The topics below describe the procedure to follow for VPN connectivity.
| Table of Contents |
|---|
Configuring VPN Connectivity with CME Network Services
Upon receipt of the Schedule B form, a CME Network Services engineer will review and evaluate the provided information. The engineer will send the following information to be used in configuring your connectivity:
A range of private addresses (per RFC 1918) from which you assign addresses to your hosts
A single private address (per RFC 1918) that you will use for your GRE tunnel
A single private loopback address (per RFC 1918) that you will use as the GRE tunnel source
An MDP certification template
A suggested router configuration
A unique pre-shared key (PSK) for authenticating devices and encrypting/decrypting packets
| Info |
|---|
For details regarding the RFC 1918, a request for comment standards document on the topic of address allocation for private internets, see the RFC Editor site (http://www.rfc-editor.org/). |
Sample Customer Cisco IOS Configuration
...
| Panel |
|---|
ip multicast-routing #(only required for MDP access) crypto isakmp policy 2 encr aes hash md5 authentication pre-share crypto isakmp key xxxxxxxxx address 164.74.129.10 ! crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac ! crypto map cmevpn 1 ipsec-isakmp set peer 164.74.129.10 set transform-set cmevpn match address 100 ! interface Loopback0 #(Leave interface shutdown if MDP access not required) ip address 10.144.0.x 255.255.255.255 shutdown interface Tunnel0 #(Leave interface shutdown if MDP access not required) ip address 10.144.1.x 255.255.255.252 ip pim sparse-mode tunnel source 10.144.0.x tunnel destination 10.144.254.1 shutdown interface fa0/0 ip address 10.144.x.1 255.255.255.0 ip pim sparse-mode #(only required for MDP access) duplex auto speed auto no cdp enable ! interface fa0/1 ip address x.x.x.x 255.255.255.x #(Customer public interface) crypto map cmevpn ip access-group 199 in ! ip route 69.50.112.0 255.255.255.128 Tunnel0 #(only required for MDP access) ip classless no ip http server no ip http secure-server ip pim rp-address 69.50.112.254 #(only required for MDP access) ip mroute 69.50.112.0 0.0.127 Tunnel0 #(only required for MDP access) access-list 100 permit ip 10.144.x.0 0.0.0.255 69.50.112.0 0.0.255 access-list 100 permit gre host 10.144.0.x host 10.144.254.1 #(only required for MDP access) access-list 199 permit ip 69.50.112.0 0.0.255 10.144.x.0 0.0.0.255 access-list 199 permit udp any any eq isakmp access-list 199 permit ahp any any access-list 199 permit esp any any |
...
After Configuring the VPN Connection
| Info |
|---|
You will not be able to ping the CME Group public IP VPN peer address 164.74.129.10 across the VPN tunnel or from anywhere on the Internet. CME Group does not permit this traffic. |
The following Cisco IOS commands are helpful in troubleshooting issues that may arise when turning up new VPN connections:
sh crypto isakmp sa | i 164.74.129.10 (a good output should show "QM_IDLE" state)
sh crypto ipsec sa | i 164.74.129.10 (a good output will show packets being encapsulated and decapsulated with no errors)
Use one of the following tests for VPN connections that include access to CME Group's MDP environments:
Ping across the GRE tunnel to CME Group's point-to-point IP (not the source and destination GRE loopback addresses, but the IP address assigned to the actual tunnel interface).
The Cisco IOS command "show ip pim neighbor" should show CME Group's head end router as a PIM neighbor.
After Verifying the VPN Connection
...
Your firm may soon be ready to perform application testing and attain CME Group certification. Users performing certification may refer to the following topics:
CME Market Data Platform describes how to develop for the new platform and how the platform will read from the user interface of the customer-side application.
CME Market Data Platform AutoCert+ Guide describes how to log into the AutoCert+ site and lists the required and optional test scripts corresponding to MDP message functionality.