Versions Compared

Old Version 14

changes.mady.by.user Torsten Schmidt

Saved on

compared with

New Version Current

changes.mady.by.user Martin Zimmerling

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the linux side we use strongSwan as a robust and feature-rich IPsec implementation.

...

Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html as reference.

Cisco CMTS configuration

Code Block
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any

! networks to be tunneled
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255

crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>

crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac

crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS

! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP

...