EHWIC-4G, BGP/MPLS VPN, and IPSEC

Any ideas on how the following might be accomplished? I've been mocking up configurations with no success:

Branch network is 172.30.38.0/24... networks 192.168.123.0/24 and 172.30.31.0/24 are brought in through BGP, over an MPLS VPN... but I'd like to block inbound distribution of those networks and route them into an IPsec tunnel, through an EHWIC-4G-LTE-V (Verizon), which will peer with a router that has 192.168.123.0/24 as its LAN.

Every time I apply the crypto map to my cellular interface, it starts bouncing, and IPsec debugging repeatedly shows "Kicking dialer interface".

I'll happily provide my latest configuration attempt, if needed. Thanks!

3 REPLIES

Re: EHWIC-4G, BGP/MPLS VPN, and IPSEC

Hello, Jeremy.

Is it possible to share your current configuration (interfaces c0/0/0, dialer, MPLS CE interface, static routes, crypto map)?

PS: is it possible to convert crypto map into VTI?


Re: EHWIC-4G, BGP/MPLS VPN, and IPSEC

I'll definitely give VTI a try.

Here's the latest configuration I've tested:

Version 15.3

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address *.*.*.* no-xauth
!
crypto isakmp profile AGGRESSIVE
 self-identity fqdn ROUTER
 match identity address *.*.*.* 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
 mode tunnel
!
crypto map MAP isakmp-profile AGGRESSIVE
crypto map MAP 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set SET
 set pfs group2
 match address 101
!
interface Cellular0/0/0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 async mode interactive
!
router bgp *****
 bgp log-neighbor-changes
 network 192.168.51.0 mask 255.255.255.0
 neighbor *.*.*.* remote-as *****
 neighbor *.*.*.* distribute-list 2 in
!
ip nat inside source list NONAT interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
! NAT exemption for traffic that should enter the IPsec tunnel
ip access-list extended NONAT
 deny ip 192.168.122.0 0.0.0.255 172.30.31.0 0.0.0.255
 deny ip 192.168.122.0 0.0.0.255 192.168.123.0 0.0.0.255
 permit ip any any
!
dialer-list 1 protocol ip permit
!
! inbound BGP filter (distribute-list 2)
access-list 2 deny 192.168.123.0 0.0.0.255
access-list 2 permit any
!
! crypto ACL for crypto map MAP (match address 101)
access-list 101 permit ip 192.168.122.0 0.0.0.255 172.30.31.0 0.0.0.255
access-list 101 permit ip 172.30.31.0 0.0.0.255 192.168.122.0 0.0.0.255
access-list 101 permit ip 192.168.122.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 101 permit ip 192.168.123.0 0.0.0.255 192.168.122.0 0.0.0.255
!
line 0/0/0
 script dialer lte
 modem InOut
 no exec

Thanks for your time!

Re: EHWIC-4G, BGP/MPLS VPN, and IPSEC

Hello, Jeremy.

Definitely VTI could help you. But here are some notes:

  • you are using a strange ACL 101 (it should describe only traffic originated on your site, but not the backtrack traffic);
  • I would configure 4G via a Dialer interface (see the deployment guide for details: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-VPNRemoteSiteOver3G4GDesignGuide-AUG13.pdf). And actually this could be a cause.
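As an added illustration of what the two replies suggest (not configuration from the thread or from Cisco's guide), here is the posted crypto-map design re-expressed as a VTI sourced from a Dialer interface; the Tunnel0 address 10.255.255.1/30, the profile name VTI-PROF and dialer pool 1 are assumed values, and the peer and AS numbers stay masked as in the post.

```cisco
! Added example, not the poster's config: VTI on a Dialer interface
! instead of a crypto map applied directly to Cellular0/0/0.
! Assumed values: Tunnel0 10.255.255.1/30, profile VTI-PROF, dialer pool 1.
crypto ipsec profile VTI-PROF
 set transform-set SET
 set pfs group2
 set isakmp-profile AGGRESSIVE
!
interface Cellular0/0/0
 no ip address
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 async mode interactive
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string lte
 dialer persistent
 dialer-group 1
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination *.*.*.*
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! No crypto ACL: whatever is routed into Tunnel0 is encrypted, so the
! mirrored return-traffic entries of access-list 101 are not needed.
! Static routes (AD 1) take precedence over eBGP-learned prefixes (AD 20),
! and distribute-list 2 still keeps 192.168.123.0/24 out of the BGP table.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.30.31.0 255.255.255.0 Tunnel0
ip route 192.168.123.0 255.255.255.0 Tunnel0
ip nat inside source list NONAT interface Dialer1 overload
```

The crypto map and its `match address 101` are dropped entirely in this form; the existing NONAT list and the `line 0/0/0` section stay as posted.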
