[c-nsp] IPSEC Remote access to MPLS VPN

Ge Moua moua0100 at umn.edu
Wed Feb 22 00:38:37 EST 2012


See below for an exemplar of VRF-aware RA-VPN on IOS:

!! c7206vxr / npe-g1 / vam2+
!
!! VRF name must match the "ip vrf forwarding" and isakmp-profile "vrf"
!! references below, so the VRF is defined here as RA-VPN
ip vrf RA-VPN
  description (VRF Lite) RA-VPN to (MPLS VRF) "RA-VPN" for remote access vpn applications
  rd 200:1000

!! named AAA method lists require aaa new-model
aaa new-model
aaa authorization network AAA-AUTHORIZATION_GROUP-LIST_LOCAL local
aaa authentication login AAA-AUTHENTICATION_LIST_LOCAL local

ip local pool IP-POOL_RA-VPN 192.168.50.177 192.168.50.188

access-list 100 remark ## [START] Extended ACL 100 ##
access-list 100 remark ## Facilitate Split-Tunneling for Remote Access IPSec Clients to "RA-VRF" VRF ##
access-list 100 remark ## Match Egress Traffic Sourced from "RA-VPN" VRF & Enable Crypto Encryption ##
access-list 100 remark ## Bypass Crypto for Non-matching Egress Traffic & Punt to Clear-Text ##
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
access-list 100 permit ip 172.16.1.0 0.0.1.255 any
access-list 100 remark ## [END] Extended ACL 100 ##

!! ISAKMP policy and transform-set were not in the original post; the values
!! below are assumed (pre-shared key auth for the client group, transform
!! matching the name TRANSFORM-SET_3DES-SHA)
crypto isakmp policy 10
  encr 3des
  hash sha
  authentication pre-share
  group 2

crypto ipsec transform-set TRANSFORM-SET_3DES-SHA esp-3des esp-sha-hmac

crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
  key <removed>
  dns <ip_addr_1> <ip_addr_2>
  domain <domain_suffix>
  pool IP-POOL_RA-VPN
  acl 100
  netmask 255.255.255.248

crypto isakmp profile ISAKMP-PROFILE_RA-VPN
    description ## Crypto ISAKMP Profile (VRF-Aware IPSec) * RA IPSec VPN to "RA-VPN" VRF ##
    vrf RA-VPN
    !! must name the client configuration group defined above
    match identity group CRYPTO-GROUP_RA-VPN-CENTSEC
    !
    client authentication list AAA-AUTHENTICATION_LIST_LOCAL
    isakmp authorization list AAA-AUTHORIZATION_GROUP-LIST_LOCAL
    !
    client configuration address initiate
    client configuration address respond

crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
  set transform-set TRANSFORM-SET_3DES-SHA
  set isakmp-profile ISAKMP-PROFILE_RA-VPN
  reverse-route

crypto map CRYPTO-MAP_RA-VPN 1 ipsec-isakmp dynamic CRYPTO-DYNAMIC-MAP_RA-VPN

!
interface GigabitEthernet0/1.791
  description VRF-aware IPSec front-door VRF termination
  encapsulation dot1Q 791
  ip vrf forwarding RA-VPN
  ip address <ip_addr> <subnet_mask>
  ip flow ingress
  logging event subif-link-status
  snmp trap link-status
  standby delay reload 120
  standby version 2
  standby 791 ip <hsrp_vip>
  standby 791 preempt
  standby 791 name HA-FVRF_RA-VPN
  standby 791 track GigabitEthernet0/2.3565
  crypto map CRYPTO-MAP_RA-VPN redundancy HA-FVRF_RA-VPN
  !
  no shut

interface GigabitEthernet0/2.3565
  description VRF-aware IPSec inside VRF decryption
  encapsulation dot1Q 3565
  ip vrf forwarding RA-VPN
  ip address <ip_addr> <subnet_mask>
  ip flow ingress
  logging event subif-link-status
  snmp trap link-status
  standby delay reload 120
  standby version 2
  standby 3565 ip <hsrp_vip>
  standby 3565 preempt
  standby 3565 name HA-IVRF_RA-VPN
  standby 3565 track GigabitEthernet0/1.791
  !
  no shut

!! route & return path to originating ipsec clients from front-door VRF RA-VPN !!
!
ip route vrf RA-VPN 0.0.0.0 0.0.0.0 <fvrf_next_hop> name "Dest: Default Route * Next-Hop: <node_name> * Descr: (VRF-Lite) RA-VPN to (MPLS VRF) 'RA-VPN'"
!
!! route to inside VRF RA-VPN !!
ip route vrf RA-VPN 172.16.48.0 255.255.240.0 192.168.140.118 name "Dest: /20 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"
ip route vrf RA-VPN 172.16.0.0 255.255.254.0 192.168.140.118 name "Dest: /23 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"


--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0100 at umn.edu
--
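Scrubbed exemplars like the one above are easy to leave with a dangling reference (a VRF, client group, ACL or pool renamed in one place but not the others), and IOS will happily accept the lines while the tunnel never comes up in the intended VRF. The checker below is an added example, not part of the original post; it cross-references the object kinds used in this config, and the excerpt it parses is constructed with two such slips.

```python
"""Cross-reference checker for a VRF-aware IPsec RA-VPN IOS config: lists every
reference to a VRF, client group, ACL, pool, ISAKMP profile or dynamic map
that the config never defines.  Added example, not from the original post."""
import re
# kind, regex whose group(1) DEFINES an object of that kind
DEFS = [
    ("vrf", r"^ip vrf (\S+)"),
    ("group", r"^crypto isakmp client configuration group (\S+)"),
    ("acl", r"^access-list (\d+) "),
    ("pool", r"^ip local pool (\S+)"),
    ("profile", r"^crypto isakmp profile (\S+)"),
    ("dynmap", r"^crypto dynamic-map (\S+) \d+"),
]
# kind, regex whose group(1) REFERENCES an object of that kind
REFS = [
    ("vrf", r"^\s+ip vrf forwarding (\S+)"),
    ("vrf", r"^\s+vrf (\S+)"),                 # inside crypto isakmp profile
    ("vrf", r"^ip route vrf (\S+)"),
    ("group", r"^\s+match identity group (\S+)"),
    ("acl", r"^\s+acl (\d+)"),                 # split-tunnel ACL in the group
    ("pool", r"^\s+pool (\S+)"),
    ("profile", r"^\s+set isakmp-profile (\S+)"),
    ("dynmap", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
]

def dangling_refs(config: str) -> list[tuple[str, str, int]]:
    """Return (kind, name, line_no) for each reference lacking a definition."""
    defined = {kind: set() for kind, _ in DEFS}
    refs = []
    for no, line in enumerate(config.splitlines(), 1):
        for kind, pat in DEFS:
            if m := re.match(pat, line):
                defined[kind].add(m.group(1))
        for kind, pat in REFS:
            if m := re.match(pat, line):
                refs.append((kind, m.group(1), no))
    return [r for r in refs if r[1] not in defined[r[0]]]

# Constructed excerpt: the VRF is defined as VRF-LITE_RA-VPN but used as
# RA-VPN, and the profile matches a client group name that is never defined.
SAMPLE = """\
ip vrf VRF-LITE_RA-VPN
  rd 200:1000
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
crypto isakmp profile ISAKMP-PROFILE_RA-VPN
    vrf RA-VPN
    match identity group CRYPTO-GROUP_RA-VPN
interface GigabitEthernet0/1.791
  ip vrf forwarding RA-VPN
"""
if __name__ == "__main__":
    for kind, name, no in dangling_refs(SAMPLE):
        print(f"line {no}: {kind} '{name}' referenced but never defined")
```

Feed it the output of `show running-config` to check a box before cutover; the regexes cover only the object kinds used in this exemplar, so extend DEFS/REFS for key rings, keychains or route-maps.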


On 2/15/12 3:21 AM, Ge Moua wrote:
> + hw_platforms
>     * 7206 vxr / npe-g1 / vam2+
>     * 18xx ISR / 28xx ISR / 28xx ISR2
> + sw
>     * 12.4 (x) T
>     * 15.x (x) T
>
> The only significant problem we ran into was for the use case of RRI 
> there was a bug that didn't populate the next-hop correctly and this 
> had to be manually specified; hopefully cisco has fixed this by now:
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606 
>
>
> Give me some time to scrub the configs and I'll send them off-line to you.
>
> --
> Regards,
> Ge Moua
>
> University of Minnesota Alumnus
> Email: moua0100 at umn.edu
> --
>
> On 2/15/12 3:07 AM, ar wrote:
>> Hi Ge.
>>
>> Thanks for your response.
>> What platform did you use? 7200 also?
>> Can you share your template?
>> I'll try the following:
>>     -site to site
>>     - remote access using vpn client software (Cisco/microsoft)
>>     - SSL VPN if possible
>>
>> ------------------------------------------------------------------------
>> *From:* Ge Moua <moua0100 at gmail.com>
>> *To:* ar_djp at yahoo.com
>> *Sent:* Wednesday, February 15, 2012 12:52 AM
>> *Subject:* Re: [c-nsp] IPSEC Remote access to MPLS VPN
>>
>> We did all of the requirements you mentioned at the Univ of Minn.
>>
>> As you mentioned, the documentation is out there but not nicely in 
>> one area of Cisco CCO land.
>>
>> You're looking down the right path with vrf-aware IPSec.  We 
>> experimented with both flavors:
>> * full blown mpls/bgp/vrf (6VPE / 4VPE)
>> * vrf-lite
>>
>> In the end we thought doing the vrf-lite option then mapping these to 
>> 6VPE / 4VPE mpls-bgp provided the best options for functionality & 
>> config flexibility:
>> * well defined front-door vrf to inside-vrf mapping (native ip)
>> * native ip termination for front-door vrf (vs. 6vpe / 4vpe will be 
>> ldp/mpls at front-door vrf & limited to default table unless you 
>> start dealing with complexity of route-leaking RD/RT; violated KISS 
>> in my opinion).
>>
>> Contact me off-list and I'll share config exemplars for what you are 
>> looking for.
>>
>> --
>> Regards,
>> Ge Moua
>>
>> University of Minnesota Alumnus
>> Email: moua0100 at umn.edu <mailto:moua0100 at umn.edu>
>> --
>>
>>
>> On 2/15/12 2:09 AM, ar wrote:
>> > Hi Guys.
>> >
>> > I would like to set up a remote access IPSEC/SSL VPN that maps to MPLS VPN/VRFs.
>> > I'm thinking of using 7206VXR as the concentrator/PE for this.
>> > Remote clients will use cisco/microsoft vpn clients.
>> > Site-to-site vpn will be supported too.
>> >
>> >
>> > Anyone has good documentation for configuration?
>> > I'm reading vrf-aware ipsec but it seems to lack more configuration options.
>> >
>> > Any comments?
>> >
>> > thanks
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net <mailto:cisco-nsp at puck.nether.net>
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>

