Cisco ISR to BlueCoat Cloud Proxy

Ji-Won Park
Level 1

Hi all, I'm wondering if anyone has done an IPsec tunnel to BlueCoat Proxy from an ISR G2. I do have a security license on the router. All I know is that they use IKEv1 PSK to establish the connection. Please let me know. Thanks

4 Replies

nkarthikeyan
Level 7

Hi,

Yep. You have to use IKEv1 and PSK for this IPsec establishment with the BC cloud proxy.

Recommendations:

IKEv1
Pre-shared key

IKEv1 Policy:
pre-share-aes-256-sha
pre-share-aes-sha

Mode: Tunnel mode

IPsec Policy:
PFS should be enabled
NAT-T should be disabled
DH Group: 5

Local network as it is on actuals, and remote network type any

Connection should be bi-directional
Service should be enabled for HTTP/HTTPS, and NAT should be done for the same, with proxy-ARP disabled

After configuring this you can try HTTP/HTTPS access to a website.

Even that will show you which pod you have connected to.

Regards
Karthik

IPsec is established between BC Cloud and my ISR now. However, I am facing a little challenge here.

I have NAT overload to my cellular network, which is connected to my internal network via GRE/IPsec (BGP), and I need to somehow forward my client traffic to the BC Cloud IP address.

Diagram:

Tunnel1 SW--ISR---------GRE/IPSEC-------------INTERNAL-DC

SW--ISR-----------------------IPSEC------------------BC Cloud

Has anyone gone through this exercise? Please let me know.

Thanks

Ji-Won Park
Level 1

I believe my ISR supports IKEv2 only. Does it fall back to IKEv1?

 

## Here's my config

! Phase 1 (IKEv1): AES-256, pre-shared key, DH group 5 (hash defaults to SHA-1)
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth
!
! Phase 2: ESP AES with SHA-256 HMAC, tunnel mode
crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel
!
! Crypto map: peer, transform set and the "interesting traffic" ACL
crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175
!
! Traffic from the internal client subnet to anywhere is sent through the tunnel
access-list 175 permit ip [internal Client IP] any
!
! Crypto map applied on the WAN (cellular) interface facing the cloud peer
interface Cellular0/0/0
 crypto map vpn

Please note that I only provided the IPsec-related configuration here. Assume that the cellular interface, NAT, routing and all other components are working as expected.

Thanks

Ji-Won Park
Level 1

Anyone?

The tunnel has been created, but I still don't know how I should be forwarding packets, as I am using the cellular interface. I have 'nat overload to Cellular0/0/0' and my default route pointing to Cellular0/0/0.
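Karthik's recommendations (IKEv1 with PSK, AES/SHA, DH group 5, PFS, NAT-T off, tunnel mode, local network as actual and remote any, NAT for HTTP/HTTPS) and the last question about forwarding client traffic when both NAT overload and the default route point at Cellular0/0/0 come down to the same IOS configuration, so one added example follows. It is not configuration from this thread or from BlueCoat/Symantec; the addresses (10.10.0.0/24 for the client LAN, 203.0.113.10 for the cloud peer), the LAN interface name, the ACL names and the key are assumptions. The one behaviour it relies on is the IOS order of operations: on the inside-to-outside path, NAT is applied before the crypto map is evaluated, so a crypto ACL written with the internal client addresses only ever matches if that traffic is exempted from the overload NAT (or, alternatively, the crypto ACL is written with the post-NAT public address).

```cisco
! Added example, not from the thread. Assumed values:
!   10.10.0.0/24  = internal client LAN behind GigabitEthernet0/1
!   203.0.113.10  = BC Cloud IPsec peer (the thread's [CLOUD-IP])
!   Cellular0/0/0 = WAN interface carrying both NAT overload and the crypto map
!
! Phase 1: IKEv1, pre-shared key, AES-256/SHA, DH group 5
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key MyStrongPSK address 203.0.113.10 no-xauth
!
! NAT-T disabled, per the provider recommendation (global toggle)
no crypto ipsec nat-transparency udp-encapsulation
!
! Phase 2: ESP AES/SHA in tunnel mode, PFS with DH group 5
crypto ipsec transform-set BC-Cloud esp-aes esp-sha-hmac
 mode tunnel
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set BC-Cloud
 set pfs group5
 match address 175
!
! Crypto ACL: only client web traffic is "interesting" and goes to the proxy.
! Everything else keeps the normal NAT-overload path to the Internet.
! IOS translates inside->outside before it consults the crypto map, so these
! lines only match because the same flows are exempted from NAT below.
access-list 175 permit tcp 10.10.0.0 0.0.0.255 any eq 80
access-list 175 permit tcp 10.10.0.0 0.0.0.255 any eq 443
!
! NAT ACL: a deny here means "do not translate". The tunnel-bound web flows
! therefore reach the crypto map with their real 10.10.0.x source; all other
! client traffic is overloaded onto the cellular address as before.
ip access-list extended NAT-INSIDE
 deny   tcp 10.10.0.0 0.0.0.255 any eq 80
 deny   tcp 10.10.0.0 0.0.0.255 any eq 443
 permit ip 10.10.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Cellular0/0/0 overload
!
interface GigabitEthernet0/1
 description Client LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
interface Cellular0/0/0
 ip nat outside
 crypto map vpn
!
! Default route stays on the cellular interface; the crypto map intercepts the
! matching flows on the way out, no separate route toward the cloud is needed.
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
```

To check it, `show crypto isakmp sa` should list the peer in state QM_IDLE, `show crypto ipsec sa` should show the encaps/decaps counters climbing while a client browses, and `show ip nat translations` should contain no entries for the client's port 80/443 flows. Restricting the crypto ACL to TCP 80/443 narrows the proxy IDs the peer sees; if the cloud side insists on a plain host-to-any selector, use `permit ip` there and in the NAT denies, as the thread's own ACL 175 does. Whether the provider accepts the internal range as the local proxy ID, or requires the post-NAT public address (in which case the crypto ACL must match the Cellular0/0/0 address and the NAT deny lines go away), is something to confirm on the provider's tunnel setup page; the thread does not settle it.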
