To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the Linux side we use strongSwan, a robust and feature-rich IPsec implementation.
...
Both the provisioning server (<cloud-ip>) and the CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html for reference.
Cisco CMTS configuration
```
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any
! networks to be tunneled (source = networks behind the CMTS, destination = provisioning network)
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
! IKE phase 1: AES-256, pre-shared key, DH group 5 (hash defaults to SHA-1)
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>
! IPsec phase 2: ESP with AES-256 and HMAC-SHA-1, PFS with DH group 5
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP
```
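The crypto ACL above must be mirrored exactly by the traffic selectors on the strongSwan side, and a Cisco wildcard mask is the inverse of a netmask, which is easy to get wrong by hand. The following is an added example (not code from this page or from the project) that parses the NMS-NETS ACL and emits matching swanctl.conf child sections; it assumes the Linux peer is configured via swanctl.conf with IKEv1, and the default `esp` proposal string is strongSwan's spelling of esp-aes 256 / esp-sha-hmac with PFS group 5.

```python
import ipaddress
import re

# Constructed sample input: the NMS-NETS crypto ACL from the CMTS configuration above.
CMTS_ACL = """\
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
"""
REMARK = re.compile(r"^\s*remark\s+(\S+)")
PERMIT = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard -> CIDR network (0.0.3.255 -> /22). The wildcard is
    the inverse of the netmask; a non-contiguous wildcard or an address with host
    bits set raises ValueError, since such an ACE cannot be a single IPsec selector."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=True)

def parse_crypto_acl(acl_text):
    """Yield (name, cmts_side_net, cloud_side_net) per permit entry. The ACL is
    written from the CMTS's view: source = networks behind the CMTS, destination
    = the provisioning network in the cloud. The preceding remark names the ACE."""
    name = "ace"
    for line in acl_text.splitlines():
        if m := REMARK.match(line):
            name = m.group(1)
        elif m := PERMIT.match(line):
            yield name, wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])

def swanctl_children(acl_text, esp="aes256-sha1-modp1536"):
    """Mirror the ACL into swanctl.conf child sections for the strongSwan peer.
    Selectors must be the exact mirror image (CMTS source -> remote_ts, CMTS
    destination -> local_ts), and IKEv1 quick mode carries a single selector
    pair, so each ACE becomes its own child SA rather than one merged child."""
    return {name: {"local_ts": str(cloud), "remote_ts": str(cmts),
                   "esp_proposals": esp, "start_action": "start"}
            for name, cmts, cloud in parse_crypto_acl(acl_text)}

def render_children(children):
    # Render the child sections as swanctl.conf text (hypothetical helper).
    out = ["children {"]
    for name, opts in children.items():
        out += [f"    {name} {{", *(f"        {k} = {v}" for k, v in opts.items()), "    }"]
    out.append("}")
    return "\n".join(out)
```

Run `print(render_children(swanctl_children(CMTS_ACL)))` to get the three child sections; a wildcard typo in the ACL surfaces as a ValueError instead of a silently mismatched selector that would only show up as a phase 2 failure.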
...