Friday, 18 November 2011

VRF aware IPSEC with NAT

(If you need to terminate all customers (or users, or any other remote parties) on a single WAN (outside) interface, for example when terminating IPsec VPNs on an Internet-facing interface, see also VRF aware IPSEC with NAT using only one WAN (outside) interface.)

If multiple IPsec connections from multiple customers have to be terminated on the same router, and the customer address spaces overlap, one solution is VRF aware IPsec combined with VRF aware NAT using the newer ip nat enable (NAT Virtual Interface) syntax.
Each customer is connected to the central site over its own private link, which arrives as an 802.1Q tagged VLAN on the WAN interface of the central router; a separate subinterface on that WAN interface is dedicated to each customer.
In this example both customer sites reach the central site using the same IP address from their LAN: 192.168.10.1.
This address is NAT-ed to 10.10.101.1 for customer A and to 10.10.102.1 for customer B.
This lets the central site tell apart packets sent from different customers with the same source IP address, and route the return packets back to the correct customer.

There are numerous parts in this setup to get wrong. Some of the errors you will see, with the debug output they produce:

proxy identities not supported / IPSec policy invalidated proposal with error 32 / phase 2 SA policy not acceptable (the phase 2 proxy identities offered by the peer do not match the local crypto ACL; in this setup that typically means one side has written its crypto ACL with the NAT-ed addresses instead of the original ones):

Jun 17 13:24:57.739: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 17 13:24:57.739: ISAKMP:(1009): IPSec policy invalidated proposal with error 32
Jun 17 13:24:57.739: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 192.168.1.2 remote 192.168.1.1)

Profile discarded due to VRF mismatch / peer matches *none* of the profiles (the FVRF is missing or wrong in the match identity address command of the ISAKMP profile, as the debug itself suggests):

Jun 18 09:24:55.763: ISAKMP:(0):: Profile User_A_ISAKMP_PROFILE discarded due to VRF mismatch * * *
Jun 18 09:24:55.763: ISAKMP:(0):: Have you put proper FVRF in "match id ip-address" command?
Jun 18 09:24:55.763: ISAKMP:(0):: peer matches *none* of the profiles

unroutable in debug ip packet output (the decrypted packet lands in the customer VRF, which has no route for the central site destination; see the per-VRF routes below):

Jun 18 13:03:31.107: IP: s=192.168.10.1 (GigabitEthernet0/1.102), d=10.10.2.1, len 100, unroutable
Important parts to make this all work are (see the Central site router configuration below):
  • Add vrf vrf-name after the crypto keyring command, so the keyring is looked up in the FVRF the peer arrives in.
  • Add the vrf-name after match identity address in the crypto isakmp profiles (this is the FVRF); without it the profile is matched in the global VRF and discarded with the "VRF mismatch" message above.
  • Put the front-end (outside) subinterfaces in the FVRF using ip vrf forwarding; the crypto map applied to that subinterface then runs in that VRF, and this is the VRF the keyring and the match identity command must name.
  • We have found 15.0-1.M7 to be more stable with this setup, but in the meantime it is possible that newer releases in 15.1 and 15.2 are also fine.
  • The pre-shared key abc123 (and the 0.0.0.0 0.0.0.0 wildcard key on the customer routers) is a lab placeholder; in production use a distinct, strong key per customer and bind it to the peer address.
  • Use two routes for each customer: one in the Central VRF for the NAT-ed address (how the customer address is seen on the Central site), and one in the Customer VRF for the original, non-NAT-ed customer address. Since we are using VRFs and NAT, these original addresses can overlap (and in this example they do):
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
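To catch the VRF mismatch before reaching for debug crypto isakmp, here is a small Python check, added to this page and not part of the original post, that parses the relevant commands out of a running-config and verifies that, for every interface carrying a crypto map, the ISAKMP profile's match identity VRF and the keyring VRF equal the VRF of that interface (the FVRF). The parser, the function names and the trimmed config it is fed are my own; it assumes a config in the form IOS emits (one command per line) and understands only the commands shown on this page.

```python
def _starts_block(line):
    if line.startswith(("crypto keyring ", "crypto isakmp profile ", "interface ")):
        return True
    if line.startswith("crypto map "):
        # 'crypto map NAME SEQ ipsec-isakmp' defines a map; the three-word
        # 'crypto map NAME' under an interface applies one and stays in that block
        w = line.split()
        return len(w) >= 4 and w[3].isdigit()
    return False


def parse_blocks(config):
    # (header, body lines) per block. Indentation is ignored, so a de-indented
    # copy like the one on this page parses; a block ends at the next '!' or header.
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _starts_block(line):
            current = (line, [])
            blocks.append(current)
        elif line.startswith("!"):
            current = None
        elif current is not None:
            current[1].append(line)
    return blocks


def _arg(body, prefix, idx):
    # idx-th word of the first body line starting with prefix, else None
    for line in body:
        if line.startswith(prefix):
            w = line.split()
            return w[idx] if len(w) > idx else None
    return None


def lint_fvrf(config):
    # One finding per interface whose crypto map uses an ISAKMP profile or
    # keyring bound to a VRF other than the interface's own VRF (the FVRF).
    keyring_vrf, profiles, cmap_profile, ifaces = {}, {}, {}, {}
    for header, body in parse_blocks(config):
        w = header.split()
        if header.startswith("crypto keyring "):        # crypto keyring NAME [vrf FVRF]
            keyring_vrf[w[2]] = w[4] if len(w) > 4 and w[3] == "vrf" else None
        elif header.startswith("crypto isakmp profile "):
            profiles[w[3]] = {"keyring": _arg(body, "keyring ", 1),
                              # match identity address ADDR MASK [FVRF]
                              "match_addr": _arg(body, "match identity address ", 3),
                              "match_vrf": _arg(body, "match identity address ", 5)}
        elif header.startswith("crypto map "):
            cmap_profile[w[2]] = _arg(body, "set isakmp-profile ", 2) or cmap_profile.get(w[2])
        elif header.startswith("interface "):
            ifaces[w[1]] = {"vrf": _arg(body, "ip vrf forwarding ", 3),
                            "cmap": _arg(body, "crypto map ", 2)}

    findings = []
    for ifname, info in ifaces.items():
        pname = cmap_profile.get(info["cmap"])      # None: no map, or a map without a profile
        if pname is None:
            continue
        fvrf = info["vrf"]                          # None means the global routing table
        prof = profiles.get(pname)
        if prof is None:
            findings.append(f"{ifname}: crypto map {info['cmap']} names unknown profile {pname}")
            continue
        if prof["match_addr"] and prof["match_vrf"] != fvrf:
            findings.append(f"{ifname}: profile {pname} matches identity in VRF "
                            f"{prof['match_vrf']} but the interface FVRF is {fvrf}")
        kr = prof["keyring"]
        if kr and keyring_vrf.get(kr) != fvrf:
            findings.append(f"{ifname}: keyring {kr} is in VRF {keyring_vrf.get(kr)} "
                            f"but the interface FVRF is {fvrf}")
    return findings


# Constructed input: the central-site configuration from this page, trimmed to
# the commands the check reads (keys, policies and transform sets omitted).
GOOD_CONFIG = """\
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
crypto keyring Customer_B_CRYPTO_KEYRING vrf Customer_B_VRF
!
crypto isakmp profile Customer_A_ISAKMP_PROFILE
 keyring Customer_A_CRYPTO_KEYRING
 match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
 keyring Customer_B_CRYPTO_KEYRING
 match identity address 192.168.1.1 255.255.255.255 Customer_B_VRF
!
crypto map Customer_A_CRYPTO_MAP 10 ipsec-isakmp
 set isakmp-profile Customer_A_ISAKMP_PROFILE
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp
 set isakmp-profile Customer_B_ISAKMP_PROFILE
!
interface GigabitEthernet0/1.101
 ip vrf forwarding Customer_A_VRF
 crypto map Customer_A_CRYPTO_MAP
!
interface GigabitEthernet0/1.102
 ip vrf forwarding Customer_B_VRF
 crypto map Customer_B_CRYPTO_MAP
"""

# Same config with the FVRF dropped from Customer A's match identity command.
BAD_CONFIG = GOOD_CONFIG.replace(
    "match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF",
    "match identity address 192.168.1.1 255.255.255.255")
```

Running lint_fvrf(GOOD_CONFIG) returns no findings, while lint_fvrf(BAD_CONFIG) reports GigabitEthernet0/1.101 because its profile now matches the peer in the global VRF while the interface lives in Customer_A_VRF, which is exactly the condition behind the "discarded due to VRF mismatch" line. The check treats a missing ip vrf forwarding as the global table, so it also flags the opposite mistake (a VRF named in the profile while the interface was left in the global table).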
Here are working configurations:
Central site router:
ip vrf Central_site_VRF
rd 100:100
!
ip vrf Customer_A_VRF
rd 100:101
!
ip vrf Customer_B_VRF
rd 100:102
!
! one keyring per customer, each bound to the FVRF the peer arrives in; the peer
! address and key are identical, the VRF is what keeps them apart
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
pre-shared-key address 192.168.1.1 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf Customer_B_VRF
pre-shared-key address 192.168.1.1 key abc123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
! vrf = IVRF (where decrypted traffic is placed); the VRF at the end of
! match identity address = FVRF (where the peer's IKE packets arrive)
crypto isakmp profile Customer_A_ISAKMP_PROFILE
vrf Customer_A_VRF
keyring Customer_A_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
vrf Customer_B_VRF
keyring Customer_B_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_B_VRF
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map Customer_A_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_A_TRANSFORM_SET
set isakmp-profile Customer_A_ISAKMP_PROFILE
match address Customer_A_CRYPTO_ACL
!
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_B_TRANSFORM_SET
set isakmp-profile Customer_B_ISAKMP_PROFILE
match address Customer_B_CRYPTO_ACL
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN Interface
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.101
description To_Customer_A
encapsulation dot1Q 101
ip vrf forwarding Customer_A_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_A_CRYPTO_MAP
!
interface GigabitEthernet0/1.102
description To_Customer_B
encapsulation dot1Q 102
ip vrf forwarding Customer_B_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_B_CRYPTO_MAP
!
interface GigabitEthernet0/2
description To_Central_site_LAN
ip vrf forwarding Central_site_VRF
ip address 10.10.1.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
ip forward-protocol nd
!
! per-VRF static NAT: the overlapping 192.168.10.1 gets a unique address in the Central VRF
! (only hosts with an entry here are reachable from the Central site)
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
! routes whose egress interface sits in another VRF carry traffic between the VRFs:
! NAT-ed addresses in the Central VRF, original addresses in each customer VRF
ip route vrf Central_site_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
!
ip access-list extended Customer_A_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
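To make the NAT and per-VRF routing interplay above concrete, here is a Python model, added to this page and not part of the original post, that loads the central router's ip nat source static and ip route vrf lines and traces one packet through the router in each direction: decrypted traffic leaving a customer VRF gets its source translated, the reply from the central LAN is routed by its NAT-ed destination to the right subinterface and un-translated there, and a destination with no route in the ingress VRF comes back as unroutable. The interface-to-VRF table, the function names and the simplified NVI semantics (translate whenever a packet crosses from one VRF to another) are my own assumptions; the crypto ACL check uses IOS wildcard masks so you can see that the un-translated reply, not the NAT-ed one, is what the crypto map's ACL matches.

```python
import ipaddress

# Assumption: interface -> VRF, taken from the 'ip vrf forwarding' lines of
# the central router configuration above.
IFACE_VRF = {
    "GigabitEthernet0/1.101": "Customer_A_VRF",
    "GigabitEthernet0/1.102": "Customer_B_VRF",
    "GigabitEthernet0/2": "Central_site_VRF",
}

# Constructed input: the 'ip nat source static' and 'ip route vrf' lines of
# the central router, copied from the configuration above.
CENTRAL_NAT_AND_ROUTES = """\
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
ip route vrf Central_site_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
"""


def load_tables(text):
    """Return (routes, nat): routes[vrf] = [(prefix, egress iface or None, next hop)],
    nat[vrf] = {inside local: inside global}."""
    routes, nat = {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ip", "route", "vrf"]:          # ip route vrf VRF PREFIX MASK [IFACE] NEXTHOP
            prefix = ipaddress.ip_network(f"{w[4]}/{w[5]}")
            routes.setdefault(w[3], []).append((prefix, w[6] if len(w) == 8 else None, w[-1]))
        elif w[:4] == ["ip", "nat", "source", "static"]:   # ip nat source static LOCAL GLOBAL vrf VRF
            nat.setdefault(w[7], {})[w[4]] = w[5]
    return routes, nat


TABLES = load_tables(CENTRAL_NAT_AND_ROUTES)


def lookup(routes, vrf, dst):
    """Longest-prefix match in one VRF's routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes.get(vrf, []):
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def forward(tables, in_vrf, src, dst):
    """One hop through the central router: route in the ingress VRF, then apply
    the static NVI translation of whichever customer VRF the packet crosses.
    Returns (egress iface, egress VRF, src, dst), or None when unroutable."""
    routes, nat = tables
    route = lookup(routes, in_vrf, dst)
    if route is None:
        return None                         # what 'debug ip packet' reports as unroutable
    iface = route[1]
    out_vrf = IFACE_VRF.get(iface, in_vrf) if iface else in_vrf
    if out_vrf != in_vrf:
        # leaving a customer VRF: the inside-local source becomes the inside-global one
        src = nat.get(in_vrf, {}).get(src, src)
        # entering a customer VRF: an inside-global destination maps back to the original
        for local, glob in nat.get(out_vrf, {}).items():
            if glob == dst:
                dst = local
    return iface, out_vrf, src, dst


def acl_permits(src, dst, entry):
    """'permit ip SRC WILD DST WILD' with IOS wildcard masks (1 bits are ignored)."""
    def match(addr, base, wild):
        a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
        return (a | w) == (b | w)
    return match(src, entry[0], entry[1]) and match(dst, entry[2], entry[3])


# Customer A's crypto ACL from the page: written in the original, un-NAT-ed addresses.
CUSTOMER_A_CRYPTO_ACL = ("10.10.2.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")

if __name__ == "__main__":
    # decrypted packet from Customer A, then the reply from the central LAN
    print(forward(TABLES, "Customer_A_VRF", "192.168.10.1", "10.10.2.1"))
    reply = forward(TABLES, "Central_site_VRF", "10.10.2.1", "10.10.101.1")
    print(reply, "crypto ACL hit:", acl_permits(reply[2], reply[3], CUSTOMER_A_CRYPTO_ACL))
    # Customer B's Loopback1 (192.168.10.3 in its configuration below) has no
    # static NAT entry, so the reply to it has no route in the Central VRF
    print(forward(TABLES, "Central_site_VRF", "10.10.2.1", "192.168.10.3"))
```

Deleting the Customer_B_VRF route for 10.10.2.1 from the input reproduces the unroutable case from the debug output above: the decrypted packet from 192.168.10.1 arrives in Customer_B_VRF and has nowhere to go. The reply path also shows why the crypto ACL on the central router has to name 192.168.10.0/24 rather than 10.10.101.1: by the time the packet reaches the crypto map on GigabitEthernet0/1.101 its destination has already been translated back.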
Customer A:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
! wildcard key: any peer presenting this key is accepted; fine in the lab,
! in production bind the key to the central peer address 192.168.1.2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255
Customer B (same as Customer A, to cover the overlapping addresses case; only an extra Loopback1 is added. It is of course possible to have different configurations, even different router or firewall vendors, at the customer sites):
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Loopback1
ip address 192.168.10.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.