Secure Overlay and Single IP Configuration

Secure Overlay

An overlay is a virtualized network layer on top of the physical network with the support of its infrastructure to provide additional security to the newtork. IPSec is a framework with protocols and algorithms to provide secured data transimission over unprotected or untrusted networks. IPSec secure tunnel is created between two networks to ensure virtual private network communication.

Secure overlay in NFVIS allows IPSec tunnel establishment between NFVIS supporting the vBranch platform and a VPN server and allows the orchestrator to manage NFVIS over the IPSec tunnel.

Supported Features on Secure Overlay

The following features are supported on NFVIS 3.10.x and later releases:

  • IPSec IKEv2

  • IPv4

  • Authentication:

    • Pre-shared-key authentication

    • Introduced in NFVIS 3.12.3 release - EAP authentication

  • IKE cipher:

    • aes128-sha1-mopd1536

    • Introduced in NFVIS 3.12.3 release - aes256-sha512-modp2048

    • Introduced in NFVIS 3.12.3 release - aes256-sha512-modp4096

  • ESP cipher:

    • aes128-sha1

    • Introduced in NFVIS 3.12.3 release - aes256-sha512

  • Local system IP address:

    • Unique tunnel IP address for each NFVIS system.

    • Introduced in NFVIS 3.11.1 release - Internal management network bridge (int-mgmt-net-br) gateway IP address is allowed to be used as local system IP address. In this case, the local system IP bridge much be set to internal management network (int-mgmt-net).

  • Local bridge for NFVIS reaching out to remote VPN server:

    • wan-br by default

    • wan2-br

  • Introduced in NFVIS 3.12.1 release - Secure overlay is support on NFVIS Dual WAN feature. DHCP client toggles between wan and wan2 to request for an IP address. When IP address and default gateway are obtained from an interface with DHCP configuration, the toggling stops. If dual-local-bridge is configured, to start overlay, NFVIS selects the interface between local-bridge and dual-local-bridge, in the following order:

    • Interface with DHCP configuration.

    • Interface having static IP address.

    • If both interfaces have static IP address, local-bridge interface.

  • Local identity:

    • IP address or FQDN

    • Introduced in NFVIS 3.12.3 release - email domain

  • Remote identity:

    • IP address or FQDN

    • Introduced in NFVIS 3.12.3 release - Distinguish Name

    • Introduced in NFVIS 3.12.3 release - email domain

Example for Secure Overlay with Zero Touch Deployment

  1. NFVIS has WAN IP address, static IP address or DHCP IP address. NFVIS calls home PnP server.

  2. The PnP server pushes NFVIS Day-0 configurations including the secure overlay configuration.

  3. NFVIS establishes IPSec connection between NFVIS and the headend management hub which has IPSec VPN configurations. On NFVIS side, the tunnel end point has NFVIS local system IP address.

  4. After the IPSec tunnel is up, the headend can connect to NFVIS through the system IP address and manage NFVIS over the IPSec tunnel.

To configure secure overlay:


configure terminal
secure-overlay mgmthub
remote-interface-ip-addr 10.85.189.36
    local-bridge wan-br
    remote-system-ip-addr 10.19.18.251 
    remote-id mgmt-hub.cloudvpn.com 
    local-system-ip-addr 14.14.14.4
    psk local-psk Cisco1234Admin 
    remote-psk Cisco1234Admin
    commit



confirgure terminal
secure-overlay myconn 
local-system-ip-addr 12.12.12.1 
local-system-ip-bridge int-mgmt-net 
remote-interface-ip-addr 172.19.160.75 
    remote-system-ip-addr 192.168.1.90 
    ike-cipher aes256-sha512-modp2048 
    esp-cipher aes256-sha512  
    remote-id "CN=vbranch, unstructuredAddress=172.19.160.75, unstructuredName=Headend.headendvpn" 
    local-id AxxxY@cisco.com
    commit



configure terminal 
secure-overlay myconn eap 
username admin 
password Cisco123# 
cacert intdatastore:uploads/csr.pem
commit

To get the secure overlay state:


nfvis# show secure-overlay    
                ACTIVE                 SELECTED        
                LOCAL       STATE      LOCAL
NAME    STATE   BRIDGE     DETAILS     BRIDGE
--------------------------------------------------------
MYCONN   UP     wan-br                 wan-br

Examples for Configuring Secure Overlay


Note

Secure overlay configuration on NFVIS must match with VPN configuration on the VPN server. The secure overlay tunnel will not be established successfully if the configurations do not match.

