Cisco IP Solution Center MPLS VPN User Guide, 3.0
Mapping IPsec to MPLS VPN

Table Of Contents

Mapping IPsec to MPLS VPN

Introduction

Public and Private Interfaces

Marking a PE Public Interface

Marking a CE's Private Interface

IPsec Policies

IPsec Encryption Policy

IPsec Site-to-Site VPN Policy

IPsec Remote Access VPN Policy

Network-Based IPsec vs. Regular IPsec Policy

Populating the Inventory

Site-to-Site IPsec Tunnels: One-Box Solution

Routing Options

Create a PE-CE Link with No Routing

No Routing: Create a Network-Based IPsec Policy

No Routing: Create an MPLS Policy

No Routing: Create an IPsec Service Request

No Routing: Create an MPLS Service Request

No Routing: Deploy the IPsec and MPLS Service Requests

Create a PE-CE Link with Routing Enabled

Routing: Mark a PE IPsec Private Interface

Routing: Create a Network-Based IPsec + GRE Policy

Routing: Create an MPLS Policy

Routing: Create an IPsec Service Request

Routing: Create an MPLS Service Request

Routing: Deploy the Service Requests

Site-to-Site IPsec Tunnels: Two-Box Solution

Links to Be Provisioned

Tasks to Be Completed

Define the Multi-VRF CE

Multi-VRF CE Routing Options

Create a PE to Multi-VRF CE to CE Link with No Routing

Multi-VRF No Routing: Create a Network-Based IPsec Policy

Multi-VRF No Routing: Create an MPLS Policy

Multi-VRF No Routing: Create an IPsec Service Request

Multi-VRF No Routing: Create an MPLS Service Request

Multi-VRF No Routing: Deploy the IPsec and MPLS Service Requests

Create a PE to Multi-VRF CE to CE Link with Routing Enabled

Multi-VRF with Routing: Mark the Multi-VRF CE's IPsec Private Interface

Multi-VRF with Routing: Create a Network-Based IPsec + GRE Policy

Multi-VRF with Routing: Create an MPLS Policy

Multi-VRF with Routing: Create an IPsec Service Request

Multi-VRF with Routing: Create an MPLS Service Request

Multi-VRF with Routing: Deploy the IPsec and MPLS Service Requests

Remote Access IPsec Tunnels: One-Box Solution

Create an AAA Server Entry

Create an IPsec Remote Access Policy

Create a Remote Access MPLS Policy

Create an IPsec Remote Access Service Request

Create an MPLS Remote Access Service Request

Deploy the IPsec and MPLS Remote Access Service Requests

Remote Access IPsec: Two-Box Solution

Links to Be Provisioned

Tasks to Be Completed

Create an AAA Server Entry

Create an IPsec Remote Access Policy

Create a Remote Access MPLS Multi-VRF CE Policy

Create an IPsec Remote Access Multi-VRF CE Service Request

Create an MPLS Remote Access Multi-VRF CE Service Request

Deploy the IPsec and MPLS Remote Access Service Requests


Mapping IPsec to MPLS VPN


This chapter describes how to use Cisco IP Solution Center (ISC) to map IPsec tunnels to MPLS VPNs. The following sections are included:

Populating the Inventory

Site-to-Site IPsec Tunnels: One-Box Solution

Create a PE-CE Link with No Routing

Create a PE-CE Link with Routing Enabled

Site-to-Site IPsec Tunnels: Two-Box Solution

Create a PE to Multi-VRF CE to CE Link with No Routing

Create a PE to Multi-VRF CE to CE Link with Routing Enabled

Remote Access IPsec Tunnels: One-Box Solution

Remote Access IPsec: Two-Box Solution

Introduction

Provisioning network-based IPsec VPNs in order to map IPsec tunnels to MPLS VPNs involves both MPLS and IPsec services in IP Solution Center. Thus, it is necessary to create both MPLS and IPsec policies, as well as MPLS and IPsec service requests.

The IPsec terminating router resides on the service provider premises. IPsec tunnels from various customers are aggregated on this router. This may be either a PE router or a Multi-VRF CE router. Depending on which type of device is employed, the IPsec-to-MPLS mapping is either the "one-box" solution or the "two-box" solution. In the "one-box" solution, the service provider uses a PE router as the IPsec aggregator (for details, see the "Site-to-Site IPsec Tunnels: One-Box Solution" section). In the "two-box" solution, the service provider uses a Multi-VRF CE router for IPsec aggregation in conjunction with a PE router (see the "Site-to-Site IPsec Tunnels: Two-Box Solution" section).

Two types of IPsec tunnels can be terminated on the IPsec aggregator (the IPsec aggregator device can be either a PE or a Multi-VRF CE router):

Site-to-site IPsec tunnels: A tunnel between a customer's CE router and the IPsec aggregator.

Remote access IPsec tunnels: A tunnel initiated from a VPN client, for example, a Windows workstation running Cisco IPsec VPN Client software.

Public and Private Interfaces

The interface on which IPsec tunnels terminate is known as the public interface. The interface behind which customer subnets reside is known as the private interface.

The PE or the Multi-VRF CE router must be running Cisco IOS release 12.2(15)T or above. ISC supports VRF-aware IPsec, which is the key feature required for mapping IPsec tunnels into MPLS VPNs.

Both the PE and CE must have at least one interface marked as their public interface. It is assumed that public interfaces on the PE and CE already exist. Moreover, it is assumed that the PE and CE have basic IPv4 connectivity, that is, they can ping each other using the public interface's IP address. Please note that ISC will not create any new subinterfaces on the PE or CE for IPsec termination. ISC provisions IPsec tunnels that terminate on existing public interfaces.

Marking a PE Public Interface

Public and private interfaces for each PE and CE must be marked prior to using them in IPsec service requests. Each PE must have a public interface. You can mark the interfaces either by using the Inventory Manager at the time the devices are imported into the ISC Repository, or by using the CPE Editor as described in this section.

The PE may or may not have a private interface. If no routing protocol is to be configured over the IPsec tunnel between the PE and CE, the PE does not need to have a private interface.


Note If a routing protocol is configured between the PE and CE, the PE must have a loopback interface marked as private. This may seem odd since the concept of a private interface by definition does not apply to PEs at all. However, marking the loopback interface as private in this case instructs ISC to use that interface to unnumber GRE tunnels.


To mark a PE public interface:


Step 1 Choose Service Inventory > Inventory and Connection Manager.

Step 2 From the Inventory and Connection Manager page, choose Providers.

Step 3 From the Providers page TOC, choose PE Devices.

The list of PE devices is displayed.

Step 4 Select the PE whose interface you want to mark as public, then click Edit.

The Edit CPE Device dialog box appears (see Figure 6-1).

Figure 6-1 Marking the IPsec Interfaces of a PE

Step 5 From the list, locate the PE interface that is to be marked as the public interface, then from the IPsec drop-down list, choose Public.

Step 6 If a routing protocol will be running over the IPsec tunnel between the PE and CE, locate the interface that is to be marked as the private interface, then from the IPsec drop-down list, choose Private.

Step 7 Click Save.


Marking a CE's Private Interface

A CE must have at least one private interface. When an interface on a CE is marked private, ISC automatically creates a subnet and associates it with the CE. A CE has one or more subnets residing behind it, that is, on the private side. These subnets are ones that IPsec protects. The list of subnets behind a CE can be edited—for example, new subnets can be added to the list, or the automatically generated subnet can be edited or removed.

To mark a CE's private interface:


Step 1 Choose Service Inventory > Inventory and Connection Manager.

Step 2 From the Inventory and Connection Manager page, choose Customers.

Step 3 From the Customers page TOC, choose CPE Devices.

The list of CPE devices is displayed.

Step 4 Select the CE whose interface you want to mark as private, then click Edit.

The Edit CPE Device dialog box appears (see Figure 6-2).

Figure 6-2 Marking the IPsec Interfaces of a CE

Step 5 From the list, locate the CE interface that is to be marked as the private interface, then from the IPsec drop-down list, choose Private.

Step 6 Click Save.


IPsec Policies

There are three types of IPsec policies available in ISC:

IPsec Encryption Policy

IPsec Site-to-Site VPN Policy

IPsec Remote Access VPN Policy

IPsec Encryption Policy

An IPsec Encryption policy defines the security parameters for protecting the data traveling through the IPsec tunnels (see Figure 6-3). It consists of one or more IKE proposals, one or more IPsec proposals, and some global attributes.

For example, a typical IPsec Encryption policy would consist of the following elements:

An IKE proposal of (3DES, SHA, Certs, DH 2)

An IPsec proposal of (ESP-AES, ESP-SHA, no AH, no compression)

No PFS (Perfect Forward Secrecy)

Figure 6-3 IPsec Encryption Policy

IPsec Site-to-Site VPN Policy

An IPsec Site-to-Site VPN policy defines the characteristics of the site-to-site IPsec VPN, for example, whether the tunnels are IPsec tunnels or GRE tunnels + IPsec, whether a routing protocol is running over the tunnels, and so on. A site-to-site VPN policy uses an IPsec encryption policy (see Figure 6-4).

Figure 6-4 IPsec Site-to-Site Policy

IPsec Remote Access VPN Policy

An IPsec Remote Access VPN policy defines the characteristics of a Remote Access IPsec VPN, for example, the group name and group password, address pool, split tunneling subnets, and so on. An IPsec Remote Access VPN Policy uses an IPsec Encryption Policy (see Figure 6-5).

Figure 6-5 IPsec Remote Access VPN Policy

Network-Based IPsec vs. Regular IPsec Policy

It is important to select the IPsec policy type Network-based VPN instead of the standard site-to-site VPN policy. There are four variations of standard site-to-site VPN policies, as well as two variations of network-based VPN policies. Pure IPsec policy and IPsec + GRE policy options are available in both network-based policies and standard site-to-site policies.

Populating the Inventory

The major set of tasks required to populate the Inventory are as follows:

1. Create a Provider.

2. Create one or more Regions.

3. Create Resources.

4. Create CE Routing Communities (CERC).

5. Create an AAA server.

6. Create one or more VPNs.

7. Create a PE and mark its interfaces.

8. Create a Multi-VRF CE and mark its interfaces.

9. Create a CE and mark its interfaces.

10. Create an MPLS policy.

11. Create an IPsec policy.

12. Create an MPLS service request.

13. Create an IPsec service request.

Site-to-Site IPsec Tunnels: One-Box Solution

Site-to-site IPsec tunnels are typically used with MPLS VPNs where a customer has an existing VPN and a number of "off-net" sites. These off-net sites have access to the Internet, but not to the service provider's MPLS core. An IPsec tunnel between the off-net CE router and the service provider's IPsec aggregator router over the Internet enables the off-net site to join an existing MPLS VPN.

It is possible to map IPsec tunnels into MPLS VPNs because of VRF-aware IPsec, in which each IPsec tunnel is mapped to a VRF based on a peer IP address or a Group name.

In the one-box solution, the service provider is terminating the IPsec tunnels on a PE router. Thus, the PE serves as the IPsec aggregator, terminating IPsec tunnels from the customers' off-net CEs (see Figure 6-6). Note that the Cisco VPN Client is also known as the Unity Client.

Figure 6-6 PE Serving as an IPsec Aggregator

In effect, the service provider creates an MPLS link between the PE and CE, but this link is actually an IPsec tunnel rather than a traditional MPLS link. This can be achieved by using ISC to create both an MPLS link and an IPsec tunnel between the PE and CE.

An IPsec site-to-site policy defines the attributes of the IPsec tunnel between the PE and CE. For example, it defines whether Reverse Route Injection should be enabled, whether NAT Transparency should be enabled, the routing protocol to be used, and so on. Reverse Route Injection is used to populate the routing table of an internal router running Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN clients or site-to-site sessions.

Similarly, an MPLS policy defines the attributes of the link between the PE and CE. For example, it defines the details of the routing protocol between the PE and CE.

In order to provision an IPsec tunnel between a PE and CE, you must perform the following tasks:

1. Mark the IPsec interfaces for PEs and CEs.

2. Create or use an existing IPsec site-to-site policy.

3. Create or use an existing MPLS policy (the CE Present option must be enabled).

4. Create an IPsec site-to-site service request.

5. Create an MPLS VPN service request.

6. First, deploy the IPsec service request.

7. Next, deploy the MPLS service request.

Routing Options

You can configure the IPsec tunnel between the PE and CE to either run a routing protocol or no routing. Before proceeding any further, you must decide whether you want to use the no routing option or prefer to have a routing protocol enabled over the tunnel between the PE and the CE. Depending on which option you choose, you would have to use a different IPsec policy as described in Table 6-1.

The supported routing options are:

No routing: When you choose no routing, IPsec must be in Tunnel mode; that is, there is an IPsec tunnel between the PE and CE. When used in conjunction with the Reverse Route Injection option in the IPsec policy, the PE can have static routes for each of the CE subnets injected into the corresponding VRF for that CE's customer. These static routes can then be redistributed into MP-BGP as needed.

Static routes: This option involves having an IPsec-protected GRE tunnel between the PE and CE. For each of the CE subnets, ISC creates a static route on the PE, which points to the corresponding Tunnel interface. Similarly, for each of the MPLS VPN summary addresses entered in the IPsec policy, a static route is created on each of the CEs that point to the corresponding Tunnel interface.

Dynamic routing protocols: This option involves having an IPsec-protected GRE tunnel between the PE and CE. A dynamic routing protocol (EIGRP, RIPv2, or OSPF) runs over this GRE tunnel.

Depending on the routing option chosen, you must use a different site-to-site IPsec policy (see Table 6-1). There are two types of Network-based IPsec policies available:

IPsec Policy: This policy should be used if no routing option is desired between the PE and CE.

GRE + IPsec Policy: This policy should be used if a static route or a routing protocol is desired between the PE and CE.

Table 6-1 Matching the Routing Option to the Appropriate Policy

     If the Routing Option Is    Select the Following Policy        Comments
  1  No routing                  Site-to-site IPsec policy          Be sure to enter one or more subnets in the Summarized Addresses for MPLS VPN attribute of the IPsec policy.
  2  Static route                Site-to-site GRE + IPsec policy    Be sure to enter one or more subnets in the Summarized Addresses for MPLS VPN attribute of the IPsec policy.
  3  EIGRP, RIPv2, or OSPF       Site-to-site GRE + IPsec policy

Create a PE-CE Link with No Routing

The steps to create a PE-CE link with No Routing specified are as follows:

No Routing: Create a Network-Based IPsec Policy (see the next section)

No Routing: Create an MPLS Policy

No Routing: Create an IPsec Service Request

No Routing: Create an MPLS Service Request

No Routing: Deploy the IPsec and MPLS Service Requests

No Routing: Create a Network-Based IPsec Policy

When it is necessary to run no routing protocols between the PE and CE, you must use a network-based IPsec policy instead of a GRE + IPsec policy.


Step 1 Choose the Service Design tab, then choose Policy Manager.

The Policy Manager appears (see Figure 6-7).

Figure 6-7 Creating a New Service Policy

Step 2 From the Create drop-down list, choose IPsec Policy.

The IPsec Policy Create page appears.

Step 3 From the Network Based VPN Policy TOC entry, choose IPsec.

The IPsec Network Based Policy dialog box appears (see Figure 6-8).

Figure 6-8 IPsec Network-Based Policy

Step 4 Complete the parameters in the Network-Based Policy dialog box.

a. Name: Enter the name of the policy.

b. Owner: Select the customer from the drop-down list. This type of policy requires that you associate this policy with a specific customer.

c. Encryption Policy: Select an IPsec Encryption policy.

d. Generate Reverse Route Injection: Make sure this option is enabled (set to ON).

When this option is enabled, static routes to the CEs are injected into the corresponding VRF on the PE upon establishment of the IPsec tunnels. These routes can, in turn, be redistributed into MP-BGP thereby propagating them to all the other MPLS PEs.

e. Summarized Addresses for MPLS VPN: Enter one or more subnets in a.b.c.d/n format. Separate multiple subnet entries by commas.

When the No Routing option is selected in the service request, it is important to enter one or more subnets for the summarized addresses attribute. Because a PE is shared by many customers, it does not have the concept of private subnets residing behind it; instead, a set of MPLS VPNs resides behind the PE. For each customer's IPsec policy, these VPNs are defined as a list of summarized IP addresses. This list is needed in order to define the interesting traffic that must travel through the IPsec tunnel.

f. You can leave the rest of the parameters on this dialog box set to their default values.

Step 5 Click Save.
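The following Python script is an added example, not ISC code and not the configuration ISC generates. It models the no-routing case as Table 6-1 and the policy dialog above describe it: it picks the policy type for a routing option, validates the comma-separated a.b.c.d/n list entered as Summarized Addresses for MPLS VPN (rejecting entries with host bits set and collapsing overlapping entries into true summaries), derives the interesting traffic between the VPN summaries and the CE's private subnets, and lists the static routes that Reverse Route Injection would place in the customer's VRF on the PE. The VRF name, addresses and prefixes are constructed sample values.

```python
"""Illustrative model of the no-routing (pure IPsec) PE-CE mapping.

Added example, not ISC code. It encodes the routing-option-to-policy
choice of Table 6-1, validates the "Summarized Addresses for MPLS VPN"
list, and derives the interesting traffic and Reverse Route Injection
routes the text describes. All names and prefixes are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from itertools import product

# Table 6-1: policy required for each routing option, and whether the
# Summarized Addresses for MPLS VPN attribute must be populated.
POLICY_FOR_ROUTING_OPTION = {
    "no routing":   ("Site-to-site IPsec policy", True),
    "static route": ("Site-to-site GRE + IPsec policy", True),
    "eigrp":        ("Site-to-site GRE + IPsec policy", False),
    "ripv2":        ("Site-to-site GRE + IPsec policy", False),
    "ospf":         ("Site-to-site GRE + IPsec policy", False),
}


def select_policy(routing_option):
    """Return (policy name, summarized addresses required) per Table 6-1."""
    key = routing_option.strip().lower()
    if key not in POLICY_FOR_ROUTING_OPTION:
        raise ValueError(f"unsupported routing option: {routing_option!r}")
    return POLICY_FOR_ROUTING_OPTION[key]


def parse_prefix_list(text, summarize=False):
    """Parse 'a.b.c.d/n, a.b.c.d/n' as typed into the policy dialog.

    strict=True rejects an entry with host bits set (10.1.1.5/24), which
    would otherwise match a wider range than the operator intended. With
    summarize=True, overlapping or adjacent entries are collapsed so the
    list really is a set of summaries.
    """
    nets = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"{entry!r} is not in a.b.c.d/n format")
        nets.append(IPv4Network(entry, strict=True))
    if not nets:
        raise ValueError("at least one subnet is required")
    return list(collapse_addresses(nets)) if summarize else nets


def plan_no_routing_link(vrf, ce_public_ip, ce_subnets, summarized_addresses):
    """Derive what the no-routing option implies for one PE-CE tunnel.

    - interesting_traffic: the PE has no private subnets of its own, so the
      customer's MPLS VPN is represented by the summarized addresses and the
      protected traffic is every VPN summary <-> every CE private subnet;
    - rri_routes: with Reverse Route Injection on, one static route per CE
      subnet lands in the customer's VRF on the PE, next hop the CE's public
      address, ready to be redistributed into MP-BGP.
    """
    policy, _needs_summary = select_policy("No routing")
    vpn = parse_prefix_list(summarized_addresses, summarize=True)
    ce = parse_prefix_list(ce_subnets)
    peer = IPv4Address(ce_public_ip)
    return {
        "policy": policy,
        "vpn_summaries": [str(n) for n in vpn],
        "interesting_traffic": [(str(s), str(d)) for s, d in product(vpn, ce)],
        "rri_routes": [(vrf, str(n), str(peer)) for n in ce],
    }


if __name__ == "__main__":
    from pprint import pprint
    # Constructed sample: customer CUST_A, off-net CE reachable at 203.0.113.10
    pprint(plan_no_routing_link(
        vrf="CUST_A",
        ce_public_ip="203.0.113.10",
        ce_subnets="192.168.10.0/24, 192.168.20.0/24",
        summarized_addresses="10.0.0.0/16, 10.1.0.0/16, 172.16.5.0/24",
    ))
```

Two adjacent /16 entries collapse to a single /15, which is the shape the attribute name implies; an entry such as 10.1.1.5/24 is rejected rather than silently widened to 10.1.1.0/24.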


No Routing: Create an MPLS Policy

Provisioning an MPLS VPN begins with defining a service policy. A service policy can be applied to multiple PE-CE links in a single service request. For details on this process, see the "Creating Service Policies" section.

To create an MPLS policy for this link, follow these steps:


Step 1 Select Service Design, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose MPLS Policy.

The MPLS Policy Type dialog box appears (see Figure 6-9).

Figure 6-9 Creating a Regular PE-CE MPLS Policy

Step 3 Specify the appropriate values for the Policy Type parameters:

a. Policy Name: Enter the name of the policy.

b. Policy Owner: Select Customer.

c. Customer: Select the appropriate customer name.

d. Policy Type: Select Regular: PE-CE (the default).

e. CE Present: Make sure that this option is enabled (it is enabled by default).

Step 4 Click Next.

Step 5 For the Interface dialog box, accept the defaults, then click Next.

Step 6 For the IP Address Scheme dialog box, accept the defaults, then click Next.

Figure 6-10 Specifying the Routing Information in the MPLS Policy

Step 7 Specify the values in the PE-CE Routing Information dialog box (see Figure 6-10):

a. Routing Protocol: Select NONE as the routing option.

b. Redistribute Static: Select the Redistribute Static check box.

c. Redistribute Connected: Select the Redistribute Connected check box, then click Next.

The VRF and VPN Membership dialog box appears (see Figure 6-11).

Figure 6-11 Specifying the VRF and VPN Membership Information in the MPLS Policy

Step 8 In the VRF and VPN Membership dialog box, accept the defaults, then click Finish.

Not selecting any CERCs in the service policy itself (as shown in Figure 6-11) provides the most flexibility, since the operator can assign the CERCs when creating the MPLS service request.


No Routing: Create an IPsec Service Request

To create a new IPsec service request, follow these steps:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears (see Figure 6-12).

Figure 6-12 Initial Service Requests Dialog Box

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose IPsec VPN.

The Select IPsec Policy dialog box appears. This dialog box displays the list of all the IPsec service policies that have been defined in ISC.

Step 4 Select the check box for the policy of choice, then click OK.

The IPsec Service Editor appears (see Figure 6-13).

Figure 6-13 Creating an IPsec to MPLS Mapping Service Request

Step 5 VPN: Select the corresponding VPN for the service.

Step 6 Network-based IPsec:

a. Select IPSEC_TO_MPLS_MAPPING.

b. Select One-box solution: PE as the IPsec Aggregator.

Step 7 Site-to-Site Policy: To select a site-to-site policy for the service request, click Select.

The Policy Chooser window displays only the network-based policies owned by the current customer (see Figure 6-14).

Figure 6-14 IPsec Policy Chooser

a. Select the appropriate IPsec policy, then click Select.

You return to the IPsec Service Editor.

Step 8 Select the PE and the CEs for this service request:

a. From the Select drop-down list, choose PEs.

The IPsec PE Chooser is displayed (see Figure 6-15).

Figure 6-15 IPsec PE Chooser

b. Choose the PE for this service, then click Select.

You return to the IPsec Service Editor.

c. From the Select drop-down list, choose CPEs.

The IPsec CPE Chooser is displayed (see Figure 6-16).

Figure 6-16 IPsec CPE Chooser

d. Choose the CPE for this service, then click Select.

You return to the IPsec Service Editor.

The PE will automatically be marked as the hub. When all the CEs are added to the service request, you can save the service request.

e. Click Save.

The IPsec Service Editor displays the settings you have specified for the IPsec service (see Figure 6-17).

Figure 6-17 IPsec Service Request Defined


No Routing: Create an MPLS Service Request

The next step is to create an MPLS service request. Because the procedures for creating MPLS service requests are fully described in the previous chapter, this section summarizes the main tasks. For details on this process, see the "Creating Service Requests" section.


Step 1 Choose the Service Inventory tab.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears (see Figure 6-18).

Figure 6-18 Initial Service Requests Dialog Box

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose MPLS VPN.

The Select MPLS Policy dialog box appears (see Figure 6-19).

This dialog box displays the list of all the MPLS service policies that have been defined in ISC.

Figure 6-19 Selecting the MPLS Policy for This Service

Step 4 Select the check box for the appropriate service policy, then click OK.

The MPLS Service Request Editor appears (see Figure 6-20).

Figure 6-20 MPLS Service Request Editor

Step 5 Click Add Link.

The MPLS Service Request Editor now displays a set of fields, as shown in Figure 6-21. Notice that the Select CE field is enabled. Specifying the CE for the link is the first task required to define the link for this service.

Figure 6-21 Initial Fields Displayed to Define the PE-CE Link

Step 6 CE: Click Select CE.

The Select CPE Device dialog box is displayed (see Figure 6-22).

Figure 6-22 Selecting the CE for the MPLS Link

Step 7 In the Select column, select the name of the CE for the MPLS link, then click Select.

Step 8 CE Interface: Select the CE interface from the drop-down list (see Figure 6-23).

Figure 6-23 CE and CE Interface Fields Defined

This CE interface must be the interface that has already been marked as an IPsec public interface.

If the CE's public interface is a subinterface, select the major interface for that subinterface.

Step 9 PE: Click Select PE.

The Select PE Device dialog box is displayed.

Step 10 In the Select column, select the name of the PE for the MPLS link, then click Select.

Step 11 PE Interface: Select the PE interface from the drop-down list (see Figure 6-24).


Note The selected interface for the PE must have already been marked as an IPsec public interface.


If the PE public interface is a subinterface, select the major interface.

Figure 6-24 PE Selected and PE Interface Defined

Step 12 In the Link Attribute column, select Add.

The MPLS Link Attribute Editor is displayed, showing the fields for the interface parameters (see Figure 6-25).

Figure 6-25 Confirming the PE and CE Interfaces' IPsec Attributes

In this dialog box, only interface names for the PE and CE should be displayed. Next to each interface, you should see "(IPsec public interface)".


Note If you see attributes other than the interface name, you probably selected an incorrect interface. It is important that the selected interfaces for PE and CE were already marked as IPsec public interface.


Entering a Subinterface Number

If the public interface for the PE or CE is a subinterface, you must type in the subinterface number in the Interface Name field, then press Tab. When you press Tab, all attributes except for Interface Name will disappear, and the string "(IPsec public interface)" will be displayed next to the subinterface name.

For example, let's assume that the IPsec public interface for CE 5 is its Serial1/0.100 subinterface. When the operator gets to the PE-CE Interface dialog box, he would see the screen shown in Figure 6-26:

Figure 6-26 Specifying the Subinterface Number

In the Interface Name field, the operator would type the subinterface ID number—.100.

The PE-CE Interface dialog box automatically updates as shown in Figure 6-27:

Figure 6-27 Subinterface Number Specified for Interface

Thus, all the fields except for Interface Name are removed from the dialog box, and the subinterface now displays the appropriate "IPsec public interface" label.

Step 13 Edit any interface values that need to be modified for this particular link, then click Next.

The MPLS Link Attribute Editor for the IP Address Scheme appears.

The field values displayed in this dialog box reflect the values specified in the service policy associated with this service. For details on the IP address scheme fields, see the "Specifying the IP Address Scheme" section.

Step 14 Edit any IP address scheme values that need to be modified for this particular link, then click Next.

The MPLS Link Attribute Editor for Routing Information appears (see Figure 6-28).

Figure 6-28 Specifying the MPLS Link Routing Protocol Attributes

The field values displayed in this dialog box reflect the values specified in the service policy associated with this service. For details on the routing information for the PE and CE, see the "Specifying the Routing Protocol for a Service" section.

Because the service policy used for this service specified the routing protocol as editable, you can change the routing protocol for this service request as needed.

Step 15 Edit any routing protocol values that need to be modified for this particular link, then click Next.

The MPLS Link Attribute Editor for the VRF and VPN attributes appears (see Figure 6-29).

Figure 6-29 Specifying the MPLS Link VRF and VPN Attributes

The field values displayed in this dialog box reflect the values specified in the service policy associated with this service. For details on the VRF and VPN information, see the "Defining the Service Policy VRF and VPN Information" section.

Step 16 To select a CERC for this service request, click Add.

The CERC Chooser dialog box appears (see Figure 6-30).

Figure 6-30 Specifying the CERC for the MPLS Link

a. Customer: Select the correct customer.

b. VPN: Select the correct VPN.

c. CERC: From the displayed list of CERCs, select the appropriate CERC.

d. Click Join as Hub.

e. When finished with these settings, click Done.

Your CERC selection is added to the VRF and VPN page.

Step 17 When satisfied with the VRF and VPN settings, click Finish.

Step 18 To save your service request specifications for this link, click Save.


No Routing: Deploy the IPsec and MPLS Service Requests


Tip It is important to deploy the IPsec service request before you deploy the MPLS service request because there are some commands generated by the IPsec service request that the MPLS service request depends on.


To deploy the IPsec and MPLS service requests:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 4 Select the check box next to the Job ID for the IPsec service request.

Step 5 Click the Deploy drop-down list, then click Deploy.

The Deploy Service Requests dialog box appears, which allows you to schedule when you want to deploy the selected service request.

Step 6 Complete the fields in this scheduling dialog box to schedule the service requested as needed.

Step 7 When satisfied with the schedule settings, click Save.

You return to the Service Requests dialog box. Check the Status display in the lower left corner of the window. If the service request has been deployed successfully, the Status display appears as shown in Figure 6-31.

Figure 6-31 Status for Successful Deployment

Step 8 Repeat Steps 4 through 7 to deploy the MPLS service request.


Create a PE-CE Link with Routing Enabled

You can configure the IPsec tunnel between the PE and CE to either run a routing protocol or no routing. If a static route or a routing protocol is desired between the PE and CE, you should use the GRE + IPsec policy.

If the service provider chooses to configure the IPsec tunnel with routing, the options are as follows:

Static routes

EIGRP

RIPv2

OSPF

Routing: Mark a PE IPsec Private Interface

To provision static routes or a dynamic routing protocol for the PE-CE IPsec link, GRE tunnels are necessary. ISC automatically creates these Tunnel interfaces on both the PE and CE and makes them IP unnumbered. For this purpose, you must mark a loopback interface on the PE as an IPsec private interface.

The loopback interface marked as an IPsec private interface can have a nonroutable IP address. This IP address appears in the network statement of the selected routing protocol, which in effect enables the selected routing protocol on all the GRE tunnel interfaces that are unnumbered to that loopback interface.

To mark a PE IPsec interface as private, follow these steps:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 Choose Providers, then choose PE Devices.

The Edit PE Devices dialog box is displayed (see Figure 6-32).

Figure 6-32 Marking the PE Loopback Interface as Private

Observe the entry for the Loopback0 interface.

Step 4 In the IPsec column for the Loopback0 interface, select Private from the drop-down list.


Routing: Create a Network-Based IPsec + GRE Policy

When routing is enabled between the PE and CE, you must use the network-based IPsec + GRE policy instead of the pure IPsec policy.

GRE (Generic Routing Encapsulation) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers over an IP network. IP tunneling using GRE provides a way to connect multiprotocol subnetworks across a single-protocol backbone.

To create a network-based IPsec + GRE policy:


Step 1 Choose the Service Design tab, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose IPsec Policy.

The IPsec Policy Create page appears.

Step 3 From the Network Based VPN Policy TOC entry, choose IPsec + GRE.

The IPsec + GRE Network Based Policy dialog box appears (see Figure 6-33).

Figure 6-33 IPsec + GRE Policy for a Routing Link

Step 4 Complete the parameters in the Network-Based Policy dialog box.

a. Name: Enter the name of the policy.

b. Owner: Select the customer from the drop-down list. This type of policy requires that you associate this policy with a specific customer.

c. Encryption Policy: Select an IPsec Encryption policy.

d. Routing Protocol: When you select a routing protocol such as EIGRP, RIPv2, or OSPF in an IPsec policy, you do not have to specify the parameters associated with these protocols (such as the EIGRP autonomous system (AS) number or the OSPF Area number) in the IPsec policy since those parameters are specified in the MPLS policy.

e. Summarized Addresses for MPLS VPN: If the selected routing option is Static, enter one or more subnets in a.b.c.d/n format. Separate multiple subnet entries by commas.

For each customer's IPsec policy, this VPN is defined as a list of summarized IP addresses. This list of subnets is used to generate static routes on the spokes pointing to the GRE tunnel that terminates on the PE.

f. You can leave the rest of the parameters on this dialog box set to their default values.

Step 5 Click Save.
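The following is an added illustration, not ISC code and not taken from this guide: it models the three routing pieces the text above describes for an IPsec + GRE link, namely the GRE Tunnel interface that is ip unnumbered to the loopback, the routing-protocol network statement that matches only that loopback address (and so enables the protocol on every tunnel unnumbered to it), and the static routes generated on the spoke from the Summarized Addresses for MPLS VPN field. The IOS command syntax is the standard one; the interface names (Tunnel0, Loopback0, Serial0/0), the EIGRP AS number 100 and all addresses and subnets are constructed for the example.

```python
"""Model of the routing pieces an IPsec + GRE network-based policy drives.

Added example, not ISC code.  The IOS command syntax is standard; the
interface names (Tunnel0, Loopback0, Serial0/0), the EIGRP AS number and
all subnets below are constructed for this illustration.
"""
import ipaddress
from typing import List


def parse_summarized_addresses(field: str) -> List[ipaddress.IPv4Network]:
    """Parse the Summarized Addresses for MPLS VPN field (a.b.c.d/n, comma-separated).

    strict=True rejects an entry with host bits set (e.g. 10.1.1.5/24); such an
    entry would otherwise turn into a different route than the operator typed.
    """
    networks = []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"{entry!r}: expected a.b.c.d/n format")
        net = ipaddress.ip_network(entry, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"{entry!r}: only IPv4 subnets are accepted")
        networks.append(net)
    if not networks:
        raise ValueError("at least one summarized subnet is required")
    return networks


def is_valid_summarized_list(field: str) -> bool:
    """True when every entry in the field parses as a proper IPv4 subnet."""
    try:
        parse_summarized_addresses(field)
        return True
    except ValueError:
        return False


def gre_tunnel_stanza(tunnel: str, loopback: str, source: str, peer_ip: str) -> List[str]:
    """Tunnel interface that borrows the loopback address (ip unnumbered)."""
    ipaddress.ip_address(peer_ip)  # reject a malformed peer before emitting config
    return [f"interface {tunnel}",
            f" ip unnumbered {loopback}",
            f" tunnel source {source}",
            f" tunnel destination {peer_ip}"]


def eigrp_stanza(asn: int, loopback_ip: str) -> List[str]:
    """EIGRP process whose single host-mask network statement matches the
    loopback; every tunnel unnumbered to that loopback therefore runs EIGRP."""
    ip = ipaddress.ip_address(loopback_ip)
    return [f"router eigrp {asn}", f" network {ip} 0.0.0.0"]


def spoke_static_routes(field: str, tunnel: str = "Tunnel0") -> List[str]:
    """Static routes on the off-net CE (spoke) when the routing option is
    Static: one per summarized subnet, pointing at the GRE tunnel to the PE."""
    return [f"ip route {n.network_address} {n.netmask} {tunnel}"
            for n in parse_summarized_addresses(field)]


if __name__ == "__main__":
    # constructed sample values, printed as the config lines they produce
    lines = (gre_tunnel_stanza("Tunnel0", "Loopback0", "Serial0/0", "203.0.113.10")
             + eigrp_stanza(100, "10.255.255.1")
             + spoke_static_routes("10.1.0.0/16, 192.168.10.0/24"))
    print("\n".join(lines))
```

The strict subnet check is the part worth keeping when validating this field by hand: an entry such as 10.1.1.5/24 is accepted by a loose parser but produces a route for 10.1.1.0/24, which is not what the operator wrote.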


Routing: Create an MPLS Policy

You can either use a new MPLS policy with the Routing option set to Static, EIGRP, RIPv2, or OSPF, or you can use an existing MPLS policy.

If you use an existing MPLS policy, change the routing protocol to the desired option when you create the MPLS service request.

Routing: Create an IPsec Service Request

This step is identical to the previous case (see the "No Routing: Create an IPsec Service Request" section), with the exception that you must select a Network-based IPsec + GRE policy for the IPsec service request.

The routing protocol is either already set to the desired option in the IPsec policy, or you can set it to the desired option in the IPsec service request.

When you specify a routing protocol such as EIGRP, RIPv2, or OSPF in the IPsec service request, you must select the same routing protocol in the corresponding MPLS service request.

Routing: Create an MPLS Service Request

This step is identical to the "No Routing: Create an MPLS Service Request" section. The routing protocol is either already set to the desired option in the MPLS policy, or you can set it to the desired option in the MPLS service request.

When you specify a routing protocol such as EIGRP, RIPv2, or OSPF in the MPLS service request, you must specify the same routing protocol in the corresponding IPsec service request. In the example shown in Figure 6-33, EIGRP is specified in the IPsec service request, so the MPLS service request also uses EIGRP as the routing protocol. Notice the extra parameters that need to be specified for EIGRP (see Figure 6-34).

Figure 6-34 EIGRP Parameters for the MPLS Service Request


Routing: Deploy the Service Requests

It is important to deploy the IPsec service request before you deploy the MPLS service request because there are commands generated by the IPsec service request that the MPLS service request depends on.

Site-to-Site IPsec Tunnels: Two-Box Solution

In the two-box solution, there is an IPsec tunnel between the off-net CE and a Multi-VRF CE. The Multi-VRF CE is connected to a PE (see Figure 6-35). The IPsec aggregator in the two-box solution is the Multi-VRF CE. IPsec tunnels from the off-net CEs terminate on a single interface on the Multi-VRF CE. VRF-aware IPsec maps each IPsec tunnel to the corresponding VRF on the Multi-VRF CE.

The PE-facing interfaces are each in a customer's VRF, and the PE-facing interfaces connect to an interface on the PE, which itself is in a customer VRF.

Figure 6-35 Multi-VRF CE Serving as an IPsec Aggregator

Links to Be Provisioned

In effect, the service provider creates an MPLS link between the PE and Multi-VRF CE, and then creates another link between the off-net CE and the Multi-VRF CE. The latter link is actually an IPsec tunnel rather than a traditional MPLS link. This can be achieved by using ISC to create both an MPLS link and an IPsec tunnel between the Multi-VRF CE and the off-net CE.

In other words, there are really two links involved in this process, as shown in Figure 6-35:

A link between an off-net CE and the Multi-VRF CE: This is an IPsec tunnel, and as such requires both an IPsec service request and an MPLS service request.

A link between the Multi-VRF CE and a PE: This is a conventional MPLS link, and only requires an MPLS service request.

Tasks to Be Completed

To provision these two links between the off-net CE, the Multi-VRF CE, and the PE, the following tasks are required:

1. Mark the IPsec interfaces for the Multi-VRF CE and the off-net CE.

2. Create or use an existing IPsec site-to-site policy.

3. Create or use an existing MPLS policy (with a CE—the CE Present option must be enabled).

4. Create an IPsec site-to-site service request (for the off-net CE to MVRF-CE tunnels).

5. Create an MPLS VPN service request (for the links between the off-net CE, MVRF-CE, and PE).

6. Deploy the IPsec service request.

7. Deploy the MPLS service request.

Define the Multi-VRF CE

In the two-box solution, all the IPsec tunnels terminate on the Multi-VRF CE public interface. It is important to ensure the Multi-VRF CE is set up correctly in ISC. To begin with, the CE management type for this device must be set to Multi-VRF.

To define a device as a Multi-VRF CE:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 Choose Customers.

The Customers dialog box is displayed, along with the TOC (see Figure 6-36).

Figure 6-36 Customers Dialog Box and TOC

Step 4 From the TOC, choose CPE Devices.

ISC presents the list of CPE devices (see Figure 6-37).

Figure 6-37 List of CPE Devices

Step 5 Check the check box for the CPE you want to define as a Multi-VRF CE, then click Edit.

The Edit CPE Device dialog box is displayed (see Figure 6-38).

Figure 6-38 Specifying the CPE Management Type

Step 6 In the Management Type drop-down list, choose Multi-VRF.

Step 7 Click Save.

The selected device is now defined as a Multi-VRF CE.

Step 8 Finally, the IPsec public interface of the Multi-VRF CE must be marked.


Multi-VRF CE Routing Options

You can configure the IPsec tunnel between the off-net CE and the Multi-VRF CE either to run a routing protocol or to use no routing. Before proceeding any further, you must decide whether you want to use the no routing option or prefer to have a routing protocol enabled over the tunnel between the Multi-VRF CE and the off-net CE. Depending on your choice, you apply a different IPsec policy, as described in Table 6-2.

The supported routing options are:

No routing: When you choose no routing, IPsec must be in Tunnel mode; that is, there is an IPsec tunnel between the Multi-VRF CE and off-net CE. When used in conjunction with the Reverse Route Injection option in the IPsec policy, the Multi-VRF CE can have static routes for each of the off-net CE subnets injected into the corresponding VRF for that CE's customer. These static routes can then be redistributed into MP-BGP as needed.

Static routes: This option involves having an IPsec-protected GRE tunnel between the Multi-VRF CE and off-net CE. For each of the off-net CE subnets, ISC creates a static route on the Multi-VRF CE, which points to the corresponding Tunnel interface. Similarly, for each of the MPLS VPN summary addresses entered in the IPsec policy, a static route is created on each of the CEs that point to the corresponding Tunnel interface.

Dynamic routing protocols: This option involves having an IPsec-protected GRE tunnel between the Multi-VRF CE and the off-net CE. A dynamic routing protocol (EIGRP, RIPv2, or OSPF) runs over this GRE tunnel.

Depending on the routing option chosen, you must use a different site-to-site IPsec policy (see Table 6-1). There are two types of Network-based IPsec policies available:

IPsec Policy: This policy should be used if no routing option is desired between the Multi-VRF CE and off-net CE.

GRE + IPsec Policy: This policy should be used if a static route or a routing protocol is desired between the Multi-VRF CE and off-net CE.

Table 6-2 Matching the Routing Option to the Appropriate Policy

    If the Routing Option Is    Select the Following Policy       Comments
1.  No routing                  Site-to-site IPsec policy         Be sure to enter one or more subnets in the Summarized Addresses for MPLS VPN attribute of the IPsec policy.
2.  Static route                Site-to-site GRE + IPsec policy   Be sure to enter one or more subnets in the Summarized Addresses for MPLS VPN attribute of the IPsec policy.
3.  BGP, EIGRP, RIPv2, or OSPF  Site-to-site GRE + IPsec policy

The link between the Multi-VRF CE and the PE can be running the same or a different routing protocol as the other link. This option is completely under the control of the MPLS service request and has no corresponding requirements on the IPsec side.

Create a PE to Multi-VRF CE to CE Link with No Routing

The steps to create a Multi-VRF CE to CE link with No Routing specified are as follows:

Multi-VRF No Routing: Create a Network-Based IPsec Policy (see the next section)

Multi-VRF No Routing: Create an MPLS Policy

Multi-VRF No Routing: Create an IPsec Service Request

Multi-VRF No Routing: Create an MPLS Service Request

Multi-VRF No Routing: Deploy the IPsec and MPLS Service Requests

Multi-VRF No Routing: Create a Network-Based IPsec Policy

When no routing protocol is to run between the Multi-VRF CE and the off-net CE, you must use the Pure IPsec policy instead of the GRE + IPsec policy.


Step 1 Choose the Service Design tab, then choose Policy Manager.

The Policy Manager dialog box appears.

Step 2 From the Create drop-down list, choose IPsec Policy.

The IPsec Policy Create page appears.

Step 3 From the Network Based VPN Policy TOC entry, choose IPsec.

The IPsec Network Based Policy dialog box appears (see Figure 6-39).

Figure 6-39 Creating an IPsec Network-Based Policy

Step 4 Complete the parameters in the Network-Based Policy dialog box.

a. Name: Enter the name of the policy.

b. Owner: Select the customer from the drop-down list. This type of policy requires that you associate this policy with a specific customer.

c. Encryption Policy: Select an IPsec Encryption policy.

d. Generate Reverse Route Injection: Make sure this option is enabled.

When this option is enabled, static routes to the CEs are injected into the corresponding VRF on the Multi-VRF CE upon establishment of the IPsec tunnels. These routes can, in turn, be redistributed into the routing protocol running over the link between the Multi-VRF CE and the PE, which then redistributes them into MP-BGP.

e. Summarized Addresses for MPLS VPN: Enter one or more subnets in a.b.c.d/n format. Separate multiple subnet entries by commas.

When the No Routing option is selected in the service request, you must enter one or more subnets for the Summarized Addresses for MPLS VPN attribute. Because the Multi-VRF CE is shared by many customers, it does not have the concept of private subnets residing behind it; instead, a set of MPLS links to a PE reside behind a Multi-VRF CE, which in turn map to a set of customer VPNs. For each customer's IPsec policy, this VPN is defined as a list of summarized IP addresses. This list is needed in order to define the interesting traffic that needs to travel through the IPsec tunnel.

f. You can leave the rest of the parameters on this dialog box set to their default values.

Step 5 Click Save.
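The following is an added illustration, not ISC's configuration generator and not taken from this guide. It models the two effects of the Pure IPsec policy attributes described in Step 4: the Summarized Addresses for MPLS VPN list combined with the off-net CE's private subnets defines the interesting traffic (the crypto ACL) at both ends of the tunnel, and Reverse Route Injection adds one static route per off-net subnet into the customer's VRF on the Multi-VRF CE once the tunnel is up. It also checks that the two crypto ACLs are exact mirrors of each other, since a mismatch is a classic cause of a tunnel that negotiates but carries no traffic. The IOS syntax is standard; the VRF name CUST_A, ACL number 101, the peer address 203.0.113.10 and all subnets are constructed for the example.

```python
"""Model of what the Pure IPsec (no routing) policy attributes drive on the
Multi-VRF CE and the off-net CE.

Added illustration, not ISC's generator.  The VRF name, ACL number, peer
address and subnets are constructed for this example.
"""
import ipaddress
from itertools import product
from typing import Dict, List


def _nets(field: str) -> List[ipaddress.IPv4Network]:
    # a.b.c.d/n entries separated by commas; strict=True rejects host bits
    return [ipaddress.ip_network(e.strip(), strict=True)
            for e in field.split(",") if e.strip()]


def crypto_acl(acl_number: int, local: str, remote: str) -> List[str]:
    """Interesting-traffic ACL: every local subnet to every remote subnet.

    On the off-net CE, 'local' is the CE's private subnets and 'remote' is the
    customer's Summarized Addresses for MPLS VPN.  On the Multi-VRF CE the two
    roles are swapped so that both ends select mirror-image traffic.
    """
    lines = []
    for src, dst in product(_nets(local), _nets(remote)):
        lines.append(f"access-list {acl_number} permit ip "
                     f"{src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask}")
    return lines


def mirror_acls(ce_private: str, summarized: str) -> Dict[str, List[str]]:
    """The CE-side ACL and the aggregator-side mirror ACL for one tunnel."""
    return {"off-net CE": crypto_acl(101, ce_private, summarized),
            "Multi-VRF CE": crypto_acl(101, summarized, ce_private)}


def acls_are_mirrors(ce_acl: List[str], aggregator_acl: List[str]) -> bool:
    """True when each CE entry appears on the aggregator with src/dst swapped.

    Only the four address tokens (src, src-wildcard, dst, dst-wildcard) of an
    'access-list N permit ip ...' line take part in the comparison.
    """
    def pairs(lines):
        out = set()
        for ln in lines:
            t = ln.split()
            out.add((t[4], t[5], t[6], t[7]))
        return out
    swapped = {(d, dw, s, sw) for s, sw, d, dw in pairs(ce_acl)}
    return swapped == pairs(aggregator_acl)


def reverse_route_injection(vrf: str, ce_private: str, ce_public_ip: str) -> List[str]:
    """Routes RRI places in the customer's VRF on the Multi-VRF CE once the
    tunnel with this CE is established: one per off-net subnet, with the
    CE's public (peer) address as next hop.  These are what the IGP on the
    Multi-VRF CE to PE link later redistributes towards MP-BGP."""
    peer = ipaddress.ip_address(ce_public_ip)
    return [f"ip route vrf {vrf} {n.network_address} {n.netmask} {peer}"
            for n in _nets(ce_private)]


if __name__ == "__main__":
    # constructed sample values for one customer and one off-net CE
    acls = mirror_acls("10.2.0.0/16", "10.1.0.0/16, 172.16.0.0/12")
    for side, lines in acls.items():
        print(f"! {side}")
        print("\n".join(lines))
    print("! RRI routes on the Multi-VRF CE")
    print("\n".join(reverse_route_injection("CUST_A", "10.2.0.0/16", "203.0.113.10")))
    print("mirror check:", acls_are_mirrors(acls["off-net CE"], acls["Multi-VRF CE"]))
```

The mirror check is the piece to reuse when troubleshooting: the Summarized Addresses list is per customer policy, so a subnet added to it on one side only leaves one direction of traffic outside the tunnel's interesting-traffic definition.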


Multi-VRF No Routing: Create an MPLS Policy

For this Multi-VRF CE policy, be sure to both set the Policy Type to MVRFCE: PE-CE (by default, the Policy Type is Regular: PE-CE), and enable the CE Present option.

To create an MPLS policy for the CE-Multi-VRF CE-PE links:


Step 1 Select the Service Design tab, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose MPLS Policy.

The MPLS Policy Type dialog box appears (see Figure 6-40).

Figure 6-40 Creating a Multi-VRF PE to CE Policy

Step 3 Specify the appropriate values for the Policy Type parameters:

a. Policy Name: Enter the name of the policy.

b. Policy Owner: Select Customer.

c. Customer: Select the appropriate customer name.

d. Policy Type: Select MVRFCE: PE-CE.

e. CE Present: Make sure that this option is enabled (it is enabled by default).

Step 4 Click Next.

The Multi-VRF CE PE Interface dialog box is displayed (see Figure 6-41).

This is a standard MPLS link. You have the option of either specifying a specific PE interface type in the policy or keeping it open and making the final PE interface selection when the operator creates the MPLS service request.

Figure 6-41 Specifying the Multi-VRF PE Interface Parameters

Step 5 Select the appropriate values for the interfaces on the PE for the link to the Multi-VRF CE, then click Next.

For details on these parameters, see the "Specifying the PE and CE Interface Parameters" section.

The Multi-VRF-CE CE Interface dialog appears (see Figure 6-42).

Figure 6-42 Specifying the Multi-VRF CE Interface Parameters

Step 6 Select the appropriate values for the interfaces on the CE for the link to the Multi-VRF CE, then click Next.

The IP Address Scheme for the PE to Multi-VRF CE link dialog box appears (see Figure 6-43).

The link represented in this dialog box is the standard MPLS link between the PE and the Multi-VRF CE.

Figure 6-43 Specifying the IP Address Scheme for the PE to Multi-VRF CE Link

Step 7 Specify the IP addressing scheme for the link between the PE and the Multi-VRF CE, then click Next.

For information on these parameters, see the "Specifying the IP Address Scheme" section.

The IP Address Scheme for the Multi-VRF CE to the CE link dialog box appears (see Figure 6-44).

Figure 6-44 Specifying the IP Address Scheme for the Multi-VRF CE to the CE Link

The link represented in this dialog is the IPsec tunnel between the Multi-VRF CE and off-net CE. Since there is no IP address being assigned by the IPsec VPN service, this dialog is ignored.

Step 8 Accept the defaults, then click Next.

The Routing Information dialog box for the link between the PE and the Multi-VRF CE appears (see Figure 6-45).

Figure 6-45 Specifying the Routing Information for the PE to Multi-VRF CE Link

Step 9 Specify the routing parameters for the link between the PE and the Multi-VRF CE, then click Next.

You may also leave the default settings for the routing parameters and specify the routing details when the operator creates the MPLS service request.

For detailed information on these parameters, see the "Specifying the Routing Protocol for a Service" section.

The Routing Information dialog box for the link between the Multi-VRF CE and the CE appears (see Figure 6-46).

Figure 6-46 Specifying the Routing Information for the Multi-VRF CE to CE Link

Step 10 Select NONE as the routing protocol option for the IPsec tunnel between the Multi-VRF CE and the off-net CE, then click Next.

The VRF and VPN Membership dialog box is displayed (see Figure 6-47).

Figure 6-47 Specifying the VRF Membership

Step 11 Accept the VRF membership defaults, then click Finish.


Multi-VRF No Routing: Create an IPsec Service Request

To create a new IPsec service request for a Multi-VRF CE link, follow these steps:


Step 1 Start up and log into ISC.

a. From the Welcome to IP Solution Center window, choose Service Inventory.

b. From the Service Inventory window, choose Inventory and Connection Manager.

c. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose IPsec.

The Select IPsec Policy dialog box appears. This dialog box displays the list of all the IPsec service policies that have been defined in ISC.

Step 4 Select the check box for the policy of choice, then click OK.

The IPsec Service Editor appears (see Figure 6-48).

Figure 6-48 Creating a Multi-VRF IPsec to MPLS Mapping Service Request

Step 5 VPN: Select the corresponding VPN for the service.

Step 6 Network-based IPsec:

a. Select IPSEC_TO_MPLS_MAPPING.

b. Select Two-box solution: Multi-VRF CE as the IPsec Aggregator.

Step 7 Site-to-Site Policy: To select a site-to-site policy for the service request, click Select.

The Policy Chooser window displays only the network-based policies owned by the current customer (see Figure 6-49).

Figure 6-49 IPsec Policy Chooser

a. Select the appropriate network-based IPsec policy (using Pure IPsec), then click Select.

b. Click Save.

You return to the IPsec Service Editor.

Step 8 Select the Multi-VRF CE and the off-net CEs for this service request:

By default, the CE Chooser shows only the CEs that are owned by the current customer. Since the Multi-VRF CE is owned by the service provider, Cisco recommends that you change the Matching value in the CE Chooser from the customer name to an asterisk (*), then click Find.

This displays all the customer-owned CEs, as well as the provider-owned Multi-VRF CEs. Alternatively, you can select the customer CEs first, then change the Matching value to show the Multi-VRF CEs as well.

a. From the Device drop-down list, click Select, then choose CPEs.

The CPEs associated with the IPsec service request are displayed (see Figure 6-50).

Figure 6-50 List of CPEs Displayed

b. Choose the Multi-VRF CE and the associated CE for this service, then click Select.

You return to the IPsec Service Editor, where the newly selected devices are listed (see Figure 6-51). The Multi-VRF CE is automatically assigned as the hub.

Figure 6-51 Multi-VRF CE and Associated CEs Selected

c. Click Save.

The IPsec Service Editor displays the settings you have specified for the IPsec service (see Figure 6-52).

Figure 6-52 IPsec Service Request Defined


Multi-VRF No Routing: Create an MPLS Service Request

The next step is to create an MPLS service request for this Multi-VRF service. Notice that there are three devices in each link now:

Customer CE

Multi-VRF CE

PE

The Multi-VRF CE is between the customer CE and the PE and therefore has two interfaces that we are interested in:

CE-facing interface

PE-facing interface

The CE-facing interface is the interface on which IPsec tunnels from various customers terminate, and as such must already be marked as an IPsec public interface.

The PE-facing interface is part of a conventional MPLS link with the PE and it is provisioned by ISC.

To create the MPLS service request for this link:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose MPLS VPN.

The Select MPLS Policy dialog box appears. This dialog box displays the list of all the MPLS service policies that have been defined in ISC.

Step 4 Select the policy created earlier for Multi-VRF CE service requests, then click OK.

The MPLS Service Request Editor appears (see Figure 6-53).

Figure 6-53 MPLS Service Request Editor for a Multi-VRF Service

Step 5 Click Add Link.

The MPLS Service Request Editor now displays a set of fields, as shown in Figure 6-54. Notice that the Select CE field is enabled. Specifying the CE for the link is the first task required to define the link for this service.

Figure 6-54 Initial Fields Displayed to Define the Multi-VRF CE to CE Link

Step 6 CE: Click Select CE.

The Select CPE Device dialog box is displayed (see Figure 6-55).

Figure 6-55 Selecting the CE for the Multi-VRF CE Link

Step 7 In the Select column, select the name of the CE for the MPLS link, then click Select.

Step 8 CE Interface: ISC automatically populates the CE Interface field.

The Select MVRFCE hyperlink is now enabled.

Step 9 MVRF CE: Click Select MVRFCE.

A list of Multi-VRF CEs is displayed.

Step 10 Select the appropriate Multi-VRF CE, then click Select.

The name of the selected Multi-VRF CE is now displayed in the MVRFCE column, ISC populates the Multi-VRF CE Facing Interface field, and the Select PE hyperlink is now enabled.

Step 11 PE: Click Select PE.

A list of PEs is displayed.

Step 12 Select the appropriate PE for this link, then click Select.

The name of the selected PE is now displayed in the PE column, ISC populates the PE Interface field, and the Link Attribute Add link is now enabled (see Figure 6-56).

Figure 6-56 Multi-VRF Fields Completed for This MPLS Service

Step 13 Click Add.

The MPLS Link Attribute Editor is displayed, showing the fields for the interface parameters (see Figure 6-57).

In this Link Attribute Interface dialog box, the interfaces of the PE and Multi-VRF CE are listed. These are the endpoints of the MPLS link.

Figure 6-57 Specifying the PE and Multi-VRF CE Interface Parameters

ISC populates the interface names and the encapsulation (802.1Q) and enters the VLAN ID. ISC automatically creates subinterfaces on the PE and the Multi-VRF CE for this VLAN ID.

Step 14 Confirm the specific interface parameters for the PE and Multi-VRF CE, then click Next.

The Multi-VRF CE to CE Interface page appears (see Figure 6-58).

The interfaces of the Multi-VRF CE and the customer CE are listed. Notice that both of these interfaces are labeled IPsec public interfaces since they were marked as public. The link represented in this dialog box is an IPsec tunnel. Therefore, the interfaces have to be the IPsec public interfaces.

Figure 6-58 Specifying the Multi-VRF CE and CE Interface Parameters

Step 15 No further configuration is needed in this dialog box—click Next.

The IP Address Scheme dialog for the PE to Multi-VRF CE link appears (see Figure 6-59). The fields are populated with the values specified in the associated MPLS policy.

Figure 6-59 Confirming the IP Address Scheme for the PE to Multi-VRF CE Link

In this example, we selected the option to automatically assign IP addresses for the MPLS link endpoints by obtaining IP addresses from a pool.

Step 16 If necessary, modify the IP address scheme for the link between the Multi-VRF CE and the PE; otherwise, accept the displayed values, then click Next.

Next, you need to define the address scheme for the link between the Multi-VRF CE and the CE.

Figure 6-60 Specifying the IP Address Scheme for the Multi-VRF CE to CE Link

Step 17 Specify the IP address scheme for the Multi-VRF CE to CE link, then click Next.

The PE to Multi-VRF CE Routing Information dialog box appears (see Figure 6-61).

Figure 6-61 Specifying the Routing Information for the PE to Multi-VRF CE Link

Step 18 Specify the routing information for the link between the PE and the Multi-VRF CE, then click Next.

The Multi-VRF CE to CE Routing Information dialog box is displayed (see Figure 6-62).

In this dialog, you select the routing option between the Multi-VRF CE and the customer CE.

When the link between the Multi-VRF CE and the customer CE is a Pure IPsec tunnel, you must select NONE as the routing option.

When the link is a GRE tunnel with IPsec protection, you can select other routing options, such as Static, EIGRP, RIP, and OSPF.

Figure 6-62 Specifying No Routing Between the Multi-VRF CE and the CE

Step 19 Routing Protocol: Specify the routing for the Multi-VRF CE to CE link, then click Next.

The MPLS Link Attribute Editor for the VRF and VPN attributes appears (see Figure 6-63).

Figure 6-63 Specifying the MPLS Link VRF and VPN Attributes

The field values displayed in this dialog box reflect the values specified in the service policy associated with this service. For details on the VRF and VPN information, see the "Defining the Service Policy VRF and VPN Information" section.

Step 20 To select a CERC for this service request, click Add.

The CERC Chooser dialog box appears (see Figure 6-64).

Figure 6-64 Specifying the CERC for the MPLS Link

Step 21 Complete the fields as necessary:

a. Customer: Select the correct customer.

b. VPN: Select the correct VPN.

c. CERC: From the displayed list of CERCs, select the appropriate CERC.

d. Click Join as Hub.

e. When finished with these settings, click Done.

Your CERC selection is added to the VRF and VPN page.

Step 22 When satisfied with the VRF and VPN settings, click Finish.

Step 23 To save your service request specifications for this link, click Save.


Multi-VRF No Routing: Deploy the IPsec and MPLS Service Requests


Tip It is important to deploy the IPsec service request before the MPLS service request is deployed because there are some commands generated by the IPsec service request that the MPLS service request depends on.


To deploy the IPsec and MPLS service requests:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 4 Select the check box next to the Job ID for the IPsec service request.

Step 5 Click the Deploy drop-down list, then click Deploy.

The Deploy Service Requests dialog box appears, which allows you to schedule when you want to deploy the selected service request.

Step 6 Complete the fields in this scheduling dialog box to schedule the service request as needed.

Step 7 When satisfied with the schedule settings, click Save.

You return to the Service Requests dialog box. Check the Status display in the lower left corner of the window. If the service request has been deployed successfully, the Status display appears as shown in Figure 6-65.

Figure 6-65 Status for Successful Deployment

Step 8 Repeat Steps 4 through 7 to deploy the MPLS service request.


Create a PE to Multi-VRF CE to CE Link with Routing Enabled

The steps to create a Multi-VRF CE to customer CE link with routing enabled are as follows:

Multi-VRF with Routing: Mark the Multi-VRF CE's IPsec Private Interface (see the next section)

Multi-VRF with Routing: Create a Network-Based IPsec + GRE Policy

Multi-VRF with Routing: Create an MPLS Policy

Multi-VRF with Routing: Create an IPsec Service Request

Multi-VRF with Routing: Create an MPLS Service Request

Multi-VRF with Routing: Deploy the IPsec and MPLS Service Requests

Multi-VRF with Routing: Mark the Multi-VRF CE's IPsec Private Interface

In order to provision static routes or a dynamic routing protocol for the IPsec link between the Multi-VRF CE and the customer CE, you must use GRE tunnels. ISC automatically creates the Tunnel interfaces on the Multi-VRF CE and the customer CE routers, and configures them as ip unnumbered.

For this purpose, the operator must mark a loopback interface as the IPsec private interface on the Multi-VRF CE. This interface may have a nonroutable IP address. This IP address is included in the network statement of the specified routing protocol, which enables the selected routing protocol on all the GRE Tunnel interfaces that are unnumbered to the loopback interface with that IP address.

To mark the Multi-VRF CE's private interface:


Step 1 Choose Service Inventory > Inventory and Connection Manager.

Step 2 From the Inventory and Connection Manager page, choose Customers.

Step 3 From the Customers page TOC, choose CPE Devices.

The list of CPE devices is displayed.

Step 4 Select the CE whose interface you want to mark as private, then click Edit.

The Edit CPE Device dialog box appears (see Figure 6-66).

Figure 6-66 Marking the Multi-VRF CE's Private Interfaces

Step 5 From the list, locate the loopback interface, then choose Private from its IPsec drop-down list.

Step 6 Click Save.


Multi-VRF with Routing: Create a Network-Based IPsec + GRE Policy

When routing is enabled between the Multi-VRF CE and the customer CE, you must use an IPsec + GRE policy.

To create a network-based IPsec + GRE policy:


Step 1 Choose Service Design > Policy Manager.

The Policy Manager dialog box appears.

Step 2 From the Create drop-down list, choose IPsec Policy.

The IPsec Policy Create page appears.

Step 3 From the Network Based VPN Policy TOC entry, choose IPsec + GRE.

The IPsec + GRE Network Based Policy dialog box appears (see Figure 6-67).

Figure 6-67 IPsec + GRE Policy for a Routing Link

Step 4 Complete the parameters in the Network-Based Policy dialog box.

a. Name: Enter the name of the policy.

b. Owner: Select the customer from the drop-down list. This type of policy requires that you associate this policy with a specific customer.

c. Encryption Policy: Select an IPsec Encryption policy.

d. Routing Protocol: When you select a routing protocol such as EIGRP, RIPv2, or OSPF in an IPsec policy, you do not have to specify the parameters associated with these protocols (such as the EIGRP autonomous system (AS) number or the OSPF Area number) in the IPsec policy since those parameters are specified in the MPLS policy.

e. Summarized Addresses for MPLS VPN: If the selected routing option is Static, you must enter one or more subnets in a.b.c.d/n format. Separate multiple subnet entries by commas.

When the No Routing option is selected in the service request, you must enter one or more subnets for the Summarized Addresses for MPLS VPN attribute. Because the Multi-VRF CE is shared by many customers, it does not have the concept of private subnets residing behind it; instead, a set of MPLS links to a PE reside behind a Multi-VRF CE, which in turn map to a set of customer VPNs.

For each customer's IPsec policy, this VPN is defined as a list of summarized IP addresses. This list of subnets is used to generate static routes on the spokes pointing to the GRE tunnel that terminates on the Multi-VRF CE.

f. You can leave the rest of the parameters on this dialog box set to their default values.

Step 5 Click Save.


Multi-VRF with Routing: Create an MPLS Policy

You can either use a new MPLS policy with the Routing option set to Static, EIGRP, RIPv2, or OSPF, or you can use an existing MPLS policy.

If you use an existing MPLS policy, change the routing protocol to the desired option when you create the MPLS service request.

To create an MPLS policy for the CE-Multi-VRF CE-PE links:


Step 1 Select the Service Design tab, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose MPLS Policy.

Step 3 Complete the policy definition as necessary for this link.


Multi-VRF with Routing: Create an IPsec Service Request

This step is identical to the previous case (see the "Multi-VRF No Routing: Create an IPsec Service Request" section), with the exception that you must select a Network-based IPsec + GRE policy for the IPsec service request.

The routing protocol is either already set to the desired option in the IPsec policy, or you can set it to the desired option in the IPsec service request.

When you specify a routing protocol such as RIPv2 or OSPF in the IPsec service request, you must select the same routing protocol in the corresponding MPLS service request for the Multi-VRF CE to customer CE link.

Multi-VRF with Routing: Create an MPLS Service Request

This step is identical to the "Multi-VRF No Routing: Create an MPLS Service Request" section. The routing protocol is either already set to the desired option in the MPLS policy, or you can set it to the desired option in the MPLS service request.

When you specify a routing protocol such as RIPv2 or OSPF for the Multi-VRF CE to customer CE link, you must specify the same routing protocol in the corresponding IPsec service request. In the example shown in Figure 6-67, Static is specified in the IPsec service request, so the MPLS service request must also use Static as the routing protocol.

Multi-VRF with Routing: Deploy the IPsec and MPLS Service Requests


Tip It is important to deploy the IPsec service request before the MPLS service request is deployed because there are some commands generated by the IPsec service request that the MPLS service request depends on.


To deploy the IPsec and MPLS service requests:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 4 Select the check box next to the Job ID for the IPsec service request.

Step 5 Click the Deploy drop-down list, then click Deploy.

The Deploy Service Requests dialog box appears, which allows you to schedule when you want to deploy the selected service request.

Step 6 Complete the fields in this scheduling dialog box to schedule the service requested as needed.

Step 7 When satisfied with the schedule settings, click Save.

You return to the Service Requests dialog box. Check the Status display in the lower left corner of the window to make sure the service request has been deployed successfully.

Step 8 Repeat Steps 4 through 7 to deploy the MPLS service request.


Remote Access IPsec Tunnels: One-Box Solution

Remote access IPsec tunnels are typically used with MPLS VPNs where the customer has an existing VPN and a number of roaming users. These users have access to the Internet and need remote access to the MPLS VPN. An IPsec tunnel between the roaming users' workstations and the service provider's IPsec aggregator router over the Internet allows them to join the MPLS VPN.

In the remote access one-box solution, the service provider terminates the IPsec tunnels on a PE router. That is, the IPsec aggregator is the PE, terminating IPsec tunnels from various customers' remote users or off-net CEs.

An IPsec Remote Access policy defines the attributes of the IPsec tunnel between the IPsec aggregator and the remote user. For example, the policy defines the group name and password, whether Reverse Route Injection should be enabled, whether NAT Transparency should be enabled, and so on.

Similarly, an MPLS policy defines the attributes of the link between the PE and CE. In the remote access case, we use an MPLS link with no CE present to represent the IPsec tunnels terminating on the PE from remote users. As such, in the remote access case, running a routing protocol over the link is not necessary.

In order to provision an IPsec tunnel from a remote user's workstation and a PE, the following tasks need to be completed:

1. Mark the IPsec interfaces on the PE.

2. Create or use an existing AAA server entry.

3. Create or use an existing IPsec Remote Access policy.

4. Create or use an existing MPLS policy (with no CE present).

5. Create an IPsec Remote Access service request.

6. Create an MPLS VPN service request.

7. First, deploy the IPsec service request.

8. Finally, deploy the MPLS service request.

Create an AAA Server Entry

If the Remote Access IPsec policy indicates that user profiles or group attributes are obtained from an AAA (Authentication/Authorization/Accounting) server instead of having them stored on the PE router itself, you must create an AAA server entry.

Depending on whether the AAA server is owned by the service provider or the customer, select the ownership as Global or Customer, respectively.

Using a customer-owned AAA server in a Remote Access service request generates VRF-aware AAA commands. Using a global AAA server generates global AAA commands.

To create an AAA server entry:


Step 1 Choose Service Inventory.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose AAA Servers.

The AAA Servers dialog box appears.

Step 4 Click Create.

The Create AAA Server dialog box appears (see Figure 6-68).

Figure 6-68 Creating an AAA Server

Step 5 Complete the fields as necessary:

a. Name: Enter the name of the AAA server.

b. Owner: Specify whether you want the owner to be Global or Customer. If you select Customer, click Select to choose the customer name.

c. IP Address: Enter the IP address of the AAA server.

d. Server Type: Select the server type.

AAA server types can be one of the following: RADIUS, NT DOMAIN, SDI (authenticate users via an external RSA Security, Inc. SecurID system), or TACACS+.


Note The AAA Server Type must match the value of the Authentication Server in the IPsec Remote Access policy (see the next section, "Create an IPsec Remote Access Policy").
For example, if the Authentication Server is set to RADIUS in the IPsec Remote Access policy, then the AAA Server Type must also be set to RADIUS.


e. Server Role: Specify the server role as one of the following values: Authentication, Accounting, or Both.

f. Port: Enter the UDP port number that accesses the Authentication server. The default port number is 1645.

g. Accounting Server Port: Enter the UDP port number that accesses the Accounting server. The default port number is 1646.

These defaults are the legacy RADIUS ports. RFC 2865 and RFC 2866 assign 1812 for authentication and 1813 for accounting, and many servers listen only on those. Enter the ports the server actually listens on; otherwise every request times out and is retried against a server that never answers.

h. Timeout: Enter the time in seconds to wait after sending a query to the server and receiving no response before trying again. The minimum value is 1 second; the default is 4 seconds; the maximum value is 30 seconds.

i. Retries: Enter the number of times to retry sending a query to the server after the timeout period elapses. The minimum value is 0; the default is 2 retries; the maximum value is 10 retries.

j. Secret: Enter the shared secret configured on the RADIUS or TACACS+ server for this router. The maximum number of characters is 64. The secret is never sent on the wire; the router uses it to hide user passwords in requests and to verify that replies really came from the server, so it must be identical on both sides. A mismatched secret does not produce an explicit error: the server rejects the request or the router discards the reply, and the user sees an authentication failure or a timeout.

Step 6 When satisfied with the values entered here, click Save.
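The Secret, Port, Timeout, and Retries fields above describe one RADIUS exchange between the PE and the AAA server. The following Python model, added here as an example and not part of ISC or of the Cisco IOS implementation, builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 specifies, answers it from a simulated in-process server, and verifies the Response Authenticator on the way back. The usernames, passwords, secret, and Request Authenticator are constructed values; the port constants only record the guide's default (1645) next to the RFC 2865 value (1812) and are not used to send anything.

```python
# Added example (not part of the Cisco ISC guide): a minimal RADIUS
# Access-Request / Access-Accept exchange (RFC 2865) showing what the
# Secret and Port fields of the AAA server entry protect. The "server"
# is simulated in-process; no packet leaves the host. Usernames,
# passwords and the secret below are constructed test values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
AUTH_PORT_LEGACY, AUTH_PORT_RFC2865 = 1645, 1812  # guide default vs. RFC port


def _attr(code, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(secret, ident, req_auth, username, password):
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, id, authenticator, raw attrs, attr dict)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, raw = packet[4:20], packet[20:length]
    attrs, pos = {}, 0
    while pos < len(raw):
        attr_type, attr_len = raw[pos], raw[pos + 1]
        attrs[attr_type] = raw[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, auth, raw, attrs


def response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(secret, users, packet):
    """Simulated AAA server: recover the password and check the user table."""
    code, ident, req_auth, _, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    verdict = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, ident, 20)
    return header + response_authenticator(secret, verdict, ident, req_auth, b"")


def client_verify(secret, ident, req_auth, response):
    """Accept the reply only if its Response Authenticator checks out under our secret."""
    code, rid, resp_auth, raw, _ = parse_packet(response)
    expected = response_authenticator(secret, code, rid, req_auth, raw)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return None  # a real NAS silently drops this, retries, and finally times out
    return code


def authenticate(client_secret, server_secret, users, username, password, req_auth=None):
    """Run one exchange: ACCESS_ACCEPT, ACCESS_REJECT, or None if the reply fails verification."""
    req_auth = req_auth or os.urandom(16)
    ident = 0x2A
    request = build_access_request(client_secret, ident, req_auth, username, password)
    response = server_handle(server_secret, users, request)
    return client_verify(client_secret, ident, req_auth, response)


if __name__ == "__main__":
    users = {b"alice": b"correct horse battery"}  # constructed user table
    print(authenticate(b"s3cret", b"s3cret", users, b"alice", b"correct horse battery"))  # 2
    print(authenticate(b"s3cret", b"s3cret", users, b"alice", b"wrong"))                  # 3
    print(authenticate(b"s3cret", b"other", users, b"alice", b"correct horse battery"))   # None
```

Running it shows the three outcomes an operator can meet: matching secrets and a correct password give Access-Accept (2), a wrong password gives Access-Reject (3), and mismatched secrets give None, which corresponds to the silent drop and eventual timeout seen when the Secret field does not match the server.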


Create an IPsec Remote Access Policy

An IPsec Remote Access policy defines the attributes of the IPsec tunnel between the IPsec aggregator and the remote user. These attributes are typically the same for both the one-box and two-box solutions.

For Remote Access IPsec, there is only one type of policy available which may be used for both regular and network-based IPsec. To create a remote access IPsec policy:


Step 1 Choose Service Design, then choose Policy Manager.

The Policy Manager appears.

Step 2 Choose IPsec Policy.

Step 3 The IPsec Policy Create page appears.

From the TOC's list of links, choose Remote Access VPN Policy.

The dialog box shown in Figure 6-69 appears.

Figure 6-69 Creating an IPsec Remote Access Policy

Step 4 Complete the information in the fields as necessary:

a. Name: Enter the name of this remote access IPsec policy. This name is also used as the name of the group. The name entered here is the name that the remote users must use when accessing the VPN. The policy/group name cannot contain any spaces.

b. Owner: Make sure to associate this policy to a specific customer.

c. Encryption Policy: Select an IPsec encryption policy for the remote access policy. The same encryption policy that was used for IPsec site-to-site policy can be used in a remote access policy.

d. Group Password: Enter the group password that remote users must use when connecting to the VPN via the Cisco VPN Client, then confirm the password. This password is a pre-shared key common to every member of the group: it proves membership in the group, not the identity of an individual user, and anyone who obtains it can begin IKE negotiation with the aggregator. Treat it as a secret and enable XAUTH (item f) so that each user is also authenticated individually.

e. Group Type: Specify where the group's attributes are kept. In this context a group is the set of remote users that connect with the same group name and group password (items a and d); the attributes defined for the group, such as the address pool, the split tunneling network list, and the DNS and WINS addresses, are pushed to every member through Mode Configuration.

Depending on whether the group attributes will be maintained on the PE router itself or on an AAA server, select the corresponding group type:

Internal: Signifies that you must configure groups from a Cisco IOS router (a PE or a Multi-VRF CE).

External: Signifies that you must configure groups from an external AAA server.

f. XAUTH: Check this checkbox to enable ISAKMP Extended Authentication.

g. Use Mode Configuration: Check this check box to use Mode Configuration with IPsec clients (also known as the ISAKMP Configuration Method or Configuration Transaction). This option exchanges configuration parameters with the client while negotiating security associations.

If you enable this check box, configure the pertinent Mode Configuration parameters as described in the section below; otherwise, ignore them. This option is enabled by default.


Note To use split tunneling, you must enable Mode Configuration.


IPsec uses Mode Configuration to pass all configuration parameters to clients: IP addresses, DNS and WINS addresses, and so on. If this Use Mode Configuration option is not enabled, those parameters—even if configured with entries—are not passed to the client.

h. Tunneling Protocol: Check the desired tunneling protocol option to select the VPN tunneling protocols that clients can use: IPsec or L2TP over IPsec.


Note You cannot enable both IPsec and L2TP over IPsec. The IPsec parameters differ for these two protocols, and you cannot configure the VPN group for both tunneling protocols.


IPsec: IP Security protocol. IPsec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both site-to-site and remote access connections can use IPsec.

Cisco VPN Client is an IPsec client designed to work with devices that support the IPsec Unity server—namely, Cisco IOS, PIX, and the VPN 3000 concentrator. That is, remote access users can use Cisco VPN Client to terminate IPsec tunnels on headend gateways.

L2TP Over IPsec: Layer 2 Tunneling Protocol (L2TP) over IPsec. This protocol provides interoperability with the Windows 2000 VPN client. L2TP packets are encapsulated within IPsec, thus providing an additional authentication and encryption layer for security.

i. Authentication Server: Specify the Authentication server. The following server options are supported: Internal, RADIUS, TACACS+.

Note that when specifying the Authentication server, the following two authentication values must match:

The value of the Authentication server in the IPsec Remote Access policy.

The AAA Server Type (see Figure 6-68 to view the dialog box where the AAA Server Type field occurs).

For example, if the Authentication server is set to RADIUS in the IPsec Remote Access policy, then the AAA Server Type must also be set to RADIUS.

Depending on whether the user profiles will be maintained on the PE router itself or on an AAA server, select the appropriate option.

j. When finished with this dialog, click Next.

The Address Pools page is displayed.

Step 5 To add an address pool, click Create.

The dialog shown in Figure 6-70 is displayed. Remote clients that establish IPsec tunnels to the PE will be assigned an inner IP address from this pool.

Figure 6-70 Creating an IP Address Pool

a. Starting Address: Enter the address pool's starting IP address.

b. Ending Address: Enter the address pool's ending IP address, then click OK.

You return to the Address Pools page where the IP addresses for the address pool that you entered are now displayed.

c. Click Next.

The Split Tunneling Network List appears (see Figure 6-71).

Figure 6-71 Defining a Split Tunnel

Step 6 Specify the split tunneling policy.

a. Split Tunneling Policy: Split tunneling lets an IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in clear text form. Packets not bound for destinations across the IPsec tunnel don't have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. Split tunneling thus eases the processing load, simplifies traffic management, and speeds up untunneled traffic.


Note You must create a split tunneling network list before you can enable split tunneling.


b. Generate: Use the Generate button if you want to automatically get the list of private subnets from an existing site-to-site IPsec VPN.

c. Create: Use the Create button in order to enter a list of network addresses that must travel through the IPsec tunnel.

The supported Split Tunneling Policy options are:

Everything: All traffic will be sent through the IPsec tunnel to the PE, that is, both VPN-bound traffic and Internet-bound traffic will go through the IPsec tunnel.

In List: Only traffic matching the list of networks in the In List goes through the IPsec tunnel to the PE. Traffic that does not match the list leaves the client in clear text on its locally connected network (typically toward the Internet); it is not sent to the PE at all. If you select this option, you must click Create or Generate in order to create a list of networks that make up the VPN traffic, that is, the list of networks that need to travel through the IPsec tunnel.

Not In List: Only the traffic to addresses not in the network list goes through the tunnel.

Split tunneling applies only to single-user remote-access IPsec tunnels, not to site-to-site connections.

Split tunneling decisions depend on the destination network address; hence the use of split tunneling network lists. A split tunneling network list is a list of addresses on the private network. The IPsec client uses the network list as an inclusion list: a list of networks for which traffic should be sent over the IPsec tunnel. All other traffic is routed as normal clear text traffic.

The IPsec client establishes an IPsec security association (SA) for each network specified in the list. Outbound packets with destination addresses that match one of the SAs are sent over the tunnel; everything else is sent as clear text to the locally connected network.

Split tunneling can act as a packet filter at the client. If a split tunneling network list defines only a subset of the private network address space, then a client can access only that subset of network addresses. The client cannot access other addresses because packets to those addresses are sent to the public Internet, from which they are not accessible.

Split tunneling is primarily a traffic management feature, not a security feature. A split-tunneled client is exposed to the Internet at the same time as it holds a path into the customer VPN, so a client compromised from the Internet can be used as a relay into the VPN without passing through the IPsec aggregator's policy. For optimum security, we recommend that you not enable split tunneling. Because only ISC, and not the IPsec client, can enable split tunneling, the decision is enforced from the provider side: you enable and configure it here, and the IPsec Unity server uses IKE Mode Configuration to push it to, and enable it on, the IPsec client. Split tunneling is disabled by default.
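The following Python model, added here as an example and not part of ISC or of the Cisco VPN Client, applies the three Split Tunneling Policy options described above to a constructed network list and a few destination addresses, and computes the part of a private address space that an In List client cannot reach (the packet-filter effect). The network list, private address space, and destination addresses are made up for illustration.

```python
# Added example (not part of the Cisco ISC guide): a model of how an IPsec
# client applies the three Split Tunneling Policy options described above.
# Network lists and destinations below are constructed for illustration.
from ipaddress import ip_address, ip_network

EVERYTHING, IN_LIST, NOT_IN_LIST = "Everything", "In List", "Not In List"


def _networks(network_list):
    return [ip_network(n, strict=False) for n in network_list]


def is_tunneled(policy, network_list, dst):
    """True if a packet to dst is encrypted into the IPsec tunnel, False if
    the client sends it in clear text to its locally connected network."""
    if policy == EVERYTHING:
        return True
    if policy not in (IN_LIST, NOT_IN_LIST):
        raise ValueError(f"unknown split tunneling policy: {policy!r}")
    if not network_list:
        # Mirrors the guide: a network list must exist before split
        # tunneling can be enabled.
        raise ValueError("split tunneling requires a network list")
    matched = any(ip_address(dst) in n for n in _networks(network_list))
    return matched if policy == IN_LIST else not matched


def classify(policy, network_list, destinations):
    """Map each destination to 'tunnel' or 'clear' under the given policy."""
    return {d: "tunnel" if is_tunneled(policy, network_list, d) else "clear"
            for d in destinations}


def unreachable_private(network_list, private_space):
    """Parts of the private address space an In List client cannot reach:
    packets to them leave in clear text toward the Internet, where private
    addresses are not routable. This is the packet-filter effect."""
    remaining = [ip_network(private_space)]
    for net in _networks(network_list):
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                updated.extend(block.address_exclude(net))  # carve the listed net out
            elif not block.subnet_of(net):
                updated.append(block)  # disjoint from the listed net: keep as is
            # block fully inside the listed net: reachable, so drop it
        remaining = updated
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed sample: two private subnets in the list, three destinations.
    split_list = ["10.1.0.0/16", "192.168.10.0/24"]
    dests = ["10.1.2.3", "10.2.0.1", "8.8.8.8"]
    for policy in (EVERYTHING, IN_LIST, NOT_IN_LIST):
        print(policy, classify(policy, split_list, dests))
    print("private but unreachable:",
          [str(n) for n in unreachable_private(split_list, "10.0.0.0/8")])
```

With the In List policy, 10.2.0.1 is classified as clear even though it is a private address, which is exactly why a network list that covers only part of the private space acts as a filter: the client can reach 10.1.0.0/16 but nothing else in 10.0.0.0/8.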

Step 7 To create a split tunneling network list, click Create.

The dialog shown in Figure 6-72 appears.

Figure 6-72 Entering a Subnet Address for the Network List

a. Enter the subnet address and subnet mask, then click OK.

b. To add additional subnets to the split tunneling network list, click Create again and enter the additional addresses.

Step 8 Optionally, to automatically get the list of private subnets from an existing site-to-site IPsec VPN, click Generate.

A window is displayed that shows the list of service requests for the split tunnel list (see Figure 6-73).

Figure 6-73 Service Requests for Split Tunnel List

a. Since a VPN can be represented by one or more service requests, select all the service requests from which the list of private subnets must be extracted.

b. When the pertinent service requests are selected, click Select.

Once the network list is populated using Create, Generate, or both options, you can continue to edit the split tunneling network list until it contains the desired list of networks that must travel through the IPsec tunnel.

c. When satisfied with the split tunneling network list, click Next.

The Users List for the remote access VPN policy appears.

Step 9 If the PE is used to store the user profiles (instead of an AAA server), enter one or more users:

a. To add a remote access user, click Create.

The dialog shown in Figure 6-74 appears.

Figure 6-74 Adding a Remote Access User

b. Enter the user ID for the remote access user.

c. Enter the password for this user, confirm it, then click OK. Because the PE stores the user profiles in this case, the password is configured in the PE's local user database rather than on an AAA server.

The new user is added to the user list (see Figure 6-75).

Figure 6-75 User List for Remote Access

d. Repeat these steps to add additional remote access users.

e. When finished adding users, click Next.

The dialog box shown in Figure 6-76 appears.

Figure 6-76 Setting Idle Timeout and Reverse Route Injection Parameters

Step 10 Specify these parameters as needed:

a. SA Idle Timeout Enabled: To enable idle timeout, check the check box.

b. SA Idle Timeout (in seconds): Enter the idle timeout period in seconds. If there is no communication activity on a user connection in this period, the system terminates the connection. To disable timeout and allow an unlimited idle period, enter 0.

c. Reverse Route Injection: When enabled, the aggregator installs a static route to each connected client's assigned address (and, for site-to-site sessions, to the remote site's protected networks) into the VRF routing table. Those static routes can then be redistributed into the routing protocol used internally, such as OSPF or RIP, or into MP-BGP through the Redistribute Static option of the corresponding MPLS service request, so that return traffic reaches the client. Cisco recommends that you enable this option.

d. Reverse Route Injection Peer: Cisco recommends that you enable this option.

The following dialog box appears (see Figure 6-77).

Figure 6-77 Setting the PIX Editor Parameters

Step 11 Accept the defaults, then click Next.

The VPN 3000 Editor is displayed (see Figure 6-78).

Figure 6-78 Setting the VPN 3000 Editor Parameters

Step 12 Accept the VPN 3000 defaults, then click Next.

The Access Hours dialog box appears.

Step 13 Accept the Access Hours defaults, then click Next.

The dialog box shown in Figure 6-79 appears.

Figure 6-79 Setting the Layer 2 Tunneling Protocol Parameters

Step 14 Accept the Layer 2 Tunneling Protocol defaults, then click Next.

The Summary page is displayed, which lists the settings specified in this policy.

Step 15 Click Finish.


Create a Remote Access MPLS Policy


Tip When you create this MPLS policy for the PE-CE link, make sure the CE Present option is not enabled.


To create an MPLS policy for the link:


Step 1 Select the Service Design tab, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose MPLS Policy.

The Policy Type dialog box appears (see Figure 6-80).

Figure 6-80 MPLS Policy Settings with No CE Present

Step 3 Specify the appropriate values for the Policy Type parameters:

a. Policy Name: Enter the name of the policy.

b. Policy Owner: Select Customer.

c. Customer: Select the appropriate customer name.

d. Policy Type: Select Regular: PE-CE.

e. CE Present: Make sure to deselect this option (it is enabled by default).

Step 4 Click Next.

The PE Interface dialog box is displayed. Because no CE is present in this link, the CE interface parameters are absent from this dialog box.

You have the option of either specifying a specific PE interface type in the policy or keeping it open and making the final PE interface selection when the operator creates the MPLS service request.

Step 5 Accept the defaults for the PE Interface page, then click Next.

The IP Address Scheme dialog box is displayed.

Step 6 Accept the defaults for the IP Address Scheme page, then click Next.

The Routing Information dialog box appears (see Figure 6-81).

Figure 6-81 Specifying No Routing for the Link with No CE

Step 7 Specify the appropriate values for the Routing Information parameters:

a. Routing Protocol: Select NONE.

b. Redistribute Static: Cisco recommends that you enable this option.

c. Redistribute Connected: Cisco recommends that you enable this option.

d. Click Next.

The VRF and VPN Membership page appears.

For the most flexibility, Cisco recommends that you not select CERCs in the policy itself. Specify the CERCs when the operator creates the MPLS service request for this link.

Step 8 Accept the defaults in the VRF and VPN Membership page, then click Finish.


Create an IPsec Remote Access Service Request

To create an IPsec Remote Access service request for this link, follow these steps:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose IPsec RA.

The Select IPsec Policy dialog box appears. This dialog box displays the list of all the IPsec service policies that have been defined in ISC.

Step 4 Select the check box for the policy of choice, then click OK.

The IPsec Remote Access Service Editor appears (see Figure 6-82).

Figure 6-82 Creating an IPsec Remote Access Service Request

Step 5 Specify the appropriate values for the IPsec remote access service parameters:

a. VPN: Select the corresponding VPN for the service.

b. Network-based IPsec: Select IPSEC_TO_MPLS_MAPPING.

c. Select One-box solution: PE as the IPsec Aggregator.

Step 6 Remote Access Policies: To select a remote access policy for the service request, click Select.

The Policy Chooser window displays only the network-based policies owned by the current customer (see Figure 6-83).

Figure 6-83 Choosing the IPsec Remote Access Policy

Step 7 Click the check box for the IPsec Remote Access policy, then click Select.

You return to the Service Editor page, where the name of the Remote Access policy you selected is now displayed.

If the Remote Access IPsec policy has an AAA server for its authentication server, or if its group type is external, then you must specify an AAA server for the service request.

Step 8 From the AAA Servers field, click Select.

The AAA Server window displays only the AAA servers owned by the current customer (see Figure 6-84).

Figure 6-84 Specifying the AAA Server for This Service Request

Step 9 Click the check box for the appropriate AAA server, then click Select.

You return to the Service Editor page, where the name of the AAA server you selected is now displayed.

Step 10 To select the PE on which IPsec tunnels from remote access clients are to be terminated, in the PEs field, click Select.

The list of PEs associated with Remote Access services is displayed (see Figure 6-85).

Figure 6-85 Selecting the PE for This Remote Access Service

Step 11 Click the check box for the appropriate PE, then click Select.

You return to the Service Editor page, where the name of the PE you selected is now displayed.

For each PE, you can also specify the source interface to access the AAA server.

Step 12 In the AAA Server I/F column, click Select Interface.

The page shown in Figure 6-86 appears.

Figure 6-86 Selecting the Interface on the AAA Server

Step 13 Click the appropriate interface for the AAA server, then click Select.

As shown in Figure 6-87, the parameters to define the PE in this link are now specified for this remote access service request.

Figure 6-87 PE Parameters Specified

Step 14 When you're satisfied with the service request settings, click Save.


Create an MPLS Remote Access Service Request

To create an MPLS Remote Access service request for this link, follow these steps:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose MPLS VPN.

The Select MPLS Policy dialog box appears (see Figure 6-88). This dialog box displays the list of all the MPLS service policies that have been defined in ISC.

Figure 6-88 Selecting an MPLS Remote Access No-CE Policy

Step 4 Select an MPLS service policy in which the CE is not present, then click OK.

The MPLS Service Request Editor appears.

Step 5 Click Add Link.

The MPLS Service Request Editor now displays a set of fields, as shown in Figure 6-89.

Notice that the Select CLE field is enabled. Because there is no CE in this link, ignore this field.

Specifying the PE for the link is the first task required to define the link for this service.

Figure 6-89 Initial Fields Displayed to Define the PE-CE Link

Step 6 PE: Click Select PE.

The Select PE Device dialog box is displayed.

Step 7 In the Select column, select the name of the PE for the MPLS link, then click Select.

Step 8 PE Interface: From the drop-down list, select the PE interface on which IPsec tunnels will terminate (see Figure 6-90).


Note The selected interface for the PE must have already been marked as an IPsec public interface.


If the PE public interface is a subinterface, select the major interface.

Figure 6-90 PE Selected and PE Interface Defined

Step 9 In the Link Attribute column, select Add.

The MPLS Link Attribute Editor is displayed, showing the fields for the interface parameters (see Figure 6-91).

Figure 6-91 Confirming the MPLS Interface's IPsec Attribute

In this dialog box, only the interface name for the PE should be displayed. Next to the PE interface name, you should see "(IPsec public interface)".


Note If the interface you selected is not indicated as an IPsec public interface, you either selected an incorrect interface or the PE interface has not been marked as an IPsec public interface. If the latter is the problem, cancel out of this step, mark the PE public interface (see the "Marking a PE Public Interface" section), then return to the MPLS Service Request Editor to correctly specify the PE interface.


Step 10 When satisfied with the PE interface attributes, click Next.

The MPLS Link Attribute Editor for Routing Information appears (see Figure 6-92).

Figure 6-92 Specifying the MPLS Link Routing Protocol Attributes

The field values displayed in this dialog box reflect the values specified in the service policy associated with this service.

Step 11 Routing Protocol: Ensure the selected routing option is NONE.

a. Redistribute Static: Cisco recommends that you enable Redistribute Static so that the static routes injected into the VRF as a result of Reverse Route Injection will be redistributed to MP-BGP.

b. Redistribute Connected: Optionally, you can enable redistribution of directly connected routes.

c. Click Next.

The MPLS Link Attribute Editor for the VRF and VPN attributes appears

Step 12 To select a CERC for this service request, click Add.

The CERC Chooser dialog box appears (see Figure 6-93).

Figure 6-93 Specifying the CERC for the MPLS Link

a. Customer: Select the correct customer.

b. VPN: Select the correct VPN.

c. CERC: From the displayed list of CERCs, select the appropriate CERC.

You can use a CERC created for a site-to-site scenario.

d. Click Join as Hub.

e. When finished with these settings, click Done.

Your CERC selection is added to the VRF and VPN page (see Figure 6-94).

Figure 6-94 Hub CERC Specified for This Service Request

Step 13 When satisfied with the VRF and VPN settings, click Finish.

Step 14 To save your service request specifications for this link, click Save.


Deploy the IPsec and MPLS Remote Access Service Requests


Tip It is important to deploy the IPsec service request before the MPLS service request is deployed because there are some commands generated by the IPsec service request that the MPLS service request depends on.


To deploy the IPsec and MPLS remote access service requests:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 4 Select the check box next to the Job ID for the IPsec service request.

Step 5 Click the Deploy drop-down list, then click Deploy.

The Deploy Service Requests dialog box appears, which allows you to schedule when you want to deploy the selected service request.

Step 6 Complete the fields in this scheduling dialog box to schedule the service requested as needed.

Step 7 When satisfied with the schedule settings, click Save.

You return to the Service Requests dialog box. Check the Status display in the lower left corner of the window to make sure the service request deployed successfully.

Step 8 Repeat Steps 4 through 7 to deploy the MPLS service request.


Remote Access IPsec: Two-Box Solution

In the two-box solution (illustrated in Figure 6-95), the service provider terminates the IPsec tunnels on a Multi-VRF CE router. The Multi-VRF CE is connected to a PE. In the two-box solution, the IPsec Aggregator is the Multi-VRF CE.

IPsec tunnels from the various customers' remote users or off-net CEs terminate on a single interface on the Multi-VRF CE. VRF-aware IPsec maps each IPsec tunnel to the corresponding VRF on the Multi-VRF CE. The PE-facing interfaces are each in a customer's VRF, and the PE-facing interfaces connect to an interface on the PE, which itself is in a customer VRF.

Figure 6-95 Remote Users Connecting to a Multi-VRF CE Serving as an IPsec Aggregator

Links to Be Provisioned

In effect, the service provider creates an MPLS link between the PE and Multi-VRF CE, and then creates another link between the remote users and the Multi-VRF CE. The latter link is actually an IPsec tunnel rather than a traditional MPLS link. This can be achieved by using ISC to create both a no-CE MPLS link and an IPsec remote access tunnel between the Multi-VRF CE and the remote users.

In other words, there are really two links involved in this process, as shown in Figure 6-95:

A link between remote users and the Multi-VRF CE: This is an IPsec tunnel, and therefore requires both an IPsec service request and an MPLS service request.

A link between the Multi-VRF CE and a PE: This is a conventional MPLS link, and only requires an MPLS service request.

Tasks to Be Completed

To provision these two links between the remote user, the Multi-VRF CE, and the PE, the following tasks are required:

1. Mark the IPsec interfaces for the Multi-VRF CE (see the "Marking a PE Public Interface" section).

2. Create or use an existing IPsec Remote Access policy.

3. Create or use an existing MPLS policy (with no CE—the CE Present option must be turned off).

4. Create an IPsec remote access service request (using the MVRF-CE as the head-end).

5. Create an MPLS VPN service request (for the link between the MVRF-CE and the PE).

6. First, deploy the IPsec service request.

7. Finally, deploy the MPLS service request.

Create an AAA Server Entry

If the Remote Access IPsec policy indicates that user profiles or group attributes are obtained from an AAA (Authentication/Authorization/Accounting) server instead of having them stored on the PE router itself, you must create an AAA server entry.

Depending on whether the AAA server is owned by the service provider or the customer, select the ownership as Global or Customer, respectively.

For details on this procedure, see the "Create an AAA Server Entry" section.

Create an IPsec Remote Access Policy

An IPsec Remote Access policy defines the attributes of the IPsec tunnel between the IPsec aggregator and the remote user. These attributes are typically the same for both the one-box and two-box solutions.

For details on this procedure, see the "Create an IPsec Remote Access Policy" section.

Create a Remote Access MPLS Multi-VRF CE Policy


Tip When you create this MPLS policy for the Multi-VRF CE to PE link, make sure the CE Present option is not enabled.


To create an MPLS policy for the link:


Step 1 Select the Service Design tab, then choose Policy Manager.

The Policy Manager appears.

Step 2 From the Create drop-down list, choose MPLS Policy.

The Policy Type dialog box appears (see Figure 6-96).

Figure 6-96 MPLS Multi-VRF Policy Settings

Step 3 Specify the appropriate values for the Policy Type parameters:

a. Policy Name: Enter the name of the policy.

b. Policy Owner: Select Customer.

c. Customer: Select the appropriate customer name.

d. Policy Type: Select MVRFCE: PE-CE.

e. CE Present: Make sure to deselect this option (it is enabled by default).

Step 4 Click Next.

The Multi-VRF CE PE Interface dialog box is displayed (see Figure 6-97). Because no CE is present in this link, the CE interface parameters are absent from this dialog box.

This is a standard MPLS link. You have the option of either specifying a specific PE interface type in the policy or keeping it open and making the final PE interface selection when the operator creates the MPLS service request.

Figure 6-97 Specifying the Multi-VRF PE Interface Parameters

Step 5 Select the appropriate values for the interfaces on the PE for the link to the Multi-VRF CE, then click Next.

For details on these parameters, see the "Specifying the PE and CE Interface Parameters" section.

The Multi-VRF CE CE Interface dialog appears (see Figure 6-98).

Figure 6-98 Specifying the Multi-VRF CE Facing Interface Parameters

Step 6 Select the appropriate values for the interfaces on the Multi-VRF CE, then click Next.

The IP Address Scheme for the PE to Multi-VRF CE link dialog box appears (see Figure 6-99).

The link represented in this dialog is an IPsec tunnel.

Figure 6-99 Specifying the IP Address Scheme for the PE to Multi-VRF CE Link

Step 7 Specify the IP addressing scheme for the link between the PE and the Multi-VRF CE, then click Next.

For information on these parameters, see the "Specifying the IP Address Scheme" section.

The IP Address Scheme dialog box appears (see Figure 6-100).

Figure 6-100 Specifying the IP Address Scheme for the Multi-VRF CE to the CE Link

The link represented in this dialog is the IPsec tunnel between the Multi-VRF CE and the remote user. Because no IP address is assigned by the IPsec VPN service, this dialog is ignored.

Step 8 Accept the defaults, then click Next.

The Routing Information dialog box for the link between the PE and the Multi-VRF CE appears (see Figure 6-101).

Figure 6-101 Specifying the Routing Information for the PE to Multi-VRF CE Link

Step 9 Specify the routing parameters for the link between the PE and the Multi-VRF CE, then click Next.

You may also leave the default settings for the routing parameters and specify the routing details when the operator creates the MPLS service request.

For detailed information on these parameters, see the "Specifying the Routing Protocol for a Service" section.

The Routing Information dialog box for the link between the Multi-VRF CE and the remote user appears (see Figure 6-102).

Figure 6-102 Specifying the Routing Information for the Multi-VRF CE to Remote User Link

Step 10 Select NONE as the routing protocol option for the IPsec tunnel between the Multi-VRF CE and the remote user, then click Next.

The VRF and VPN Membership dialog box is displayed.

Step 11 Accept the VRF membership defaults, then click Finish.


Create an IPsec Remote Access Multi-VRF CE Service Request

To create an IPsec Remote Access Multi-VRF CE service request for this link, follow these steps:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose IPsec RA.

The Select IPsec Policy dialog box appears. This dialog box displays the list of all the IPsec service policies that have been defined in ISC.

Step 4 Select the check box for the policy of choice, then click OK.

The IPsec Remote Access Service Editor appears (see Figure 6-103).

Figure 6-103 Creating an IPsec Remote Access Service Request

Step 5 Specify the appropriate values for the IPsec remote access service parameters:

a. VPN: Select the corresponding VPN for the service.

b. Network-based IPsec: Select IPSEC_TO_MPLS_MAPPING.

c. Select Two-box solution: Multi-VRF CE as the IPsec Aggregator.

Step 6 Remote Access Policies: To select a remote access policy for the service request, click Select.

The Policy Chooser window displays only the network-based policies owned by the current customer (see Figure 6-104).

Figure 6-104 Choosing the IPsec Remote Access Policy

Step 7 Click the check box for the IPsec Remote Access policy, then click Select.

You return to the Service Editor page, where the name of the Remote Access policy you selected is now displayed.

If the Remote Access IPsec policy has an AAA server for its authentication server, or if its group type is external, then you must specify an AAA server for the service request.

Step 8 From the AAA Servers field, click Select.

The AAA Server window displays only the AAA servers owned by the current customer (see Figure 6-105).

Figure 6-105 Specifying the AAA Server for This Service Request

Step 9 Click the check box for the appropriate AAA server, then click Select.

You return to the Service Editor page, where the name of the AAA server you selected is now displayed.

Step 10 To select the Multi-VRF CE on which IPsec tunnels from remote access clients are to be terminated, in the CPEs field, click Select.

The list of Multi-VRF CEs associated with Remote Access services is displayed (see Figure 6-106).

Figure 6-106 Selecting the PE for This Remote Access Service

Step 11 Click the check box for the appropriate Multi-VRF CE, then click Select.

You return to the Service Editor page, where the name of the Multi-VRF CE you selected is now displayed.

For each Multi-VRF CE, you can also specify the source interface to access the AAA server.

Step 12 In the AAA Server I/F column, click Select Interface.

The page shown in Figure 6-107 appears.

Figure 6-107 Selecting the Interface on the AAA Server

Step 13 Click the appropriate interface for the AAA server, then click Select.

As shown in Figure 6-108, the parameters to define the Multi-VRF CE in this link are now specified for this remote access service request.

Figure 6-108 Multi-VRF CE Parameters Specified

Step 14 When you're satisfied with the service request settings, click Save.


Create an MPLS Remote Access Multi-VRF CE Service Request

To create an MPLS Remote Access service request for this link, follow these steps:


Step 1 Choose Service Inventory.

a. From the Service Inventory window, choose Inventory and Connection Manager.

b. From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 2 To start the process to create a new service, click Create.

A drop-down list is displayed, showing the types of service requests you can create.

Step 3 Choose MPLS VPN.

The Select MPLS Policy dialog box appears (see Figure 6-109). This dialog box displays the list of all the MPLS service policies that have been defined in ISC.

Figure 6-109 Selecting an MPLS Remote Access Multi-VRF No-CE Policy

Step 4 Select an MPLS service policy in which the CE is not present, then click OK.

The MPLS Service Request Editor appears.

Step 5 Click Add Link.

The MPLS Service Request Editor now displays a set of fields, as shown in Figure 6-110.

Notice that the Select CE field is enabled. Because there is no CE in this link, ignore this field.

Specifying the Multi-VRF CE for the link is the first task required to define the link for this service.

Figure 6-110 Initial Fields Displayed to Define the PE-CE Link

Step 6 MVRFCE: Click Select MVRFCE.

The Select CPE Device dialog box is displayed.

Step 7 In the Select column, select the name of the Multi-VRF CE for the MPLS link, then click Select.

Step 8 Multi-VRF CE CE-Facing Interface: From the drop-down list, select the CE-facing interface on the Multi-VRF CE. This is the interface on which IPsec tunnels from remote users or CEs will terminate.


Note The selected interface for the Multi-VRF CE must have already been marked as an IPsec public interface.


If the Multi-VRF CE's public interface is a subinterface, select the major interface.

Step 9 Multi-VRF CE PE-Facing Interface: Now select the PE-facing interface on the Multi-VRF CE.

This interface is in a standard MPLS link with the PE. Figure 6-111 shows the Multi-VRF CE facing interfaces selected.

Figure 6-111 Multi-VRF CE Facing Interfaces Selected

Step 10 PE: Click Select PE.

The list of PEs available for this MPLS link is displayed.

Step 11 Select the appropriate PE for this link, then click Select.

The name of the selected PE is now displayed in the PE column.

Step 12 PE Interface: Select the interface on the PE for the link with the Multi-VRF CE.

In this example, the Multi-VRF CE and the PE use their Ethernet interfaces for the MPLS link with 802.1Q encapsulation. Thus, they will be on the same VLAN.

ISC populates the PE Interface field, and the Link Attribute Add link is now enabled (see Figure 6-112).

Figure 6-112 Multi-VRF Fields Completed for This MPLS Service

Step 13 In the Link Attribute column, click Add.

The MPLS Link Attribute Editor is displayed, showing the fields for the interface parameters (see Figure 6-113).

On this page, you configure the attributes of the MPLS link between the PE and the Multi-VRF CE. This is a standard MPLS link. In this example, we configure a VLAN with ID 300 between the PE and the Multi-VRF CE.

Figure 6-113 Confirming the PE and Multi-VRF CE Interface Parameters

ISC has populated the interface names and the encapsulation (802.1Q) and entered the VLAN ID. ISC automatically creates subinterfaces on the PE and the Multi-VRF CE for this VLAN ID.

Step 14 Confirm the specific interface parameters for the PE and Multi-VRF CE, then click Next.

The Multi-VRF CE to CE Interface page appears (see Figure 6-114).

The IPsec public interface on the Multi-VRF CE is listed and is labeled IPsec public interface. The link represented in this dialog box is an IPsec tunnel, so the interface must be the IPsec public interface.

Figure 6-114 Specifying the Multi-VRF CE and CE Interface Parameters


Note If the interface you selected is not indicated as an IPsec public interface, you either selected an incorrect interface or the PE interface has not been marked as an IPsec public interface. If the latter is the problem, cancel out of this step, mark the PE public interface (see the "Marking a PE Public Interface" section), then return to the MPLS Service Request Editor to correctly specify the PE interface.


Step 15 No further configuration is needed in this dialog box—click Next.

The IP Address Scheme dialog for the PE to Multi-VRF CE link appears. The fields are populated with the values specified in the associated MPLS policy.

Step 16 If necessary, modify the IP address scheme for the link between the Multi-VRF CE and the PE; otherwise, accept the displayed values, then click Next.

The PE to Multi-VRF CE Routing Information dialog box appears (see Figure 6-115). The routing protocol fields are populated with the previously specified values.

Figure 6-115 Confirming the Routing Information for the PE to Multi-VRF CE Link

Step 17 Confirm the routing information for the link between the PE and the Multi-VRF CE, then click Next.

The Multi-VRF CE to CE Routing Information dialog box is displayed (see Figure 6-116).

In this dialog, you select the routing option between the Multi-VRF CE and the Cisco VPN Client.


Note Because the link between the Multi-VRF CE and the Cisco VPN Client is a pure IPsec tunnel, you must select NONE as the routing option.


Figure 6-116 Specifying No Routing Between the Multi-VRF CE and the CE

Step 18 Routing Protocol: Select NONE for the routing option, then click Next.

The MPLS Link Attribute Editor for the VRF and VPN attributes appears.

Step 19 To select a CERC for this service request, click Add.

The CERC Chooser dialog box appears.

a. Customer: Select the correct customer.

b. VPN: Select the correct VPN.

c. CERC: From the displayed list of CERCs, select the appropriate CERC.

You can use a CERC created for a site-to-site scenario.

d. Click Join as Hub.

e. When finished with these settings, click Done.

Your CERC selection is added to the VRF and VPN page.

Step 20 When satisfied with the VRF and VPN settings, click Finish.

Step 21 To save your service request specifications for this link, click Save.


Deploy the IPsec and MPLS Remote Access Service Requests


Tip It is important to deploy the IPsec service request before the MPLS service request, because the MPLS service request depends on some of the commands generated by the IPsec service request.


To deploy the IPsec and MPLS remote access service requests:


Step 1 Choose the Service Inventory tab.

Step 2 From the Service Inventory window, choose Inventory and Connection Manager.

Step 3 From the Inventory and Connection Manager window, choose Service Requests.

The Service Requests dialog box appears.

Step 4 Select the check box next to the Job ID for the IPsec service request.

Step 5 Click the Deploy drop-down list, then click Deploy.

The Deploy Service Requests dialog box appears, which allows you to schedule when you want to deploy the selected service request.

Step 6 Complete the fields in this scheduling dialog box to schedule the service request as needed.

Step 7 When satisfied with the schedule settings, click Save.

You return to the Service Requests dialog box. Check the Status display in the lower left corner of the window to make sure the service request deployed successfully.

Step 8 Repeat Steps 4 through 7 to deploy the MPLS service request.
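As an added pre-deployment sanity check, not ISC code and not part of this guide, the following Python encodes the constraints that the two-box remote access procedure above states (CE Present off, the Multi-VRF CE's selected interface marked as an IPsec public interface with a subinterface resolved to its major interface, routing NONE on the pure IPsec link to the VPN client, an AAA server selected when the policy needs one, and the IPsec service request deployed before the MPLS one) and runs them over a constructed plan. Device, interface and server names are hypothetical.

```python
# Added example (not ISC code): encodes the constraints this two-box remote access
# procedure states as a pre-deployment check over a constructed service request plan.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class MultiVrfCe:
    name: str
    ipsec_public: Dict[str, bool] = field(default_factory=dict)  # iface -> marked?

@dataclass
class Plan:
    mpls_policy_ce_present: bool      # CE Present option of the MPLS policy
    mvrfce: MultiVrfCe
    ce_facing_interface: str          # terminates remote-user IPsec tunnels
    mvrfce_to_client_routing: str     # routing option on the Multi-VRF CE to client link
    ra_policy_uses_aaa: bool          # AAA authentication server or external group type
    aaa_server: Optional[str]
    deploy_order: List[str]           # service request types, in deployment order

def major_interface(name: str) -> str:
    # A subinterface (e.g. FastEthernet0/0.300) is selected through its major interface.
    return name.split(".", 1)[0]

def check_plan(plan: Plan) -> List[str]:
    problems = []
    if plan.mpls_policy_ce_present:
        problems.append("MPLS policy: CE Present must be deselected (no CE on this link)")
    iface = major_interface(plan.ce_facing_interface)
    if not plan.mvrfce.ipsec_public.get(iface, False):
        problems.append(f"{plan.mvrfce.name} {iface} is not marked as an IPsec public interface")
    if plan.mvrfce_to_client_routing.upper() != "NONE":
        problems.append("Multi-VRF CE to VPN client link is a pure IPsec tunnel: routing must be NONE")
    if plan.ra_policy_uses_aaa and not plan.aaa_server:
        problems.append("remote access policy uses AAA/external groups: select an AAA server")
    order = plan.deploy_order
    if "IPSEC_RA" in order and "MPLS_VPN" in order and order.index("IPSEC_RA") > order.index("MPLS_VPN"):
        problems.append("deploy the IPsec service request before the MPLS service request")
    return problems

# Constructed sample: hypothetical device and interface names, VLAN 300 as in the text.
MVRFCE = MultiVrfCe("mvrfce1", {"FastEthernet0/0": True, "FastEthernet0/1": False})
GOOD_PLAN = Plan(False, MVRFCE, "FastEthernet0/0.300", "NONE", True, "aaa-srv1",
                 ["IPSEC_RA", "MPLS_VPN"])
BAD_PLAN = Plan(True, MVRFCE, "FastEthernet0/1", "OSPF", True, None,
                ["MPLS_VPN", "IPSEC_RA"])
if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```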