11-10-2019 10:06 PM
I have two questions:
1. Is it possible to establish GRE tunnels using IPSec encapsulation while using a cellular interface on an ISR router?
2. Is it possible to establish this connectivity while the LTE carrier dynamically assigns a private address to the ISR, and we have a static public address on the hub firewall? A private APN is not currently available, and the carrier NATs the private address to a dynamic public address elsewhere in their network.
GREs are important here, as the ISR has multiple VRFs that cannot be combined into a global VRF due to security reasons.
11-11-2019 12:44 AM
Hello,
IPSec/GRE on a cellular interface should be no problem.
As for your second question, what exactly does your topology look like? How is the ISR connected to the firewall?
11-11-2019 04:11 PM - edited 11-11-2019 08:05 PM
Both the firewall and the ISR are directly connected to the Internet.
The firewall has a simple Ethernet connection to the Internet, while the ISR has an LTE connection to the Internet. The cellular slot has a SIM card on a public APN.
I attempted to build a config for VRF-aware IPSec, but I've not found enough documentation to suggest it is a viable solution, especially when the LTE interface is assigned a private address by the carrier. The other issue is we have at least two VRFs on the ISR which cannot be combined to one IVRF due to a security limitation.
11-12-2019 01:37 AM
Hello,
I guess my question was how the ISR and the firewall are connected.
Either way, if the ISR is behind a NAT device (your provider's device), you need to configure NAT Traversal on the ISR by forwarding UDP 4500.
Post the full running configuration of the ISR...
11-13-2019 04:06 PM
Isn't NAT-T enabled by default?
The two devices are connected by the Internet. Nothing in between.
11-13-2019 06:03 PM - edited 11-13-2019 06:42 PM
I ran into an issue of using crypto maps on tunnels (new requirement after v15 or so), hence the reply edit. I believe I've overcome that issue.
Configs below. Note two VRFs for the two LANs.
version 16.8
!
ip vrf LAN1
!
ip vrf LAN2
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery disable
!
crypto isakmp policy 111
encr aes 256
authentication pre-share
group 2
lifetime 1440
crypto isakmp key xxxxxxxxxxxxx address 1.1.1.1
!
!
crypto ipsec transform-set ipsec-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set ipsec-set
!
interface Loopback1
ip vrf forwarding LAN1
ip address 172.16.1.1 255.255.255.255
!
interface Loopback2
ip vrf forwarding LAN2
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel1
ip vrf forwarding LAN1
ip address 10.1.1.1 255.255.255.252
ip access-group LAN1-ACL in
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI shared
!
interface Tunnel2
ip vrf forwarding LAN2
ip address 10.1.2.1 255.255.255.252
ip access-group LAN2-ACL in
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI shared
!
interface Cellular0/2/0
no ip address
dialer in-band
dialer idle-timeout 0
dialer-group 1
ipv6 enable
pulse-time 1
!
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route vrf LAN1 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf LAN2 0.0.0.0 0.0.0.0 Tunnel2
!
!
ip access-list extended LAN1-ACL
permit ip host 1.1.1.1 any
ip access-list extended LAN2-ACL
permit ip host 1.1.1.1 any
!
dialer-list 1 protocol ip permit
!
11-17-2019 07:56 PM
Hello Georg. Have you had a moment to take a look at the config at all?
11-18-2019 08:10 AM
Hello,
the config looks good as far as I can tell, but I am still not clear on what your topology looks like. Is it:
Router --> Firewall --> Internet
11-18-2019 03:29 PM - edited 11-18-2019 03:34 PM
Site A: C1111 Router > Internet
Site B: Firewall > Internet
I aim to connect both sites via Internet over IPSec and/or GRE.
Site A uses its LTE interface to connect to the Internet, and the LTE carrier assigns a dynamic private IP to the LTE interface.
Site B has a public address on a direct Ethernet connection to the Internet.
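For the GRE-per-VRF design asked about in the first post, here is a spoke-side (Site A ISR) configuration written as an added example; it is not the poster's config or Cisco documentation. It assumes IOS XE with IKEv2, keeps the thread's placeholder 1.1.1.1 for the hub, uses a placeholder pre-shared key and an assumed FQDN spoke-a.example.com, and assumes the hub accepts IKE from any source address and matches this spoke on its FQDN identity rather than its (dynamic, NATed) IP.

```text
! Spoke (Site A ISR): added example, not the poster's config.
! One GRE tunnel per VRF, all riding a single IPsec SA pair to the hub
! (1.1.1.1 is the thread's placeholder). The spoke initiates, so IKE's
! built-in NAT detection switches to UDP 4500 encapsulation by itself.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring HUB-KR
 peer HUB
  address 1.1.1.1
  pre-shared-key SPOKE-PSK-PLACEHOLDER
!
! The spoke's WAN address is dynamic and NATed, so it cannot be its IKE
! identity; send an FQDN (assumed name) and let the hub match on that.
crypto ikev2 profile IKEV2-PROF
 match identity remote address 1.1.1.1 255.255.255.255
 identity local fqdn spoke-a.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KR
 dpd 30 5 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GRE-IPSEC
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Outer GRE/IPsec stays in the global table (tunnel source/destination)
! while ip vrf forwarding puts each tunnel's inside in its own LAN VRF.
! Same source/destination on both tunnels needs distinct tunnel keys and
! the "shared" keyword so one SA pair carries both.
interface Tunnel1
 ip vrf forwarding LAN1
 ip address 10.1.1.1 255.255.255.252
 tunnel source Cellular0/2/0
 tunnel destination 1.1.1.1
 tunnel key 1
 tunnel protection ipsec profile GRE-IPSEC shared
interface Tunnel2
 ip vrf forwarding LAN2
 ip address 10.1.2.1 255.255.255.252
 tunnel source Cellular0/2/0
 tunnel destination 1.1.1.1
 tunnel key 2
 tunnel protection ipsec profile GRE-IPSEC shared
```

Because the carrier NAT rewrites the spoke's source, only the spoke can initiate; the hub side must allow inbound UDP 500 and 4500 from any address and should not rely on the spoke's IP for policy or authentication.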