one access profile in each service set. This profile is used to negotiate IKE and IPsec
security associations with dynamic peers only.
NOTE: If you configure an IKE access profile in a service set, no other service
set can share the same local-gateway address.
Also, you must configure a separate service set for each VRF. All interfaces
referenced by the ipsec-inside-interface statement within a service set must
belong to the same VRF.
Configuring or Disabling Antireplay Service
You can include the anti-replay-window-size statement at the [edit services service-set
service-set-name ipsec-vpn-options] hierarchy level to specify the size of the antireplay
window.
anti-replay-window-size bits;
This statement is useful for dynamic endpoint tunnels for which you cannot configure
the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term
term-name then] hierarchy level.
For static IPsec tunnels, this statement sets the antireplay window size for all the static
tunnels within this service set. If a particular tunnel needs a specific antireplay window
size, set the anti-replay-window-size statement at the [edit services ipsec-vpn
rule rule-name term term-name then] hierarchy level. If the antireplay check must be disabled
for a particular tunnel in this service set, set the no-anti-replay statement at the [edit
services ipsec-vpn rule rule-name term term-name then] hierarchy level.
NOTE: The anti-replay-window-size and no-anti-replay settings at the [edit
services ipsec-vpn rule rule-name term term-name then] hierarchy level override
the settings specified at the [edit services service-set service-set-name
ipsec-vpn-options] hierarchy level.
You can also include the no-anti-replay statement at the [edit services service-set
service-set-name ipsec-vpn-options] hierarchy level to disable the IPsec antireplay service,
which occasionally causes interoperability issues for security associations.
no-anti-replay;
This statement is useful for dynamic endpoint tunnels for which you cannot configure
the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name
then] hierarchy level.
For static IPsec tunnels, this statement disables the antireplay check for all the tunnels
within this service set. If the antireplay check must be enabled for a particular tunnel,
set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name
term term-name then] hierarchy level.
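Putting the two hierarchy levels together, as an added illustration that is not taken from the Juniper documentation: the service set supplies a default window for every static tunnel it carries (and for dynamic endpoint tunnels), one term raises the window for its own tunnel, and another term disables the check. The service-set, rule and term names, the addresses and the ms- interface units are constructed, and the IKE/IPsec policy and next-hop-service statements a working tunnel also needs are omitted.

```junos
services {
    service-set vpn-ss1 {
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
            /* default for every static tunnel in this service set and for dynamic endpoint tunnels */
            anti-replay-window-size 512;
        }
        ipsec-vpn-rules vpn-rule1;
    }
    ipsec-vpn {
        rule vpn-rule1 {
            term t1 {
                from {
                    ipsec-inside-interface ms-1/0/0.1;
                }
                then {
                    remote-gateway 198.51.100.2;
                    /* rule-level value overrides the service-set setting for this tunnel only */
                    anti-replay-window-size 4096;
                }
            }
            term t2 {
                from {
                    ipsec-inside-interface ms-1/0/0.2;
                }
                then {
                    remote-gateway 198.51.100.3;
                    /* antireplay check disabled for this tunnel only; other terms still inherit 512 */
                    no-anti-replay;
                }
            }
            match-direction input;
        }
    }
}
```

After commit, the window actually applied to each SA can be checked with show services ipsec-vpn ipsec security-associations detail (assumed here to report the antireplay state per SA).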
1097 Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec