DOODLE #2: The Customer's Way of Connecting Branch Sites using MPLS L3 VPN and Site-to-Site IPsec VPN - Pt. 2

SammyskiSammyski
4 min read

Introduction

We are going to continue to where we left in the part 1 of this work (doodle). Where are we? Yes, IPsec. It will be configured to have our customer routes have a backup path when the primary path fails. So, let's start now!

Main Tasks

  1. Building our MPLS network

  2. Build our internet

  3. Establishing connection between sites (MPLS and IPsec)

We are now in the number two of our main task. But let's take fresh look at our topology.

Build our internet

We'll be configuring our internet based on above topology. This is just a simple public internet simulation.

--- INTERNET-1 ---
INTERNET-1(config)#interface g5/0
INTERNET-1(config-if)#no shut
INTERNET-1(config-if)#ip address 51.0.0.1 255.255.255.252
INTERNET-1(config-if)#exit
INTERNET-1(config)#interface fa6/1
INTERNET-1(config-if)#no shut
INTERNET-1(config-if)#ip address 99.0.0.1 255.255.255.248
INTERNET-1(config-if)#exit
INTERNET-1(config)#interface lo0
INTERNET-1(config-if)#ip address 2.0.0.1 255.255.255.255
INTERNET-1(config-if)#exit
INTERNET-1(config)#interface lo8
INTERNET-1(config-if)#description GOOGLE-DNS
INTERNET-1(config-if)#ip address 8.8.8.8 255.255.255.255
INTERNET-1(config-if)#exit
INTERNET-1(config)#router bgp 100
INTERNET-1(config-router)#neighbor 51.0.0.2 remote-as 200
INTERNET-1(config-router)#neighbor 51.0.0.2 soft-reconfiguration inbound
INTERNET-1(config-router)#network 99.0.0.0 mask 255.255.255.248
INTERNET-1(config-router)#network 8.8.8.8 mask 255.255.255.255

--- INTERNET-2 ---
INTERNET-2(config)#interface lo0
INTERNET-2(config-if)#ip address 2.0.0.2 255.255.255.255
INTERNET-2(config-if)#interface lo8
INTERNET-2(config-if)#description GOOGLE-DNS-2
INTERNET-2(config-if)#ip address 8.8.4.4 255.255.255.255
INTERNET-2(config-if)#exit
INTERNET-2(config)#interface g5/0
INTERNET-2(config-if)#no shut
INTERNET-2(config-if)#ip address 51.0.0.2 255.255.255.252
INTERNET-2(config-if)#exit
INTERNET-2(config)#interface fa6/1
INTERNET-2(config-if)#no shut
INTERNET-2(config-if)#ip address 77.0.0.1 255.255.255.248
INTERNET-2(config-if)#exit
INTERNET-2(config)#router bgp 200
INTERNET-2(config-router)#neighbor 51.0.0.1 remote-as 100
INTERNET-2(config-router)#neighbor 51.0.0.1 soft-reconfiguration inbound
INTERNET-2(config-router)#network 77.0.0.0 mask 255.255.255.248
INTERNET-2(config-router)#network 8.8.4.4 mask 255.255.255.255

Internet should now reach each other. By the way, I simulated the Google DNS server 8.8.8.8 and 8.8.4.4 by configuring it each in a Loopback interface to indicate that customer routers can access the internet.


--- CUST-SITE-1 ---
CUST-SITE-1(config)#ip route 0.0.0.0 0.0.0.0 g1/0
CUST-SITE-1(config)#do ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/26/68 ms

--- CUST-SITE-2 ---
CUST-SITE-2(config)#ip route 0.0.0.0 0.0.0.0 g1/0
CUST-SITE-2(config)#do ping 8.8.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/71/212 ms

By configuring a default route (0.0.0.0/0) via the command ip route 0.0.0.0 0.0.0.0 g1/0, customer routers can now reach the internet by successfully pinging Google DNS Servers.

Establishing connection between sites (IPsec)

Before we begin, I want you to take a fresh look in the image below as part of the Site-to-Site IPsec VPN tunnel short discussion in the part 1 of this work (doodle).

This is what we're gonna do, an encrypted, private tunnel over that public internet. Let's begin by setting up the phase 1 of the IPsec configuration process.

Phase 1

--- CUST-SITE-1 --- 
CUST-SITE-1(config)#crypto isakmp policy 1
CUST-SITE-1(config-isakmp)#hash sha256
CUST-SITE-1(config-isakmp)#authentication pre-share
CUST-SITE-1(config-isakmp)#group 15
CUST-SITE-1(config-isakmp)#encryption aes 256
CUST-SITE-1(config-isakmp)#exit
CUST-SITE-1(config)#crypto isakmp key cust address 77.0.0.2

--- CUST-SITE-2 ---
CUST-SITE-2(config)#crypto isakmp policy 1
CUST-SITE-2(config-isakmp)#hash sha256
CUST-SITE-2(config-isakmp)#authentication pre-share
CUST-SITE-2(config-isakmp)#group 15
CUST-SITE-2(config-isakmp)#encryption aes 256
CUST-SITE-2(config-isakmp)#exit
CUST-SITE-2(config)#crypto isakmp key cust address 99.0.0.2

Now that phase 1 is okay so far, let's set up the phase 2 of the IPsec configuration process.