Secure Overlay over WAN with pre-shared-key and fqdn-remote-id


<secure-overlay>
   <name>mgmthub</name>
   <local-bridge>wan-br</local-bridge>
   <local-system-ip-addr>14.14.14.4</local-system-ip-addr>
   <remote-interface-ip-addr>10.85.189.36</remote-interface-ip-addr>
   <remote-system-ip-addr>10.19.18.251</remote-system-ip-addr>
   <remote-id>mgmt-hub.cloudvpn.com</remote-id>
   <psk>
      <local-psk>Cisco1234Admin</local-psk>
      <remote-psk>Cisco1234Admin</remote-psk>
   </psk>
</secure-overlay>

VPN configuration on VPN server:


crypto ikev2 authorization policy default
 route set interface
 route set access-list Inject
 
crypto ikev2 profile default
 match identity remote any
 identity local fqdn mgmt-hub.cloudvpn.com
 authentication local pre-share key Cisco1234Admin
 authentication remote pre-share key Cisco1234Admin
 dpd 60 2 on-demand
 nat keepalive 25
 aaa authorization group psk list default default
 virtual-template 1

crypto ipsec transform-set NO-ENCR esp-aes esp-sha-hmac 
 mode tunnel

crypto ipsec profile default
 set transform-set NO-ENCR 
 set ikev2-profile default

interface Loopback1
 description for IKEv2
 ip address 10.253.254.1 255.255.255.255

interface GigabitEthernet0/0/1
 description Corp_Network
 ip address 10.85.189.36 255.255.255.0
 negotiation auto

interface GigabitEthernet0/0/2
 ip address 10.19.18.250 255.255.255.0
 negotiation auto

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

ip access-list extended Inject
 remark restricts customer mgmt addresses
 permit ip 10.254.0.0 0.0.255.255 any

Internal management network bridge IP address as local system IP address


Note

NFVIS internal management network has gateway IP address 12.12.12.1.

 

<secure-overlay>
   <name>mgmthub</name>
   <local-bridge>wan-br</local-bridge>
   <local-system-ip-addr>12.12.12.1</local-system-ip-addr>
   <local-system-ip-bridge>int-mgmt-net</local-system-ip-bridge>
   <remote-interface-ip-addr>10.85.189.36</remote-interface-ip-addr>
   <remote-system-ip-addr>10.19.18.251</remote-system-ip-addr>
   <remote-id>mgmt-hub.cloudvpn.com</remote-id>
   <psk>
      <local-psk>Cisco1234Admin</local-psk>
      <remote-psk>Cisco1234Admin</remote-psk>
   </psk>
</secure-overlay>

dual-local-bridge and int-mgmt-net-br IP as local system IP


<secure-overlay>
   <name>mgmthub</name>
   <local-bridge>wan-br</local-bridge>
   <dual-local-bridge>wan2-br</dual-local-bridge.
   <local-system-ip-addr>12.12.12.1</local-system-ip-addr>
   <local-system-ip-bridge>int-mgmt-net</local-system-ip-bridge>
   <remote-interface-ip-addr>10.85.189.36</remote-interface-ip-addr>
   <remote-system-ip-addr>10.19.18.251</remote-system-ip-addr>
   <remote-id>mgmt-hub.cloudvpn.com</remote-id>
   <psk>
      <local-psk>Cisco1234Admin</local-psk>
      <remote-psk>Cisco1234Admin</remote-psk>
   </psk>
</secure-overlay>

