IPsec VPN Configuration On Cisco IOS XE - Part 3 - Route Based VPN

Santosh Salunke, Network Security Lead
This article is about building route-based site-to-site VPN tunnels on a Cisco CSR1000V router running IOS XE.
Two route-based IPsec VPN tunnels are configured on the CSR1000V router; traffic from the app server to the site A user is NATed and the rest is not.

This is the third article in series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ]


In the previous two parts, I configured simple policy-based VPN tunnels. In this article, I will show how to build a route-based VPN tunnel.


This is an imaginary setup of a company with a Data Centre (DC) hosting Application and Storage servers. Two sites (A and B) connect to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses and device connections are shown in the diagram.



Goals of this scenario are -
1) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-a-gw1" in site A.
2) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-b-gw1" in site B.
3) NAT the traffic between the "app1" server and the site A "user". This requires both "inside" and "outside" NAT on dc-gw1.



Router IOS versions used for this setup are -

dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)




I configured the interface IPs on the DC router and the site routers and a default route towards the Internet router. This simulates the underlay Internet links for the DC and the sites.


Interface And Route Configuration On DC Router = "dc-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.252
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.20.1 255.255.255.0 secondary
ip address 100.0.10.1 255.255.255.0
ip nat inside
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 172.17.10.0 255.255.255.0 172.20.10.2
ip route 192.168.10.0 255.255.255.0 172.20.10.2
ip route 192.168.20.0 255.255.255.0 172.20.20.2


Interface And Route Configuration On site A Router = "site-a-gw1"


interface GigabitEthernet0/0
ip address 20.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.10.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1
ip route 100.0.20.0 255.255.255.0 172.20.10.1
ip route 172.16.10.0 255.255.255.0 172.20.10.1


Interface And Route Configuration On site B Router = "site-b-gw1"


interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 30.0.0.1
ip route 100.0.10.0 255.255.255.0 172.20.20.1
ip route 100.0.20.0 255.255.255.0 172.20.20.1


Next is the route-based IPsec VPN configuration for the DC router and the site routers. The pre-shared key acme is a lab placeholder; in a real deployment use a long random key that is unique per peer. Note also that the ISAKMP policy sets no hash, so it uses the IOS default of SHA-1, and the transform set uses esp-sha-hmac (HMAC-SHA-1). Both peers must agree on these values, which is why the same policy and transform set are repeated on each router.

IPsec VPN Configuration On DC Router = "dc-gw1"


crypto keyring site-a
pre-shared-key address 20.0.0.2 key acme

crypto keyring site-b
pre-shared-key address 30.0.0.2 key acme

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site-a
set transform-set AES-256-SHA

crypto ipsec profile tunnel-to-site-b
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to Site A
ip address 172.20.10.1 255.255.255.252
ip nat outside
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 20.0.0.2
tunnel protection ipsec profile tunnel-to-site-a

interface Tunnel2
description Tunnel to Site B
ip address 172.20.20.1 255.255.255.252
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 30.0.0.2
tunnel protection ipsec profile tunnel-to-site-b


IPsec VPN Configuration On site A Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to DC
ip address 172.20.10.2 255.255.255.252
tunnel source 20.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc


IPsec VPN Configuration On site B Router = "site-b-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel2
description Tunnel to DC
ip address 172.20.20.2 255.255.255.252
tunnel source 30.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc
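The configuration above is what the lab needs to bring the tunnels up, but a few of its choices would not pass review in production. As an added example, not part of the author's configuration, here is the dc-gw1 crypto section as configured on this page beside a hardened variant: SHA-256 instead of the default SHA-1 for both IKE and ESP, a distinct random pre-shared key per peer bound through an ISAKMP profile so that each key is only accepted from its own peer address, perfect forward secrecy on the IPsec SAs, and dead peer detection. The profile names, the <SITE-A-RANDOM-KEY> and <SITE-B-RANDOM-KEY> placeholders and the 28800 s lifetime are my choices. SHA-256 needs support on both ends: the 12.4(24)T site routers in this lab may not offer hash sha256 or esp-sha256-hmac, in which case keep SHA-1 there and apply the remaining changes. The Tunnel interfaces stay exactly as shown on this page.

```cisco
! --- As configured in this lab (works, but weak) ---
! No "hash" line, so ISAKMP falls back to the IOS default of SHA-1,
! and the same short key "acme" authenticates both sites.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
crypto keyring site-a
 pre-shared-key address 20.0.0.2 key acme
crypto keyring site-b
 pre-shared-key address 30.0.0.2 key acme
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Hardened variant for dc-gw1 (added example, not the author's config) ---
! The <...> keys are placeholders for long random strings generated per peer;
! the site routers need the matching key and SHA-256 support.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Dead peer detection: probe every 10 s, retry every 3 s after a missed reply
crypto isakmp keepalive 10 3 periodic
!
! One keyring per peer, each with its own key, bound to an ISAKMP profile
! that only matches that peer's address
crypto keyring site-a
 pre-shared-key address 20.0.0.2 key <SITE-A-RANDOM-KEY>
crypto keyring site-b
 pre-shared-key address 30.0.0.2 key <SITE-B-RANDOM-KEY>
!
crypto isakmp profile site-a
 keyring site-a
 match identity address 20.0.0.2 255.255.255.255
crypto isakmp profile site-b
 keyring site-b
 match identity address 30.0.0.2 255.255.255.255
!
crypto ipsec transform-set AES-256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Per-tunnel IPsec profile: SHA-256 transform, PFS, and the ISAKMP profile
! that pins the peer
crypto ipsec profile tunnel-to-site-a
 set transform-set AES-256-SHA256
 set pfs group14
 set isakmp-profile site-a
crypto ipsec profile tunnel-to-site-b
 set transform-set AES-256-SHA256
 set pfs group14
 set isakmp-profile site-b
```

Each site router keeps its "crypto isakmp key ... address 10.0.0.2" form but must carry its own new key, the same hash and a matching transform set; after the change, "show crypto isakmp sa" and "show crypto ipsec sa" should show the SAs re-established with the new parameters.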


This completes goals 1 and 2 and we have VPN tunnels between the DC and the sites. Before moving on, confirm them on dc-gw1: "show crypto isakmp sa" should list each peer in state QM_IDLE, "show crypto ipsec sa" should show the encaps and decaps counters incrementing, and "show interface Tunnel1" should report line protocol up (a VTI only comes up once its IPsec SA is established). The next part is about implementing NAT on the DC router.

This NAT changes the app server IP from 100.0.10.10 to 172.16.10.10. A route-map is used instead of a plain static translation so that only traffic from 100.0.10.10 destined to 172.17.10.10 is translated; the same server reaches site B untranslated. The single-address pool without overload can serve only one inside host at a time, which is all this scenario needs. Cisco's NAT guidelines advise against the log keyword on an ACL referenced by NAT, so drop it outside the lab.

I did not use the "ip nat outside" command for this NAT, because I want to keep the traffic between the Storage server and the site-A user without NAT.


ip nat pool source-nat-pool 172.16.10.10 172.16.10.10 prefix-length 30

ip access-list extended source-nat-acl
permit ip host 100.0.10.10 host 172.17.10.10 log

route-map source-nat-routemap permit 10
match ip address source-nat-acl

ip nat inside source route-map source-nat-routemap pool source-nat-pool


And this NAT configuration changes the site user IP from 172.17.10.10 to 192.168.10.10. It is an outside source translation: for packets from the DC the destination 172.17.10.10 (outside local) is rewritten to 192.168.10.10 (outside global), and the source of the replies is rewritten back. Because routing happens before translation for inside-to-outside traffic, dc-gw1 needs the static route for 172.17.10.0/24 over Tunnel1 shown earlier; without it the packet would follow the default route out GigabitEthernet1 and never be translated.


ip nat outside source static 192.168.10.10 172.17.10.10
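A route-based tunnel forwards whatever the routing table sends into it. With the policy-based tunnels of Parts 1 and 2 the crypto ACL doubled as a traffic filter; a VTI has no such filter, so once a site is up it can reach anything dc-gw1 has a route to. As an added example, not part of the author's configuration, the following inbound ACLs on the two tunnel interfaces of dc-gw1 restrict each site to the DC hosts it is meant to use. Because an inbound ACL is evaluated before NAT on an "ip nat outside" interface, the Tunnel1 ACL has to match the addresses as they appear on the wire: the site A user's real address 192.168.10.10 and the app server's translated address 172.16.10.10. The ACL names are mine; the addresses are the ones used on this page.

```cisco
! Added example for dc-gw1, not part of the lab configuration on this page.
!
! Tunnel1 is "ip nat outside": the inbound ACL sees packets before the
! outside-to-inside translation, i.e. source 192.168.10.0/24 (site A) and
! destination 172.16.10.10 (the app server's translated address) or the
! storage network 100.0.20.0/24, which is reached without NAT.
ip access-list extended from-site-a
 remark site A -> app server (translated address) and storage
 permit ip 192.168.10.0 0.0.0.255 host 172.16.10.10
 permit ip 192.168.10.0 0.0.0.255 100.0.20.0 0.0.0.255
 deny ip any any log
!
! Tunnel2 carries no NAT, so real addresses are matched.
ip access-list extended from-site-b
 remark site B -> app and storage servers
 permit ip 192.168.20.0 0.0.0.255 100.0.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 100.0.20.0 0.0.0.255
 deny ip any any log
!
interface Tunnel1
 ip access-group from-site-a in
interface Tunnel2
 ip access-group from-site-b in
```

The two flows this lab relies on, app1 to the translated site A user and storage to both sites, still pass; anything else arriving over a tunnel is dropped and logged, which is a quick way to see what a site tries to reach that the design did not foresee.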


Here are the ping commands used to generate traffic from app1 (100.0.10.10).


app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=41.008 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=38.508 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=50.510 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=39.508 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=33.006 ms

app1> ping 192.168.10.10
192.168.10.10 icmp_seq=1 timeout
192.168.10.10 icmp_seq=2 timeout
192.168.10.10 icmp_seq=3 timeout
192.168.10.10 icmp_seq=4 timeout
192.168.10.10 icmp_seq=5 timeout

app1> ping 172.17.10.10
84 bytes from 172.17.10.10 icmp_seq=1 ttl=62 time=32.006 ms
84 bytes from 172.17.10.10 icmp_seq=2 ttl=62 time=48.510 ms
84 bytes from 172.17.10.10 icmp_seq=3 ttl=62 time=30.506 ms
84 bytes from 172.17.10.10 icmp_seq=4 ttl=62 time=27.005 ms
84 bytes from 172.17.10.10 icmp_seq=5 ttl=62 time=34.507 ms


This traffic created NAT translation table entries as below.


dc-gw1#sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   172.17.10.10          192.168.10.10
icmp 172.16.10.10:61400    100.0.10.10:61400     172.17.10.10:61400    192.168.10.10:61400
icmp 172.16.10.10:61656    100.0.10.10:61656     172.17.10.10:61656    192.168.10.10:61656
icmp 172.16.10.10:62168    100.0.10.10:62168     172.17.10.10:62168    192.168.10.10:62168
icmp 172.16.10.10:61144    100.0.10.10:61144     172.17.10.10:61144    192.168.10.10:61144
icmp 172.16.10.10:61912    100.0.10.10:61912     172.17.10.10:61912    192.168.10.10:61912
Total number of translations: 6


These ping results and NAT translation entries show the connections between the app server in the DC and the user computers in the sites. The ping to 192.168.20.10 (site B) succeeds without NAT because dc-gw1 routes 192.168.20.0/24 over Tunnel2 and site-b-gw1 routes 100.0.10.0/24 back over it. The ping to 192.168.10.10 (the site A user's real address) times out: the echo request is routed over Tunnel1 untranslated, but site-a-gw1 has no route for 100.0.10.0/24 over the tunnel, so the reply leaves towards the Internet router instead of the tunnel. The ping to 172.17.10.10 succeeds because it matches both translations.

Please note that:

1) A packet generated by the app server has source IP 100.0.10.10; when it reaches the DC router, the source is changed to 172.16.10.10.

2) The same packet has destination IP 172.17.10.10; when it reaches the DC router, the destination is changed to 192.168.10.10.

3) Only after both the inside (source IP) and outside (destination IP) translations are applied does the packet enter the VPN tunnel.

This is the end of Part 3 of this series; we have seen a basic route-based VPN setup and its sample configuration. Anyone working on a VPN setup using Cisco routers with IOS XE may use this configuration as a starting point.

In the next article, we will be configuring Route Based VPN tunnels with a dynamic routing protocol.

Link to the next article in this series = Part 4 - Route Based VPN With Dynamic Routing (OSPF)

I hope you find this helpful.
