Labs IPsec inline-service

acx1100 IPsec inline-service

Here, we’ll define the shared IPsec service configuration.
We’ll apply a single IKE/IPsec policy to all tunnels for simplicity—though in real-world deployments, this approach isn’t considered best practice and may not be feasible.

# enable tunnel-services (we will use it for IPsec/GRE)
set chassis fpc 0 pic 0 tunnel-services bandwidth 10g

# enable inline-services for IPsec
set chassis fpc 0 pic 0 inline-services bandwidth 10g

# service interface ipsec — any tunnel will use this dedicated interface unit
set interfaces si-0/0/0 unit 0 family inet

# common IKE policy “ike-pol”
set services ipsec-vpn ike proposal ike-prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-prop dh-group group2
set services ipsec-vpn ike proposal ike-prop authentication-algorithm sha1
set services ipsec-vpn ike proposal ike-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy ike-pol version 2
set services ipsec-vpn ike policy ike-pol proposals ike-prop

# IPsec pre-shared-key “1q2w3e” (all tunnels use the same PSK)
set services ipsec-vpn ike policy ike-pol pre-shared-key ascii-text "$9$AI04p1RhSeMLxlKoJGDmP"
set services ipsec-vpn establish-tunnels immediately

# common IPsec policy “ipsec-pol”
set services ipsec-vpn ipsec proposal ipsec-prop protocol esp
set services ipsec-vpn ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec-pol proposals ipsec-prop
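
An added example, not part of the original lab: a small Python check that parses the `set services ipsec-vpn` lines above and reports the settings a reviewer would question before reusing this configuration outside a lab. The config lines are copied from this page; the function name `audit` and the wording of the findings are assumptions of this example.

```python
import re

# Config lines copied from this page; audit() and its finding texts are this example's own.
PAGE_CONFIG = """\
set services ipsec-vpn ike proposal ike-prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-prop dh-group group2
set services ipsec-vpn ike proposal ike-prop authentication-algorithm sha1
set services ipsec-vpn ike proposal ike-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy ike-pol version 2
set services ipsec-vpn ike policy ike-pol proposals ike-prop
set services ipsec-vpn ike policy ike-pol pre-shared-key ascii-text "$9$AI04p1RhSeMLxlKoJGDmP"
set services ipsec-vpn ipsec proposal ipsec-prop protocol esp
set services ipsec-vpn ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec-pol proposals ipsec-prop
"""

MODP_BITS = {"group1": 768, "group2": 1024, "group5": 1536}  # MODP groups under 2048 bits
LINE = re.compile(r"^set services ipsec-vpn (ike|ipsec) (proposal|policy) (\S+) (.+)$")

def audit(config):
    """Return sorted (object, finding) pairs for a set-format ipsec-vpn configuration."""
    findings, psk_policies = set(), []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # comments, blank lines, unrelated statements
        proto, kind, name, rest = m.groups()
        obj = f"{proto} {kind} {name}"
        key, _, value = rest.partition(" ")
        if key == "dh-group" and value in MODP_BITS:
            findings.add((obj, f"{value} is a {MODP_BITS[value]}-bit MODP group"))
        elif key == "authentication-algorithm" and "sha1" in value:
            findings.add((obj, f"{value} relies on SHA-1"))
        elif key == "pre-shared-key":
            psk_policies.append(obj)
            if '"$9$' in value:
                findings.add((obj, "PSK stored in reversible $9$ form, handle config as secret"))
    if len(psk_policies) == 1:
        findings.add((psk_policies[0], "only IKE policy defined, tunnels using it share one PSK"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(PAGE_CONFIG):
        print(f"{obj}: {finding}")
```
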