EAP authentication


<secure-overlay>
   <name>mgmthub</name>
   <local-bridge>wan-br</local-bridge>
   <local-system-ip-addr>12.12.12.1</local-system-ip-addr>
   <local-system-ip-bridge>int-mgmt-net</local-system-ip-bridge>
   <local-id>branch101@cisco.com</local-id>
   <remote-interface-ip-addr> 172.19.160.75</remote-interface-ip-addr>
   <remote-system-ip-addr> 192.168.1.90</remote-system-ip-addr>
   <remote-id>CN=vbranch, unstructuredAddress=172.19.160.75, unstructuredName=Headend.headendvpn</remote-id>
   <ike-cipher>aes256-sha512-modp2048</ike-cipher>
   <esp-cipher>aes256-sha51</esp-cipher>
   <eap>
      <username>admin</username>
      <password>Cisco123#</password>
      <cacert>https://cert/csr.pem</cacert>
   </eap>
</secure-overlay>

The following is an example of the VPN configuration on VPN server:



aaa group server radius radius-group
 server-private 172.19.160.190 auth-port 1812 acct-port 1813 key Cisco123#
 ip radius source-interface GigabitEthernet

aaa authentication login default group radius-group
aaa authentication login ucpe-authen group radius-group

ip domain name headendvpn
 
crypto pki server ca-server
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 auto-rollover 365
 eku server-auth client-auth
 database url flash:ca

crypto pki trustpoint ca-server
 revocation-check crl
 rsakeypair ca-server

crypto pki trustpoint router
 enrollment url http://172.19.160.75:80
 ip-address 172.19.160.75
 subject-name CN=vbranch
 revocation-check crl
 rsakeypair router
 auto-enroll regenerate
 hash sha512

crypto ikev2 authorization policy uCPE-athor-pol 
 pfs
 route set interface 

no crypto ikev2 authorization policy default

crypto ikev2 proposal uCPE-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16 14
 
no crypto ikev2 policy default

crypto ikev2 policy uCPE-policy 
 match address local 172.19.160.75
 proposal uCPE-proposal
crypto ikev2 profile uCPE-profile
 description uCPE profile
 match identity remote email domain cisco.com
 identity local dn 
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint router
 dpd 60 2 on-demand
 aaa authentication eap ucpe-authen
 aaa authorization group eap list default uCPE-athor-pol
 virtual-template 1 mode auto

crypto ipsec transform-set tset_aes_256_sha512 esp-aes 256 esp-sha512-hmac 
 mode tunnel

crypto ipsec profile uCPE-ips-prof
 set security-association lifetime seconds 28800
 set security-association idle-time 1800
 set transform-set tset_aes_256_sha512
 set pfs group16
 set ikev2-profile uCPE-profile

interface Loopback1
 ip address 192.168.254.1 255.255.255.0

interface GigabitEthernet1
 ip address 172.19.160.75 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid

interface GigabitEthernet2
 ip address 192.168.1.90 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid

interface Virtual-Template1 type tunnel
 description uCPE virt template
 ip unnumbered Loopback1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile uCPE-ips-prof

Single Public IP Address and Secure Overlay

Single Public IP Address

In a virtual branch deployment, two public IP addresses are needed for each branch site, one for the NFVIS hypervisor and the other one for the WAN router. In Single Public IP Address feature on NFVIS, one public IP address assigned to a branch site, is seamlessly shared between the NFVIS hypervisor and the guest VM deployed on NFVIS. This feature ensures that the branch site is reachable even if the guest router is in failure state.

NFVIS reclaims the WAN IP address if the guest router has:

  • Deployment failure.

  • Error state.

  • Stopped.

  • Undeployed.

NFVIS releases the WAN IP address if the guest router has:

  • Deployed.

  • Started.

To create a single-ip-mode:


configure terminal
single-ip-mode vm-name ROUTER.ROUTER
commit

To get the state of single-ip-mode use the show single-ip-mode command.

Single Public IP Address with Secure Overlay

Secure overlay tunnel is established automatically when IP address is moves back and forth between NFVIS and the guest VM. The orchestrator can always reach NFVIS through the system IP address which does not change during the transitioning of the single public IP address.

Figure 1. Example of Setting IPSec Tunnel in Single IP mode

After secure overlay over WAN is established, the orchestrator sends requests to configure single IP mode and deploy the guest router that takes the public IP address.

  1. NFVIS deploys the VM with specified bootstrap and Day-0 configuration. NFVIS takes down the current IPSec tunnel and releases the public IP address.

  2. The VM takes the public IP address when it is in active state. NFVIS sets up the IPSec tunnel again with the remote management hub.

