IPsec VPN Configuration On Cisco IOS XE - Part 5 - Route Based VPN With VRF And Dynamic Routing (OSPF)

Santosh Salunke, Network Security Lead
This article is about building route-based site-to-site VPN tunnels with VRFs and a dynamic routing protocol (OSPF) on a Cisco CSR1000V router running IOS XE. Two route-based IPsec VPN tunnels are configured on the CSR1000V router; traffic from the app server is NATed and the rest is not.

This is the fifth article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ]


In the previous part, I configured a simple route-based VPN tunnel with dynamic routing. In this article, I will show how to configure route-based VPN tunnels under different VRFs and use OSPF as the dynamic routing protocol.




This is an imaginary setup of a company that has a Data Centre (DC) with application and storage servers. Two sites (A and B) connect to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections and the OSPF area are as shown in the diagram.

The goals of this scenario are:
1) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-a-gw1" in site A.
2) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-b-gw1" in site B.
3) Traffic between the "app1" server and the "user" will be NATed. We have to configure both "inside" and "outside" NAT.
4) Keep traffic between the DC and the sites in different VRFs.
5) Configure dynamic routing between the DC and site routers.

 



Router IOS versions used for this setup are:
dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)




I configured the interface IPs on the DC router and the site routers and added a default route towards the Internet router. This simulates the underlay Internet links for the DC and the sites.

Interface And Route Configuration On DC Router = "dc-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.252
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip vrf forwarding app
ip address 100.0.10.1 255.255.255.0
ip nat inside
negotiation auto

interface GigabitEthernet3
platform ring rx 256
ip vrf forwarding storage
ip address 100.0.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf app 172.17.10.0 255.255.255.0 172.20.10.2


Interface And Route Configuration On site A Router = "site-a-gw1"


interface GigabitEthernet0/0
ip address 20.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.10.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Interface And Route Configuration On site B Router = "site-b-gw1"


interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 30.0.0.1


Next is the route-based IPsec VPN configuration for the DC router and the site routers.

IPsec VPN Configuration On DC Router = "dc-gw1"


crypto keyring site-a
pre-shared-key address 20.0.0.2 key acme
crypto keyring site-b
pre-shared-key address 30.0.0.2 key acme

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site-a
set transform-set AES-256-SHA

crypto ipsec profile tunnel-to-site-b
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to Site A
ip vrf forwarding app
ip address 172.20.10.1 255.255.255.252
ip mtu 1400
ip nat outside
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 20.0.0.2
tunnel protection ipsec profile tunnel-to-site-a

interface Tunnel2
description Tunnel to Site B
ip vrf forwarding storage
ip address 172.20.20.1 255.255.255.252
ip mtu 1400
tunnel source 10.0.0.2
tunnel mode ipsec ipv4
tunnel destination 30.0.0.2
tunnel protection ipsec profile tunnel-to-site-b


IPsec VPN Configuration On site A Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description Tunnel to DC
ip address 172.20.10.2 255.255.255.252
ip mtu 1400
tunnel source 20.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc


IPsec VPN Configuration On site B Router = "site-b-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel2
description Tunnel to DC
ip address 172.20.20.2 255.255.255.252
ip mtu 1400
tunnel source 30.0.0.2
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile tunnel-to-dc


This completes goals 1 and 2: we have VPN tunnels between the DC and the sites. The next part implements NAT on the DC router.

This NAT changes the app server IP from 100.0.10.10 to 172.16.10.10.

I did not use the "ip nat outside" command for this NAT, because I want to keep the traffic between the storage server and the Site-A user without NAT.


ip nat pool source-nat-pool 172.16.10.10 172.16.10.10 prefix-length 30

ip access-list extended source-nat-acl
permit ip host 100.0.10.10 host 172.17.10.10 log

route-map source-nat-routemap permit 10
match ip address source-nat-acl

ip nat inside source route-map source-nat-routemap pool source-nat-pool vrf app


And this NAT configuration changes the site user IP from 172.17.10.10 to 192.168.10.10.


ip nat outside source static 192.168.10.10 172.17.10.10 vrf app


And here are the ping commands used to generate traffic.


app1> ping 172.17.10.10
84 bytes from 172.17.10.10 icmp_seq=1 ttl=62 time=41.505 ms
84 bytes from 172.17.10.10 icmp_seq=2 ttl=62 time=27.504 ms
84 bytes from 172.17.10.10 icmp_seq=3 ttl=62 time=61.508 ms
84 bytes from 172.17.10.10 icmp_seq=4 ttl=62 time=103.513 ms
84 bytes from 172.17.10.10 icmp_seq=5 ttl=62 time=145.019 ms

app1> ping 192.168.20.10
*100.0.10.1 icmp_seq=1 ttl=255 time=2.001 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.10.1 icmp_seq=2 ttl=255 time=1.500 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.10.1 icmp_seq=3 ttl=255 time=1.000 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.10.1 icmp_seq=4 ttl=255 time=1.001 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.10.1 icmp_seq=5 ttl=255 time=1.000 ms (ICMP type:3, code:1, Destination host unreachable)

app1> ping 192.168.10.10
192.168.10.10 icmp_seq=1 timeout
192.168.10.10 icmp_seq=2 timeout
192.168.10.10 icmp_seq=3 timeout
192.168.10.10 icmp_seq=4 timeout
192.168.10.10 icmp_seq=5 timeout

storag> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=69.009 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=31.004 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=42.006 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=113.514 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=73.510 ms

storag> ping 192.168.10.10
*100.0.20.1 icmp_seq=1 ttl=255 time=1.000 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.20.1 icmp_seq=2 ttl=255 time=1.501 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.20.1 icmp_seq=3 ttl=255 time=1.501 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.20.1 icmp_seq=4 ttl=255 time=1.500 ms (ICMP type:3, code:1, Destination host unreachable)
*100.0.20.1 icmp_seq=5 ttl=255 time=3.000 ms (ICMP type:3, code:1, Destination host unreachable)


This traffic created the NAT translation table entries shown below.


dc-gw1#sh ip nat translations vrf app
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   172.17.10.10          192.168.10.10
icmp 172.16.10.10:39269    100.0.10.10:39269     172.17.10.10:39269    192.168.10.10:39269
icmp 172.16.10.10:39525    100.0.10.10:39525     172.17.10.10:39525    192.168.10.10:39525
icmp 172.16.10.10:40037    100.0.10.10:40037     172.17.10.10:40037    192.168.10.10:40037
icmp 172.16.10.10:39781    100.0.10.10:39781     172.17.10.10:39781    192.168.10.10:39781
icmp 172.16.10.10:39013    100.0.10.10:39013     172.17.10.10:39013    192.168.10.10:39013
Total number of translations: 6


These ping results and NAT translation entries show the connections between the app server in the DC and the user computer at the sites.


Please note that:

1) A packet generated by the app server has source IP 100.0.10.10; when it reaches the DC router, the source is changed to 172.16.10.10.

2) The same packet has destination IP 172.17.10.10; when it reaches the DC router, the destination is changed to 192.168.10.10.

3) After both the inside (source IP) and outside (destination IP) addresses are changed, the packet enters the VPN tunnel. This completes goal 3: we have NAT configured on the DC router.

4) In this scenario, we have the "app" and "storage" VRFs configured on the DC router. This separates traffic originating from or destined to the servers.

5) VRF "app" is for the application servers and VRF "storage" is for the storage servers. These VRFs are configured on the DC server-side interfaces of the router and on the VPN tunnel interfaces. Therefore traffic from the app server is allowed only towards "Site A", and traffic from the storage server only towards "Site B".

6) The NAT configuration is applied only in the "app" VRF; traffic that passes through the "storage" VRF is not affected by NAT.

7) Due to this NAT configuration, ping from the "app" server to the NAT IP "172.17.10.10" works, whereas ping from the "app" server to "192.168.10.10" does not.

8) Due to the VRF configuration, ping from the "app" server to the "Site B" host "192.168.20.10" does not work.

9) Similarly, due to the VRF configuration, ping from the "storage" server to the "Site A" host "192.168.10.10" does not work.
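As an added example (not from the article), here is a Python model of the two NAT rules in the "app" VRF using the article's addresses. The route-map ACL is matched on the untranslated addresses, which is also why the static route for 172.17.10.0/24 via Tunnel1 is needed: the packet is routed on its destination before the outside translation rewrites it.

```python
# Added example, not the article's own tooling: a model of the dc-gw1 NAT
# rules in the "app" VRF. All addresses are taken from the article's config.

# 'ip nat inside source route-map ...': the route-map ACL permits only
# src 100.0.10.10 -> dst 172.17.10.10, matched before any translation.
INSIDE_ACL = {("100.0.10.10", "172.17.10.10")}
INSIDE_POOL = "172.16.10.10"          # single-address pool source-nat-pool
# 'ip nat outside source static 192.168.10.10 172.17.10.10':
# outside global 192.168.10.10 appears in the app VRF as outside local 172.17.10.10
OUTSIDE_STATIC = {"172.17.10.10": "192.168.10.10"}  # outside local -> outside global


def inside_to_outside(src, dst, table):
    """Packet from Gi2 (ip nat inside) leaving via Tunnel1 (ip nat outside)."""
    if (src, dst) in INSIDE_ACL:
        table[src] = INSIDE_POOL          # record inside local -> inside global
        src = INSIDE_POOL
    dst = OUTSIDE_STATIC.get(dst, dst)    # outside local -> outside global
    return src, dst


def outside_to_inside(src, dst, table):
    """Reply entering Tunnel1: both translations are undone."""
    global_to_local = {g: l for l, g in OUTSIDE_STATIC.items()}
    src = global_to_local.get(src, src)   # outside global -> outside local
    inside_local = {g: l for l, g in table.items()}
    dst = inside_local.get(dst, dst)      # inside global -> inside local
    return src, dst


def walk(src, dst):
    """Return ((src, dst) on the wire inside the tunnel,
              (src, dst) of the echo reply as the app server sees it)."""
    table = {}                            # dynamic translation entries
    wire_src, wire_dst = inside_to_outside(src, dst, table)
    reply = outside_to_inside(wire_dst, wire_src, table)
    return (wire_src, wire_dst), reply


if __name__ == "__main__":
    # Goal 3 traffic: app1 pinging the NAT address of the site user.
    print(walk("100.0.10.10", "172.17.10.10"))
    # Note 7: pinging the real address 192.168.10.10 matches neither rule on
    # the way out, yet the model still rewrites the reply source on the way in.
    print(walk("100.0.10.10", "192.168.10.10"))
```

In this model the ping to 192.168.10.10 leaves untranslated, but the static outside rule still rewrites the reply source to 172.17.10.10 when it comes back in.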


These NAT and VRF configurations also affect the dynamic routing configuration. The next part implements the dynamic routing protocol OSPF.


OSPF Configuration On DC Router = "dc-gw1"


router ospf 10 vrf app
redistribute connected subnets route-map ospf-redistribute
redistribute static subnets route-map static-redistribute
network 172.20.10.0 0.0.0.3 area 0

router ospf 20 vrf storage
redistribute connected subnets route-map ospf-redistribute
redistribute static subnets route-map static-redistribute
network 172.20.20.0 0.0.0.3 area 0

ip route vrf app 172.16.10.0 255.255.255.0 100.0.10.10 tag 10

route-map ospf-redistribute permit 10
match interface GigabitEthernet2

route-map ospf-redistribute permit 20
match interface GigabitEthernet3

route-map static-redistribute permit 10
match tag 10


OSPF Configuration On site A Router = "site-a-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


OSPF Configuration On site B Router = "site-b-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.20.0 0.0.0.3 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


This OSPF configuration distributes routes between the DC router and the site routers.


I configured route maps that match the interfaces connecting the DC servers and the site LANs, and these route maps are used to redistribute connected subnets into OSPF. This also avoids redistributing the subnets configured on the Internet-side interfaces.


There is another route map to distribute the NAT IP subnet; it matches the specific static routes carrying 'tag 10' and redistributes them into OSPF through the 'redistribute static' command.


The DC router has two VRFs, so the OSPF configuration has two processes, one for each VRF.
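Added example, not the article's own tooling: a small Python lint that parses an IOS-style config (a constructed, abridged copy of the dc-gw1 config above) and checks the separation invariants this design depends on: every tunnel is IPsec-protected, "ip nat outside" exists only in the "app" VRF, and the OSPF redistribution route-map never matches an Internet-facing interface.

```python
# Added example, not the article's tooling: a lint for the dc-gw1 design that
# parses an IOS-style config. Below is a constructed, abridged excerpt of it.
DC_GW1 = """\
interface GigabitEthernet1
interface GigabitEthernet2
 ip vrf forwarding app
interface GigabitEthernet3
 ip vrf forwarding storage
interface Tunnel1
 ip vrf forwarding app
 ip nat outside
 tunnel protection ipsec profile tunnel-to-site-a
interface Tunnel2
 ip vrf forwarding storage
 tunnel protection ipsec profile tunnel-to-site-b
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
route-map ospf-redistribute permit 20
 match interface GigabitEthernet3
"""

def parse_blocks(cfg):
    """Map each top-level section header to its indented child lines."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def vrf_of(body):
    """VRF from 'ip vrf forwarding <name>'; None means the global table."""
    return next((l.split()[-1] for l in body if l.startswith("ip vrf forwarding")), None)

def lint(cfg):
    """Return findings (empty list = design holds): tunnels IPsec-protected and in
    a VRF, NAT outside only in the app VRF, no Internet-facing interface redistributed."""
    blocks = parse_blocks(cfg)
    ifaces = {h.split()[1]: b for h, b in blocks.items() if h.startswith("interface ")}
    findings = []
    for name, body in ifaces.items():
        if name.startswith("Tunnel"):
            if not any(l.startswith("tunnel protection ipsec profile") for l in body):
                findings.append(f"{name}: no IPsec tunnel protection")
            if vrf_of(body) is None:
                findings.append(f"{name}: not in a VRF")
        if "ip nat outside" in body and vrf_of(body) != "app":
            findings.append(f"{name}: 'ip nat outside' outside the app VRF")
    # Internet-facing = global table and not a tunnel (Gi1 in the article).
    internet = {n for n, b in ifaces.items() if vrf_of(b) is None and not n.startswith("Tunnel")}
    for header, body in blocks.items():
        if header.startswith("route-map ospf-redistribute"):
            for l in body:
                if l.startswith("match interface") and l.split()[-1] in internet:
                    findings.append(f"{header}: matches Internet-facing {l.split()[-1]}")
    return findings
```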


Routes Learned By Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:31    172.20.20.2     Tunnel2
192.168.10.1      0   FULL/  -        00:00:31    172.20.10.2     Tunnel1

dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1

dc-gw1#sh ip route vrf app

Routing Table: app
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.1/32 is directly connected, GigabitEthernet2
172.16.0.0/24 is subnetted, 1 subnets
S        172.16.10.0 [1/0] via 100.0.10.10
172.17.0.0/24 is subnetted, 1 subnets
S        172.17.10.0 [1/0] via 172.20.10.2
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.10.0/30 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:50:02, Tunnel1

dc-gw1#sh ip route vrf storage

Routing Table: storage
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.20.0/24 is directly connected, GigabitEthernet3
L        100.0.20.1/32 is directly connected, GigabitEthernet3
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.20.0/30 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:49:06, Tunnel2
dc-gw1#


Routes Learned By Router = "site-a-gw1"


site-a-gw1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 1 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:17:33, Tunnel1
20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.10.0 [110/20] via 172.20.10.1, 00:17:34, Tunnel1
172.20.0.0/30 is subnetted, 1 subnets
C       172.20.10.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1


Routes Learned By Router = "site-b-gw1"


site-b-gw1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 1 subnets
O E2    100.0.20.0 [110/20] via 172.20.20.1, 00:01:48, Tunnel2
172.20.0.0/30 is subnetted, 1 subnets
C       172.20.20.0 is directly connected, Tunnel2
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1


Please note that:


1) Routes learned by the site A router include the DC server subnet (100.0.10.0/24), the NAT subnet (172.16.10.0/24), the site LAN subnet (192.168.10.0/24) and the tunnel IP subnet (172.20.10.0/30).

2) Routes learned by the site B router include the DC server subnet (100.0.20.0/24) and the site LAN subnet (192.168.20.0/24).

3) None of the three routers advertise the subnets configured on their Internet-side interfaces, because those interfaces are not matched by the route map.

4) On the DC router, the "global" VRF holds only the routes of the Internet-side interfaces. The routes of the DC-side interfaces, tunnel interfaces and NAT subnet are in their respective VRFs.


This is the end of Part 5 of this series. We have seen a sample configuration of a basic route-based VPN setup with the dynamic routing protocol OSPF inside VRFs. Anyone working on a VPN setup using Cisco routers with IOS XE may use this configuration.

In the next article, we will be configuring Route Based VPN tunnels with a redundant router in DC.

Link to the next article in this series = Part 6 - Route Based VPN With Redundant Routers in DC (HUB)

I hope you find this helpful.

