Friday, 18 November 2011

VRF aware IPSEC with NAT

(If you need to terminate all customers (or users, or any other remote parties) on only one WAN (outside) interface, for example when terminating IPSec VPN on Internet facing interface, see also VRF aware IPSEC with NAT using only one WAN (outside) interface)

If it is required to terminate multiple IPsec connections from multiple customers on same router, and customer address spaces are overlapping, one solution is VRF aware IPsec together with VRF aware NAT functionality using new ip nat enable syntax.
Each customer is connected to central site using its own private link that is through 802.1q connected to separate subinterface dedicated to each customer on WAN interface on central router.
In this example both customer sites arrive to central site using same IP address from their LAN: 192.168.10.1
This IP address is NAT-ed to 10.10.101.1 for customer A, and to 10.10.102.1 for customer B.
This allows central site to differentiate packets sent from different customers with same source IP address, and to be able to correctly route packets back.

There are numerous parts in this setup to do wrong. Some of the possible errors are:
proxy identities not supported
IPSec policy invalidated proposal with error 32
phase 2 SA policy not acceptable
Jun 17 13:24:57.739: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 17 13:24:57.739: ISAKMP:(1009): IPSec policy invalidated proposal with error 32
Jun 17 13:24:57.739: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 192.168.1.2 remote 192.168.1.1)
Profile discarded due to VRF mismatch
peer matches *none* of the profiles
Jun 18 09:24:55.763: ISAKMP:(0):: Profile User_A_ISAKMP_PROFILE discarded due to VRF mismatch * * *
Jun 18 09:24:55.763: ISAKMP:(0):: Have you put proper FVRF in "match id ip-address" command?
Jun 18 09:24:55.763: ISAKMP:(0):: peer matches *none* of the profiles
unroutable in debug ip packet output
Jun 18 13:03:31.107: IP: s=192.168.10.1 (GigabitEthernet0/1.102), d=10.10.2.1, len 100, unroutable
Important parts to make this all working are (bold in Central site router configuration below):
  • Add vrf vrf name after crypto keyring commands.
  • Add vrf name after match identity address in crypto isakmp profiles.
  • Put frontend outside interfaces in FVRF using ip vrf forwarding commands.
  • We have found 15.0-1.M7 to be more stable with this setup, but in the meantime it is possible that newer releases in 15.1 and 15.2 are also fine
  • Use two routes for each customer, one in Central VRF (with addresses NAT-ed to addresses how customer addresses are seen on Central site, one in Customer VRF (with original non-NAT-ed customer addresses - since we are using VRFs and NAT, these addresses can (and in this example are) overlapping.
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
Here are working configurations:
Central site router:
ip vrf Central_site_VRF
 rd 100:100
!
ip vrf Customer_A_VRF
 rd 100:101
!
ip vrf Customer_B_VRF
 rd 100:102
! 
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
  pre-shared-key address 192.168.1.1 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf Customer_B_VRF
  pre-shared-key address 192.168.1.1 key abc123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp profile Customer_A_ISAKMP_PROFILE
   vrf Customer_A_VRF
   keyring Customer_A_CRYPTO_KEYRING
   match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
   vrf Customer_B_VRF
   keyring Customer_B_CRYPTO_KEYRING
   match identity address 192.168.1.1 255.255.255.255 Customer_B_VRF
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac 
!
crypto map Customer_A_CRYPTO_MAP 10 ipsec-isakmp 
 set peer 192.168.1.1
 set transform-set Customer_A_TRANSFORM_SET 
 set isakmp-profile Customer_A_ISAKMP_PROFILE
 match address Customer_A_CRYPTO_ACL
!
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp 
 set peer 192.168.1.1
 set transform-set Customer_B_TRANSFORM_SET 
 set isakmp-profile Customer_B_ISAKMP_PROFILE
 match address Customer_B_CRYPTO_ACL
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN Interface
 no ip address
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1.101
 description To_Customer_A
 encapsulation dot1Q 101
 ip vrf forwarding Customer_A_VRF
 ip address 192.168.1.2 255.255.255.0
 ip nat enable
 crypto map Customer_A_CRYPTO_MAP
!
interface GigabitEthernet0/1.102
 description To_Customer_B
 encapsulation dot1Q 102
 ip vrf forwarding Customer_B_VRF
 ip address 192.168.1.2 255.255.255.0
 ip nat enable
 crypto map Customer_B_CRYPTO_MAP
!
interface GigabitEthernet0/2
 description To_Central_site_LAN
 ip vrf forwarding Central_site_VRF
 ip address 10.10.1.1 255.255.255.0
 ip nat enable
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
ip route vrf Central_site_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
!
ip access-list extended Customer_A_CRYPTO_ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
Customer A:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac 
!
crypto map CRYPTO_MAP 10 ipsec-isakmp 
 set peer 192.168.1.2
 set transform-set ts 
 match address CRYPTO_ACL
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 speed auto
 crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
 permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255
Customer B (same as Customer B - to cover overlapping addresses case. It is of course possible to have different configurations, even different router or firewall vendors at customer sites):
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac 
!
crypto map CRYPTO_MAP 10 ipsec-isakmp 
 set peer 192.168.1.2
 set transform-set ts 
 match address CRYPTO_ACL
!         
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface Loopback1
 ip address 192.168.10.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 speed auto
 crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
 permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255
Posted by Milan Mesic at 05:14 0 comments
Labels: , , , , , , ,
Subscribe to: Posts (Atom)

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.