1193 Views | 5 Helpful | 7 Replies

Branch to HQ over IPSec

samaris
Level 1

Hi all.

I have an IPSec VPN between a Cisco 4431 in the branch office and HQ (built on Huawei cloud).

How could I route all the traffic from the branch to HQ through the VPN?

The "device" in the cloud doesn't support route-based VPN, and I can't configure Huawei cloud with 0.0.0.0 as a local subnet.

Are there any solutions or vendor guides for such deployments?

Could GRE help with traffic routing?

The scheme is: Branch Office (Cisco 4431) --- IPsec VPN --- HQ (Huawei cloud) --- Internet

All the traffic from the branch must go to the Internet through the HQ.


7 Replies

Hello,

what do you have configured, a VTI? Crypto map? Post the running configuration of your 4431...

Hello, Georg.

It is a crypto map. Running config:


Current configuration : 9066 bytes
!
! Last configuration change at 10:13:32 MSK Wed Dec 29 2021 by admin
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xxx
!
boot-start-marker
boot system flash isr4400-universalk9.17.03.04a.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip domain name xxx
ip dhcp conflict resolution
!
ip dhcp pool WIFI-CORP
network 10.1.2.0 255.255.255.0
default-router 10.1.2.1
dns-server 10.0.1.31 10.0.1.155
address 10.1.2.66 hardware-address 0182.f775.e817.93
!
ip dhcp pool WIFI-GUEST
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
!
ip dhcp pool CAS
network 10.1.7.0 255.255.255.224
default-router 10.1.7.1
dns-server 10.0.1.31 10.0.1.155
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-4224506021
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4224506021
revocation-check none
rsakeypair TP-self-signed-4224506021
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!

!
!
no license feature hseck9
license udi pid ISR4431/K9 sn FOC25400P44
license boot level securityk9
memory free low-watermark processor 69075
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxx privilege 15 secret 9 xxx

!
redundancy
mode none
!
crypto ikev2 proposal CLOUD
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy CLOUD
proposal CLOUD
!
crypto ikev2 keyring CLOUDKEY
peer CLOUD
address 37.18.115.46
pre-shared-key xxx
!
!

!
crypto ikev2 profile CLOUD
match identity remote address 37.18.115.46 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local CLOUDKEY
!

!
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map CLOUD 10 ipsec-isakmp
set peer 37.18.115.46
set transform-set TS
set ikev2-profile CLOUD
match address VPN-SBERCLOUD

!
interface Loopback0
ip address 10.1.1.225 255.255.255.255
!
interface GigabitEthernet0/0/0
description LAN
ip address 10.1.1.241 255.255.255.240
ip nat inside
ip ospf 1 area 0.0.0.0
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
description CAS_SERVER
ip address 10.1.7.1 255.255.255.224
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/3
description INTERNET
ip address 213.79.107.186 255.255.255.252
ip nat outside
load-interval 30
negotiation auto
crypto map CLOUD
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
router-id 10.1.1.225
redistribute connected
redistribute static
default-information originate
!
router bgp 65001
bgp log-neighbor-changes
neighbor 213.79.107.185 remote-as 8732
!
ip http server
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source list LAN_NAT interface GigabitEthernet0/0/3 overload
!
!
ip access-list extended LAN_NAT
10 deny ip 10.1.0.0 0.0.7.255 10.0.0.0 0.0.255.255
20 deny ip 10.1.0.0 0.0.7.255 192.168.200.0 0.0.7.255
90 permit ip 10.1.7.0 0.0.0.31 any
100 permit ip 10.1.2.0 0.0.0.255 any
ip access-list extended VPN-SBERCLOUD
10 permit ip 10.1.0.0 0.0.7.255 10.0.0.0 0.0.255.255
ip access-list extended VPN-VAVILOVA
10 permit ip 10.1.0.0 0.0.7.255 192.168.200.0 0.0.7.255
!
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 15 0
transport input ssh
transport output all
line vty 5 15
transport input ssh
transport output all
!

!
!
end

Hello,

--> How could I route all the traffic from branch to HQ through the VPN?

What traffic (which local subnets) do you want to be routed to the HQ (through the VPN)? What about Internet traffic from the Branch, does that have to go through the VPN as well (and exit to the Internet at the HQ)?

What traffic (which local subnets) do you want to be routed to the HQ (through the VPN)? 10.1.8.0/24

What about Internet traffic from the Branch, does that have to go through the VPN as well (and exit to the Internet at the HQ)? Yes, traffic from the Branch has to go to the Internet through HQ (through the VPN).
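With a crypto map (policy-based VPN), which packets get encrypted is decided by the crypto ACL, and on IOS that ACL is evaluated after inside-to-outside NAT, so the NAT ACL and the crypto ACL have to agree with each other. The script below is an added example for this thread, not code from the original posts or from Cisco: it re-implements Cisco wildcard-mask ACL matching and walks a few constructed flows through the LAN_NAT and VPN-SBERCLOUD lists copied from the running config above. It shows that under the current lists the 10.1.8.0/24 subnet named in this reply matches neither ACL (so it would leave the outside interface untranslated and in the clear), and what a hypothetical full-tunnel pair of lists (NAT exemption plus a crypto ACL entry to `any`, both constructed here, not from the thread) would classify. Flow addresses and the full-tunnel ACLs are constructed; the NAT-before-crypto ordering is the documented IOS behaviour for inside-to-outside traffic.

```python
"""Classify branch-to-outside flows through the NAT ACL and the crypto-map ACL.

Added example for this thread; not code from the original posts or from Cisco.
Models Cisco IOS order of operations for inside-to-outside traffic: NAT first,
then the crypto ACL is evaluated against the (possibly translated) packet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # only "ip" entries appear in the posted config
    src: tuple             # (base as int, wildcard as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(text):
    """Parse numbered 'ip access-list extended' entries, one per line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(int(tokens[0]), tokens[1], tokens[2], src, dst))
    return entries


def _match(addr, spec):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)


def acl_lookup(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if _match(src, e.src) and _match(dst, e.dst):
            return e.action
    return "deny"


def classify(src, dst, nat_acl, crypto_acl, outside_ip):
    """Return how a packet leaving the outside interface would be handled."""
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    post_nat_src = outside_ip if translated else src   # NAT runs before crypto
    if acl_lookup(crypto_acl, post_nat_src, dst) == "permit":
        return "encrypted"          # selected by the crypto map, enters the IPsec SA
    return "nat-clear" if translated else "clear-untranslated"


OUTSIDE_IP = "213.79.107.186"  # GigabitEthernet0/0/3 in the posted config

# ACLs copied from the posted running config
PAGE_NAT_ACL = parse_acl("""
10 deny ip 10.1.0.0 0.0.7.255 10.0.0.0 0.0.255.255
20 deny ip 10.1.0.0 0.0.7.255 192.168.200.0 0.0.7.255
90 permit ip 10.1.7.0 0.0.0.31 any
100 permit ip 10.1.2.0 0.0.0.255 any
""")
PAGE_CRYPTO_ACL = parse_acl("""
10 permit ip 10.1.0.0 0.0.7.255 10.0.0.0 0.0.255.255
""")

# Hypothetical full-tunnel policy for 10.1.8.0/24 (constructed, not from the thread):
# exempt the subnet from NAT and let the crypto ACL claim all of its traffic.
FULL_TUNNEL_NAT_ACL = parse_acl("5 deny ip 10.1.8.0 0.0.0.255 any\n") + PAGE_NAT_ACL
FULL_TUNNEL_CRYPTO_ACL = parse_acl("5 permit ip 10.1.8.0 0.0.0.255 any\n") + PAGE_CRYPTO_ACL

if __name__ == "__main__":
    # Constructed sample flows: corp Wi-Fi to HQ DNS, corp Wi-Fi to Internet, new subnet to Internet
    flows = [("10.1.2.10", "10.0.1.31"), ("10.1.2.10", "8.8.8.8"), ("10.1.8.5", "8.8.8.8")]
    for s, d in flows:
        now = classify(s, d, PAGE_NAT_ACL, PAGE_CRYPTO_ACL, OUTSIDE_IP)
        full = classify(s, d, FULL_TUNNEL_NAT_ACL, FULL_TUNNEL_CRYPTO_ACL, OUTSIDE_IP)
        print(f"{s:>10} -> {d:<10} current: {now:<20} full-tunnel: {full}")
```

Running the script shows the current lists sending 10.1.2.0/24 to 10.0.0.0/16 encrypted and to the Internet via local NAT, while 10.1.8.0/24 falls through the implicit deny of both lists. The full-tunnel lists only describe the branch-side ACL shape; they still require the cloud peer to accept 0.0.0.0/0 as its remote traffic selector, which is exactly the constraint raised in the opening post, so they do not by themselves answer the question.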

...

MHM Cisco World, could you provide me with more details or examples about dynamic map?

....