This is the fourth article in a series about configuring VPN tunnels in IOS XE. [Link to Part 1] [Link to Part 2] [Link to Part 3]
In the previous part, I configured a simple route-based VPN tunnel. In this article, I will show how to build a route-based VPN tunnel with OSPF as the dynamic routing protocol.
This is an imaginary setup of a company which has a Data Centre (DC) with Application and Storage servers, and two sites (A and B) that connect to the DC via IPsec VPN tunnels with the Internet as the underlay. Details of IP addresses, device connections and the OSPF area are as shown in the diagram.
The goals of this scenario are:
1) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-a-gw1" in site A.
2) Create a route-based IPsec VPN tunnel between "dc-gw1" in the DC and "site-b-gw1" in site B.
3) Traffic between the "app1" server and the "user" will be NATed; we have to configure both "inside" and "outside" NAT.
4) Configure dynamic routing between the DC and site routers.
The router IOS versions used for this setup are:
dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
I configured the interface IPs on the DC router and the site routers and a default route towards the Internet router. This simulates the underlay Internet links for the DC and the sites.
Interface And Route Configuration On DC Router = "dc-gw1"
interface GigabitEthernet1
 platform ring rx 256
 ip address 10.0.0.2 255.255.255.252
 negotiation auto
!
interface GigabitEthernet2
 platform ring rx 256
 ip address 100.0.10.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet3
 platform ring rx 256
 ip address 100.0.20.1 255.255.255.0
 ip nat inside
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 172.17.10.0 255.255.255.0 172.20.10.2
Interface And Route Configuration On site A Router = "site-a-gw1"
interface GigabitEthernet0/0
 ip address 20.0.0.2 255.255.255.252
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet1/0
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 20.0.0.1
Interface And Route Configuration On site B Router = "site-b-gw1"
interface GigabitEthernet0/0
 ip address 30.0.0.2 255.255.255.252
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet1/0
 ip address 192.168.20.1 255.255.255.0
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 30.0.0.1
Next is the route-based IPsec VPN configuration for the DC router and the site routers.
IPsec VPN Configuration On DC Router = "dc-gw1"
crypto keyring site-a
  pre-shared-key address 20.0.0.2 key acme
crypto keyring site-b
  pre-shared-key address 30.0.0.2 key acme
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile tunnel-to-site-a
 set transform-set AES-256-SHA
!
crypto ipsec profile tunnel-to-site-b
 set transform-set AES-256-SHA
!
interface Tunnel1
 description Tunnel to Site A
 ip address 172.20.10.1 255.255.255.252
 ip mtu 1400
 ip nat outside
 tunnel source 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel destination 20.0.0.2
 tunnel protection ipsec profile tunnel-to-site-a
!
interface Tunnel2
 description Tunnel to Site B
 ip address 172.20.20.1 255.255.255.252
 ip mtu 1400
 tunnel source 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel destination 30.0.0.2
 tunnel protection ipsec profile tunnel-to-site-b
IPsec VPN Configuration On site A Router = "site-a-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 10.0.0.2
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tunnel-to-dc
 set transform-set AES-256-SHA
!
interface Tunnel1
 description Tunnel to DC
 ip address 172.20.10.2 255.255.255.252
 ip mtu 1400
 tunnel source 20.0.0.2
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel-to-dc
IPsec VPN Configuration On site B Router = "site-b-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 10.0.0.2
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tunnel-to-dc
 set transform-set AES-256-SHA
!
interface Tunnel2
 description Tunnel to DC
 ip address 172.20.20.2 255.255.255.252
 ip mtu 1400
 tunnel source 30.0.0.2
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel-to-dc
This completes goals 1 and 2: we have VPN tunnels between the DC and the sites. The next part is implementing NAT on the DC router.
This NAT changes the App server IP from 100.0.10.10 to 172.16.10.10.
I did not use the "ip nat outside" command for this NAT, because I want to keep traffic between the Storage server and the site-A user without NAT.
ip nat pool source-nat-pool 172.16.10.10 172.16.10.10 prefix-length 30
!
ip access-list extended source-nat-acl
 permit ip host 100.0.10.10 host 172.17.10.10 log
!
route-map source-nat-routemap permit 10
 match ip address source-nat-acl
!
ip nat inside source route-map source-nat-routemap pool source-nat-pool
And this NAT configuration changes the site user IP from 172.17.10.10 to 192.168.10.10.
ip nat outside source static 192.168.10.10 172.17.10.10
And here are the ping commands used to generate traffic.
app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=53.000 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=55.000 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=68.500 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=58.000 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=556.500 ms

app1> ping 192.168.10.10
192.168.10.10 icmp_seq=1 timeout
192.168.10.10 icmp_seq=2 timeout
192.168.10.10 icmp_seq=3 timeout
192.168.10.10 icmp_seq=4 timeout
192.168.10.10 icmp_seq=5 timeout

app1> ping 172.17.10.10
84 bytes from 172.17.10.10 icmp_seq=1 ttl=62 time=62.013 ms
84 bytes from 172.17.10.10 icmp_seq=2 ttl=62 time=66.513 ms
84 bytes from 172.17.10.10 icmp_seq=3 ttl=62 time=58.512 ms
84 bytes from 172.17.10.10 icmp_seq=4 ttl=62 time=54.011 ms
84 bytes from 172.17.10.10 icmp_seq=5 ttl=62 time=46.009 ms
This traffic created the NAT translation table entries shown below.
dc-gw1#sh ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
---  ---                 ---                 172.17.10.10        192.168.10.10
icmp 172.16.10.10:53607  100.0.10.10:53607   172.17.10.10:53607  192.168.10.10:53607
icmp 172.16.10.10:53863  100.0.10.10:53863   172.17.10.10:53863  192.168.10.10:53863
icmp 172.16.10.10:54631  100.0.10.10:54631   172.17.10.10:54631  192.168.10.10:54631
icmp 172.16.10.10:54375  100.0.10.10:54375   172.17.10.10:54375  192.168.10.10:54375
icmp 172.16.10.10:54119  100.0.10.10:54119   172.17.10.10:54119  192.168.10.10:54119
Total number of translations: 6
These ping results and NAT translation entries show the connections between the app server in the DC and the user computers in the sites.
Please note that:
1) A packet generated by the app server has source IP 100.0.10.10; when it reaches the DC router, the source is changed to 172.16.10.10.
2) The same packet has destination IP 172.17.10.10; when it reaches the DC router, the destination is changed to 192.168.10.10.
3) After both the inside (source IP) and outside (destination IP) translations have been applied, the packet enters the VPN tunnel.
This completes goal 3: we have NAT configured on the DC router. The next part is implementing the dynamic routing protocol OSPF.
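To make the two-step translation above concrete, here is a small model of dc-gw1's NAT rules (an added example written for this article, not Cisco code or the author's). It assumes the IOS behaviour described in the notes: the inside-source ACL is matched on the pre-NAT addresses, and the outside static entry is applied to every packet crossing the NAT boundary.

```python
# Added example, not from the article or from Cisco: a toy model of the two NAT
# rules on dc-gw1, to trace how addresses change in each direction through Tunnel1.

class DcGwNat:
    """Translation-table columns follow 'show ip nat translations':
    (inside global, inside local, outside local, outside global)."""

    def __init__(self):
        # source-nat-acl: permit ip host 100.0.10.10 host 172.17.10.10
        self.inside_acl = {("100.0.10.10", "172.17.10.10")}
        # source-nat-pool: the single address 172.16.10.10
        self.inside_pool = "172.16.10.10"
        # ip nat outside source static 192.168.10.10 172.17.10.10
        # (outside local 172.17.10.10 <-> outside global 192.168.10.10)
        self.outside_static = {"172.17.10.10": "192.168.10.10"}
        self.table = []

    def inside_to_outside(self, src, dst):
        """Packet from an 'ip nat inside' interface leaving via Tunnel1 ('ip nat outside')."""
        # The inside-source ACL is evaluated on the pre-NAT addresses, which is why it
        # permits 100.0.10.10 -> 172.17.10.10 and not -> 192.168.10.10.
        if (src, dst) in self.inside_acl:
            inside_global, inside_local = self.inside_pool, src
        else:
            inside_global = inside_local = src
        # The outside-source static entry rewrites the destination (outside local -> global).
        outside_local, outside_global = dst, self.outside_static.get(dst, dst)
        if (inside_global, outside_global) != (src, dst):
            self.table.append((inside_global, inside_local, outside_local, outside_global))
        return inside_global, outside_global

    def outside_to_inside(self, src, dst):
        """Packet entering Tunnel1 from the site towards the DC servers."""
        # The static outside entry always applies: source outside global -> outside local.
        by_global = {g: l for l, g in self.outside_static.items()}
        src = by_global.get(src, src)
        # Dynamic inside entries: destination inside global -> inside local.
        for inside_global, inside_local, _, _ in self.table:
            if dst == inside_global:
                dst = inside_local
                break
        return src, dst
```

In this model the direct ping from app1 to 192.168.10.10 fails for the same reason it times out above: the echo reply enters Tunnel1 with its source rewritten to 172.17.10.10, an address app1 never sent to.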
OSPF Configuration On DC Router = "dc-gw1"
router ospf 100
 redistribute connected subnets route-map ospf-redistribute
 redistribute static subnets route-map static-redistribute
 network 172.20.10.0 0.0.0.3 area 0
 network 172.20.20.0 0.0.0.3 area 0
!
ip route 172.16.10.0 255.255.255.0 100.0.10.10 tag 10
ip route 172.17.10.0 255.255.255.0 172.20.10.2
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
route-map ospf-redistribute permit 20
 match interface GigabitEthernet3
route-map static-redistribute permit 10
 match tag 10
OSPF Configuration On site A Router = "site-a-gw1"
router ospf 100
 log-adjacency-changes
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.3 area 0
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet1/0
OSPF Configuration On site B Router = "site-b-gw1"
router ospf 100
 log-adjacency-changes
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.20.0 0.0.0.3 area 0
!
route-map ospf-redistribute permit 10
 match interface GigabitEthernet1/0
This OSPF configuration is basic, with a single area; it distributes routes between the DC router and the site routers.
I configured route maps that match the interfaces connecting to the DC servers and the site LANs, and these route maps are used when redistributing connected subnets into OSPF. This also prevents the subnets configured on the Internet-side interfaces from being advertised.
There is another route map to advertise the NAT IP subnet: it selects the static routes carrying 'tag 10' and advertises them in OSPF through the 'redistribute static' command.
Routes Learned By Router = "dc-gw1"
dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:35    172.20.20.2     Tunnel2
192.168.10.1      0   FULL/  -        00:00:33    172.20.10.2     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.1/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet3
L        100.0.20.1/32 is directly connected, GigabitEthernet3
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.10.0 [1/0] via 100.0.10.10
      172.17.0.0/24 is subnetted, 1 subnets
S        172.17.10.0 [1/0] via 172.20.10.2
      172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/30 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
C        172.20.20.0/30 is directly connected, Tunnel2
L        172.20.20.1/32 is directly connected, Tunnel2
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:40:29, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.20.2, 00:40:29, Tunnel2
dc-gw1#
Routes Learned By Router = "site-a-gw1"
site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:00:34    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:44:11, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:44:11, Tunnel1
     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.10.0 [110/20] via 172.20.10.1, 00:35:27, Tunnel1
     172.20.0.0/30 is subnetted, 2 subnets
O       172.20.20.0 [110/2000] via 172.20.10.1, 00:44:11, Tunnel1
C       172.20.10.0 is directly connected, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.10.1, 00:44:01, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
Routes Learned By Router = "site-b-gw1"
site-b-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.20.1       0   FULL/  -        00:00:38    172.20.20.1     Tunnel2
site-b-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.20.1, 00:45:04, Tunnel2
O E2    100.0.20.0 [110/20] via 172.20.20.1, 00:45:04, Tunnel2
O E2 192.168.10.0/24 [110/20] via 172.20.20.1, 00:44:56, Tunnel2
     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.10.0 [110/20] via 172.20.20.1, 00:36:19, Tunnel2
     172.20.0.0/30 is subnetted, 2 subnets
C       172.20.20.0 is directly connected, Tunnel2
O       172.20.10.0 [110/2000] via 172.20.20.1, 00:45:06, Tunnel2
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
     30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1
Please note that:
1) The routes learned by the site routers include the DC server subnets (100.0.10.0/24, 100.0.20.0/24), the NAT subnet (172.16.10.0/24) and the site LAN subnets (192.168.10.0/24 or 192.168.20.0/24).
2) None of the three routers advertises the subnets configured on its Internet-side interface, because those interfaces are not matched in the route maps.
This is the end of Part 4 of this series; we have seen a basic route-based VPN setup with OSPF as the dynamic routing protocol and its sample configuration. Anyone working on a VPN setup using Cisco routers with IOS XE may use this configuration.
In the next article, we will configure route-based VPN tunnels with a dynamic routing protocol under different VRFs.
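The two checks above can be automated against the "sh ip route" output. The following is an added example (not from the article or Cisco) that parses the routing table, lists the OSPF-learned prefixes and flags any that overlap the Internet-side /30 links; the sample input is the site-a-gw1 excerpt shown above, and the underlay prefixes are the ones from this lab.

```python
import re
import ipaddress

# One route entry, e.g. "O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:44:11, Tunnel1"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z][0-9A-Z])?)\s+(?P<prefix>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
    r"(?:\[\d+/\d+\] via (?P<nh>\d+(?:\.\d+){3})|is directly connected)(?:, (?P<rest>.*))?$")
# Classful header line; a plain "subnetted" header carries the mask of the entries below it
HEADER_RE = re.compile(r"^\s+\S+/(?P<len>\d+) is (?P<var>variably )?subnetted")

def parse_ip_route(text):
    """Return [(network, code, next_hop, interface)] from 'show ip route' output."""
    routes, inherited = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            inherited = None if h.group("var") else int(h.group("len"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = int(m.group("len")) if m.group("len") is not None else inherited
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('prefix')}/{plen}")
        intf = m.group("rest").split(", ")[-1] if m.group("rest") else None
        routes.append((net, m.group("code"), m.group("nh"), intf))
    return routes

def ospf_prefixes(routes):
    return sorted(str(n) for n, code, _, _ in routes if code.startswith("O"))

# Internet-side links of this lab; none of them should ever be learned via OSPF
UNDERLAY = [ipaddress.ip_network(n) for n in ("10.0.0.0/30", "20.0.0.0/30", "30.0.0.0/30")]

def ospf_leaks(routes):
    """OSPF-learned prefixes overlapping an Internet-side link (expected: empty)."""
    return sorted(str(n) for n, code, _, _ in routes
                  if code.startswith("O") and any(n.overlaps(u) for u in UNDERLAY))

# Excerpt of the site-a-gw1 routing table from this article
SITE_A_ROUTES = """\
     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:44:11, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:44:11, Tunnel1
     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.10.0 [110/20] via 172.20.10.1, 00:35:27, Tunnel1
     172.20.0.0/30 is subnetted, 2 subnets
O       172.20.20.0 [110/2000] via 172.20.10.1, 00:44:11, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.10.1, 00:44:01, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
"""
```

Running `ospf_leaks(parse_ip_route(SITE_A_ROUTES))` returns an empty list for the lab output, and a constructed line such as `O E2 20.0.0.0/30 [110/20] via 172.20.10.1, 00:01:00, Tunnel1` would be reported, which is the symptom of an Internet-facing interface slipping into the redistribution route map.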
Link to the next article in this series = Part 5 - Route Based VPN With VRF And Dynamic Routing (OSPF)
I hope you find this helpful.