Cisco ISR to BlueCoat Cloud Proxy

Unanswered Question
Aug 15th, 2014
Hi all, I'm wondering if anyone has done an IPsec tunnel to BlueCoat Proxy from an ISR G2. I do have a security license on the router. All I know is that they use IKEv1 PSK to establish the connection... Please let me know. Thanks
nkarthikeyan Sat, 08/16/2014 - 01:48
Yep. You have to use IKEv1 and PSK for this IPsec establishment with the BC cloud proxy.

IKEv1 Policy:

Mode: Tunnel Mode
IPSec Policy:
PFS should be enabled
NAT-T should be disabled
DH Group: 5
Local network as per actuals, and remote network type any
Connection should be bi-directional
Service should be enabled for HTTP/HTTPS, and NAT is to be done for the same, with proxy-arp disabled.
After configuring this, you can try HTTP/HTTPS access to a website...
Even that will show you which pod you have connected with...
Ji-Won Park Sat, 08/16/2014 - 09:31

IPsec is established between BC Cloud and my ISR now... However, I am facing a little challenge here.

I have NAT overload to my cellular network, which is connected to my internal network over GRE/IPsec (BGP), and I need to somehow forward my client traffic to the BC Cloud IP address.



Tunnel1 SW--ISR---------GRE/IPSEC-------------INTERNAL-DC

SW--ISR-----------------------IPSEC------------------BC Cloud



Has anyone gone through this exercise? Please let me know.



Ji-Won Park Sat, 08/16/2014 - 06:57

I believe my ISR supports IKEv2 only. Does it fall back to IKEv1?


## Here's my config


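```
! IKEv1 (ISAKMP) phase 1 policy: AES-256, pre-shared key, DH group 5
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
! Pre-shared key for the cloud peer
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth
!
! Phase 2 transform set, tunnel mode
crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175
!
! Traffic selected for the tunnel: internal client to any destination
access-list 175 permit ip [internal Client IP] any
!
! Crypto map applied to the cellular interface
interface cellular 0/0/0
 crypto map vpn
```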


Please note that I only provided the IPsec-related configuration here. Assume that the cellular interface, NAT, routing, and all other components are working as expected.
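
An added example, not written by any poster in this thread: a small Python check that reads the IPsec lines posted above and reports which items from the earlier reply's checklist (IKEv1 PSK, DH group 5, tunnel mode, PFS, NAT-T disabled) are visible in them. It assumes IOS leaves NAT-T on unless `no crypto ipsec nat-transparency udp-encapsulation` is configured and reads "DH Group: 5" as the ISAKMP policy group; the function names are illustrative.

```python
# Constructed sample: the IPsec lines posted in this thread, placeholders kept.
POSTED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth
crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel
crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175
access-list 175 permit ip [internal Client IP] any
interface cellular 0/0/0
 crypto map vpn
"""

def sections(config):
    """Group IOS lines into {top-level command: [indented sub-commands]}."""
    out, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        elif not line[0].isspace():
            current = " ".join(line.split())  # normalise repeated spaces
            out.setdefault(current, [])
    return out

def audit(config):
    """Return {check name: bool} for the checklist items from the reply."""
    sec = sections(config)
    def subs(prefix):
        return [s for top, body in sec.items() if top.startswith(prefix) for s in body]
    isakmp, cmap = subs("crypto isakmp policy"), subs("crypto map")
    return {
        "ikev1_psk": "authentication pre-share" in isakmp,
        # Assumption: "DH Group: 5" is checked against the ISAKMP policy.
        "dh_group_5": "group 5" in isakmp,
        "tunnel_mode": "mode tunnel" in subs("crypto ipsec transform-set"),
        "pfs_enabled": any(s.startswith("set pfs") for s in cmap),
        # Assumption: NAT-T stays enabled unless this global line is present.
        "nat_t_disabled": "no crypto ipsec nat-transparency udp-encapsulation" in sec,
    }

if __name__ == "__main__":
    for name, ok in audit(POSTED_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On the posted lines the first three checks pass, while `pfs_enabled` and `nat_t_disabled` report false because no `set pfs` or NAT-T line appears in what was shared.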



Ji-Won Park Sat, 08/16/2014 - 18:07

The tunnel has been created, but I still don't know how I should be forwarding packets as I am using the cellular interface. I have 'nat overload to Cellular0/0/0' and my default route pointing to Cellular0/0/0.

