Cisco ISR to BlueCoat Cloud Proxy

Aug 15th, 2014
Hi all, I'm wondering if anyone has done an IPsec tunnel to BlueCoat Proxy from an ISR G2. I do have a security license on the router. All I know is that they use IKEv1 PSK to establish the connection... please let me know. Thanks
nkarthikeyan Sat, 08/16/2014 - 01:48

Hi,

Yeap. You have to use IKEv1 and PSK for this IPsec establishment with BC cloud proxy.

Recommendations:

IKEv1, pre-shared key

IKEv1 Policy:
pre-share-aes-256-sha
pre-share-aes-sha

Mode: Tunnel Mode

IPSec Policy:
PFS should be enabled
NAT-T should be disabled
DH Group: 5

Local network as it is on actuals, and remote network type any

Connection should be bi-directional
Service should be enabled for http/https and NAT to be done for the same..... with proxy-arp disabled

After configuring this you can try http/https access to a website....

Even that will show you which pod you have connected with...

Regards
Karthik
 
Ji-Won Park Sat, 08/16/2014 - 09:31

IPsec is established between BC Cloud and my ISR now... However, I am facing a little challenge here.

I have NAT overload to my cellular network, which is connected to my internal network in GRE/IPsec (BGP), and I need to somehow forward my client traffic to the BC Cloud IP address.

Diagram:

Tunnel1 SW--ISR---------GRE/IPSEC-------------INTERNAL-DC

SW--ISR-----------------------IPSEC------------------BC Cloud

Has anyone gone through this exercise? Please let me know.

Thanks

Ji-Won Park Sat, 08/16/2014 - 06:57

I believe my ISR supports IKEv2 only.. Does it fall back to IKEv1??

## Here's my config

```
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth

crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel

crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175

access-list 175 permit ip [internal Client IP] any

interface cellular 0/0/0
 crypto map vpn
```

Please note that I only provided the IPsec-related configuration here. Assume that the cellular interface, NAT, routing and all other components are working as expected.

Thanks
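A config audit, written as an added example for this thread rather than code from either poster, that parses an IOS-style crypto configuration and reports where it departs from Karthik's recommendations above (IKEv1 with pre-shared key, AES, DH group 5, tunnel mode, PFS on, NAT-T off). The sample input is the config posted above with its placeholders kept; `set pfs group5` and `no crypto ipsec nat-transparency udp-encapsulation` are the standard IOS commands for the two settings the audit finds missing there.

```python
# Constructed sample: the IKEv1/PSK config posted in this thread, placeholders kept.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth
crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel
crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175
"""

def parse_blocks(config):
    """Group indented sub-commands under their parent line, running-config style."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_bluecoat_ipsec(config):
    """Return departures from the recommended settings; an empty list means compliant."""
    blocks = parse_blocks(config)
    findings = []
    policies = {k: v for k, v in blocks.items() if k.startswith("crypto isakmp policy")}
    for name, sub in policies.items():
        if "authentication pre-share" not in sub:
            findings.append(f"{name}: authentication should be pre-share")
        if not any(s.startswith("encr aes") for s in sub):
            findings.append(f"{name}: encryption should be AES")
        if "group 5" not in sub:
            findings.append(f"{name}: DH group should be 5")
    for name, sub in blocks.items():
        if name.startswith("crypto ipsec transform-set") and "mode transport" in sub:
            findings.append(f"{name}: mode should be tunnel, not transport")
        if name.startswith("crypto map") and name.endswith("ipsec-isakmp"):
            if not any(s.startswith("set pfs") for s in sub):
                findings.append(f"{name}: PFS not enabled (add 'set pfs group5')")
    if "no crypto ipsec nat-transparency udp-encapsulation" not in blocks:
        findings.append("NAT-T still enabled (add 'no crypto ipsec nat-transparency udp-encapsulation')")
    return findings
```

IOS leaves defaults such as `mode tunnel` out of a running-config, so the transform-set check flags an explicit `mode transport` instead of requiring `mode tunnel` to be present.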

Ji-Won Park Sat, 08/16/2014 - 18:07

Anyone...??

The tunnel has been created, but I still don't know how I should be forwarding packets as I am using the cellular interface.. I have 'nat overload to Cellular0/0/0' and my default route pointing to Cellular0/0/0..
