...

Both the provisioning server (<cloud-ip>) and the CMTS (<cmts-ip>) have public IP addresses, between which the IPsec tunnel is established. In the configurations below, replace <secret> with a pre-shared key of your choosing. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html for reference.

Cisco CMTS configuration

! limit esp and isakmp to the <cloud-ip> address: only the provisioning server may
! send ESP, IKE (UDP 500) or NAT-T (UDP 4500) to <cmts-ip>; all other traffic is
! left untouched by the final permit
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any

! networks to be tunneled (crypto ACL: source = CMTS-side /19 and /22 ranges,
! destination = the 172.20.0.0/22 NMS range on the provisioning side)
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255

! IKEv1 phase 1: AES-256, pre-shared key, DH group 5 (hash defaults to SHA-1)
! note: group 5 (1536-bit MODP) and SHA-1 are legacy choices; use group 14 or
! higher and SHA-2 if the provisioning server supports them
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>

! phase 2: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac

! tie peer, transform set, PFS and the crypto ACL together
crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS

! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP

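To check what the two access lists above actually do before pushing them to the CMTS, the following added example (not from this page, Cisco, or the provisioning project) parses IOS extended-ACL entries, converts the wildcard masks to prefixes, and evaluates sample flows against IPSEC-IN and NMS-NETS with first-match-wins and the implicit trailing deny. The addresses 203.0.113.10 and 198.51.100.20 are constructed stand-ins for <cloud-ip> and <cmts-ip>.

```python
import ipaddress
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords used on the page

def _addr(tok):
    """Consume one IOS address spec from tok: 'any' | 'host A' | 'A WILDCARD'."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tok.pop(0)))
    if (wild + 1) & wild:  # only contiguous wildcards such as 0.0.31.255 (= /19)
        raise ValueError("non-contiguous wildcard mask not supported")
    return ipaddress.ip_network(f"{first}/{32 - wild.bit_length()}", strict=False)

def parse_acl(text):
    """Parse 'ip access-list extended' entries into (action, proto, src, dst, dport) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark") or tok[0].startswith("!"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, dst = _addr(rest), _addr(rest)
        dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport))
    return rules

def lookup(rules, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

CLOUD_IP, CMTS_IP = "203.0.113.10", "198.51.100.20"  # constructed stand-ins for <cloud-ip>, <cmts-ip>
IPSEC_IN = parse_acl(f"""
 permit esp host {CLOUD_IP} host {CMTS_IP}
 permit udp host {CLOUD_IP} host {CMTS_IP} eq isakmp
 permit udp host {CLOUD_IP} host {CMTS_IP} eq non500-isakmp
 deny esp any host {CMTS_IP}
 deny udp any host {CMTS_IP} eq isakmp
 deny udp any host {CMTS_IP} eq non500-isakmp
 permit ip any any
""")
NMS_NETS = parse_acl("""
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
""")
```

lookup(IPSEC_IN, "esp", "192.0.2.5", CMTS_IP) returns "deny" while the same ESP packet from CLOUD_IP is permitted, and lookup(NMS_NETS, "ip", "10.0.40.1", "172.20.2.9") shows a cable-modem address just outside 10.0.0.0/19 would not be tunneled.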
...