Configure Global Parameters on Fabric IPsec Gateway VM

About this task

Perform this procedure to configure IPsec source IP address, Local Area Network (LAN ) interface IP and gateway IP address, maximum transmission unit (MTU) value, and so on globally, on the Fabric IPsec Gateway Virtual Machine (VM).

Note

You must perform this procedure only after the VM boots up.

Procedure

Enter Fabric IPsec Gateway Configuration mode:

enable

virtual-service WORD<1-128> console

Note

Type CTRL+Y to exit the console.
Configure IPsec source IP address for a Fabric Extend (FE) tunnel for IPsec in decoupled mode:

set global ipsec-tunnel-src-ip {A.B.C.D/X}
Assign VLAN ID to the configured IPsec source IP address:

set global ipsec-tunnel-src-vlan <2-4059>
Configure the LAN interface IP address on the first Ethernet interface (eth0) of Fabric IPsec Gateway VM:

set global lan-intf-ip {A.B.C.D/X}
Assign VLAN ID to the configured LAN interface IP address:

set global lan-intf-vlan <2-4059>
Configure the LAN interface gateway IP address on the VOSS switch:

set global lan-intf-gw-ip {A.B.C.D}
Configure the logical interface gateway IP address, to add routes for FE tunnels that need Fragmentation:

set global fe-tunnel-gw-ip {A.B.C.D}
Configure the logical interface source IP address for the FE tunnel:

set global fe-tunnel-src-ip {A.B.C.D}

Note

The logical interface source IP address must be same as the source IP address configured on the VOSS switch.
Configure the global MTU value:
set global mtu <mtu-value>
Note
- The switch applies the global MTU value, if you do not configure MTU during the IPsec tunnel configuration.
- If an IPsec tunnel is not using the fragmentation and reassembly capabilities, the default MTU value is 1950.
Configure the Wide Area Network (WAN) interface gateway IP address, which is the next hop for IPsec tunnels.

set global wan-intf-gw-ip {A.B.C.D}
Configure the virtual reassembly interface IP address:

set global virtual-reassembly-intf-ip {A.B.C.D/X}

Note

You must configure the virtual reassembly interface IP address to use the fragmentation and reassembly service.
Assign VLAN ID to the configured virtual reassembly interface IP address:

set global virtual-reassembly-intf-vlan <2-4059>
Disable IPsec on all configured tunnels:

set global ipsec-disable
Set IPsec log level:

set global ipsec-log-level <-1-5>

Example

Configuring global parameters on Fabric IPsec Gateway VM to configure an IPsec tunnel between two switches:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

  <cr>
FIGW> set global ipsec-tunnel-src-ip 192.0.2.10/24
FIGW> set global ipsec-tunnel-src-vlan 101
FIGW> set global lan-intf-ip 192.0.2.20/24
FIGW> set global lan-intf-vlan 30
FIGW> set global lan-intf-gw-ip 192.0.2.30
FIGW> set global fe-tunnel-src-ip 192.0.2.40
FIGW> set global wan-intf-gw-ip 192.0.2.50
FIGW> set global mtu 1950

Variable Definitions

The following table defines parameters for the set global command.


Variable	Value
ipsec-tunnel-src-ip `{A.B.C.D/X}`	Specifies the source IP address and subnet mask for IPsec tunnel.
ipsec-tunnel-src-vlan `<2-4059>`	Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1. By default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998.
lan-intf-ip `{A.B.C.D/X}`	Specifies the IP address and subnet mask for Local Area Network (LAN) interface.
lan-intf-vlan `<2-4059>`	Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1. By default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998.
lan-intf-gw-ip `{A.B.C.D}`	Specifies the gateway IP address for LAN interface.
fe-tunnel-gw-ip `{A.B.C.D}`	Specifies the gateway IP address for Fabric Extend (FE) tunnel.
fe-tunnel-src-ip `{A.B.C.D}`	Specifies the source IP address for FE tunnel.
mtu `<750-9000>`	Specifies the Maximum Transmission Unit (MTU) value. Note: If an IPsec tunnel is not using the fragmentation and reassembly capabilities, the default MTU value is 1950.
wan-intf-gw-ip `{A.B.C.D}`	Specifies the Wide Area Network (WAN) interface gateway IP address.
virtual-reassembly-intf-ip `{A.B.C.D/X}`	Specifies the virtual-reassembly interface IP address and subnet mask on the Fabric IPsec Gateway (VM). Note: You must configure the virtual reassembly interface IP address to use the fragmentation and reassembly service.
virtual-reassembly-intf-vlan `<2-4059>`	Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1. By default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998.
ipsec-disable	Disables IPsec operationally on all tunnels in the Fabric IPsec Gateway VM.
ipsec-log-level `<-1-5>`	Specifies the IPsec log levels on Fabric IPsec Gateway VM. Following are the three levels: -1: Absolutely Silent 0-4: Log levels 5: Clear Logs