To tunnel the traffic between the cloud VM and the remote CMTS we use IPsec, since it is the tunnelling protocol supported by most CMTS vendors. On the Linux side we use strongSwan as a robust and feature-rich IPsec implementation.
In this scenario we want to tunnel the three Bundle interface IP networks:
- 10.0.0.0/19 (CM)
- 100.64.0.0/22 (CPEpriv)
- 100.96.0.0/22 (MTA)
On the provisioning server side the network is:
- 172.20.0.0/22 (Management)
Both the provisioning server (<cloud-ip>) and the CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. In the configurations below, replace <secret> with a pre-shared key of your choosing; use a long random value (for example the output of openssl rand -base64 32) and configure the identical key on both ends. The proposals use IKEv1 with AES-256, SHA-1 and DH group 5 (modp1536) because that is what many CMTS platforms support; where the CMTS also accepts IKEv2, SHA-256 and DH group 14 or stronger, prefer those on both sides.
Cisco CMTS configuration
```
! limit esp and isakmp to <cloud-ip> address: only the cloud VM may negotiate
! with or send ESP to <cmts-ip>; everything else is passed through unchanged
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any
! networks to be tunneled (one entry per bundle interface network)
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255
! phase 1: hash defaults to sha (SHA-1), which matches the strongSwan ike= proposal
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>
! phase 2: AES-256 / HMAC-SHA1, PFS with group 5 (modp1536 on the strongSwan side)
crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac
crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS
! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP
```
Linux setup and configuration
```bash
# install strongswan
yum install strongswan

# add ipsec config; the DH group in esp= enables PFS with modp1536,
# matching "set pfs group5" on the CMTS
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
    left=<cloud-ip>
    leftsubnet=172.20.0.0/22
    leftid=<cloud-ip>
    leftfirewall=yes
    right=<cmts-ip>
    rightsubnet=10.0.0.0/19
    rightid=<cmts-ip>
    auto=add
    ike=aes256-sha-modp1536
    esp=aes256-sha1-modp1536
    keyexchange=ikev1
    authby=secret

conn cmts-cpepriv
    also=cmts-cm
    rightsubnet=100.64.0.0/22

conn cmts-mta
    also=cmts-cm
    rightsubnet=100.96.0.0/22
EOF

# add pre-shared key; the secrets file must not be readable by other users
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secrets

# enable strongswan
systemctl enable strongswan
```
Setup, test and teardown of IPsec tunnels
```bash
# add a dummy interface holding an address inside 172.20.0.0/22, so that the kernel
# has a source address within leftsubnet for traffic towards the CMTS networks
ip link add name dummy0 type dummy
ip addr add 172.20.0.1/22 dev dummy0
ip link set dev dummy0 up

# start strongswan
systemctl start strongswan

# start all ipsec tunnels/associations
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta

# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
ip r get 10.0.31.254
10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1

# ping all bundle interface ip addresses
ping -c1 10.0.31.254
PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms

# teardown all ipsec tunnels/associations
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm

# stop strongswan
systemctl stop strongswan

# remove dummy interface
ip link del dummy0
```
Note that with auto=add a connection is negotiated only when it is brought up by hand, and while it is down there is no IPsec policy in the kernel that would stop packets for 10.0.0.0/19, 100.64.0.0/22 or 100.96.0.0/22 from leaving eth0 in the clear along the default route. For a permanent link use auto=route instead, which installs a trap policy that starts the negotiation on demand and does not let matching packets out unprotected, or add a firewall rule that drops traffic to those networks unless it is covered by an IPsec policy.
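A successful ping only shows that the bundle interface answered; it does not show that all three CHILD_SAs are installed with the intended traffic selectors and proposals. The following script is an added example and not part of the original page: it parses the output of strongswan statusall and reports any of the three connections that is missing, has the wrong selector, or negotiated an ESP proposal without AES-256 and PFS. The connection names and subnets are those of the ipsec.conf above; the sample status text is constructed by hand (it was not captured from a real CMTS) and uses the documentation addresses 203.0.113.10 for the cloud VM and 198.51.100.20 for the CMTS.

```shell
#!/bin/sh
# Added example: check `strongswan statusall` for the three expected CHILD_SAs.
# In production run:  strongswan statusall | check_child_sas

LOCAL_NET=172.20.0.0/22
# "conn:remote-subnet" pairs, one per connection in ipsec.conf
EXPECTED="cmts-cm:10.0.0.0/19 cmts-cpepriv:100.64.0.0/22 cmts-mta:100.96.0.0/22"

# Constructed sample of `strongswan statusall` output (hand-written, documentation IPs).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     cmts-cm[1]: ESTABLISHED 12 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     cmts-cm[1]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 8170f6e5d4c3b2a1_r, pre-shared key reauthentication in 2 hours
     cmts-cm[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
     cmts-cm{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1d2e3f4_i 0a1b2c3d_o
     cmts-cm{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
     cmts-cm{1}:   172.20.0.0/22 === 10.0.0.0/19
     cmts-cpepriv{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2d3e4f5_i 0b1c2d3e_o
     cmts-cpepriv{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
     cmts-cpepriv{2}:   172.20.0.0/22 === 100.64.0.0/22
     cmts-mta{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c3d4e5f6_i 0c1d2e3f_o
     cmts-mta{3}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
     cmts-mta{3}:   172.20.0.0/22 === 100.96.0.0/22'

# check_child_sa CONN SUBNET: inspect the CHILD_SA lines of one connection in $STATUS.
# Prints a reason and returns 1 on the first problem found, returns 0 if it looks right.
check_child_sa() {
    conn=$1
    subnet=$2
    # only the "conn{N}:" lines belong to the CHILD_SA; "conn[N]:" lines are the IKE_SA
    lines=$(printf '%s\n' "$STATUS" | grep "^ *${conn}{[0-9]*}:" || true)
    printf '%s\n' "$lines" | grep -q "INSTALLED, TUNNEL" \
        || { echo "$conn: no CHILD_SA installed"; return 1; }
    printf '%s\n' "$lines" | grep -q " ${LOCAL_NET} === ${subnet}\$" \
        || { echo "$conn: traffic selector ${LOCAL_NET} === ${subnet} missing"; return 1; }
    # ESP proposal must be AES-256 and carry a DH group, i.e. PFS was negotiated
    printf '%s\n' "$lines" | grep -q "AES_CBC_256/.*MODP_[0-9]*," \
        || { echo "$conn: ESP proposal is not AES-256 with PFS"; return 1; }
    return 0
}

# check_child_sas: read `strongswan statusall` output from stdin and return the number
# of problems found (0 means an IKE_SA is up and every expected tunnel is healthy).
check_child_sas() {
    STATUS=$(cat)
    failures=0
    printf '%s\n' "$STATUS" | grep -q "]: ESTABLISHED " \
        || { echo "no IKE_SA established"; failures=1; }
    for pair in $EXPECTED; do
        check_child_sa "${pair%%:*}" "${pair#*:}" || failures=$((failures + 1))
    done
    return "$failures"
}

# Healthy case: the constructed sample contains all three tunnels.
if printf '%s\n' "$SAMPLE_STATUS" | check_child_sas; then
    echo "all tunnels healthy"
fi
# Failure case: the same sample without the MTA tunnel, as after a failed `strongswan up cmts-mta`.
printf '%s\n' "$SAMPLE_STATUS" | grep -v cmts-mta | check_child_sas \
    || echo "problems found: $?"
```

The return value is the number of unhealthy tunnels, so the script can be dropped into a cron job or monitoring check as is; the three grep patterns are deliberately tied to the strongSwan status format for the names in ipsec.conf, and the proposal check will also flag a tunnel that was renegotiated without a DH group, which is the case the CMTS side guards against with set pfs group5.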