Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Supported Platforms

Example: Configuring Statically Assigned Tunnels

Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:

[edit interfaces]
so-0/0/0 {no-keepalives;encapsulation cisco-hdlc;unit 0 {family inet {address 10.6.6.6/32;}}}
so-2/2/0 {description "teller so-0/2/0";no-keepalives;encapsulation cisco-hdlc;unit 0 {family inet {address 10.21.1.1/16;}}}
sp-3/1/0 {unit 0 {family inet {address 10.7.7.7/32;}}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}}
[edit policy-options]
policy-statement vpn-export {then {community add vpn-comm;accept;}}
policy-statement vpn-import {term a {from community vpn-comm;then accept;}}
community vpn-comm members target:100:20;[edit routing-instances]
vrf {instance-type vrf;interface sp-3/1/0.1; # Inside sp interfaceinterface so-0/0/0.0;route-distinguisher 192.168.0.1:1;vrf-import vpn-import;vrf-export vpn-export;routing-options {static {route 10.0.0.0/0 next-hop so-0/0/0.0;route 10.11.11.1/32 next-hop so-0/0/0.0;route 10.8.8.1/32 next-hop sp-3/1/0.1;}}}
[edit services]
ipsec-vpn {rule rule-1 {term term-1 {then {remote-gateway 10.21.2.1;dynamic {ike-policy ike-policy;}}}match-direction input;}ike {policy ike-policy {pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";}}}
service-set service-set-1 {ipsec-vpn {local-gateway 10.21.1.1;}ipsec-vpn-rules rule-1;next-hop-service {inside-service-interface sp-3/1/0.1;outside-service-interface sp-3/1/0.2;}}

Following is an example for configuring multiple link-type tunnels to static peers using a single next-hop style service set:

services ipsec-vpn {rule demo-rule {term term-0 {from {ipsec-inside-interface sp-0/0/0.1;}then {remote-gateway 10.2.2.2;dynamic {ike-policy demo-ike-policy;}}}term term-1 {from {ipsec-inside-interface sp-0/0/0.3;}then {remote-gateway 10.3.3.3;dynamic {ike-policy demo-ike-policy;}}}}match-direction input;}
services {service-set demo-service-set {next-hop-service {inside-service-interface sp-0/0/0.1;outside-service-interface sp-0/0/0.2;}ipsec-vpn-options {local-gateway 10.1.1.1;}ipsec-rules demo-rule;}}
interfaces sp-0/0/0 {unit 0 {family inet;}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}unit 3 {family inet;service-domain inside;}unit 4 {family inet;service-domain inside;}}

Published: 2013-02-15

Supported Platforms

Published: 2013-02-15

Previous Page Next Page