To configure an IES or VPRN IPsec gateway
Note: Availability of some parameters varies depending on the NE and release; see the NE documentation for more information.
The parameters in the Local ID panel and the Certificate File and Key File parameters, if applicable, are configurable when IKEv2 is specified in the associated gateway IKE policy and the Authorization Method is set to Certificate Authentication.
Steps
1. Choose Manage→Service→Services from the NFM-P main menu. The Manage Services form opens.
2. Choose an IES or VPRN service and click Properties. The service properties form opens.
3. Click on the Interfaces tab, then on the L3 Access Interfaces tab.
4. Choose the L3 access interface on which you want to create the IPsec gateway and click Properties. The L3 Access Interface (Edit) form opens.
   Note: The port configured on the L3 access interface must be a Tunnel Group SAP, which is the public-facing interface for an IPsec tunnel.
5. Click on the IPsec Gateway tab.
6. Click Create. The IPsec Gateway (Create) form opens.
7. Configure the required parameters.
8. To associate an IKE policy with the IPsec gateway, select an IKE policy in the IKE Policy panel.
   Note: For the IPsec Gateway administrative status to be set to “Up”, the associated IKE Policy must have an IKE Transform policy configured on it.
9. To associate an IPsec tunnel template with the IPsec gateway, select an IPsec tunnel template in the IPsec Tunnel Template panel.
10. To associate an IPsec client database with the IPsec gateway, select an IPsec client database in the IPsec Client DataBase panel.
11. Select the far-end VPRN service site of the tunnel in the Secure Service Id panel.
12. Select the tunnel interface of the far-end site in the Tunnel Interface Name panel.
13. Configure the Local Gateway Address parameter.
14. Configure the parameters in the Local ID panel.
15. Configure the parameters in the Certificate panel as needed.
   Note: If there is a problem with a Certificate File or Key File after the tunnel becomes administratively up, the Invalid Certificate File or Invalid Key File operational indicators are enabled on the States tab, and the NFM-P raises an alarm.
16. Select a RADIUS authentication policy in the Radius Authentication Policy panel.
17. Select a RADIUS accounting policy in the Radius Accounting Policy panel.
18. Click on the States tab and configure the Administrative State parameter.
19. Associate a traffic selector list with the IPsec gateway. Use the following steps:
20. On IES and VPRN L3 access interface IPsec gateways, you can lease a local IP address from a pool in a local DHCPv4 or DHCPv6 server defined in the VPRN routing instance or NE base routing instance. To lease an IP address from an external DHCP server, see Step 21. To configure the local address assignment for the IKEv2 remote access tunnel on an IES or VPRN L3 access interface IPsec gateway:
21. Lease an IP address for the IPsec gateway from an external DHCPv4 server. Use the following steps:
22. Lease an IP address for the IPsec gateway from an external DHCPv6 server. Use the following steps:
23. Close the forms.
End of steps