To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the linux side we use strongSwan as a robust and feature-rich IPsec implementation.
...
Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html as reference.
Cisco CMTS configuration
Code Block |
---|
! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
permit esp host <cloud-ip> host <cmts-ip>
permit udp host <cloud-ip> host <cmts-ip> eq isakmp
permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
deny esp any host <cmts-ip>
deny udp any host <cmts-ip> eq isakmp
deny udp any host <cmts-ip> eq non500-isakmp
permit ip any any
! networks to be tunneled
ip access-list extended NMS-NETS
remark CM-IPs
permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
remark CPE-PRIV-IPs
permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
remark MTA-IPs
permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 5
crypto isakmp key <secret> address <cloud-ip>
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
set peer <cloud-ip>
set transform-set NMS-TS
set pfs group5
match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
ip access-group IPSEC-IN in
crypto map NMS-CMAP |
...
Code Block |
---|
|
# if you are logged in with your normal user you have to become root now
sudo su -
# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=172.20.0.1
NETMASK=255.255.255.0
EOF
# disable automatic updating of /etc/resolv.conf
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=127.0.0.1
PEERDNS=no
EOF
# clear resolv.conf once
echo "" > /etc/resolv.conf
# install strongswan
yum install -y strongswan
# add ipsec config and use the internal IP of your instance for the <cloud-ip>
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
left=<cloud-ip>
leftsubnet=172.20.0.0/22
leftid=<cloud-ip>
leftfirewall=yes
right=<cmts-ip>
rightsubnet=10.0.0.0/19
rightid=<cmts-ip>
auto=addstart
ike=aes256-sha-modp1536
esp=aes256-sha1-modp1536
keyexchange=ikev1
authby=secret
conn cmts-cpepriv
also=cmts-cm
rightsubnet=100.64.0.0/22
conn cmts-mta
also=cmts-cm
rightsubnet=100.96.0.0/22
EOF
# add pre-shared key
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets
# enablerestart strongswannetwork
systemctl enable strongswan |
Setup, test and teardown of IPsec tunnels
Code Block |
---|
|
# add dummy interface, since strongswan expects packets from/to 172.20.0.0/22
ip link add name dummy0 type dummy
ip addr add 172.20.0.1/22 dev dummy0
ip link set dev dummy0 up
# startrestart network.service
# enable strongswan
systemctl startenable strongswan
# start all ipsec tunnels/associations
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta
# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
ip r get 10.0.31.254
10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
# ping all bundle interface ip addresses
ping -c1 10.0.31.254
PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms
# teardown all ipsec tunnels/associations
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm
# stop strongswan
systemctl stop strongswan
# remove dummy interface
ip link del dummy0systemctl start strongswan |