match the ipsec-inside-interface value, which you configure at the [editservicesipsec-vpn
1095Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec
To Next Page
Loading...
Need help?
General
