[c-nsp] IPSEC Remote access to MPLS VPN

ar ar_djp at yahoo.com
Wed Feb 22 07:28:28 EST 2012


Thanks Ge.
Can you also share the client router config?

Many thanks again.






________________________________
 From: Ge Moua <moua0100 at umn.edu>
To: cisco-nsp at puck.nether.net 
Cc: ar_djp at yahoo.com 
Sent: Wednesday, February 22, 2012 1:38 PM
Subject: Re: [c-nsp] IPSEC Remote access to MPLS VPN
 

See below for an exemplar of VRF-aware RA-VPN on IOS:

!! c7206vxr / npe-g1 / vam2+
!
aaa new-model
aaa authentication login AAA-AUTHENTICATION_LIST_LOCAL local
aaa authorization network AAA-AUTHORIZATION_GROUP-LIST_LOCAL local
!
!! VRF-lite VRF "RA-VPN": serves as both the front-door VRF (the VRF of
!! the crypto-map interface) and the inside VRF (set in the isakmp
!! profile); the same name is used by "ip vrf forwarding", "vrf" and
!! "ip route vrf" below.
ip vrf RA-VPN
 description (VRF Lite) RA-VPN to (MPLS VRF) "RA-VPN" for remote access vpn applications
 rd 200:1000
!
ip local pool IP-POOL_RA-VPN 192.168.50.177 192.168.50.188
!
access-list 100 remark ## [START] Extended ACL 100 ##
access-list 100 remark ## Facilitate Split-Tunneling for Remote Access IPSec Clients to "RA-VPN" VRF ##
access-list 100 remark ## Match Egress Traffic Sourced from "RA-VPN" VRF & Enable Crypto Encryption ##
access-list 100 remark ## Bypass Crypto for Non-matching Egress Traffic & Punt to Clear-Text ##
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
access-list 100 permit ip 172.16.1.0 0.0.1.255 any
access-list 100 remark ## [END] Extended ACL 100 ##
!
!! The ISAKMP phase-1 policy and the IPsec transform set were not in the
!! posted exemplar; both are assumed here to match the 3DES/SHA naming
!! referenced by the dynamic map below.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set TRANSFORM-SET_3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
 key <removed>
 dns <ip_addr_1> <ip_addr_2>
 domain <domain_suffix>
 pool IP-POOL_RA-VPN
 acl 100
 netmask 255.255.255.248
!
crypto isakmp profile ISAKMP-PROFILE_RA-VPN
 description ## Crypto ISAKMP Profile (VRF-Aware IPSec) * RA IPSec VPN to "RA-VPN" VRF ##
 !! inside VRF: decrypted client traffic is placed here
 vrf RA-VPN
 !! must name the client configuration group defined above
 match identity group CRYPTO-GROUP_RA-VPN-CENTSEC
 !
 client authentication list AAA-AUTHENTICATION_LIST_LOCAL
 isakmp authorization list AAA-AUTHORIZATION_GROUP-LIST_LOCAL
 !
 client configuration address initiate
 client configuration address respond
!
crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
 set transform-set TRANSFORM-SET_3DES-SHA
 set isakmp-profile ISAKMP-PROFILE_RA-VPN
 !! RRI: inject a route to each connected client's assigned address
 reverse-route
!
crypto map CRYPTO-MAP_RA-VPN 1 ipsec-isakmp dynamic CRYPTO-DYNAMIC-MAP_RA-VPN
!
interface GigabitEthernet0/1.791
 description VRF-aware IPSec front-door VRF termination
 encapsulation dot1Q 791
 ip vrf forwarding RA-VPN
 ip address <ip_addr> <subnet_mask>
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 791 ip <hsrp_vip>
 standby 791 preempt
 standby 791 name HA-FVRF_RA-VPN
 standby 791 track GigabitEthernet0/2.3565
 !! crypto map bound to the HSRP group so the VIP is the IPsec peer address
 crypto map CRYPTO-MAP_RA-VPN redundancy HA-FVRF_RA-VPN
 !
 no shut
!
interface GigabitEthernet0/2.3565
 description VRF-aware IPSec inside VRF decryption
 encapsulation dot1Q 3565
 ip vrf forwarding RA-VPN
 ip address <ip_addr> <subnet_mask>
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 3565 ip <hsrp_vip>
 standby 3565 preempt
 standby 3565 name HA-IVRF_RA-VPN
 standby 3565 track GigabitEthernet0/1.791
 !
 no shut
!
!! route & return path to originating ipsec clients from front-door VRF RA-VPN !!
!
ip route vrf RA-VPN 0.0.0.0 0.0.0.0 <fvrf_next_hop> name "Dest: Default Route * Next-Hop: <node_name> * Descr: (VRF-Lite) RA-VPN to (MPLS VRF) 'RA-VPN'"
!
!! routes to inside VRF RA-VPN (the prefixes that ACL 100 sends through the tunnel) !!
ip route vrf RA-VPN 172.16.48.0 255.255.240.0 192.168.140.118 name "Dest: /20 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"
ip route vrf RA-VPN 172.16.0.0 255.255.254.0 192.168.140.118 name "Dest: /23 CIDR Summary Route * Next-Hop: <node_name> * Descr: 'RA-VPN' MPLS VRF"



--
Regards,
Ge Moua
University of Minnesota Alumnus
Email: moua0100 at umn.edu
--
On 2/15/12 3:21 AM, Ge Moua wrote:
>+ hw_platforms
>    * 7206 vxr / npe-g1 / vam2+
>    * 18xx ISR / 28xx ISR / 28xx ISR2
>+ sw
>    * 12.4 (x) T
>    * 15.x (x) T
>
>The only significant problem we ran into was for the RRI use case: there was a bug that didn't populate the next-hop correctly, and it had to be specified manually; hopefully Cisco has fixed this by now:
>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606
>
>Give me some time to scrub the configs and I'll send them off-line to you.
>
>
>--
>Regards,
>Ge Moua
>University of Minnesota Alumnus
>Email: moua0100 at umn.edu
>--
>On 2/15/12 3:07 AM, ar wrote:
>>Hi Ge.
>>
>>Thanks for your response.
>>What platform did you use? 7200 also?
>>Can you share your template?
>>I'll try the following:
>>    - site-to-site
>>    - remote access using VPN client software (Cisco/Microsoft)
>>    - SSL VPN if possible
>>
>>
>>________________________________
>> From: Ge Moua <moua0100 at gmail.com>
>>To: ar_djp at yahoo.com 
>>Sent: Wednesday, February 15, 2012 12:52 AM
>>Subject: Re: [c-nsp] IPSEC Remote access to MPLS VPN
>> 
>>We did all of the requirements you mentioned at the Univ of Minn.
>>
>>As you mentioned, the documentation is out there but not nicely in one area of Cisco CCO land.
>>
>>You're looking down the right path with vrf-aware IPSec. We experimented with both flavors:
>>* full blown mpls/bgp/vrf (6VPE / 4VPE)
>>* vrf-lite
>>
>>In the end we thought doing the vrf-lite option then mapping these to 6VPE / 4VPE mpls-bgp provided the best options for functionality & config flexibility:
>>* well defined front-door vrf to inside-vrf mapping (native ip)
>>* native ip termination for front-door vrf (vs. 6vpe / 4vpe, which will be ldp/mpls at the front-door vrf & limited to the default table unless you start dealing with the complexity of route-leaking RD/RT; violated KISS in my opinion).
>>
>>Contact me off-list and I'll share config exemplars for what you are looking for.
>>
>>--
>>Regards,
>>Ge Moua
>>
>>University of Minnesota Alumnus
>>Email: moua0100 at umn.edu
>>--
>>
>>
>>On 2/15/12 2:09 AM, ar wrote:
>>> Hi Guys.
>>> 
>>> I would like to set up a remote access IPSEC/SSL VPN that then maps to MPLS VPN/VRFs.
>>> I'm thinking of using a 7206VXR as the concentrator/PE for this.
>>> Remote clients will use Cisco/Microsoft VPN clients.
>>> Site-to-site VPN will be supported too.
>>> 
>>> 
>>> Does anyone have good documentation for configuration?
>>> I'm reading about vrf-aware ipsec but it seems to lack more configuration options.
>>> 
>>> Any comments?
>>> 
>>> thanks
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
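As an added example (not from the thread, Cisco, or the University of Minnesota), a small Python cross-reference check for IOS VRF-aware IPsec configs like the exemplar above: it flags names that one stanza references but no stanza defines, the kind of mismatch that is easy to introduce when scrubbing a config for posting (a renamed VRF or ISAKMP group, a transform set left out). The SAMPLE config is constructed for this check and deliberately carries three such mismatches.

```python
import re
from collections import defaultdict

# Each rule: (regex, namespace, is_definition). A reference must name
# something that a definition rule has introduced in the same namespace.
RULES = [
    (r"^ip vrf (\S+)", "vrf", True),
    (r"^\s+ip vrf forwarding (\S+)", "vrf", False),      # interface FVRF/IVRF
    (r"^\s+vrf (\S+)", "vrf", False),                    # isakmp-profile IVRF
    (r"^crypto isakmp client configuration group (\S+)", "group", True),
    (r"^\s+match identity group (\S+)", "group", False),
    (r"^ip local pool (\S+)", "pool", True),
    (r"^\s+pool (\S+)", "pool", False),
    (r"^access-list (\d+)", "acl", True),
    (r"^\s+acl (\d+)", "acl", False),
    (r"^crypto isakmp profile (\S+)", "isakmp-profile", True),
    (r"^\s+set isakmp-profile (\S+)", "isakmp-profile", False),
    (r"^crypto ipsec transform-set (\S+)", "transform-set", True),
    (r"^\s+set transform-set (\S+)", "transform-set", False),
]

def dangling_references(config):
    """Return sorted (namespace, name) pairs referenced but never defined."""
    defined, referenced = defaultdict(set), set()
    for line in config.splitlines():
        for pat, ns, is_def in RULES:
            m = re.match(pat, line)
            if m and is_def:
                defined[ns].add(m.group(1))
            elif m:
                referenced.add((ns, m.group(1)))
    return sorted(r for r in referenced if r[1] not in defined[r[0]])

# Constructed sample: a trimmed config in the style of the thread's exemplar,
# with a VRF name mismatch, an ISAKMP group mismatch and no transform set.
SAMPLE = """\
ip vrf VRF-LITE_RA-VPN
ip local pool IP-POOL_RA-VPN 192.168.50.177 192.168.50.188
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN-CENTSEC
 pool IP-POOL_RA-VPN
 acl 100
crypto isakmp profile ISAKMP-PROFILE_RA-VPN
 vrf RA-VPN
 match identity group CRYPTO-GROUP_RA-VPN
crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
 set transform-set TRANSFORM-SET_3DES-SHA
 set isakmp-profile ISAKMP-PROFILE_RA-VPN
interface GigabitEthernet0/1.791
 ip vrf forwarding RA-VPN
"""
```

Running `dangling_references(SAMPLE)` reports the group, transform-set and VRF names; feeding it the same text with those three fixed returns an empty list, which is the state to reach before pasting a scrubbed config to a list.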

