Cloud Only: Add the CMTS-Tunnel

Owned by Robin Sachse
Last updated: Jul 18, 2019 by Martin Zimmerling
2 min read

To tunnel the traffic between the Cloud VM and the remote CMTS we use IPsec, since it is the protocol supported by most CMTS vendors. On the linux side we use strongSwan as a robust and feature-rich IPsec implementation.

In this scenario we want to tunnel the three Bundle interface IP networks:

  • 10.0.0.0/19 (CM)
  • 100.64.0.0/22 (CPEpriv)
  • 100.96.0.0/22 (MTA)

On the provisioning server side the network is:

  • 172.20.0.0/22 (Management)


Both provisioning server (<cloud-ip>) and CMTS (<cmts-ip>) have public IP addresses, over which the IPsec tunnel is established. Note that <secret> needs to be replaced by a pre-shared key (of your choosing) in the following configurations. See https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html as reference.

Cisco CMTS configuration

! limit esp and isakmp to <cloud-ip> address
ip access-list extended IPSEC-IN
 permit esp host <cloud-ip> host <cmts-ip>
 permit udp host <cloud-ip> host <cmts-ip> eq isakmp
 permit udp host <cloud-ip> host <cmts-ip> eq non500-isakmp
 deny esp any host <cmts-ip>
 deny udp any host <cmts-ip> eq isakmp
 deny udp any host <cmts-ip> eq non500-isakmp
 permit ip any any

! networks to be tunneled
ip access-list extended NMS-NETS
 remark CM-IPs
 permit ip 10.0.0.0 0.0.31.255 172.20.0.0 0.0.3.255
 remark CPE-PRIV-IPs
 permit ip 100.64.0.0 0.0.3.255 172.20.0.0 0.0.3.255
 remark MTA-IPs
 permit ip 100.96.0.0 0.0.3.255 172.20.0.0 0.0.3.255

crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <secret> address <cloud-ip>

crypto ipsec transform-set NMS-TS esp-aes 256 esp-sha-hmac

crypto map NMS-CMAP 10 ipsec-isakmp
 set peer <cloud-ip>
 set transform-set NMS-TS
 set pfs group5
 match address NMS-NETS

! choose the interface with the public ip address <cmts-ip>
interface GigabitEthernet0/1
 ip access-group IPSEC-IN in
 crypto map NMS-CMAP

Linux setup and configuration

# if you are logged in with your normal user you have to become root now
sudo su -

# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22 
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=172.20.0.1
NETMASK=255.255.255.0
EOF

# disable automatic updating of /etc/resolv.conf
cat << EOF >> /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=127.0.0.1
PEERDNS=no
EOF

# clear resolv.conf once
echo "" > /etc/resolv.conf

# install strongswan
yum install -y strongswan

# add ipsec config and use the internal IP of your instance for the <cloud-ip>
cat << EOF >> /etc/strongswan/ipsec.conf
conn cmts-cm
        left=<cloud-ip>
        leftsubnet=172.20.0.0/22
        leftid=<cloud-ip>
        leftfirewall=yes
        right=<cmts-ip>
        rightsubnet=10.0.0.0/19
        rightid=<cmts-ip>
        auto=start
        ike=aes256-sha-modp1536
        esp=aes256-sha1-modp1536
        keyexchange=ikev1
        authby=secret

conn cmts-cpepriv
        also=cmts-cm
        rightsubnet=100.64.0.0/22

conn cmts-mta
        also=cmts-cm
        rightsubnet=100.96.0.0/22
EOF

# add pre-shared key
echo '<cloud-ip> <cmts-ip> : PSK "<secret>"' >> /etc/strongswan/ipsec.secrets

# restart network
systemctl restart network.service

# enable strongswan
systemctl enable strongswan
systemctl start strongswan