
Table of Contents

IPSec to MPLS Service Models
Configuring the IPSec to MPLS Service Model
Configuring GRE+IPSec to MPLS Service Model

IPSec to MPLS Service Models


This chapter describes how to configure the IPSec to MPLS and GRE+IPSec to MPLS service models for the Cisco Network-Based IPSec VPN Release 1.5.

Configuring the IPSec to MPLS Service Model

In the IPSec to MPLS configuration, the service provider has an existing MPLS backbone and operates an MPLS VPN that interconnects all customer sites. This includes remote customer sites that are part of the MPLS VPN.

This configuration enables secure off-net access to MPLS VPNs through IPSec. It allows MPLS providers to extend access to their on-net MPLS VPNs to include worldwide Internet access. Customers who wish to deploy a dynamic routing model can use GRE combined with IPSec (see Configuring GRE+IPSec to MPLS Service Model).

A remote customer site initiates an IPSec session from the CE that terminates on a unique interface on the aggregating Cisco 7200 PE. The Cisco 7200 PE then maps the site from the interface to its respective VPN.

Each VPN is associated with one or more VPN routing and forwarding instances (VRFs). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and a set of interfaces that use this forwarding table. A VRF provides multiple routing instances within an IPSec aggregator, each independent of the others. You can associate the VRF with one or more VPNs.

As a provider edge (PE) router on the MPLS network, the Cisco 7200 series router advertises the connected routes to the remote PEs containing the same VPN.

Before You Begin

The procedures provided here are specific to configuring IPSec to MPLS and are based on the following assumptions:

1. That the following setup and configuration tasks have already been completed:

2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use to implement those features (for example, which of several strategies to use for address management or for user authentication and authorization).

IPSec to MPLS Configuration Checklist

This section deals with configuring the router to function as both the IPSec Aggregator and the PE router.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.


Note   Read the Release Notes, which supplement and, if different, take precedence over information here.

Table 2-1   IPSec to MPLS Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure VRFs

Task 3: Enable CEF Switching

Task 4: Configure the Keyring

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Task 6: Configure DPD Keepalives

Task 7: Configure Client Group for Local Authorization

Task 8: Configure ISAKMP Profile for VPN Sites

Task 9: Configure Dynamic VRF Association for VPN Sites

Task 10: Configure ISAKMP Profile for VPN Clients

Task 11: Configure Dynamic VRF Association for VPN Clients

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Task 13: Configure the Transform Set for Data Encryption

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Task 15: Configure ISAKMP Client Profile Reference

Task 16: Configure RRI

Task 17: Configure Static Crypto Map for Sites

Task 18: Configure ISAKMP Site Profile Reference

Task 19: Configure Dynamic Crypto Map for Clients

Task 20: Configure BGP Peering Source Interface

Task 21: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 22: Configure Interface for Tag Switching

Task 23: Configure IGP Used in Core for BGP Access

Task 24: Configure BGP to Carry VPN Routes

Task 25: Configure Peers to Receive VPNv4 Routes

Task 26: Configure IPv4 Address-Family for Each VPN

Task 27: Configure Pool to Distribute IP Addresses to VPN Clients

Task 28: Configure Global Default Route

Task 29: Configure Static VPN Routes

Task 30: Configure the Crypto Access List to Define Traffic to be Encrypted

IPSec to MPLS Configuration Tasks

Typical IPSec to MPLS configuration tasks are shown below. Refer to the section titled IPSec to MPLS Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Command Purpose
Step 1 

aaa authentication login

Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2 

aaa authorization

Set parameters that restrict user access to a network.

Task 2: Configure VRFs

Command Purpose
Step 1 

ip vrf

Configure a VPN routing and forwarding (VRF) routing table.

Step 2 

rd route-distinguisher

Create routing and forwarding tables for a VRF.

Step 3 

route-target {import | export | both}

Create a route-target extended community for a VRF.

Task 3: Enable CEF Switching

Command Purpose
Step 1 

ip cef

Enable Cisco Express Forwarding (CEF).

Step 2 

mpls label protocol {ldp | tdp}

Specify the default label distribution protocol.

Step 3 

tag-switching ip default-route

Enable the distribution of labels associated with the IP default route.

Task 4: Configure the Keyring

Command Purpose
Step 1 

crypto keyring keyring-name [vrf fvrf]

Configure a new keyring for the shared secret keys to be used during Internet Key Exchange (IKE) authentication.

Step 2 

pre-shared-key {address address [mask] | hostname hostname} key key

Configure the addressed preshared key to be used during IKE authentication.

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Command Purpose
Step 1 

crypto isakmp policy priority

Configure an IKE policy.

Step 2 

encryption {des | 3des | aes | aes 192 | aes 256}

Specify the encryption algorithm within an IKE policy.

Step 3 

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method within an IKE policy.

Task 6: Configure DPD Keepalives

Command Purpose

 

crypto isakmp keepalive secs retries

Allow the gateway to send dead peer detection (DPD) messages to the router.

Task 7: Configure Client Group for Local Authorization

Command Purpose
Step 1 

crypto isakmp client configuration group {group-name | default}

Specify which group's policy profile will be defined.

Step 2 

key name

Configure the IKE preshared key for group policy attribute definition.

Step 3 

pool name

Configure a local pool address.

Task 8: Configure ISAKMP Profile for VPN Sites

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 9: Configure Dynamic VRF Association for VPN Sites

Command Purpose
Step 1 

vrf name

Associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name.

Step 2 

keyring keyring-name

Associate a keyring with an isakmp profile.

Step 3 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 10: Configure ISAKMP Profile for VPN Clients

Command Purpose
Step 1 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Step 2 

vrf name

Associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name.


Note   Remote sites can be configured to match each peer; this is done with sequence numbers in the crypto map definition. The peer can be matched on IP address or hostname. The IP address match list for traffic to be encrypted is also defined for each peer. In the case of VPN clients, the dynamic profile defined earlier is used to match the clients.

Task 11: Configure Dynamic VRF Association for VPN Clients

Command Purpose
Step 1 

vrf name

Associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name. See the vrf command for information on using this command.

Step 2 

match identity group-name

Match an acceptable Phase 1 identity from a peer to a Unity group.

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Command Purpose
Step 1 

client authentication list list-name

Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during authentication, authorization, and accounting (AAA) configuration.

Step 2 

isakmp authorization list list-name

Configure group authorization IKE querying of AAA for tunnel attributes in aggressive mode.

Step 3 

client configuration address [initiate | respond]

Configure IKE mode configuration (Mode-Config).

Task 13: Configure the Transform Set for Data Encryption

Command Purpose

 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Define the transform set.

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Command Purpose
Step 1 

crypto dynamic-map dynamic-map-name dynamic-seq-num

Create a dynamic crypto map entry and enter the crypto map configuration command mode.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 15: Configure ISAKMP Client Profile Reference

Command Purpose

 

set isakmp-profile profile-name

Set the ISAKMP profile name for client.

Task 16: Configure RRI

Command Purpose

 

reverse-route [remote-peer]

Create source proxy information for a crypto map entry through RRI.

Task 17: Configure Static Crypto Map for Sites

Command Purpose
Step 1 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2 

set peer {hostname | ip-address}

Specify an IP Security peer in a crypto map entry.

Step 3 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 18: Configure ISAKMP Site Profile Reference

Command Purpose
Step 1 

set isakmp-profile profile-name

Set the ISAKMP profile name reference.

Step 2 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 19: Configure Dynamic Crypto Map for Clients

Command Purpose

 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 20: Configure BGP Peering Source Interface

Command Purpose
Step 1 

interface type

Configure a loopback interface (emulates an interface that is always up).

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Task 21: Configure Internet-Facing Interface and Corresponding Crypto Maps

Command Purpose
Step 1 

interface type

Configure a loopback interface (emulates an interface that is always up).

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

crypto map map-name

Apply a previously defined crypto map set to an interface.


Note   Each interface services one VPN as the IPSec tunnel endpoint for both the sites and clients.

Task 22: Configure Interface for Tag Switching

Command Purpose
Step 1 

interface type

Configure a loopback interface (emulates an interface that is always up).

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a VLAN.

Step 4 

tag-switching ip

Allow label switching of IPv4 packets.

Task 23: Configure IGP Used in Core for BGP Access

Command Purpose
Step 1 

router ospf process-id

Configure an OSPF routing process.

Step 2 

log-adjacency-changes

Generate a log message.

Step 3 

network ip-address wildcard-mask area area-id

Configure the interfaces on which OSPF runs and define the area ID for those interfaces.

Task 24: Configure BGP to Carry VPN Routes

Command Purpose
Step 1 

router bgp as-number

Configure the BGP routing process.

Step 2 

no synchronization

Disable the synchronization between BGP and your Interior Gateway Protocol (IGP) system.

Step 3 

bgp log-neighbor-changes

Enable logging of BGP neighbor resets.

Step 4 

neighbor {ip-address | peer-group-name} remote-as number

Add an entry to the BGP neighbor table.

Step 5 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Task 25: Configure Peers to Receive VPNv4 Routes

Command Purpose
Step 1 

address-family

Enter the address family submode for configuring routing protocols such as BGP, RIP, and static routing.

Step 2 

neighbor {ip-address | peer-group-name} activate

Enable the exchange of information with a neighboring router.

Step 3 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 4 

exit-address-family

Exit from the address family configuration submode.

Task 26: Configure IPv4 Address-Family for Each VPN

Command Purpose
Step 1 

address-family

Enter the address family submode for configuring routing protocols such as BGP, RIP, and static routing.

Step 2 

redistribute protocol

Redistribute routes from one routing domain into another routing domain.

Step 3 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 4 

no synchronization

Disable the synchronization between BGP and your IGP system.

Step 5 

exit-address-family

Exit from the address family configuration submode.

Task 27: Configure Pool to Distribute IP Addresses to VPN Clients

Command Purpose

 

ip local pool {default | pool-name low-ip-address [high-ip-address]}

Configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

Task 28: Configure Global Default Route

Command Purpose

 

ip route network-number network-mask {ip-address | interface-name} [distance] [name name]

Establish static routes and define the next hop for large-scale dial-out.

Task 29: Configure Static VPN Routes

Command Purpose

 

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]

Establish static routes for a VPN routing and forwarding (VRF) instance.

Task 30: Configure the Crypto Access List to Define Traffic to be Encrypted

Command Purpose

 

access-list access-list-number {deny | permit} source [source-wildcard] [log]

Configure a standard IP access list.

IPSec to MPLS Configuration Sample

Figure 2-1 illustrates the following IPSec to MPLS configuration.


Figure 2-1   IPSec to MPLS Configuration
pe1#sh run
Building configuration...
Current configuration : 3874 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pe1
enable password cisco
!
username cisco password 0 cisco
aaa new-model

Step 1   Configure Authentication and Authorization for RADIUS.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero
no ip domain lookup
!

Step 2   Configure the VRFs.

ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1
!

Step 3   Enable CEF switching.

ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
tag-switching ip default-route

Step 4   Configure the keyring VPN.

crypto keyring vpn1
pre-shared-key address 20.1.1.1 key cisco123
pre-shared-key address 40.1.1.2 key cisco123

Step 5   Configure the ISAKMP policy for Phase 1 negotiations.

crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 6   Configure DPD keepalives.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 7   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 8   Configure ISAKMP profile for VPN sites.

crypto isakmp profile vpn1

Step 9   Configure dynamic VRF association for sites.

vrf vpn1
keyring vpn1
match identity address 20.1.1.1 255.255.255.255
match identity address 40.1.1.2 255.255.255.255

Step 10   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez
vrf vpn1

Step 11   Configure dynamic VRF association for VPN clients.

match identity group ezvpn

Step 12   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 13   Configure the transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac

Step 14   Configure dynamic crypto map and apply transform set.

crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 15   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 16   Configure RRI.

reverse-route

Step 17   Configure static crypto map for sites.

crypto map vpn 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set tset1

Step 18   Configure ISAKMP site profile reference.

set isakmp-profile vpn1
match address 101

Step 19   Configure Dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna
!

Step 20   Configure BGP peering source interface.

interface Loopback0
ip address 99.1.1.1 255.255.255.255
!

Step 21   Configure Internet-facing interfaces and corresponding crypto maps.

interface FastEthernet2/0
no ip address
duplex auto
speed auto
!
interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.2 255.255.255.0
crypto map vpn
!

Step 22   Configure the interface for tag switching.

interface FastEthernet2/1
no ip address
duplex auto
speed auto
!
interface FastEthernet2/1.1
encapsulation dot1Q 10
ip address 125.1.10.2 255.255.255.0
tag-switching ip
!

Step 23   Configure the IGP used in the core for BGP reachability.

router ospf 1
log-adjacency-changes
network 99.1.1.1 0.0.0.0 area 0
network 125.1.10.0 0.0.0.255 area 0

Step 24   Configure BGP to carry VPN routes.

router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 99.1.1.3 remote-as 100
neighbor 99.1.1.3 update-source Loopback0
no auto-summary

Step 25   Configure peers to receive VPNv4 routes.

address-family vpnv4
neighbor 99.1.1.3 activate
neighbor 99.1.1.3 send-community both
no auto-summary
exit-address-family

Step 26   Configure IPv4 address-family for each VPN.

address-family ipv4 vrf vpn1
redistribute static
no auto-summary
no synchronization
exit-address-family

Step 27   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.1.1 192.168.1.254
ip classless

Step 28   Configure the global default route for public IP addresses.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1

Step 29   Configure static VPN routes if not using an IGP within the VPN.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1 global
no ip http server
no ip http secure-server

Step 30   Configure the crypto access list to define traffic to be encrypted.

access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255



Configuring GRE+IPSec to MPLS Service Model

The GRE+IPSec to MPLS configuration is an extension of IPSec to MPLS. This configuration differs from the preceding IPSec to MPLS configuration in that a GRE tunnel transports routing updates between the remote CPE and the IPSec-aggregator/PE instead of IPSec. The configuration shows GRE+IPSec for site-to-site while still supporting client termination.

Before You Begin

The procedures provided here are specific to configuring GRE+IPSec to MPLS and are based on the following assumptions:

1. That the following setup and configuration tasks have already been completed:

2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use to implement those features (for example, which of several strategies you will use for address management or for user authentication and authorization).

GRE+IPSec to MPLS Configuration Checklist

This section deals with configuring the router to function as both the IPSec Aggregator and the PE router.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 2-2   GRE+IPSec to MPLS Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure the VRFs

Task 3: Enable CEF Switching

Task 4: Configure the Keyring

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Task 6: Configure DPD Keepalives

Task 7: Configure Client Group for Local Authorization

Task 8: Configure ISAKMP Profile for VPN Sites

Task 9: Configure Dynamic VRF Association for VPN Sites

Task 10: Configure XAUTH, Group Authorization, and Mode-Config

Task 11: Configure ISAKMP Profile for GRE

Task 12: Configure the Transform Set for Data Encryption

Task 13: Configure IPSec Profile for GRE and Apply Transform Set

Task 14: Configure ISAKMP Client Profile Reference

Task 15: Configure RRI

Task 16: Configure Dynamic Crypto Map for Clients

Task 17: Configure GRE Tunnel to Customer Site

Task 18: Configure IPSec Profile

Task 19: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 20: Configure Interface for Tag Switching

Task 21: Configure the IGP Used in the Core

Task 22: Configure Routing Protocol Across GRE Tunnel

Task 23: Configure Address Family Definition per VRF

Task 24: Redistribute VPN Routes Learned Through BGP

Task 25: Configure BGP to Carry VPN Routes

Task 26: Configure Peers to Receive VPNv4 Routes

Task 27: Configure IPv4 Address-Family for Each VPN

Task 28: Redistribute Routes Learned Over GRE Into VPN

Task 29: Configure Pool to Distribute IP Addresses to VPN Clients

Task 30: Configure Global Default Route

GRE+IPSec to MPLS Configuration Tasks

Typical GRE+IPSec to MPLS configuration tasks are shown below. Refer to the section titled GRE+IPSec to MPLS Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Command Purpose
Step 1 

aaa authentication login

Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2 

aaa authorization

Set parameters that restrict user access to a network.

Task 2: Configure the VRFs

Command Purpose
Step 1 

ip vrf

Configure a VPN routing and forwarding (VRF) routing table.

Step 2 

rd route-distinguisher

Create routing and forwarding tables for a VRF.

Step 3 

route-target {import | export | both}

Create a route-target extended community for a VRF.

Task 3: Enable CEF Switching

Command Purpose
Step 1 

ip cef

Enable Cisco Express Forwarding (CEF).

Step 2 

mpls label protocol {ldp | tdp}

Specify the default label distribution protocol.

Step 3 

tag-switching ip default-route

Enable the distribution of labels associated with the IP default route.

Task 4: Configure the Keyring

Command Purpose
Step 1 

crypto keyring keyring-name [vrf fvrf]

Configure a new keyring for the shared secret keys to be used during Internet Key Exchange (IKE) authentication.

Step 2 

pre-shared-key {address address [mask] | hostname hostname} key key

Configure the addressed preshared key to be used during IKE authentication.

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Command Purpose
Step 1 

crypto isakmp policy priority

Configure an IKE policy.

Step 2 

encryption {des | 3des | aes | aes 192 | aes 256}

Specify the encryption algorithm within an IKE policy.

Step 3 

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method within an IKE policy.

Task 6: Configure DPD Keepalives

Command Purpose

 

crypto isakmp keepalive secs retries

Allow the gateway to send dead peer detection (DPD) messages to the router.

Task 7: Configure Client Group for Local Authorization

Command Purpose
Step 1 

crypto isakmp client configuration group {group-name | default}

Specify which group's policy profile will be defined.

Step 2 

key name

Configure the IKE preshared key for group policy attribute definition.

Step 3 

pool name

Configure a local pool address.

Task 8: Configure ISAKMP Profile for VPN Sites

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 9: Configure Dynamic VRF Association for VPN Sites

Command Purpose
Step 1 

vrf name

Associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name.

Step 2 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 10: Configure XAUTH, Group Authorization, and Mode-Config

Command Purpose
Step 1 

client authentication list list-name

Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration.

Step 2 

isakmp authorization list list-name

Configure group authorization IKE querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode.

Step 3 

client configuration address [initiate | respond]

Configure IKE mode configuration (Mode-Config).

Task 11: Configure ISAKMP Profile for GRE

Command Purpose
Step 1 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Step 2 

keyring keyring-name

Associate a keyring with an isakmp profile.

Step 3 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.


Note   You can configure the remote sites to match each peer using sequence numbers in the crypto map definition. You can match the peer on IP address or hostname. The IP address match list for traffic to be encrypted is also defined for each peer. In the case of VPN clients, the dynamic profile defined earlier is used to match the clients.

Task 12: Configure the Transform Set for Data Encryption

Command Purpose

 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Define the transform set.

Task 13: Configure IPSec Profile for GRE and Apply Transform Set

Command Purpose
Step 1 

crypto ipsec profile name

Define the IP Security (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 14: Configure ISAKMP Client Profile Reference

Command Purpose

 

set isakmp-profile profile-name

Set the ISAKMP profile name for client.

Task 15: Configure RRI

Command Purpose

 

reverse-route [remote-peer]

Create source proxy information for a crypto map entry through RRI.

Task 16: Configure Dynamic Crypto Map for Clients

Command Purpose

 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 17: Configure GRE Tunnel to Customer Site

Command Purpose
Step 1 

interface type

Configure an interface type and enter interface configuration mode.

Step 2 

ip vrf forwarding vrf-name

Associate a VPN routing and forwarding (VRF) instance with an interface or subinterface.

Step 3 

ip address ip-address mask

Set an IP address for an interface.

Step 4 

tunnel source {ip-address | type number}

Set source address for a tunnel interface.

Step 5 

tunnel destination {hostname | ip-address}

Specify the destination for a tunnel interface.

Task 18: Configure IPSec Profile

Command Purpose

 

tunnel protection ipsec-profile name

Associate a tunnel interface with an IPSec profile.

Task 19: Configure Internet-Facing Interface and Corresponding Crypto Maps

Command Purpose
Step 1 

interface type

Configure a loopback interface (emulates an interface that is always up).

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

crypto map map-name

Apply a previously defined crypto map set to an interface.


Note   Each interface services one VPN as the IPSec tunnel endpoint for both the sites and clients.

Task 20: Configure Interface for Tag Switching

Command Purpose
Step 1 

interface type

Configure a loopback interface (emulates an interface that is always up).

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

tag-switching ip

Allow label switching of IPv4 packets.

Task 21: Configure the IGP Used in the Core

Command Purpose
Step 1 

router ospf process-id

Configure an OSPF routing process.

Step 2 

log-adjacency-changes

Generate a log message.

Step 3 

network ip-address wildcard-mask area area-id

Configure the interfaces on which OSPF runs and define the area ID for those interfaces.

Task 22: Configure Routing Protocol Across GRE Tunnel

Command Purpose
Step 1 

router rip

Configure the Routing Information Protocol (RIP) routing process.

Step 2 

version {1 | 2}

Specify a RIP version used globally by the router.

Task 23: Configure Address Family Definition per VRF

Command Purpose
Step 1 

address-family

Enter the address family submode for configuring routing protocols such as BGP, RIP, and static routing.

Step 2 

version {1 | 2}

Specify a RIP version used globally by the router.

Task 24: Redistribute VPN Routes Learned Through BGP

Command Purpose
Step 1 

redistribute protocol

Redistribute routes from one routing domain into another routing domain.

Step 2 

network ip-address

Specify a list of networks for the Routing Information Protocol (RIP) routing process.

Step 3 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 4 

exit-address-family

Exit from the address family configuration submode.

Task 25: Configure BGP to Carry VPN Routes

Command Purpose
Step 1 

router bgp as-number

Configure the BGP routing process.

Step 2 

no synchronization

Disable the synchronization between BGP and your Interior Gateway Protocol (IGP) system.

Step 3 

bgp log-neighbor-changes

Enable logging of BGP neighbor resets.

Step 4 

neighbor {ip-address | peer-group-name} remote-as number

Add an entry to the BGP neighbor table.

Step 5 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Task 26: Configure Peers to Receive VPNv4 Routes

Command Purpose
Step 1 

address-family

Enter the address family submode for configuring routing protocols such as BGP, RIP, and static routing.

Step 2 

neighbor {ip-address | peer-group-name} activate

Enable the exchange of information with a neighboring router.

Step 3 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 4 

exit-address-family

Exit from the address family configuration submode.

Task 27: Configure IPv4 Address-Family for Each VPN

Command Purpose
Step 1 

address-family

Enter the address family submode for configuring routing protocols such as BGP, RIP, and static routing.

Step 2 

redistribute protocol

Redistribute routes from one routing domain into another routing domain.

Step 3 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 4 

no synchronization

Disable the synchronization between BGP and your Interior Gateway Protocol (IGP) system.

Step 5 

exit-address-family

Exit from the address family configuration submode.

Task 28: Redistribute Routes Learned Over GRE Into VPN

Command Purpose
Step 1 

redistribute protocol

Redistribute routes from one routing domain into another routing domain.

Step 2 

no auto-summary

Disable the default behavior of automatic summarization of subnet routes into network-level routes.

Step 3 

no synchronization

Disable the synchronization between BGP and your Interior Gateway Protocol (IGP) system.

Step 4 

exit-address-family

Exit from the address family configuration submode.

Task 29: Configure Pool to Distribute IP Addresses to VPN Clients

Command Purpose
Step 1 

ip local pool {default | pool-name low-ip-address [high-ip-address]}

Configure a local pool of IP addresses assigned to VPN clients through mode configuration; the pool is referenced by name from the crypto isakmp client configuration group.

Step 2 

ip classless

Configure the router to send any packets it receives that are destined for a subnet of a network that has no network default route to the best supernet route possible.

Task 30: Configure Global Default Route

Command Purpose

ip route network-number network-mask {ip-address | interface-name} [distance] [name name]

Establish a static default route (0.0.0.0 0.0.0.0) in the global routing table toward the Internet-facing next hop, so that remote IPSec peers and the GRE tunnel destination are reachable.

GRE+IPSec to MPLS Configuration Sample

Figure 2-2 illustrates the following GRE+IPSec to MPLS configuration.

Figure 2-2   GRE+IPSec to MPLS configuration
Building configuration...
Current configuration : 4093 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname pe2
username cisco password 0 cisco
aaa new-model
!

Step 1   Configure the AAA authentication and authorization lists used for VPN clients. This sample points both lists (localist) at the local user database, that is, the username entry above; in production, point them at a RADIUS server group instead, and do not carry a type 0 password together with no service password-encryption in the configuration.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero
no ip domain lookup

Step 2   Configure VRFs.

ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1

Step 3   Configure CEF and MPLS label distribution (LDP).

ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
tag-switching ip default-route

Step 4   Configure the keyring that holds the pre-shared key for the GRE peer (20.1.2.1).

crypto keyring gre
pre-shared-key address 20.1.2.1 key cisco123
!

Step 5   Configure the ISAKMP policies for Phase 1 negotiation. Policy 1 sets no encr and therefore negotiates the IOS default of DES; policy 2 sets no group and therefore uses the default Diffie-Hellman group 1. State both values explicitly (at least encr 3des and group 2) before using this sample in production.

crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 6   Configure ISAKMP keepalives (DPD) and the XAUTH response timeout.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 7   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 8   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez

Step 9   Configure dynamic VRF association for VPN clients.

vrf vpn1
match identity group ezvpn

Step 10   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 11   Configure ISAKMP profile for GRE.

crypto isakmp profile gre
keyring gre
match identity address 20.1.2.1 255.255.255.255

Step 12   Configure the transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac

Step 13   Configure IPSec profile for GRE and apply transform set.

crypto ipsec profile gre
set transform-set tset1
set isakmp-profile gre
crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 14   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 15   Configure reverse route injection (RRI), which installs a static route for each connected client's address so that it can be redistributed into the VPN.

reverse-route

Step 16   Configure dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna
!
interface Loopback0
ip address 99.1.1.2 255.255.255.255

Step 17   Configure encrypted GRE tunnel to customer site.

interface Tunnel1
ip vrf forwarding vpn1
ip address 12.1.1.1 255.255.255.252
tunnel source 30.1.1.3
tunnel destination 20.1.2.1

Step 18   Apply the IPSec profile to the tunnel (tunnel protection).

tunnel protection ipsec profile gre
!
interface FastEthernet2/0
no ip address
duplex auto
speed auto

Step 19   Configure the Internet-facing interface and apply the crypto map to it.

interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.3 255.255.255.0
crypto map vpn
!
interface FastEthernet2/1
no ip address
duplex auto
speed auto

Step 20   Configure interface for tag switching.

interface FastEthernet2/1.1
encapsulation dot1Q 10
ip address 125.1.10.3 255.255.255.0
tag-switching ip

Step 21   Configure IGP used in core.

router ospf 1
log-adjacency-changes
network 99.1.1.2 0.0.0.0 area 0
network 125.1.10.0 0.0.0.255 area 0

Step 22   Configure routing protocol across the GRE tunnel.

router rip
version 2

Step 23   Configure address family definition per VRF.

address-family ipv4 vrf vpn1
version 2

Step 24   Redistribute VPN routes learned through BGP.

redistribute bgp 100 metric 1
network 12.0.0.0
no auto-summary
exit-address-family

Step 25   Configure BGP to carry VPN routes.

router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 99.1.1.3 remote-as 100
neighbor 99.1.1.3 update-source Loopback0
no auto-summary

Step 26   Configure peers to receive VPNv4 routes.

address-family vpnv4
neighbor 99.1.1.3 activate
neighbor 99.1.1.3 send-community both
no auto-summary
exit-address-family

Step 27   Configure the IPv4 address family for each VPN and redistribute static routes, including the routes that RRI installs in the VRF for connected VPN clients.

address-family ipv4 vrf vpn1
redistribute static

Step 28   Redistribute routes learned over GRE into VPN.

redistribute rip
no auto-summary
no synchronization
exit-address-family

Step 29   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.2.1 192.168.2.254
ip classless

Step 30   Configure global default route.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1
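The sample above is normally reviewed by eye. As an added example (not part of this guide or of Cisco's software), the following Python script performs the checks a security reviewer applies to a configuration of this kind: credentials left readable in the running-config, ISAKMP policies that silently inherit the IOS defaults (DES when encr is omitted, Diffie-Hellman group 1 when group is omitted), dangling references between crypto dynamic-map, crypto ipsec profile, crypto isakmp profile and ip vrf, and, the point specific to the IPSec to MPLS model, whether every peer is actually bound to a VRF: a remote-access client arriving through the dynamic crypto map gets its VRF only from the vrf statement in its ISAKMP profile, while a GRE peer may inherit it from ip vrf forwarding on the tunnel interface. The embedded CONFIG is a constructed excerpt of the pe2 sample, re-indented with the single leading space that show running-config prints; the block parser depends on that indentation.

```python
"""Static audit of a VRF-aware IPSec (IPSec to MPLS) IOS running-config."""
import re
from collections import defaultdict

# Constructed excerpt of the pe2 sample above, re-indented the way IOS prints
# sub-commands (one leading space) so the parser can nest them under headers.
CONFIG = """\
username cisco password 0 cisco
no service password-encryption
ip vrf vpn1
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
crypto isakmp profile vpn1-ez
 vrf vpn1
 match identity group ezvpn
crypto isakmp profile gre
 match identity address 20.1.2.1 255.255.255.255
crypto ipsec profile gre
 set isakmp-profile gre
crypto dynamic-map dyna 1
 set isakmp-profile vpn1-ez
interface Tunnel1
 ip vrf forwarding vpn1
 tunnel protection ipsec profile gre
"""
# Block kinds we index: (kind, regex whose group 1 is the block's name).
PATTERNS = (
    ("vrf", r"ip vrf (\S+)"), ("policy", r"crypto isakmp policy (\S+)"),
    ("isakmp", r"crypto isakmp profile (\S+)"), ("ipsec", r"crypto ipsec profile (\S+)"),
    ("dyn", r"crypto dynamic-map (\S+) \d+"), ("intf", r"interface (\S+)"),
)

def parse(text):
    """Index blocks as heads[kind][name] -> lines (lines[0] is the header)."""
    heads, singles, lines = defaultdict(dict), set(), []
    for raw in text.splitlines():
        if raw.startswith(" "):            # sub-command of the current block
            lines.append(raw.strip())
            continue
        lines = [raw]                      # column 0: a new block header
        for kind, pat in PATTERNS:
            m = re.fullmatch(pat, raw)
            if m:
                heads[kind][m.group(1)] = lines
                break
        else:                              # unindexed one-liner (username, service ...)
            singles.add(raw)
    return heads, singles

def arg(lines, prefix):
    """Text after `prefix ` on the first matching line, else None."""
    return next((ln[len(prefix) + 1:] for ln in lines if ln.startswith(prefix + " ")), None)

def audit(text):
    """Return sorted findings: weak settings, dangling references, VRF gaps."""
    heads, singles = parse(text)
    out, isakmp = [], heads["isakmp"]
    def need(kind, name, where):           # every named reference must resolve
        if name is not None and name not in heads[kind]:
            out.append(f"{where}: references undefined {kind} '{name}'")
    # Credentials kept readable in the running-config.
    if "no service password-encryption" in singles:
        out.append("global: no service password-encryption")
    out += [f"global: cleartext password for {s.split()[1]}"
            for s in singles if re.match(r"username \S+ password 0 ", s)]
    # ISAKMP policies that silently inherit the weak IOS defaults.
    for name, lines in heads["policy"].items():
        if arg(lines, "encr") is None:
            out.append(f"isakmp policy {name}: no encr, defaults to DES")
        if arg(lines, "group") is None:
            out.append(f"isakmp policy {name}: no group, defaults to DH group 1")
    # Cross-references that must resolve for the per-VRF mapping to work.
    for name, lines in isakmp.items():
        need("vrf", arg(lines, "vrf"), f"isakmp profile {name}")
    for kind in ("ipsec", "dyn"):
        for name, lines in heads[kind].items():
            need("isakmp", arg(lines, "set isakmp-profile"), f"{kind} {name}")
    # Dynamic-map clients get a VRF only via their ISAKMP profile; GRE peers may inherit it from the tunnel.
    for name, lines in heads["dyn"].items():
        prof = arg(lines, "set isakmp-profile")
        if prof in isakmp and arg(isakmp[prof], "vrf") is None:
            out.append(f"dynamic-map {name}: profile {prof} has no vrf, "
                       "clients would land in the global routing table")
    for name, lines in heads["intf"].items():
        prof = arg(lines, "tunnel protection ipsec profile")
        if prof is None:
            continue
        need("ipsec", prof, f"interface {name}")
        isa = arg(heads["ipsec"].get(prof, []), "set isakmp-profile")
        via_profile = isa in isakmp and arg(isakmp[isa], "vrf")
        if not (arg(lines, "ip vrf forwarding") or via_profile):
            out.append(f"interface {name}: protected tunnel has no VRF binding")
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

Run against the excerpt as written, audit(CONFIG) reports the two readable-credential problems and the two policy defaults and nothing else, because every reference resolves and both peer paths end in vpn1. Removing the vrf vpn1 line from the vpn1-ez profile produces the dynamic-map finding, which is the failure mode that matters most in this design: the client would still authenticate and receive an address, but its traffic would be routed in the global table rather than in the customer's VPN. The checker only reads what the configuration states; it does not know the VRF assignments a RADIUS server could push, so a deployment that moves authorization to RADIUS needs the equivalent check on the server side.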




Posted: Tue May 20 05:29:33 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.