The following are the configuration tasks for an IKEv2 remote-access tunnel:
Create an ike-policy with any auth-method.
Configure the tunnel-template or ipsec-transform. This is the same as configuring a dynamic LAN-to-LAN tunnel.
Configure a private VPRN service and a private tunnel interface with an address on that interface. The internal address assigned to the client must come from the subnet configured on the private interface.
Configure a local DHCPv4 or DHCPv6 server with an address pool from which the internal address is assigned.
Configure a public IES/VPRN service and an ipsec-gw under the public tunnel SAP.
Configure local-address-assignment under the ipsec-gw.
The following output shows an example using cert-auth. Note that this example relaxes revocation checking (`revocation-check crl-optional` on the ca-profile and `status-verify default-result good` under cert), so a peer certificate whose revocation status cannot be retrieved is still accepted; tighten these settings where a failed revocation lookup should reject the peer.
config>system>security>pki# info
----------------------------------------------
ca-profile "smallcell-root" create
cert-file "smallcell-root-ca.cert"
revocation-check crl-optional
no shutdown
exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
ike-policy 3 create
ike-version 2
auth-method cert-auth
nat-traversal
ike-transform 1
exit
ipsec-transform 1 create
exit
ike-transform 1 create
exit
cert-profile "segw-mlab" create
entry 1 create
cert SeGW-MLAB.cert
key SeGW-MLAB.key
exit
no shutdown
exit
trust-anchor-profile "sc-root" create
trust-anchor "smallcell-root"
exit
tunnel-template 1 create
transform 1
exit
----------------------------------------------
config>service>ies# info
----------------------------------------------
interface "pub" create
address 172.16.100.253/24
tos-marking-state untrusted
sap tunnel-1.public:100 create
ipsec-gw "rw"
default-secure-service 400 interface "priv"
default-tunnel-template 1
ike-policy 3
local-address-assignment
ipv6
address-source router 400 dhcp-server "d6" pool "1"
exit
no shutdown
exit
local-gateway-address 172.16.100.1
cert
trust-anchor-profile "sc-root"
cert-profile "segw-mlab"
status-verify
default-result good
exit
exit
local-id type fqdn value segwmobilelab.nokia.com
no shutdown
exit
exit
exit
no shutdown
----------------------------------------------
config>service>vprn# info
----------------------------------------------
dhcp6
local-dhcp-server "d6" create
use-pool-from-client
pool "1" create
options
dns-server 2001:db8:::808:808
exit
exclude-prefix 2001:db8:beef::101/128
prefix 2001:db8::beef::/96 failover access-driven pd wan-host create
exit
exit
no shutdown
exit
exit
route-distinguisher 400:1
interface "priv" tunnel create
ipv6
address 2001:db8::beef::101/96
exit
sap tunnel-1.private:200 create
exit
exit
no shutdown