rule rule-name term term-name from] hierarchy level. For more information about IPsec
configuration, see Configuring IPsec Rules.
IKE Addresses in VRF Instances
You can configure Internet Key Exchange (IKE) gateway IP addresses that are present
in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through
the VRF instance.
For next-hop service sets, the key management process (kmd) places the IKE packets
in the routing instance that contains the outside-service-interface value you specify, as
in this example:
routing-instances vrf-nxthop {
    instance-type vrf;
    interface si-0/0/0.2;
    ...
}
services service-set service-set-1 {
    next-hop-service {
        inside-service-interface si-0/0/0.1;
        outside-service-interface si-0/0/0.2;
    }
    ...
}
For interface service sets, the service-interface statement determines the VRF, as in this
example:
routing-instances vrf-intf {
    instance-type vrf;
    interface si-0/0/0.3;
    interface ge-1/2/0.1; # interface on which service set is applied
    ...
}
services service-set service-set-2 {
    interface-service {
        service-interface si-0/0/0.3;
    }
    ...
}
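The VRF selection described above can be checked offline against a saved configuration, which helps confirm that IKE for each service set uses the routing instance through which the peer is reachable. The following Python is an added example, not code from the guide; it assumes the abbreviated statement paths used on this page, and service-set-3, the sample text, and the function names are hypothetical.

```python
import re

# Constructed sample: the page's two examples in compact form, plus a
# hypothetical service-set-3 whose service interface is in no routing instance.
SAMPLE = """
routing-instances vrf-nxthop { instance-type vrf; interface si-0/0/0.2; }
routing-instances vrf-intf { instance-type vrf; interface si-0/0/0.3; interface ge-1/2/0.1; }
services service-set service-set-1 {
    next-hop-service { inside-service-interface si-0/0/0.1; outside-service-interface si-0/0/0.2; }
}
services service-set service-set-2 { interface-service { service-interface si-0/0/0.3; } }
services service-set service-set-3 { interface-service { service-interface si-0/0/0.9; } }
"""

def parse(text):
    """Parse brace-style config into nested dicts; leaf statements map to None."""
    text = re.sub(r"#[^\n]*|\.\.\.", "", text)  # drop comments and "..." elisions
    root = {}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":    # open a block named by the words collected so far
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":  # end of a leaf statement
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root

def ike_vrf_by_service_set(text):
    """Map each service set to the routing instance holding the interface that selects the VRF."""
    cfg = parse(text)
    owner = {}  # interface name -> routing instance name
    for key, body in cfg.items():
        if key.startswith("routing-instances "):
            for stmt in body:
                if stmt.startswith("interface "):
                    owner[stmt.split()[1]] = key.split()[1]
    selectors = ("outside-service-interface ", "service-interface ")
    result = {}
    for key, body in cfg.items():
        if key.startswith("services service-set "):
            leaves = [s for sub in body.values() if sub for s in sub]
            ifname = next((s.split()[1] for s in leaves if s.startswith(selectors)), None)
            result[key.split()[2]] = owner.get(ifname)  # None: no VRF in this text
    return result
```

A None result means the selecting interface is not listed under any routing instance in the text supplied, so that service set deserves a manual look before the tunnel is trusted to come up in the intended VRF.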
Configuring IKE Access Profiles for IPsec Service Sets
For dynamic endpoint tunneling only, you need to reference the IKE access profile
configured at the [edit access] hierarchy level. To do this, include the ike-access-profile
statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy
level:
[edit services service-set service-set-name ipsec-vpn-options]
ike-access-profile profile-name;
The ike-access-profile statement must reference the same name as the profile statement
you configured for IKE access at the [edit access] hierarchy level. You can reference only
Copyright © 2017, Juniper Networks, Inc.
ACX Series Universal Access Router Configuration Guide