To configure an IES or VPRN IPsec gateway

Note: Availability of some parameters varies depending on the NE and release; see the NE documentation for more information.

The parameters in the Local ID panel and the Certificate File and Key File parameters, if applicable, are configurable when IKEv2 is specified in the associated gateway IKE policy and the Authorization Method is set to Certificate Authentication.

Steps
 

1

Choose Manage→Service→Services from the NFM-P main menu. The Manage Services form opens.


2

Choose an IES or VPRN service and click Properties. The service properties form opens.


3

Click on the Interfaces tab, then on the L3 Access Interfaces tab.


4

Choose the L3 access interface on which you want to create the IPsec gateway and click Properties. The L3 Access Interface (Edit) form opens.

Note: The port configured on the L3 access interface must be a Tunnel Group SAP, which is the public-facing interface for an IPsec tunnel.


5

Click on the IPsec Gateway tab.


6

Click Create. The IPsec Gateway (Create) form opens.


7

Configure the required parameters.


8

To associate an IKE policy with the IPsec gateway, select an IKE policy in the IKE Policy panel.

Note: For the IPsec gateway administrative status to be set to “Up”, the associated IKE policy must have an IKE Transform policy configured on it.


9

To associate an IPsec tunnel template with the IPsec gateway, select an IPsec tunnel template in the IPsec Tunnel Template panel.


10 

To associate an IPsec client database with the IPsec gateway, select an IPsec client database in the IPsec Client DataBase panel.


11 

Select the far-end VPRN service site of the tunnel in the Secure Service Id panel.


12 

Select the tunnel interface of the far-end site in the Tunnel Interface Name panel.


13 

Configure the Local Gateway Address parameter.


14 

Configure the parameters in the Local ID panel.


15 

Configure the parameters in the Certificate panel as needed.

  1. To specify a single CA to use as a trust anchor, click Select beside the Certificate Trust Anchor parameter and select a certificate trust anchor.

  2. To specify multiple certificates and CAs, click Select beside the Trust Anchor Profile and Certificate Profile parameters, and select the appropriate profiles.

Note: If there is a problem with a Certificate File or Key File after the tunnel becomes administratively up, the Invalid Certificate File or Invalid Key File operational indicators are enabled on the States tab, and the NFM-P raises an alarm.


16 

Select a RADIUS authentication policy in the Radius Authentication Policy panel.


17 

Select a RADIUS accounting policy in the Radius Accounting Policy panel.


18 

Click on the States tab and configure the Administrative State parameter.


19 

Associate a traffic selector list with the IPsec gateway.

Use the following steps:

  1. Click on the Traffic Selector Negotiation tab.

  2. Click Create. The Traffic Selector Negotiation (Create) form opens.

  3. Select a traffic selector policy in the Traffic Selector Policy panel.

  4. Save your changes and close the form.


20 

On IES and VPRN L3 access interface IPsec gateways, you can lease a local IP address from a pool in a local DHCPv4 or DHCPv6 server defined in the VPRN routing instance or NE base routing instance. To lease an IP address from an external DHCP server, see Step 21.

To configure the local address assignment for the IKEv2 remote access tunnel on an IES or VPRN L3 access interface IPsec gateway:

  1. Click on the Local Address Assignment tab.

  2. Configure the Administrative State parameter.

  3. Select the DHCP server name in the IPv4 and IPv6 panels.

    Note:

    After the tunnel is established and the address is leased, you can view the lease on the Leases tab on the Local DHCP Server (Edit) form. On the VPRN Site (Edit) form, click on the RADIUS/DHCP/Diameter tab and select the required DHCPv4 server to open the Local DHCP Server (Edit) form. You can filter the leases by choosing IPsec from the Client Type column header.

    On the NE base routing instance, navigate to Routing→NE→Routing Instance, right click and choose Properties. Click on the Local DHCP Servers tab.

    See To configure a local DHCPv4 server on a VPRN site and To configure a local DHCPv6 server on a VPRN site for information about configuring a local DHCPv4 or DHCPv6 server on a VPRN site. See To configure a local DHCPv4 server on a routing instance and To configure a local DHCPv6 server on a routing instance for information about configuring a local DHCPv4 or DHCPv6 server on a base routing instance.


21 

Lease an IP address for the IPsec gateway from an external DHCPv4 server.

Use the following steps:

  1. Click on the DHCP Address Assignment tab and click Create. The Internal DHCPv4 Address Assignment form opens.

  2. Configure the Gi Address and either the Router or Service ID parameters.

  3. Specify up to eight DHCPv4 servers in the DHCP Servers panel.

  4. Save and close the form.


22 

Lease an IP address for the IPsec gateway from an external DHCPv6 server.

Use the following steps:

  1. Click on the DHCPv6 Address Assignment tab and click Create. The Internal DHCPv6 Address Assignment form opens.

  2. Configure the Link Address and either the Router or Service ID parameters.

  3. Specify up to eight DHCPv6 servers in the DHCP Servers panel.

  4. Save and close the form.


23 

Close the forms.

End of steps
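
The note in Step 15 says that a faulty Certificate File or Key File shows up as operational indicators and an alarm after the tunnel is administratively up. The following added example (not part of the NFM-P documentation or NE software) checks the pair offline beforehand with OpenSSL; it assumes PEM-encoded files and an unencrypted key on a workstation, and the function name check_gateway_cert is hypothetical.

```shell
#!/bin/sh
# Added example, not NFM-P or NE code.
# Usage: check_gateway_cert gw.pem gw.key [trust-anchor.pem]
# Assumptions: PEM-encoded inputs, unencrypted private key, OpenSSL installed.
#
# Return codes:
#   0 ok                      4 key does not match certificate
#   2 certificate unreadable  5 certificate expired
#   3 key unreadable          6 certificate does not chain to the anchor

check_gateway_cert() {
    cert=$1
    key=$2
    anchor=${3:-}

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "unreadable certificate: $cert"; return 2; }

    # Public key derived from the private key. The empty -passin value
    # makes an encrypted key fail immediately instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "unreadable key: $key"; return 3; }

    # The two must be identical, otherwise the files are not a pair.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 4; }

    # -checkend 0 fails if the certificate is already past notAfter.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 5; }

    # Optional: verify the chain against the CA chosen as trust anchor.
    if [ -n "$anchor" ]; then
        openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1 ||
            { echo "certificate does not chain to trust anchor"; return 6; }
    fi

    echo "ok"
}
```
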