Connectivity for MPLS VPN Implementations – Best Practice

An access circuit connects the customer’s CE router to the MPLS provider’s PE router.

An MPLS provider can offer a fully managed solution, where they install and manage a CE router on the business premises at additional cost, or an unmanaged solution, where the business provides and manages its own CE router. The unmanaged service is the preferred choice. A managed service can be considered if the added value it brings outweighs the additional financial cost.

The access circuit can be any suitable WAN transport option, including Gigabit Ethernet, Fast Ethernet, T3, E3, etc. When selecting the access circuit type, consideration must be given to whether it will support multiple VPNs: an Ethernet service is preferred, but a WAN service supporting Frame Relay is acceptable. In either case, sub-interfaces are defined with a separate VLAN or DLCI for each VPN carried on the same access circuit.

For most MPLS VPN implementations, a business will connect a minimum of two separate WAN hub locations to diverse MPLS provider clouds. Remote locations (i.e. any site that is not a WAN hub) can connect to a single provider cloud (if another WAN connection provides an alternate path) or to both provider clouds.

Crypto Map:
crypto map external_map 4 match address external_4_cryptomap
crypto map external_map 4 set pfs
crypto map external_map 4 set peer 203.53.132.225
crypto map external_map 4 set transform-set ESP-AES-256-SHA

Crypto ACL:
access-list external_4_cryptomap extended permit ip object-group tt-NRMA-NAT 10.2.232.0 255.255.255.0
!
access-list external_4_cryptomap extended permit ip 10.2.232.0 255.255.255.0 object-group tt-NRMA-NAT

Crypto IPSec:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Object Group:
object-group network tt-NRMA-NAT
description TT NRMA PROD NAT Address
network-object host 192.168.210.1

ACL:
access-list internal_nat_outbound_8 remark NRMA Prod
access-list internal_nat_outbound_8 extended permit ip object-group tt-internal-subnets 10.2.232.0 255.255.255.0

Dynamic Policy NAT:
nat (internal) 6 access-list internal_nat_outbound_8
global (external) 6 192.168.210.1 netmask 255.255.255.255

debug crypto isakmp

DMVPN_Example

Cisco DMVPN Configuration Template

– Advertise MENA as 192.168.96.0/20
– 192.168.96.0 – 192.168.111.255
– 255.255.240.0

— To Do Tasks / Queries —
! — ACL to allow only: GRE, ESP, SIP (Digium), ICMP
! — Select DMVPN range
! Crypto ACL required????
Firewall rules – anything? SIP will bypass the FW now and route around the FW.

– 1.) /29 for the ‘inside’ Gi0/x interface
– 2.) EIGRP on the ‘inside’ interface
– 3.) Move the default gateway (not the .1 IP address).

———————————————————————-

! Base configuration
! Primary ISP connection Gi0/0
interface gi0/0
ip address 62.201.219.13x 255.255.255.224
ip access-group X2
!
! Secondary ISP connection Gi0/1
interface gi0/1
ip address 171.33.165.6x 255.255.255.248
ip access-group Xy

! Configure IP SLA to track Primary Internet access status

ip sla 10
icmp-echo 8.8.8.8
threshold 2000
frequency 30

ip sla schedule 10 start-time now life forever
!
track 10 ip sla 10 reachability

! Configure the following IP routes
! Route to Beacon

ip route 8.8.8.8 255.255.255.255 62.201.219.129

! — Primary route
ip route 0.0.0.0 0.0.0.0 62.201.219.129 track 10

! — Secondary route with administrative distance 5
ip route 0.0.0.0 0.0.0.0 171.33.165.57 5

! — DMVPN Tunnels Headend Configuration

interface Tunnel1
description *** Primary DMVPN Tunnel ***
bandwidth 5000
ip address 10.200.1.1 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
! hub must re-advertise one spoke's routes to the others out the same mGRE interface
no ip split-horizon eigrp 1
ip tcp adjust-mss 1340
tunnel source Gi0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
interface Tunnel2
description *** Secondary DMVPN Tunnel ***
bandwidth 1000
ip address 10.200.2.1 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
no ip split-horizon eigrp 1
ip tcp adjust-mss 1340
tunnel source Gi0/1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN

! EIGRP over tunnel interfaces
router eigrp 1
passive-interface default
! re-enable EIGRP hellos on the DMVPN tunnels only
no passive-interface Tunnel1
no passive-interface Tunnel2
! NRP-MENA-FILTER prefix list is referenced here but not defined in this template
distribute-list prefix NRP-MENA-FILTER out
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0

crypto isakmp policy 1
! set explicitly; an unspecified encryption falls back to the platform default
encryption aes
authentication pre-share
group 2
! 0.0.0.0 0.0.0.0 accepts this PSK from any peer address (needed for dynamic spokes)
crypto isakmp key 2=1plus1 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set security-association idle-time 600
set transform-set ESP-AES128-SHA1

———————————————————————-

! —— DMVPN Client End Configuration ——-

interface Tunnel1
description *** Primary DMVPN Tunnel ***
bandwidth 5000
ip address 10.200.1.30 255.255.255.0
no ip redirects
ip mtu 1380
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nhrp authentication !NHRP01
ip nhrp map 10.200.1.1 62.201.219.130
ip nhrp map multicast 62.201.219.130
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 10.200.1.1
! a second NHS needs its own 'ip nhrp map 10.200.1.2 <hub2-NBMA-address>' entry (not shown)
ip nhrp nhs 10.200.1.2
ip tcp adjust-mss 1300
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
!
interface Tunnel2
description *** Secondary DMVPN Tunnel ***
bandwidth 1000
ip address 10.200.2.30 255.255.255.0
no ip redirects
ip mtu 1380
ip nhrp authentication !NHRP01
ip nhrp map 10.200.2.1 171.33.165.60
ip nhrp map multicast 171.33.165.60
ip nhrp network-id 2
ip nhrp holdtime 600
ip nhrp nhs 10.200.2.1
ip tcp adjust-mss 1340
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN
!
!
! EIGRP over tunnel interfaces
router eigrp 1
passive-interface default
! re-enable EIGRP hellos on the DMVPN tunnels only
no passive-interface Tunnel1
no passive-interface Tunnel2
! NRP-MENA-FILTER prefix list is referenced here but not defined in this template
distribute-list prefix NRP-MENA-FILTER out
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0

crypto isakmp policy 1
! set explicitly; an unspecified encryption falls back to the platform default
encryption aes
authentication pre-share
group 2
! 0.0.0.0 0.0.0.0 accepts this PSK from any peer address (the hub addresses are not fixed here)
crypto isakmp key 2=1plus1 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN
set security-association idle-time 600
set transform-set ESP-AES128-SHA1
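A small configuration lint, added here as an example (not part of the original template), that parses IOS-style text and runs the three checks a reviewer would apply to both the headend and the client sections above: every NHS has a static NHRP map, `passive-interface default` is paired with `no passive-interface` for each tunnel, and each ISAKMP policy names its encryption. The sample config and PSK are constructed and deliberately leave those items out so every check fires; the block-header and top-level keyword lists are assumptions about the template's syntax.

```python
import re
# Constructed sample: the spoke template's relevant lines with its gaps left in; placeholder PSK.
SAMPLE_CONFIG = """\
interface Tunnel1
 ip nhrp map 10.200.1.1 62.201.219.130
 ip nhrp nhs 10.200.1.1
 ip nhrp nhs 10.200.1.2
!
router eigrp 1
 passive-interface default
 network 10.200.1.0 255.255.255.0
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
"""
BLOCK_HEADER = re.compile(r"^(interface \S+|router \S+ \d+|crypto isakmp policy \d+)$")
TOP_LEVEL = ("interface ", "router ", "crypto ", "ip route ", "ip sla ", "track ", "access-list ")

def parse_blocks(config):
    """Map block header -> child commands; a block ends at '!' or the next top-level command."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is not trusted: pasted configs usually lose it
        if not line or line.startswith("!") or line.startswith(TOP_LEVEL):
            current = None
        if BLOCK_HEADER.match(line):
            current = blocks.setdefault(line, [])
        elif current is not None and line:
            current.append(line)
    return blocks

def lint_dmvpn(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    tunnels = [h.split()[1] for h in blocks if h.startswith("interface Tunnel")]
    for header, body in blocks.items():
        if header.startswith("interface Tunnel"):
            # every NHS the spoke registers with needs a static NBMA mapping
            mapped = {c.split()[3] for c in body if re.match(r"ip nhrp map \d", c)}
            for nhs in (c.split()[3] for c in body if c.startswith("ip nhrp nhs ")):
                if nhs not in mapped:
                    findings.append(f"{header}: nhs {nhs} has no matching 'ip nhrp map' entry")
        elif header.startswith("router eigrp") and "passive-interface default" in body:
            # passive-interface default silences hellos everywhere unless tunnels are re-enabled
            for t in tunnels:
                if f"no passive-interface {t}" not in body:
                    findings.append(f"{header}: {t} stays passive, no EIGRP neighbour forms on it")
        elif header.startswith("crypto isakmp policy") and not any(c.startswith("encryption ") for c in body):
            findings.append(f"{header}: no explicit 'encryption', the platform default applies")
    return findings
```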

———————————————————————-

VPN Setup Checkpoint

How To: Packet Capture VPN Debug on Checkpoint Gaia

FW01> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@FW01]# vpn debug trunc
[Expert@FW01]#
[Expert@FW01]# vpn debug off
[Expert@FW01]# ls
[Expert@FW01]# cd $FWDIR
[Expert@FW01]# ls
ICS bin doc oracle_oi state
SU boot hash policy sup
amw cisco lib postfix_install tmp
amw_kss conf log sclient uf
appi cyrus_sasl_install modules scripts well
aspam_engine_install database nac spool
av dlp nacportal srpkg
[Expert@FW01]# cd log
[Expert@FW01]# ls
ike.elg ldap_pid_5014.stats
[Expert@FW01]#
[Expert@FW01]# ftp
ftp> o 192.168.8.74
Connected to 192.168.8.74 (192.168.8.74).
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.8.74:admin): anonymous
331 User name ok, need password
Password:
230-The response '' is not valid.
230-Next time, please use your email address as password.
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/log/opt/CPsuite-R75.40/fw1
ftp> lcd
Local directory now /var/log/opt/CPsuite-R75.40/fw1
ftp> put ike.elg
ftp> quit
