CL2 VPN Connectivity Procedures

Owned by CME Group
Last updated: Aug 20, 2024
2 min read

The topics below describe the procedure to follow for VPN connectivity.

Configuring VPN Connectivity with CME Network Services

Upon receipt of the Schedule B form, a CME Network Services engineer will review and evaluate the provided information. The engineer will send the following information to be used in configuring your connectivity:

  • A range of private addresses (per RFC 1918) from which you assign addresses to your hosts

  • A suggested router configuration

  • A unique pre-shared key (PSK) for authenticating devices and encrypting/decrypting packets

For details regarding the RFC 1918, a request for comment standards document on the topic of address allocation for private internets, see the RFC Editor site (http://www.rfc-editor.org/).

Sample Customer Cisco IOS Configuration

The following is a sample customer Cisco IOS configuration:

crypto isakmp policy 2

encr aes

hash md5

authentication pre-share

crypto isakmp key xxxxxxxxx address 164.74.125.10

!

crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac

!

crypto map cmevpn 1 ipsec-isakmp

set peer 164.74.125.10

set transform-set cmevpn

match address 100

!

interface fa0/0

ip address 10.203.x.1 255.255.255.0

duplex auto

speed auto

no cdp enable

!

interface fa0/1

ip address x.x.x.x 255.255.255.x #(Customer public interface)

crypto map cmevpn

ip access-group 199 in

!

ip classless

no ip http server

no ip http secure-server



access-list 100 permit ip 10.203.x.0 0.0.0.255 69.50.120.0 0.0.255

access-list 199 permit ip 69.50.120.0 0.0.255 10.203.x.0 0.0.0.255

access-list 199 permit udp any any eq isakmp

access-list 199 permit ahp any any

access-list 199 permit esp any any

Verifying VPN Operation

After Configuring the VPN Connection

You will not be able to ping the CME Group public IP VPN peer address 164.74.125.10 across the VPN tunnel or from anywhere on the Internet. CME Group does not permit this traffic.

The following Cisco IOS commands are helpful in troubleshooting issues that may arise when turning up new VPN connections:

  • sh crypto isakmp sa | i 164.74.125.10 (a good output should show "QM_IDLE" state)

  • sh crypto ipsec sa | i 164.74.125.10 (a good output will show packets being encapsulated and decapsulated with no errors)

After Verifying the VPN Connection

If you have any problems or questions performing the above, please contact the network engineer who has been assigned your work request.







How was your Client Systems Wiki Experience? Submit Feedback

Copyright © 2024 CME Group Inc. All rights reserved.