Cisco Support Community
Community Member

Cisco ISR to BlueCoat Cloud Proxy

Hi all, I'm wondering if anyone has done an IPsec tunnel to BlueCoat Proxy from an ISR G2. I do have a security license on the router. All I know is that they use IKEv1 PSK to establish the connection... please let me know. Thanks
4 REPLIES


Hi,

Yeap. You have to use IKEv1 and PSK for this IPsec establishment with BC cloud proxy.

Recommendations:

IKEv1
Pre-shared key

IKEv1 Policy:
pre-share-aes-256-sha
pre-share-aes-sha

Mode: Tunnel Mode

IPsec Policy:
PFS should be enabled
NAT-T should be disabled
DH Group: 5

Local network as it is on actuals, and remote network type any

Connection should be bi-directional
Service should be enabled for HTTP/HTTPS and NAT to be done for the same..... with proxy-ARP disabled

After configuring this you can try HTTP/HTTPS access to a website....

Even that will show you which pod you have connected with...
 
Regards
Karthik
 
Community Member


IPSEC is established between BC Cloud and my ISR now... However, I am facing a little challenge here. 

 

I have NAT-OVERLOAD to my cellular network, which is connected to my internal network in GRE/IPSEC (BGP), and I need to somehow forward my client traffic to the BC Cloud IP address.

 

Diagram:

Tunnel1 SW--ISR---------GRE/IPSEC-------------INTERNAL-DC

SW--ISR-----------------------IPSEC------------------BC Cloud

 

 

Has anyone gone through this exercise? Please let me know.

 

Thanks

Community Member


I believe my ISR supports IKEv2 only.. Does it fall back to IKEv1??

 

## Here's my config

 

```
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth

crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel

crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175

access-list 175 permit ip [internal Client IP] any

interface cellular 0/0/0
 crypto map vpn
```

 

Please note that I only provided IPSEC related configuration here. Assume that cellular interface, NAT, routing all other components are working as expected.

 

Thanks
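As an added example (not from this thread, and not Cisco or Blue Coat tooling), a small Python audit that parses an IOS crypto config fragment and reports which of the recommendations in the first reply (pre-shared IKEv1, DH group 5, tunnel mode, PFS on, NAT-T off) are not met. The IOS commands it looks for, `set pfs group5` and `no crypto ipsec nat-transparency udp-encapsulation`, are assumed to be the standard syntax for your release; the sample input is the config posted above, with its placeholders kept.

```python
# Constructed sample: the IOS fragment posted in this thread (placeholders kept).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [PSK] address [CLOUD-IP] no-xauth
crypto ipsec transform-set BC-Cloud esp-aes esp-sha256-hmac
 mode tunnel
crypto map vpn 1 ipsec-isakmp
 set peer [CLOUD-IP]
 set transform-set BC-Cloud
 match address 175
"""

def parse_ios(text):
    """Group an IOS config into {top-level command: [indented child commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def blocks_with_prefix(blocks, prefix):
    return [(k, v) for k, v in blocks.items() if k.startswith(prefix)]

def audit(text):
    """Return findings against the first reply's recommendations ([] = all met)."""
    blocks, findings = parse_ios(text), []
    for name, kids in blocks_with_prefix(blocks, "crypto isakmp policy"):
        if "authentication pre-share" not in kids:
            findings.append(f"{name}: authentication is not pre-share")
        if "group 5" not in kids:
            findings.append(f"{name}: DH group is not 5")
    for name, kids in blocks_with_prefix(blocks, "crypto ipsec transform-set"):
        if "mode transport" in kids:  # tunnel mode is the IOS default
            findings.append(f"{name}: transport mode, tunnel mode expected")
    for name, kids in blocks_with_prefix(blocks, "crypto map"):
        if "ipsec-isakmp" in name and not any(k.startswith("set pfs") for k in kids):
            findings.append(f"{name}: PFS not set (add 'set pfs group5')")
    # NAT-T is on by default in IOS; the reply says it should be disabled.
    if "no crypto ipsec nat-transparency udp-encapsulation" not in blocks:
        findings.append("NAT-T still enabled (no crypto ipsec nat-transparency udp-encapsulation)")
    return findings
```

Run against the posted config it reports two gaps, the missing PFS line on the crypto map and NAT-T left at its default; it does not check the sha256 integrity choice, which the first reply lists only as a recommendation.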

Community Member


Anyone...??

 

The tunnel has been created, but I still don't know how I should be forwarding packets, as I am using the cellular interface.. I have 'nat overload to Cellular0/0/0' and my default route pointing to Cellular0/0/0..
