The following are configuration tasks for an IKEv2 remote-access tunnel:
Create an ike-policy with one of the auth-methods that enables a remote-access tunnel (the example below uses cert-radius).
Configure a tunnel-template/ipsec-transform. This is the same as configuring a dynamic LAN-to-LAN tunnel.
Create a radius-authentication-policy and optionally, a radius-accounting-policy (a radius-server-policy and a radius-server must be preconfigured).
Configure a private VPRN service and private tunnel interface with an address on the interface. The internal address assigned to the client must come from the subnet on the private interface.
Configure a public IES/VPRN service and an ipsec-gw under the public tunnel SAP.
Configure the radius-authentication-policy and, optionally, the radius-accounting-policy under the ipsec-gw.
Configure the certificate-related objects (ca-profile, cert-profile, trust-anchor-profile) if a certificate-based authentication method such as cert-radius is used.
The following shows an example using cert-radius:
config>system>security>pki# info
----------------------------------------------
    ca-profile "NOKIA-ROOT" create
        cert-file "NOKIA-ROOT.cert"
        crl-file "NOKIA-ROOT.crl"
        no shutdown
    exit
----------------------------------------------
A:SeGW>config>aaa# info
----------------------------------------------
    radius-server-policy "femto-aaa" create
        servers
            router "management"
            server 1 name "svr-1"
        exit
    exit
----------------------------------------------
A:SeGW>config>router# info
----------------------------------------------
    radius-server
        server "svr-1" address 10.10.10.1 secret "KR35xB3W4aUXtL8o3WzPD." hash2 create
        exit
    exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
    ike-policy 1 create
        ike-version 2
        auth-method cert-radius
        ike-transform 1
    exit
    ipsec-transform 1 create
    exit
    ike-transform 1 create
    exit
    tunnel-template 1 create
        transform 1
    exit
    cert-profile "c1" create
        entry 1 create
            cert SeGW2.cert
            key SeGW2.key
        exit
        no shutdown
    exit
    trust-anchor-profile "tap-1" create
        trust-anchor "NOKIA-ROOT"
    exit
    radius-authentication-policy "femto-auth" create
        include-radius-attribute
            calling-station-id
            called-station-id
        exit
        password "DJzlyYKCefyhomnFcFSBuLZovSemMKde" hash2
        radius-server-policy "femto-aaa"
    exit
    radius-accounting-policy "femto-acct" create
        include-radius-attribute
            calling-station-id
            framed-ip-addr
        exit
        radius-server-policy "femto-aaa"
    exit
----------------------------------------------
config>service>ies# info
----------------------------------------------
    interface "pub" create
        address 172.16.100.0/31
        tos-marking-state untrusted
        sap tunnel-1.public:100 create
            ipsec-gw "rw"
                cert
                    trust-anchor-profile "tap-1"
                    cert-profile "c1"
                exit
                default-secure-service 400 interface "priv"
                default-tunnel-template 1
                ike-policy 1
                local-gateway-address 172.16.100.1
                radius-accounting-policy "femto-acct"
                radius-authentication-policy "femto-auth"
                no shutdown
            exit
        exit
    exit
    no shutdown
----------------------------------------------
A:SeGW>config>service>vprn# info
----------------------------------------------
    route-distinguisher 400:11
    interface "priv" tunnel create
        address 10.20.20.1/24
        sap tunnel-1.private:200 create
        exit
    exit
    interface "l1" create
        address 10.9.9.9/32
        loopback
    exit
    no shutdown
----------------------------------------------
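As an added consistency check, not part of the Nokia documentation or of SR OS itself, the following Python script applies the rules from the task list above to `info`-style configuration text: every object the `ipsec-gw` references (ike-policy, tunnel-template, radius-authentication-policy, cert-profile and trust-anchor-profile) must actually be created under `config>ipsec`, and an internal address handed to a client (for example a RADIUS Framed-IP-Address) must belong to the subnet of the private tunnel interface that `default-secure-service` names. The embedded configuration is a constructed sample modelled on the example above; the service headers (`ies 300`, `vprn 400`, `customer 1`), the client addresses `10.20.20.50` and `10.30.0.5`, the 4-space indentation and the `parse`/`find` helper names are assumptions of this example.

```python
"""Cross-reference check for an SR OS IKEv2 remote-access (ipsec-gw) config.
Added example, not Nokia code: parses indented 'info' output with a context
stack, verifies that the objects the ipsec-gw references are defined, and that
a RADIUS-assigned client address lies in the private tunnel interface subnet."""
import ipaddress
import re

# Constructed sample modelled on the page's cert-radius example. The service
# headers (ies 300, vprn 400, customer 1) are assumed; the page shows only bodies.
SAMPLE_CONFIG = """\
ipsec
    ike-policy 1 create
        auth-method cert-radius
    exit
    tunnel-template 1 create
    exit
    cert-profile "c1" create
    exit
    trust-anchor-profile "tap-1" create
    exit
    radius-authentication-policy "femto-auth" create
    exit
exit
service
    ies 300 customer 1 create
        interface "pub" create
            address 172.16.100.0/31
            sap tunnel-1.public:100 create
                ipsec-gw "rw"
                    cert
                        trust-anchor-profile "tap-1"
                        cert-profile "c1"
                    exit
                    default-secure-service 400 interface "priv"
                    default-tunnel-template 1
                    ike-policy 1
                    radius-authentication-policy "femto-auth"
                exit
            exit
        exit
    exit
    vprn 400 customer 1 create
        interface "priv" tunnel create
            address 10.20.20.1/24
        exit
    exit
exit
"""

def parse(text):
    """(path, line) pairs; path = enclosing context lines from 4-space indent."""
    stack, nodes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":  # 'exit' only closes a context
            continue
        del stack[(len(raw) - len(raw.lstrip())) // 4:]
        nodes.append((tuple(stack), line))
        stack.append(line)
    return nodes

def find(nodes, parent, pattern):
    """Group 1 of pattern for lines directly under a context whose first token is parent."""
    return {m.group(1) for path, line in nodes
            if path and path[-1].split()[0] == parent
            for m in [re.match(pattern, line)] if m}

REF_RULES = [  # (referencing context, keyword used there, object defined under ipsec)
    ("ipsec-gw", "ike-policy", "ike-policy"),
    ("ipsec-gw", "default-tunnel-template", "tunnel-template"),
    ("ipsec-gw", "radius-authentication-policy", "radius-authentication-policy"),
    ("cert", "trust-anchor-profile", "trust-anchor-profile"),
    ("cert", "cert-profile", "cert-profile"),
]

def dangling_references(nodes):
    """Referenced names with no matching '<object> <name> create' under ipsec."""
    missing = []
    for ref_ctx, keyword, obj in REF_RULES:
        have = find(nodes, "ipsec", rf"{obj} (\S+) create\b")
        for name in find(nodes, ref_ctx, rf"{keyword} (\S+)$"):
            if name not in have:
                missing.append(f"{keyword} {name}")
    return sorted(missing)

def private_subnet(nodes):
    """Subnet of the VPRN tunnel interface named by default-secure-service."""
    (target,) = find(nodes, "ipsec-gw", r'default-secure-service (\d+ interface "\S+")')
    svc, ifname = target.split(" interface ")
    for path, line in nodes:
        if (line.startswith("address ") and len(path) >= 2
                and path[-2].startswith(f"vprn {svc} ")
                and path[-1] == f"interface {ifname} tunnel create"):
            return ipaddress.ip_interface(line.split()[1]).network
    raise ValueError(f"vprn {svc} has no tunnel interface {ifname}")

def client_address_ok(nodes, client_ip):
    """A RADIUS-assigned internal address must come from the private subnet."""
    return ipaddress.ip_address(client_ip) in private_subnet(nodes)
```

Feed `parse` the relevant `info` output as the router prints it (indented, with `exit` lines); `dangling_references` returns an empty list for the sample and names every reference whose definition is missing, which is the usual reason a remote-access tunnel fails to come up after the ipsec-gw is created before its ike-policy or cert-profile.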