TODO Ole Ernst To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the Linux side we use strongSwan, a robust and feature-rich IPsec implementation.
In this scenario we want to tunnel the three Bundle interface IP networks:
- 10.0.0.0/19 (CM)
- 100.64.0.0/22 (CPEpriv)
- 100.96.0.0/22 (MTA)
On the provisioning server side the network is:
- 172.20.0.0/22 (Management)
Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations.
Cisco CMTS configuration
```
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any
! networks to be tunneled
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP
```
Linux setup and configuration
```bash
# install strongswan
yum install strongswan
# add ipsec config (parameter lines must be indented below their conn section)
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
    left=<cloud-ip>
    leftsubnet=172.20.0.0/22
    leftid=<cloud-ip>
    leftfirewall=yes
    right=<cmts-ip>
    rightsubnet=10.0.0.0/19
    rightid=<cmts-ip>
    auto=add
    ike=aes256-sha-modp1536
    esp=aes256-sha1-modp1536
    keyexchange=ikev1
    authby=secret
conn cmts-cpepriv
    also=cmts-cm
    rightsubnet=100.64.0.0/22
conn cmts-mta
    also=cmts-cm
    rightsubnet=100.96.0.0/22
EOF
# add pre-shared key
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets
# enable strongswan
systemctl enable strongswan
```
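The Cisco ACL above expresses the tunneled networks as wildcard masks, while strongSwan takes CIDR prefixes, and with IKEv1 the traffic selectors on both ends must match exactly or Quick Mode fails. The following is an added example (not code from the original page or from strongSwan or Cisco): it generates the CMTS crypto ACL and the ipsec.conf from a single list of subnets, then parses both back and checks that they describe the same selector pairs. Peer addresses stay as the page's `<cloud-ip>`/`<cmts-ip>` placeholders; the conn names and subnets are the page's own. The cipher settings are copied from the page as-is (IKEv1, SHA-1, DH group 5 are kept for CMTS compatibility; newer gear and strongSwan both support IKEv2 with SHA-2 and larger groups, which is preferable where the CMTS allows it). The `host` form for /32 entries and `any` handling in the parser go slightly beyond the page's three /19 and /22 networks.

```python
import ipaddress

# Constructed values mirroring the page; <cloud-ip> and <cmts-ip> stay placeholders.
CLOUD_IP = "<cloud-ip>"
CMTS_IP = "<cmts-ip>"
MGMT_NET = "172.20.0.0/22"  # leftsubnet on the provisioning server
TUNNELS = [  # (conn name, CMTS-side subnet, ACL remark)
    ("cmts-cm", "10.0.0.0/19", "CM-IPs"),
    ("cmts-cpepriv", "100.64.0.0/22", "CPE-PRIV-IPs"),
    ("cmts-mta", "100.96.0.0/22", "MTA-IPs"),
]


def cisco_addr(cidr):
    """Render a prefix as an extended-ACL address: 'host A' or 'A wildcard'."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask == Cisco wildcard mask


def cisco_acl(name, mgmt_net, tunnels):
    lines = [f"ip access-list extended {name}"]
    for _, subnet, remark in tunnels:
        lines.append(f" remark {remark}")
        lines.append(f" permit ip {cisco_addr(subnet)} {cisco_addr(mgmt_net)}")
    return "\n".join(lines)


def strongswan_conf(cloud_ip, cmts_ip, mgmt_net, tunnels):
    """First conn carries the shared settings; the others inherit them via also=."""
    base, subnet, _ = tunnels[0]
    out = [
        f"conn {base}",
        f"\tleft={cloud_ip}", f"\tleftsubnet={mgmt_net}", f"\tleftid={cloud_ip}",
        "\tleftfirewall=yes",
        f"\tright={cmts_ip}", f"\trightsubnet={subnet}", f"\trightid={cmts_ip}",
        "\tauto=add", "\tike=aes256-sha-modp1536", "\tesp=aes256-sha1-modp1536",
        "\tkeyexchange=ikev1", "\tauthby=secret",
    ]
    for name, subnet, _ in tunnels[1:]:
        out += [f"conn {name}", f"\talso={base}", f"\trightsubnet={subnet}"]
    return "\n".join(out)


def parse_ipsec_conf(text):
    """Parse conn sections into {name: {key: value}}, resolving one level of also=."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    resolved = {}
    for name, params in conns.items():
        merged = dict(conns.get(params.get("also"), {}))  # inherited settings first
        merged.update(params)                              # own settings override
        merged.pop("also", None)
        resolved[name] = merged
    return resolved


def _acl_addr(tokens, i):
    """Consume one ACL address at tokens[i]; returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts a wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def acl_selectors(acl_text):
    """{(remote_net, local_net)} for every 'permit ip' entry, remote = CMTS side."""
    pairs = set()
    for line in acl_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, i = _acl_addr(tokens, 2)
        dst, _ = _acl_addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def conf_selectors(conf_text):
    """{(rightsubnet, leftsubnet)} per conn, oriented like the CMTS ACL."""
    return {
        (ipaddress.ip_network(p["rightsubnet"]), ipaddress.ip_network(p["leftsubnet"]))
        for p in parse_ipsec_conf(conf_text).values()
    }


def selectors_match(acl_text, conf_text):
    return acl_selectors(acl_text) == conf_selectors(conf_text)


if __name__ == "__main__":
    acl, conf = cisco_acl("NMS-NETS", MGMT_NET, TUNNELS), strongswan_conf(CLOUD_IP, CMTS_IP, MGMT_NET, TUNNELS)
    print(acl, conf, f"selectors match: {selectors_match(acl, conf)}", sep="\n\n")
```

Running the script prints the two configurations and the consistency result; feeding it a subnet edited on only one side (say /23 instead of /22 in one `rightsubnet`) makes `selectors_match` return False, which is exactly the condition that shows up on the CMTS as a Quick Mode proposal mismatch.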
Setup, test and teardown of IPsec tunnels
```bash
# add dummy interface, since strongswan expects packets from/to 172.20.0.0/22
ip link add name dummy0 type dummy
ip addr add 172.20.0.1/22 dev dummy0
ip link set dev dummy0 up
# start strongswan
systemctl start strongswan
# start all ipsec tunnels/associations
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta
# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
ip r get 10.0.31.254
10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
# ping all bundle interface ip addresses
ping -c1 10.0.31.254
PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms
# teardown all ipsec tunnels/associations
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm
# stop strongswan
systemctl stop strongswan
# remove dummy interface
ip link del dummy0
```
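The route check above matters because traffic only enters the IPsec policy when its source is inside 172.20.0.0/22; a route selected from another interface address is sent in the clear to the default gateway instead. As an added example (not part of the original page), the script below automates that check: it parses `ip route get` output in the format shown above and reports every probed destination that either lies outside the three tunneled networks or would not use the dummy-interface address as its source. The sample output is constructed; the first two lines mirror the page and the third uses a made-up wrong source address (198.51.100.7) to show what a broken tunnel looks like.

```python
import ipaddress
import re

TUNNELED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/19", "100.64.0.0/22", "100.96.0.0/22")]
EXPECTED_SRC = "172.20.0.1"  # address on dummy0, inside leftsubnet

# First line of `ip route get <dst>`: "<dst> [via <gw>] dev <if> [src <src>] ..."
_ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?: src (?P<src>\S+))?")


def parse_route_get(output):
    """Return (dst, via, dev, src) from one `ip route get` output; via/src may be None."""
    first = output.strip().splitlines()[0]
    m = _ROUTE_RE.match(first)
    if not m:
        raise ValueError(f"unrecognised route output: {first!r}")
    return m.group("dst", "via", "dev", "src")


def route_problems(outputs, expected_src=EXPECTED_SRC, nets=TUNNELED_NETS):
    """outputs: one `ip route get` output per probed destination.
    Returns {dst: reason} for every destination whose traffic would bypass the tunnel."""
    problems = {}
    for out in outputs:
        dst, _via, _dev, src = parse_route_get(out)
        addr = ipaddress.ip_address(dst)
        if not any(addr in n for n in nets):
            problems[dst] = "destination is not inside a tunneled subnet"
        elif src != expected_src:
            problems[dst] = f"src {src} is not {expected_src}; packets would not match the IPsec policy"
    return problems


# Constructed sample output (in a real run: `ip route get <dst>` for each bundle address).
SAMPLE_OUTPUTS = [
    "10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1",
    "100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1",
    "100.96.3.254 via <cmts-ip> dev eth0 src 198.51.100.7 uid 0\n    cache",
]

if __name__ == "__main__":
    problems = route_problems(SAMPLE_OUTPUTS)
    for dst, why in problems.items():
        print(f"{dst}: {why}")
    print("all tunneled" if not problems else f"{len(problems)} destination(s) would bypass the tunnel")
```

On the provisioning server the list would be built from the real command output, for example `subprocess.run(["ip", "route", "get", dst], capture_output=True, text=True).stdout` for each bundle interface address, and the script run right after `strongswan up` and before the pings.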