  3. After the IPSec tunnel is up, the orchestrator can connect to NFVIS through its system IP address and manage NFVIS over the IPSec tunnel.

In single IP mode, NFVIS monitors the guest VM taking the public IP address. NFVIS takes WAN IP address back when the guest VM is:

  • In error state.

  • Stopped through vmAction.

  • Undeployed.

Figure 2. Example of NFVIS Handling Failure

  1. NFVIS takes WAN IP address.

  2. NFVIS sets up IPSec tunnel to the management hub.

  3. When IPSec tunnel is up, the VPN server can connect to NFVIS through its system IP address and manage NFVIS over the IPSec tunnel.

Guest VM taking Public IP Address

Guest VM must be deployed as a monitored VM which has two interfaces:

  • Interface facing public with the public IP address.

  • Interface on int-mgmt-net-br for traffic flow with NFVIS.

The guest VM has routing function to route traffic between the two interfaces and Network address translation (NAT) enabled. NFVIS reaches remote through int-mgmt-net-br to the guest VM.

The int-mgmt-net-br address pool and gateway IP address must be unique on each NFVIS. If secure overlay is configured, single IP mode is setup when VM is active and int-mgmt-net-br is used as a local-bridge.

Single IP address and DHCP

NFVIS single-ip-mode supports the public IP address acquired through DHCP by leveraging on the lease timer configuration on DHCP server. The guest VM with Day-0 configuration gets the IP address through DHCP when NFVIS client sends release message to DHCP server.

To handle failure, NFVIS:

  • stops the VM, to ensure the VM dhclient does not send DHCP renew to DHCP server

  • switches back to WAN and its dhclient sends DHCP renew message to DHCP server

  • gets the same IP address from DHCP server when VM’s lease time expires.

ISRv bootstrap and Day-0 Configuration

In single-ip-mode, NFVIS reaches to the guest router and takes its IP address. Traffic must be allowed between ISRv gigabit ethernet interface 1 connected to NFVIS int-mgmt-net-br and gigabit ethernet interface 2 connected to public side having the public IP address.

To verify single-ip-mode status use the show single-ip-mode and show secure-overlay command.

Single IP and Secure Overlay APIs

Secure Overlay APIs

Secure Overlay Commands

/api/config/single-ip-mode

single-ip-mode

/api/operational/single-ip-mode

Single IP Address Without Secure Overlay


Note

This feature is only supported for WAN bridge in NFVIS 3.10.1 release.

To reach NFVIS when secure overlay is not configured, you must first configure the guest device and manage IP addressing. The rest of the functionality, switching IP address between NFVIS and the guest device is the same as IP address with secure overlay.

Typically you need two IP addresses in each site, one for NFVIS and one for the VM. You can enable the single IP feature to reduce one public IP address. The single public IP address is used by NFVIS after deploying the VM with the single IP feature. After the VM comes up, NFVIS releases the public IP address for the VM to use. NFVIS and the VM have an internal network to communicate with each other. The traffic between NFVIS and an external network will need to go through the new VM and NAT by the new VM.

For single IP without secure overlay feature to work:

  • From the Deploy page on NFVIS portal select single IP or configure the single IP mode by using the single-ip-mode router.router command.

  • Provide a bootstrap file for the VM.

  • Enable Monitor for the VM and the internal network int-mgmt-net between NFVIS and VM is created automatically.

The following example is a sample bootstrapping configuration:

172.25.221.7/24 is the single public IP address that is originally used by NFVIS and later by the VM. 172.25.221.1 is the gateway to the external network and 10.20.0.x is the internal network between NFVIS and the VM. IP address in 10.20.0.x network is used to NAT by the VM: - 


---------------------
interface GigabitEthernet1
ip nat inside
negotiation auto
!
interface GigabitEthernet2
ip address 172.25.221.17 255.255.255.0
ip nat outside
negotiation auto
!
ip nat inside source list NAT interface GigabitEthernet2 overload
ip route 0.0.0.0 0.0.0.0 172.25.221.1
!
ip access-list standard NAT
permit 10.20.0.0 0.0.0.25
-------------

When the VM is down, NFVIS takes back the single IP address and the external server can communicate with NFVIS directly.