[c-nsp] IPSEC Remote access to MPLS VPN
Ge Moua
moua0100 at umn.edu
Wed Feb 22 00:38:37 EST 2012
See below for an exemplar of a vrf-aware ra-vpn on IOS:
!! c7206vxr / npe-g1 / vam2+
!
ip vrf RA-VPN
 description (VRF Lite) RA-VPN to (MPLS VRF) "RA-VPN" for remote access vpn applications
 rd 200:1000
!
aaa new-model
aaa authorization network AAA-AUTHORIZATION_GROUP-LIST_LOCAL local
aaa authentication login AAA-AUTHENTICATION_LIST_LOCAL local
!
ip local pool IP-POOL_RA-VPN 192.168.50.177 192.168.50.188
!
access-list 100 remark ## [START] Extended ACL 100 ##
access-list 100 remark ## Facilitate Split-Tunneling for Remote Access IPSec Clients to "RA-VPN" VRF ##
access-list 100 remark ## Match Egress Traffic Sourced from "RA-VPN" VRF & Enable Crypto Encryption ##
access-list 100 remark ## Bypass Crypto for Non-matching Egress Traffic & Punt to Clear-Text ##
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
access-list 100 permit ip 172.16.1.0 0.0.1.255 any
access-list 100 remark ## [END] Extended ACL 100 ##
!
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
 key <removed>
 dns <ip_addr_1> <ip_addr_2>
 domain <domain_suffix>
 pool IP-POOL_RA-VPN
 acl 100
 netmask 255.255.255.248
!
crypto isakmp profile ISAKMP-PROFILE_RA-VPN
 description ## Crypto ISAKMP Profile (VRF-Aware IPSec) * RA IPSec VPN to "RA-VPN" VRF ##
 vrf RA-VPN
 match identity group CRYPTO-GROUP_RA-VPN-CENTSEC
 client authentication list AAA-AUTHENTICATION_LIST_LOCAL
 isakmp authorization list AAA-AUTHORIZATION_GROUP-LIST_LOCAL
 client configuration address initiate
 client configuration address respond
!
!! assumed definition for the transform-set the dynamic map references (3DES/SHA, per its name)
crypto ipsec transform-set TRANSFORM-SET_3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
 set transform-set TRANSFORM-SET_3DES-SHA
 set isakmp-profile ISAKMP-PROFILE_RA-VPN
 reverse-route
!
crypto map CRYPTO-MAP_RA-VPN 1 ipsec-isakmp dynamic CRYPTO-DYNAMIC-MAP_RA-VPN
!
interface GigabitEthernet0/1.791
 description VRF-aware IPSec front-door VRF termination
 encapsulation dot1Q 791
 ip vrf forwarding RA-VPN
 ip address <ip_addr> <subnet_mask>
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 791 ip <hsrp_vip>
 standby 791 preempt
 standby 791 name HA-FVRF_RA-VPN
 standby 791 track GigabitEthernet0/2.3565
 crypto map CRYPTO-MAP_RA-VPN redundancy HA-FVRF_RA-VPN
 no shutdown
!
interface GigabitEthernet0/2.3565
 description VRF-aware IPSec inside VRF decryption
 encapsulation dot1Q 3565
 ip vrf forwarding RA-VPN
 ip address <ip_addr> <subnet_mask>
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 3565 ip <hsrp_vip>
 standby 3565 preempt
 standby 3565 name HA-IVRF_RA-VPN
 standby 3565 track GigabitEthernet0/1.791
 no shutdown
!
!! route & return path to originating ipsec clients from front-door VRF RA-VPN !!
!
ip route vrf RA-VPN 0.0.0.0 0.0.0.0 <fvrf_next_hop> name "Dest: Default Route * Next-Hop: <node_name> * Descr: (VRF-Lite) RA-VPN to (MPLS VRF) 'RA-VPN'"
!
!! route to inside VRF RA-VPN !!
ip route vrf RA-VPN 172.16.48.0 255.255.240.0 192.168.140.118 name "Dest: /20 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"
ip route vrf RA-VPN 172.16.0.0 255.255.254.0 192.168.140.118 name "Dest: /23 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"
--
Regards,
Ge Moua
University of Minnesota Alumnus
Email: moua0100 at umn.edu
--
On 2/15/12 3:21 AM, Ge Moua wrote:
> + hw_platforms
> * 7206 vxr / npe-g1 / vam2+
> * 18xx ISR / 28xx ISR / 28xx ISR2
> + sw
> * 12.4 (x) T
> * 15.x (x) T
>
> The only significant problem we ran into was for the use case of RRI
> there was a bug that didn't populate the next-hop correctly and this
> had to be manually specified; hopefully cisco has fixed this by now:
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606
>
>
> Give me some time to scrub the configs and I'll send them off-line to you.
>
> --
> Regards,
> Ge Moua
>
> University of Minnesota Alumnus
> Email: moua0100 at umn.edu
> --
>
> On 2/15/12 3:07 AM, ar wrote:
>> Hi Ge.
>>
>> Thanks for your response.
>> What platform did you use? 7200 also?
>> Can you share your template?
>> I'll try the following:
>> -site to site
>> - remote access using vpn client software (Cisco/microsoft)
>> - SSL VPN if possible
>>
>> ------------------------------------------------------------------------
>> *From:* Ge Moua <moua0100 at gmail.com>
>> *To:* ar_djp at yahoo.com
>> *Sent:* Wednesday, February 15, 2012 12:52 AM
>> *Subject:* Re: [c-nsp] IPSEC Remote access to MPLS VPN
>>
>> We did all of the requirements you mentioned at the Univ of Minn.
>>
>> As you mentioned, the documentation is out there but not nicely in
>> one area of Cisco CCO land.
>>
>> You're looking down the right path with vrf-aware IPSec. We
>> experimented with both flavors:
>> * full blown mpls/bgp/vrf (6VPE / 4VPE)
>> * vrf-lite
>>
>> In the end we thought doing the vrf-lite option then mapping these to
>> 6VPE / 4VPE mpls-bgp provided the best options for functionality &
>> config flexibility:
>> * well defined front-door vrf to inside-vrf mapping (native ip)
>> * native ip termination for front-door vrf (vs. 6vpe / 4vpe will be
>> ldp/mpls at front-door vrf & limited to default table unless you
>> start dealing with complexity of route-leaking RD/RT; violated KISS
>> in my opinion).
>>
>> Contact me off-list and I'll share config exemplars for what you are
>> looking for.
>>
>> --
>> Regards,
>> Ge Moua
>>
>> University of Minnesota Alumnus
>> Email: moua0100 at umn.edu <mailto:moua0100 at umn.edu>
>> --
>>
>>
>> On 2/15/12 2:09 AM, ar wrote:
>> > Hi Guys.
>> >
>> > I would like to setup a remote access IPSEC/SSL VPN then maps to
>> MPLS VPN/VRFs.
>> > I'm thinking of using 7206VXR as the concentrator/PE for this.
>> > Remote clients will use cisco/microsoft vpn clients.
>> > Site-to-site vpn will be supported too.
>> >
>> >
>> > Does anyone have good documentation for configuration?
>> > I'm reading about vrf-aware ipsec but it seems to lack more
>> configuration options.
>> >
>> > Any comments?
>> >
>> > thanks
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> <mailto:cisco-nsp at puck.nether.net>
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
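The exemplar in this thread was hand-scrubbed before posting, and scrubbed IOS configs are where name mismatches creep in (a profile matching a group that is defined under another name, a transform-set that is referenced but never defined, a split-tunnel ACL entry with no matching route in the inside VRF). The following checker is an added example, not part of the thread or Cisco's tooling: it parses a config in the style shown above, cross-references the ISAKMP profile, client configuration group, VRF and transform-set names, and verifies that every network the split-tunnel ACL pushes to clients has a specific route in the profile's VRF. The sample config is a constructed, condensed version of the exemplar with the same placeholder next hop; the missing transform-set definition is left in so the checker has something to report.

```python
"""Consistency checker for a VRF-aware IPsec remote-access config (IOS style).

Added example; parses the subset of IOS syntax used in the thread's exemplar.
"""
import ipaddress
import re

# Constructed sample, condensed from the thread's exemplar. The transform-set
# referenced by the dynamic map is deliberately left undefined.
SAMPLE_CONFIG = """\
ip vrf RA-VPN
 rd 200:1000
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
access-list 100 permit ip 172.16.1.0 0.0.1.255 any
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
 key <removed>
 pool IP-POOL_RA-VPN
 acl 100
crypto isakmp profile ISAKMP-PROFILE_RA-VPN
 vrf RA-VPN
 match identity group CRYPTO-GROUP_RA-VPN-CENTSEC
crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
 set transform-set TRANSFORM-SET_3DES-SHA
 set isakmp-profile ISAKMP-PROFILE_RA-VPN
 reverse-route
ip route vrf RA-VPN 0.0.0.0 0.0.0.0 <fvrf_next_hop>
ip route vrf RA-VPN 172.16.48.0 255.255.240.0 192.168.140.118
ip route vrf RA-VPN 172.16.0.0 255.255.254.0 192.168.140.118
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route vrf (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a network.

    IOS wildcards are inverted masks; only a contiguous run of low-order
    one-bits maps to a prefix length, so anything else is rejected.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=False normalises host bits, e.g. 172.16.1.0 0.0.1.255 -> 172.16.0.0/23
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def parse_config(text: str) -> dict:
    """Extract the names and prefixes the checker needs from an IOS config."""
    cfg = {"vrfs": set(), "acls": {}, "groups": {}, "profiles": {},
           "ts_defined": set(), "ts_used": set(), "routes": {}}
    section = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):
            section = None
            if line.startswith("ip vrf "):
                cfg["vrfs"].add(parts[2])
            elif (m := ACL_RE.match(line)):
                cfg["acls"].setdefault(m.group(1), []).append(
                    wildcard_to_network(m.group(2), m.group(3)))
            elif line.startswith("crypto isakmp client configuration group "):
                section = ("group", parts[-1])
                cfg["groups"][parts[-1]] = {}
            elif line.startswith("crypto isakmp profile "):
                section = ("profile", parts[-1])
                cfg["profiles"][parts[-1]] = {}
            elif line.startswith("crypto dynamic-map "):
                section = ("dynmap", parts[2])
            elif line.startswith("crypto ipsec transform-set "):
                cfg["ts_defined"].add(parts[3])
            elif (m := ROUTE_RE.match(line)):
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                cfg["routes"].setdefault(m.group(1), []).append(net)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "group" and parts[0] == "acl":
            cfg["groups"][name]["acl"] = parts[1]
        elif kind == "profile" and parts[0] == "vrf":
            cfg["profiles"][name]["vrf"] = parts[1]
        elif kind == "profile" and parts[:3] == ["match", "identity", "group"]:
            cfg["profiles"][name]["group"] = parts[3]
        elif kind == "dynmap" and parts[:2] == ["set", "transform-set"]:
            cfg["ts_used"].update(parts[2:])
    return cfg


def check_config(text: str) -> list:
    """Return human-readable findings; an empty list means the config is consistent."""
    cfg = parse_config(text)
    findings = []
    for prof, attrs in cfg["profiles"].items():
        grp = attrs.get("group")
        if grp is not None and grp not in cfg["groups"]:
            findings.append(f"profile {prof}: match identity group {grp} "
                            "is not a defined client configuration group")
        vrf = attrs.get("vrf")
        if vrf is not None and vrf not in cfg["vrfs"]:
            findings.append(f"profile {prof}: inside VRF {vrf} is not defined")
    for ts in sorted(cfg["ts_used"] - cfg["ts_defined"]):
        findings.append(f"transform-set {ts} is referenced but never defined")
    # Split-tunnel coverage: each network pushed to clients via the group's ACL
    # needs a specific route in the profile's VRF. A default route is ignored
    # here on purpose, since it would make every entry pass.
    for prof, attrs in cfg["profiles"].items():
        grp = cfg["groups"].get(attrs.get("group"))
        vrf = attrs.get("vrf")
        if not grp or "acl" not in grp or vrf is None:
            continue
        routes = [r for r in cfg["routes"].get(vrf, []) if r.prefixlen > 0]
        for net in cfg["acls"].get(grp["acl"], []):
            if not any(net.subnet_of(r) for r in routes):
                findings.append(f"split-tunnel network {net} (ACL {grp['acl']}) "
                                f"has no route in VRF {vrf}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a full running-config export and it reports the transform-set gap in the sample; add a `crypto ipsec transform-set` line and the list comes back empty. The coverage check is the useful part operationally: an ACL entry that reaches clients without a route in the inside VRF silently blackholes that prefix for every connected user, which looks like a crypto problem but is a routing one.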