Monday, 5 December 2011

VRF aware IPSEC with NAT using only one WAN (outside) interface

If all customers (or users, or any other remote parties) have to be terminated on a single WAN (outside) interface, for example when IPsec VPNs terminate on the Internet-facing interface, the method described in our previous post, VRF aware IPSEC with NAT, cannot be used as is, although it is quite useful and flexible.
With a few changes it becomes possible. In the configuration below a single crypto map with two entries is applied to the WAN (outside-facing) interface, so per-customer subinterfaces are no longer needed. The outside interface sits in its own front-door VRF (WAN), which is the VRF the keyrings and the match identity statements refer to, while each customer's decrypted traffic lands in its own inside VRF.
Although not directly related to this concept, an additional NAT rule that translates an inside LAN address on the central site (10.10.2.1 to 192.168.192.1) is also added. It is worth including because it shows the stateful behaviour of the new NAT feature: customer sites can reach the central site using either the real or the NATed address. If a customer site sends packets to the real address, the return traffic keeps the real address (ip nat source static 10.10.2.1 192.168.192.1 vrf Central_VRF is not applied). If the NATed address is used, NAT does its job on the return traffic as well. So the same packet leaving the central LAN towards a customer site is handled differently depending on which session it belongs to, that is, on whether the customer sent its packet to the real or to the NATed address.
Special care needs to be taken with the VRF arguments in many of the commands below. With any small misconfiguration it will not work.
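The behaviour described above, as an added illustration that is not part of the original post and is not IOS code: a small Python model of what the configuration does with addresses, keyed by VRF and by session. It models only the three properties the text states (per-VRF static translation, a session table that decides how the return packet is rewritten, and the real central address being preserved when the customer addressed it directly), not IOS internals; the class and function names are this example's own, and the "global" case at the end shows what is lost when the translation is not keyed by VRF.

```python
# Added model (not Cisco IOS code, not from the original post) of the behaviour the
# post describes: static source NAT keyed by VRF, a session table that steers the
# return packet, and the real central address kept when the customer used it.
# Names are illustrative; no claim is made about how IOS implements NVI NAT.

class VrfAwareNat:
    def __init__(self):
        self.static = {}     # (vrf, local) -> global, from "ip nat source static L G vrf V"
        self.by_global = {}  # global -> (vrf, local)
        self.sessions = {}   # (src as seen by central host, real dst) -> (vrf, local src, dst as sent)

    def add_static(self, local, glob, vrf):
        self.static[(vrf, local)] = glob
        self.by_global[glob] = (vrf, local)

    def forward(self, vrf, src, dst):
        """Packet from a customer site, already decrypted into that customer's inside VRF.
        Returns (src, dst) as delivered to the central LAN."""
        tsrc = self.static.get((vrf, src), src)          # source translated per VRF
        owner = self.by_global.get(dst)
        # dst is a translated address belonging to another VRF: un-NAT it
        real_dst = owner[1] if owner and owner[0] != vrf else dst
        self.sessions[(tsrc, real_dst)] = (vrf, src, dst)
        return tsrc, real_dst

    def reply(self, src, dst):
        """Return packet from the central LAN host. Returns (vrf, src, dst) as sent back
        to the customer: the source is whatever address the customer originally used."""
        sess = self.sessions.get((dst, src))
        if sess is None:
            raise LookupError(f"no session for {src} -> {dst}")
        vrf, local_src, dst_as_sent = sess
        return vrf, dst_as_sent, local_src


def build_example_nat():
    """The three static rules from the central site configuration."""
    nat = VrfAwareNat()
    nat.add_static("10.10.2.1", "192.168.192.1", "Central_VRF")
    nat.add_static("192.168.10.1", "10.10.101.1", "Customer_A_VRF")
    nat.add_static("192.168.10.1", "10.10.102.1", "Customer_B_VRF")
    return nat


def run_scenarios():
    """Customer A targets the real address, customer B the NATed one; both use 192.168.10.1."""
    nat = build_example_nat()
    out = {}
    out["a_fwd"] = nat.forward("Customer_A_VRF", "192.168.10.1", "10.10.2.1")
    out["b_fwd"] = nat.forward("Customer_B_VRF", "192.168.10.1", "192.168.192.1")
    out["a_reply"] = nat.reply("10.10.2.1", "10.10.101.1")  # source stays 10.10.2.1
    out["b_reply"] = nat.reply("10.10.2.1", "10.10.102.1")  # source becomes 192.168.192.1
    return out


def collision_without_vrf():
    """Same two customers but the translation is not keyed by VRF: the second rule for
    192.168.10.1 replaces the first (on a router the two cannot coexist), so both sites
    get the same translated address and the central host cannot tell their replies apart."""
    nat = VrfAwareNat()
    nat.add_static("192.168.10.1", "10.10.101.1", "global")
    nat.add_static("192.168.10.1", "10.10.102.1", "global")
    a = nat.forward("global", "192.168.10.1", "10.10.2.1")
    b = nat.forward("global", "192.168.10.1", "10.10.2.1")
    return a == b


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
    print("collision without VRF-keyed NAT:", collision_without_vrf())
```

Running it prints the two forward packets as the central host sees them (10.10.101.1 and 10.10.102.1, never the overlapping 192.168.10.1), and the two replies, where only customer B's reply is rewritten to 192.168.192.1 because only B addressed that NATed address.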

Central site router:
ip vrf Central_VRF
rd 100:100
!
ip vrf Customer_A_VRF
rd 100:101
!
ip vrf Customer_B_VRF
rd 100:102
!
ip vrf WAN
rd 100:99
!
! Keyring VRF is the FVRF (the VRF of the interface the peer's IKE packets arrive on),
! here WAN for both customers, not the customer's inside VRF
crypto keyring Customer_A_CRYPTO_KEYRING vrf WAN
pre-shared-key address 192.168.1.11 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf WAN
pre-shared-key address 192.168.1.12 key abc123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile Customer_A_ISAKMP_PROFILE
! IVRF: decrypted traffic from this peer is placed in the customer's own VRF
vrf Customer_A_VRF
keyring Customer_A_CRYPTO_KEYRING
! last argument is the FVRF; it must match the keyring VRF and the VRF of GigabitEthernet0/1
match identity address 192.168.1.11 255.255.255.255 WAN
crypto isakmp profile Customer_B_ISAKMP_PROFILE
vrf Customer_B_VRF
keyring Customer_B_CRYPTO_KEYRING
match identity address 192.168.1.12 255.255.255.255 WAN
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map WAN_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.11
set transform-set Customer_A_TRANSFORM_SET
set isakmp-profile Customer_A_ISAKMP_PROFILE
match address Customer_A_CRYPTO_ACL
crypto map WAN_CRYPTO_MAP 20 ipsec-isakmp
set peer 192.168.1.12
set transform-set Customer_B_TRANSFORM_SET
set isakmp-profile Customer_B_ISAKMP_PROFILE
match address Customer_B_CRYPTO_ACL
!
! Single outside interface in the front-door VRF WAN; both customers' tunnels terminate here
interface GigabitEthernet0/1
description WAN
ip vrf forwarding WAN
ip address 192.168.1.2 255.255.255.240
ip nat enable
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map WAN_CRYPTO_MAP
!
interface GigabitEthernet0/2
description To_Central_LAN
ip vrf forwarding Central_VRF
ip address 10.10.1.1 255.255.255.0
ip nat enable
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
! Central LAN host 10.10.2.1 is additionally reachable as 192.168.192.1 (stateful, see above)
ip nat source static 10.10.2.1 192.168.192.1 vrf Central_VRF
! Both customers use 192.168.10.1; the translation is keyed by VRF, so they stay distinct
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
! Central_VRF routes the translated customer addresses out of the WAN interface (next hop in VRF WAN);
! each customer VRF routes the real customer address out and the central addresses towards the LAN
ip route vrf Central_VRF 192.168.192.1 255.255.255.255 10.10.1.2
ip route vrf Central_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Central_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1 192.168.1.12
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Customer_A_VRF 192.168.192.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1 192.168.1.12
ip route vrf Customer_B_VRF 192.168.192.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
!
ip access-list extended Customer_A_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.192.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.192.0 0.0.0.255 192.168.10.0 0.0.0.255

Friday, 18 November 2011

VRF aware IPSEC with NAT

(If you need to terminate all customers (or users, or any other remote parties) on only one WAN (outside) interface, for example when terminating IPSec VPN on Internet facing interface, see also VRF aware IPSEC with NAT using only one WAN (outside) interface)

If multiple IPsec connections from multiple customers have to be terminated on the same router and the customers' address spaces overlap, one solution is VRF aware IPsec combined with VRF aware NAT using the new ip nat enable syntax (NAT virtual interface).
Each customer is connected to the central site over its own private link, carried as an 802.1Q VLAN to a separate subinterface dedicated to that customer on the WAN interface of the central router.
In this example both customer sites reach the central site using the same IP address from their LAN: 192.168.10.1
This address is NATed to 10.10.101.1 for customer A and to 10.10.102.1 for customer B.
This allows the central site to differentiate packets sent by different customers from the same source IP address, and to route the return packets correctly.

There are numerous parts in this setup to get wrong. Some of the possible errors, each followed by the debug output it produces, are:

proxy identities not supported, IPSec policy invalidated proposal with error 32, phase 2 SA policy not acceptable (the proxy identities, i.e. the crypto ACLs on the two sides, do not mirror each other):

Jun 17 13:24:57.739: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 17 13:24:57.739: ISAKMP:(1009): IPSec policy invalidated proposal with error 32
Jun 17 13:24:57.739: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 192.168.1.2 remote 192.168.1.1)

Profile discarded due to VRF mismatch, peer matches *none* of the profiles (FVRF missing or wrong in match identity address):

Jun 18 09:24:55.763: ISAKMP:(0):: Profile User_A_ISAKMP_PROFILE discarded due to VRF mismatch * * *
Jun 18 09:24:55.763: ISAKMP:(0):: Have you put proper FVRF in "match id ip-address" command?
Jun 18 09:24:55.763: ISAKMP:(0):: peer matches *none* of the profiles

unroutable in debug ip packet output (no route for the destination in the VRF the packet arrived in):

Jun 18 13:03:31.107: IP: s=192.168.10.1 (GigabitEthernet0/1.102), d=10.10.2.1, len 100, unroutable
Important parts to make this all work (see the central site router configuration below):
  • Add vrf <vrf name> after the crypto keyring commands.
  • Add the VRF name after match identity address in the crypto isakmp profiles.
  • Put the front-end outside interfaces in the FVRF using ip vrf forwarding commands.
  • We have found 15.0-1.M7 to be more stable with this setup; in the meantime newer releases in 15.1 and 15.2 may well be fine too.
  • Use two routes for each customer: one in the Central VRF (for the NATed addresses, i.e. how the customer addresses are seen on the central site) and one in the Customer VRF (for the original, non-NATed customer addresses; since we are using VRFs and NAT, these addresses can overlap, and in this example they do):
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
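A way to catch the VRF mismatches listed here, and the same ones in the single-WAN-interface variant above, before pasting the configuration onto a router: the following Python lint is an added example, not from the original post and not a Cisco tool. It parses the handful of commands used in these posts (crypto keyring, crypto isakmp profile, crypto map, interface, ip nat source static, ip route vrf) and checks that the keyring VRF, the FVRF on match identity address and the VRF of the interface that carries the crypto map agree, and that each NAT rule has its two routes. The sample configuration inside it is a constructed excerpt of the single-WAN-interface configuration above, reduced to customer A; function names are this example's own.

```python
# Added example, not from the original post and not a Cisco tool: a small lint for the
# VRF rules listed above. It understands only the commands these posts use (NVI NAT).
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(crypto keyring|crypto isakmp profile|crypto map|interface)\s+(\S+)")
TOPLEVEL = ("ip route ", "ip nat source ", "ip access-list ", "ip vrf ",
            "crypto isakmp policy ", "crypto ipsec transform-set ")


def parse_ios(config):
    keyrings, profiles, maps = {}, {}, defaultdict(list)
    ifaces, nat_static, routes = {}, [], defaultdict(set)
    kind = obj = None
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("!"):
            kind = obj = None
            continue
        if kind == "interface" and re.match(r"crypto map \S+$", line):
            obj["maps"].append(words[2])                 # crypto map applied to an interface
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "crypto keyring":                 # crypto keyring NAME [vrf FVRF]
                keyrings[name] = words[words.index("vrf") + 1] if "vrf" in words else "global"
                kind = obj = None
            elif kind == "crypto isakmp profile":
                obj = profiles.setdefault(name, {"keyring": None, "fvrf": "global"})
            elif kind == "crypto map":                   # crypto map NAME SEQ ipsec-isakmp
                obj = {"profile": None}
                maps[name].append(obj)
            else:
                obj = ifaces.setdefault(name, {"vrf": "global", "maps": []})
        elif kind == "interface" and line.startswith("ip vrf forwarding "):
            obj["vrf"] = words[-1]
        elif line.startswith(TOPLEVEL):
            kind = obj = None
            if line.startswith("ip nat source static "):  # ... LOCAL GLOBAL [vrf NAME]
                vrf = words[words.index("vrf") + 1] if "vrf" in words else "global"
                nat_static.append((words[4], words[5], vrf))
            elif line.startswith("ip route vrf "):       # ip route vrf NAME PREFIX MASK ...
                routes[words[3]].add(words[4])
        elif kind == "crypto isakmp profile":
            if words[0] == "keyring":
                obj["keyring"] = words[1]
            elif line.startswith("match identity address "):  # ... ADDR [MASK] [FVRF]
                tail = words[3:]                         # FVRF is a trailing non-address token
                obj["fvrf"] = tail[-1] if len(tail) > 1 and not re.match(r"[\d.]+$", tail[-1]) else "global"
        elif kind == "crypto map" and words[:2] == ["set", "isakmp-profile"]:
            obj["profile"] = words[2]
    return keyrings, profiles, maps, ifaces, nat_static, routes


def check(config):
    """Return a list of findings; an empty list means the VRF references agree."""
    keyrings, profiles, maps, ifaces, nat_static, routes = parse_ios(config)
    findings = []
    for pname, p in profiles.items():                   # keyring VRF must equal match-identity FVRF
        kr_vrf = keyrings.get(p["keyring"], "global")
        if kr_vrf != p["fvrf"]:
            findings.append(f"{pname}: keyring vrf {kr_vrf} != match identity fvrf {p['fvrf']}")
    for ifname, i in ifaces.items():                    # FVRF must equal the crypto map interface VRF
        for entry in (e for mname in i["maps"] for e in maps.get(mname, [])):
            p = profiles.get(entry["profile"])
            if p is None:
                findings.append(f"{ifname}: isakmp profile {entry['profile']} not defined")
            elif p["fvrf"] != i["vrf"]:
                findings.append(f"{ifname} in vrf {i['vrf']} but {entry['profile']} expects fvrf {p['fvrf']}")
    for local, glob, vrf in nat_static:                 # the two routes per translation
        if local not in routes[vrf]:
            findings.append(f"no route for {local} in vrf {vrf}")
        if not any(glob in r for v, r in routes.items() if v != vrf):
            findings.append(f"no route for translated {glob} outside vrf {vrf}")
    return findings


# Constructed sample: the customer A lines of the single-WAN-interface configuration above.
GOOD = """
crypto keyring Customer_A_CRYPTO_KEYRING vrf WAN
crypto isakmp profile Customer_A_ISAKMP_PROFILE
keyring Customer_A_CRYPTO_KEYRING
match identity address 192.168.1.11 255.255.255.255 WAN
crypto map WAN_CRYPTO_MAP 10 ipsec-isakmp
set isakmp-profile Customer_A_ISAKMP_PROFILE
interface GigabitEthernet0/1
ip vrf forwarding WAN
crypto map WAN_CRYPTO_MAP
ip nat source static 10.10.2.1 192.168.192.1 vrf Central_VRF
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip route vrf Central_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Customer_A_VRF 192.168.192.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
"""
# The classic mistake: customer A's match identity names the inside VRF as FVRF.
BAD = GOOD.replace("192.168.1.11 255.255.255.255 WAN", "192.168.1.11 255.255.255.255 Customer_A_VRF")

if __name__ == "__main__":
    print("good:", check(GOOD) or "no findings")
    print("bad:", *check(BAD), sep="\n  ")
```

Running it reports nothing for the good excerpt and two findings for the bad one (the keyring is in VRF WAN while the profile expects peers in Customer_A_VRF, and GigabitEthernet0/1 is in WAN while the profile's FVRF is Customer_A_VRF), which is exactly the mismatch behind the "Profile discarded due to VRF mismatch" debug line. Deleting the Central_VRF route for 10.10.101.1 yields the missing-route finding that corresponds to the "unroutable" debug.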
Here are working configurations:
Central site router:
ip vrf Central_site_VRF
rd 100:100
!
ip vrf Customer_A_VRF
rd 100:101
!
ip vrf Customer_B_VRF
rd 100:102
!
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
pre-shared-key address 192.168.1.1 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf Customer_B_VRF
pre-shared-key address 192.168.1.1 key abc123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile Customer_A_ISAKMP_PROFILE
vrf Customer_A_VRF
keyring Customer_A_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
vrf Customer_B_VRF
keyring Customer_B_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_B_VRF
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map Customer_A_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_A_TRANSFORM_SET
set isakmp-profile Customer_A_ISAKMP_PROFILE
match address Customer_A_CRYPTO_ACL
!
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_B_TRANSFORM_SET
set isakmp-profile Customer_B_ISAKMP_PROFILE
match address Customer_B_CRYPTO_ACL
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN Interface
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.101
description To_Customer_A
encapsulation dot1Q 101
ip vrf forwarding Customer_A_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_A_CRYPTO_MAP
!
interface GigabitEthernet0/1.102
description To_Customer_B
encapsulation dot1Q 102
ip vrf forwarding Customer_B_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_B_CRYPTO_MAP
!
interface GigabitEthernet0/2
description To_Central_site_LAN
ip vrf forwarding Central_site_VRF
ip address 10.10.1.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
ip forward-protocol nd
!
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
ip route vrf Central_site_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
!
ip access-list extended Customer_A_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
Customer A:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255
Customer B (same as Customer A, to cover the overlapping addresses case. It is of course possible to have different configurations, even different router or firewall vendors, at the customer sites):
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Loopback1
ip address 192.168.10.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.