
To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the Linux side we use strongSwan as a robust and feature-rich IPsec implementation.

...

Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html as reference.

Cisco CMTS configuration

! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any

! networks to be tunneled
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255

crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>

crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac

crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS

! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP
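Review bot: `crypto isakmp policy 1` sets no `hash`, so the IOS default (SHA-1) applies, and `group 5` together with `set pfs group5` pins both IKE and PFS to a 1536-bit MODP group; for a management tunnel across public addresses that is below current guidance. Where the CMTS image supports it, add `hash sha256` under the policy and move to `group 14` / `set pfs group14`, and change the strongSwan `ike=`/`esp=` proposals in the Linux section to match, otherwise negotiation fails. The `IPSEC-IN` ACL ends in `permit ip any any`, so it only pins ESP and ISAKMP to <cloud-ip> and does not restrict other traffic to <cmts-ip>; if that is intended, the leading comment should say so, e.g. `! only ESP/ISAKMP are restricted; all other traffic is still permitted`.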

Linux setup and configuration

# if you are logged in with your normal user you have to become root now
sudo su -

# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22 
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=172.20.0.1
NETMASK=255.255.255.0
EOF

# disable automatic updating of /etc/resolv.conf
cat << EOF >> install strongswam/etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=127.0.0.1
PEERDNS=no
EOF

# clear resolv.conf once
echo "" > /etc/resolv.conf

# install strongswan
yum install -y strongswan

# add ipsec config and use the internal IP of your instance for the <cloud-ip>
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
        left=<cloud-ip>
        leftsubnet=172.20.0.0/22
        leftid=<cloud-ip>
        leftfirewall=yes
        right=<cmts-ip>
        rightsubnet=10.0.0.0/19
        rightid=<cmts-ip>
        auto=addstart
        ike=aes256-sha-modp1536
        esp=aes256-sha1-modp1536
        keyexchange=ikev1
        authby=secret

conn cmts-cpepriv
        also=cmts-cm
        rightsubnet=100.64.0.0/22

conn cmts-mta
        also=cmts-cm
        rightsubnet=100.96.0.0/22
EOF

# add pre-shared key
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets

# enablerestart strongswannetwork
systemctl enable strongswan
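Review bot: The pre-shared key is written with `echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets`, which places the secret on the command line (shell history, `ps` output while it runs) and leaves the file with the mode the current umask happens to give. Set `umask 077` before the `cat`/`echo` redirections (or run `chmod 600 /etc/strongswan/ipsec.secrets` afterwards) and write the line from a quoted heredoc, `cat <<'EOF' >> /etc/strongswan/ipsec.secrets`, so the key is not part of a process argument. `auto=addstart` in the `conn cmts-cm` stanza is not a valid strongSwan value; since the next section brings the tunnels up by hand with `strongswan up`, `auto=add` is presumably what is meant (`auto=start` would start them on daemon start). The target `cat << EOF >> install strongswam/etc/sysconfig/network-scripts/ifcfg-eth0` and the comment `# enablerestart strongswannetwork` look like text of the previous page version merged into the new one; as rendered, the first would append to a relative path under `install strongswam/`, not to the ifcfg-eth0 file.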

Setup, test and teardown of IPsec tunnels

# add dummy interface, since strongswan expects packets from/to 172.20.0.0/22
ip link add name dummy0 type dummy
ip addr add 172.20.0.1/22 dev dummy0
ip link set dev dummy0 up

# startrestart network.service

# enable strongswan
systemctl startenable strongswan

#systemctl start all ipsec tunnels/associations strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta

# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
ip r get 10.0.31.254
  10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
  100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
  100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1

# ping all bundle interface ip addresses
ping -c1 10.0.31.254
  PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
  64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
  PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
  64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
  PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
  64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms

# teardown all ipsec tunnels/associations
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm

# stop strongswan
systemctl stop strongswan

# remove dummy interface 
ip link del dummy0
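Review bot: In `#systemctl start all ipsec tunnels/associations strongswan up cmts-cm` the command `strongswan up cmts-cm` has been merged into the comment, so as shown only `cmts-cpepriv` and `cmts-mta` are brought up and the base connection they inherit from via `also=cmts-cm` never is; it should be `# start all ipsec tunnels/associations` followed by `strongswan up cmts-cm` on its own line. The lines `# startrestart network.service` and `systemctl startenable strongswan` show the same merging of old and new text and need the same untangling. The verification step relies on `ip r get` and one `ping -c1` per subnet, neither of which shows that the packets were actually encrypted rather than sent in the clear; add `strongswan statusall` after the `up` commands to confirm each connection is ESTABLISHED, and `ip -s xfrm state` to see the ESP byte/packet counters increase with the pings.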