To configure an IPsec tunnel on a VPRN tunnel interface

Note: Availability of some parameters varies depending on the NE and release; see the NE documentation for more information.

Steps
 

1

Choose Manage→Service→Services from the NFM-P main menu. The Manage Services form opens.


2

Select a VPRN service and click Properties. The VPRN Service (Edit) form opens.


3

Click on the Interfaces tab. The TMS Interfaces tab is displayed.


4

Click on the Tunnel Interfaces tab.


5

Choose a tunnel interface and click Properties. The Tunnel Interface (Edit) form opens.


6

Click on the IPsec Tunnels tab.

Note: The IPsec Tunnels tab is displayed only when a port is assigned to the tunnel interface.


7

Click Create. The IPsec Tunnel (Create) form opens.


8

Configure the required parameters.


9

Select a security policy in the Security Policy ID panel.

To ensure that multiple tunnels are not created with the same security policy, enable the Strict Match parameter.

Note: The Strict Match parameter must be set at the same time as the Security Policy ID.


10 

Configure the required parameters in the Tunnel Endpoints panel.


11 

Configure the required parameters in the IP Fragmentation panel.


12 

Configure the required parameters in the ICMPv6 Generation panel.


13 

If you set the Keying parameter to Dynamic in Step 8, configure dynamic keying.

Use the following steps:

  1. Click on the Dynamic Keying tab.

  2. Select an IPsec transform in the Transform ID 1 to Transform ID 4 panels.

  3. Select an IKE policy in the IKE Policy panel.

  4. Configure the Pre-shared Key and Auto-Establish parameters.

  5. Configure the parameters in the Local ID panel.

    Note:

    The parameters in the Local ID panel, and the Certificate File and Key File parameters, are configurable when IKEv2 is specified in the IKE policy associated with the tunnel, and the Authorization Method is set to Certificate Authentication.

  6. To specify a single certificate trust anchor, certificate file, and key file where available:
    1. Configure the Certificate File and Key File parameters.

    2. Click Select beside the Certificate Trust Anchor parameter to select a CA profile.

    Note:

    If there is a problem with the Certificate File or the Key File after the tunnel becomes administratively up, the Invalid Certificate File or Invalid Key File operational indicators are enabled on the States tab, and the NFM-P raises an alarm.

  7. To specify multiple certificate trust anchors, certificate files, and key files, click Select beside the Trust Anchor Profile and Certificate Profile parameters to select the appropriate profiles.

    Note:

    If there is a problem with a Certificate File or Key File after the tunnel becomes administratively up, the Invalid Certificate File or Invalid Key File operational indicators are enabled on the States tab, and the NFM-P raises an alarm.


14 

If you set the Keying parameter to Manual in Step 8, configure manual keying.

Use the following steps:

  1. Click on the Manual Keying tab.

  2. Click Create. The IPsec Security Association (Create) form opens.

  3. Select a security policy entry in the Security Policy Entry panel.

  4. Configure the required parameters.

  5. Select a transform policy in the Transform panel.

  6. Save your changes and close the form.


15 

Configure BFD.

Use the following steps:

  1. Click on the BFD tab.

  2. Configure the required parameters.

  3. Select a BFD service in the BFD Service panel.

  4. Select an interface in the Interface panel.

  5. Configure the Destination Address parameter.


16 

Click on the States tab.


17 

Configure the Administrative State parameter.


18 

Configure static tunnel destination IP addresses.

Use the following steps:

  1. Click on the Dest-IP Addresses tab and click Create. The IPsec Tunnel Dest-IP Address (Create) form opens.

  2. Configure the required parameters.

  3. Save your changes and close the form.


19 

Save your changes and close the forms.

End of steps