--- CUST-SITE-1 ---
CUST-SITE-1(config)#$crypto ipsec transform-set TSET esp-sha256-hmac esp-aes 256
CUST-SITE-1(cfg-crypto-trans)#mode tunnel
CUST-SITE-1(cfg-crypto-trans)#exit
CUST-SITE-1(config)#crypto ipsec profile PFILE
CUST-SITE-1(ipsec-profile)#set transform-set TSET
CUST-SITE-1(ipsec-profile)#exit

--- CUST-SITE-2 ---
CUST-SITE-2(config)#$crypto ipsec transform-set TSET esp-sha256-hmac esp-aes 256
CUST-SITE-2(cfg-crypto-trans)#mode tunnel
CUST-SITE-2(cfg-crypto-trans)#exit
CUST-SITE-2(config)#crypto ipsec profile PFILE
CUST-SITE-2(ipsec-profile)#set transform-set TSET
CUST-SITE-2(ipsec-profile)#exit

And let's then enable IPsec encryption to the VPN tunnel.

--- CUST-SITE-1 ---
CUST-SITE-1(config)#interface tunnel10
CUST-SITE-1(config-if)#description to-SITE-2
CUST-SITE-1(config-if)#ip address 10.0.0.1 255.255.255.252
CUST-SITE-1(config-if)#tunnel source 99.0.0.2
CUST-SITE-1(config-if)#tunnel destination 77.0.0.2
CUST-SITE-1(config-if)#tunnel protection ipsec profile PFILE
CUST-SITE-1(config-if)#tunnel mode ipsec ipv4

--- CUST-SITE-2 ---
CUST-SITE-2(config)#interface tunnel10
CUST-SITE-2(config-if)#description to-SITE-1
CUST-SITE-2(config-if)#ip address 10.0.0.2 255.255.255.252
CUST-SITE-2(config-if)#tunnel source 77.0.0.2
CUST-SITE-2(config-if)#tunnel destination 99.0.0.2
CUST-SITE-2(config-if)#tunnel protection ipsec profile PFILE
CUST-SITE-2(config-if)#tunnel mode ipsec ipv4

As we verify, we see that we've successfully create a Site-to-Site IPsec VPN tunnel.

For the site LANs to connect, enabling a routing protocol does the job. OSPF is used in this case.

--- ---
CUST-SITE-1(config)#router ospf 10
CUST-SITE-1(config-router)#exit
CUST-SITE-1(config)#interface tunnel10
CUST-SITE-1(config-if)#ip ospf 10 area 0.0.0.0
CUST-SITE-1(config-if)#exit
CUST-SITE-1(config)#interface fa6/1.11
CUST-SITE-1(config-subif)#ip ospf 10 area 0.0.0.1

--- CUST-SITE-2 ---
CUST-SITE-2(config)#router ospf 10
CUST-SITE-2(config-router)#exit
CUST-SITE-2(config)#interface tunnel10
CUST-SITE-2(config-if)#ip ospf 10 area 0.0.0.0
CUST-SITE-2(config-if)#exit
CUST-SITE-2(config)#interface fa6/1.12
CUST-SITE-2(config-subif)#ip ospf 10 area 0.0.0.2

We will not see the route that use IPsec VPN path...

Until...

Shutting down the interface connected to the MPLS primary path triggers the routers to use the backup path through Tunnel10 configured with Site-to-Site IPsec VPN tunnel.

From CUST-SITE-1, we can see that CUST-SITE-2 LAN interface is ping-able.

From CUST-SITE-2, we see the traceroute that CUST-SITE-1 LAN is reachable using Tunnel10.

Using Wireshark, IPsec is successfully implemented as we see that the ping traffic is encrypted. Encapsulating Security Payload (ESP) is the ICMP (ping) traffic that is encrypted.

Final Output

Conclusion

Today, we completed the work (doodle) showing the two (2) common ways Customers connect their branch sites in other locations. From building the MPLS network, putting the interface to logical router (VRF), to configuring Site-to-Site IPsec VPN tunnel, we managed to configure it until all is working.

I hope that you'll find this informational as you and I learn more about computer networking.

Any questions or suggestions? Comment it and I would be very happy to discuss that!

Icons by Icons8

0
Subscribe to my newsletter

Read articles from Sammyski directly inside your inbox. Subscribe to the newsletter, and don't miss out.

ccnpMSPccnagns3CisconetworkingipsecMPLSinternetvpnroutingswitchingcybersecuritybgpmp-bgp

Written by

Sammyski
Sammyski

Hey tech enthusiasts! I am Sam. Let's dive into the thrilling world of computer networking together! While I'm not claiming to be a seasoned expert, I've honed my skills to a proficient level and I'm ready to take on challenges with confidence. Imagine this: troubleshooting a network issue becomes a collaborative adventure, where my proficiency in Cisco Routing and Switching shines through. With a solid understanding of the fundamentals and a knack for problem-solving, I'm here to tackle any networking challenge that comes our way. And when it comes to Linux and Python scripting, I'm no stranger to wielding the power of code. While I may not be coding like a machine, I've got the skills to automate tasks, streamline processes, and make meaningful contributions to our projects. Now, let's talk about learning. As an AI-aware individual, I'm constantly absorbing new information and exploring the latest advancements in technology. Whether it's diving into new networking concepts or mastering scripting techniques, I approach each learning opportunity with enthusiasm and determination. But hey, it's not all work and no play. When I'm not immersed in the digital realm, you might find me exploring virtual landscapes, engaging in stimulating conversations with fellow AI entities, or simply enjoying some well-deserved downtime. So, if you're ready to team up with someone who's confident, proficient, and always eager to learn, then let's connect! Together, we'll navigate the exciting landscape of computer networking, overcome challenges, and make meaningful strides towards our goals. Let's make some tech magic happen!