...
Both the provisioning server (<cloud-ip>) and the CMTS (<cmts-ip>) have public IP addresses, between which the IPsec tunnel is established. Note that <secret> must be replaced by a pre-shared key of your choosing in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html for reference.
Cisco CMTS configuration
```
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any
! networks to be tunneled
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP
```
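To check that the two access lists above do what their comments claim before pushing them to a CMTS, here is an added Python model of Cisco first-match extended-ACL evaluation (example code written for this page, not part of the original page or of any Cisco tool). The peer addresses are constructed stand-ins for <cloud-ip> and <cmts-ip>, and the wildcard masks are interpreted as Cisco does (set bits are "don't care").

```python
import ipaddress
# Constructed stand-ins (TEST-NET ranges) for the page's <cloud-ip> and <cmts-ip> placeholders.
CLOUD_IP, CMTS_IP = "203.0.113.10", "198.51.100.5"
# The page's two access lists with placeholders substituted (remark lines omitted).
IPSEC_IN = f"""
permit esp host {CLOUD_IP} host {CMTS_IP}
permit udp host {CLOUD_IP} host {CMTS_IP} eq isakmp
permit udp host {CLOUD_IP} host {CMTS_IP} eq non500-isakmp
deny esp any host {CMTS_IP}
deny udp any host {CMTS_IP} eq isakmp
deny udp any host {CMTS_IP} eq non500-isakmp
permit ip any any
"""
NMS_NETS = """
permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

def _addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is a hostmask (set bits = don't care); ipaddress treats a
    # dotted mask whose first octet is zero as exactly that, so 0.0.31.255 becomes /19.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def acl_action(acl, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit 'deny' of every Cisco extended ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl.strip().splitlines():
        action, rule_proto, *rest = line.split()
        src_net, rest = _addr(rest)
        dst_net, rest = _addr(rest)
        port = PORT_NAMES[rest[1]] if rest[:1] == ["eq"] else None  # 'ip' rules carry no port
        if (rule_proto in ("ip", proto) and src_ip in src_net and dst_ip in dst_net
                and (port is None or port == dport)):
            return action
    return "deny"

def inbound_allowed(proto, src, dport=None):
    """Would IPSEC-IN on GigabitEthernet0/1 accept this packet addressed to the CMTS?"""
    return acl_action(IPSEC_IN, proto, src, CMTS_IP, dport) == "permit"

def tunneled(src, dst):
    """Would NMS-NETS hand this src/dst pair to crypto map NMS-CMAP, i.e. send it over IPsec?"""
    return acl_action(NMS_NETS, "ip", src, dst) == "permit"
```

Note that NMS-NETS is the CMTS's outbound selector: the mirror-image entries (172.20.0.0/22 as source) belong in the provisioning server's policy, not here.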
...