TODO Ole Ernst To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the linux side we use strongSwan as a robust and feature-rich IPsec implementation.
In this scenario we want to tunnel the three Bundle interface IP networks:
- 10.0.0.0/19 (CM)
- 100.64.0.0/22 (CPEpriv)
- 100.96.0.0/22 (MTA)
On the provisioning server side the network is:
- 172.20.0.0/22 (Management)
Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html as reference.
Cisco CMTS configuration
Code Block |
---|
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
permit esp host <cloud-ip> host <cmts-ip>
permit udp host <cloud-ip> host <cmts-ip> eq isakmp
permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
deny esp any host <cmts-ip>
deny udp any host <cmts-ip> eq isakmp
deny udp any host <cmts-ip> eq non500-isakmp
permit ip any any
! networks to be tunneled
ip access-list extended NMS-NETS
remark CM-IPs
permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
remark CPE-PRIV-IPs
permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
remark MTA-IPs
permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 5
crypto isakmp key <secret> address <cloud-ip>
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
set peer <cloud-ip>
set transform-set NMS-TS
set pfs group5
match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
ip access-group IPSEC-IN in
crypto map NMS-CMAP |
Linux setup and configuration
Code Block | ||
---|---|---|
| ||
# if you are logged in with your normal user you have to become root now
sudo su -
# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=172.20.0.1
NETMASK=255.255.255.0
EOF
# disable automatic updating of /etc/resolv.conf
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=127.0.0.1
PEERDNS=no
EOF
# clear resolv.conf once
echo "" > /etc/resolv.conf
# install strongswan
yum install -y strongswan
# add ipsec config and use the internal IP of your instance for the <cloud-ip>
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
left=<cloud-ip>
leftsubnet=172.20.0.0/22
leftid=<cloud-ip>
leftfirewall=yes
right=<cmts-ip>
rightsubnet=10.0.0.0/19
rightid=<cmts-ip>
auto=start
ike=aes256-sha-modp1536
esp=aes256-sha1-modp1536
keyexchange=ikev1
authby=secret
conn cmts-cpepriv
also=cmts-cm
rightsubnet=100.64.0.0/22
conn cmts-mta
also=cmts-cm
rightsubnet=100.96.0.0/22
EOF
# add pre-shared key
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets
# restart network
systemctl restart network.service
# enable strongswan
systemctl enable strongswan
systemctl start strongswan |