DMVPN & GET VPN

Today I would like to test an integration of DMVPN and GET VPN technologies. DMVPN can be used over the public network like Internet and GET VPN only over private like MPLS (because of IP preservation).

As you remember from my previous posts about DMVPN the best option is the phase 3. With thousands of spokes your hub has to keep the same number of SAs (security association).

As you remember, for the phase 3, the first packet was sent to the hub and then was redirected (NHRP) to the destination. Next packets were sent directly to the spoke:

R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.1 40 msec 56 msec 76 msec
  2 10.10.10.3 104 msec 88 msec 140 msec
R2# 



R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.3 104 msec 104 msec 72 msec
R2#

Let’s test how it works with GET VPN:

1) First I added a new spoke 3 which will be a Key Server for GET VPN.

dmvpn-getvpn-1.jpg

2) Next I have to remove a tunnel protection on the hub and all spokes:

interface Tunnel0
no  tunnel protection ipsec profile IPSEC-PRF

Once we remove the protection, I see on my firewall the new GRE connections (not ESP as before):

GRE spoke3 8.8.8.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke2 7.7.7.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke1 6.6.6.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke2 7.7.7.1:0 hub 5.5.5.1:0, idle 0:00:00, bytes 1156, flags E
GRE spoke1 6.6.6.1:0 hub 5.5.5.1:0, idle 0:00:00, bytes 1156, flags E

I need to change the ACL for the new spoke:

asa1(config)# %ASA-4-106023: Deny protocol 47 src spoke3:8.8.8.1 dst hub:5.5.5.1 by access-group "SPOKE3" [0x0, 0x0]
access-list SPOKE3 ext permit gre host 8.8.8.1 host 5.5.5.1

3) Once I have unprotected GRE tunnels between all routers, I can start implementing GET VPN

a) key server:

crypto key generate rsa general-keys modulus 1024 label GETVPN-KEY

access-list 100 deny udp any eq 848 any eq 848
access-list 100 permit gre any any


!
crypto gdoi group GETVPN-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PRF
   match address ipv4 100
   replay counter window-size 64
  address ipv4 8.8.8.1
!

b) group members:

crypto gdoi group GETVPN-GROUP
 identity number 1
 server address ipv4 8.8.8.1
!
crypto map MAPA 1 gdoi
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 crypto map MAPA
!

On the ASA I can see:

%ASA-4-106023: Deny udp src spoke3:8.8.8.1/848 dst hub:5.5.5.1/848 by access-group "SPOKE3" [0x0, 0x0]
%ASA-4-106023: Deny udp src spoke2:7.7.7.1/848 dst spoke3:8.8.8.1/848 by access-group "SPOKE2" [0x0, 0x0]
%ASA-4-106023: Deny udp src spoke1:6.6.6.1/848 dst spoke3:8.8.8.1/848 by access-group "SPOKE1" [0x0, 0x0]

Let’s fix it:

access-list SPOKE1 ext permit udp host 6.6.6.1 host 8.8.8.1 eq 848
access-list SPOKE2 ext permit udp host 7.7.7.1 host 8.8.8.1 eq 848
access-list SPOKE3 ext permit udp host 8.8.8.1 host 5.5.5.1 eq 848

Ok, let’s check how to works:

DMVPN:

a) hub

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         6.6.6.1      10.10.10.2    UP 01:08:22 D
     2         7.7.7.1      10.10.10.3    UP 01:08:22 D
     1         8.8.8.1      10.10.10.4    UP 01:08:12 D

R1#

b) spoke - R2

R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         5.5.5.1      10.10.10.1    UP 01:14:39 S
     1         7.7.7.1      10.10.10.3    UP 01:01:10 D

R2#sh ip nh
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:15:00, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
100.33.33.0/24 via 10.10.10.3, Tunnel0 created 01:01:17, expire 00:58:42
  Type: dynamic, Flags: router nat
  NBMA address: 7.7.7.1
R2#

On the Key Server (R4) I see 3 registered GMs:

R4#sh crypto gdoi
Group Information

    Group Name               : GETVPN-GROUP
    Group Identity           : 1
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 84047 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PRF
      Replay method          : Count Based
      Replay Window Size     : 64
      ACL Configured         : access-list 100

    Group Server list        : Local


R4#

As the GET VPN is tunnel less on R2 we can see:

R2#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAPA, local addr 6.6.6.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 6.6.6.1, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x714D2F06(1900883718)

     inbound esp sas:
      spi: 0x714D2F06(1900883718)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 53, flow_id: SW:53, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4458211/1083)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x714D2F06(1900883718)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 54, flow_id: SW:54, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4458211/1080)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#

I check now how the traffic from Lan2 is sent to Lan3:

R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.3 104 msec 80 msec 72 msec
R2#

As you see the first attempt is sent using spoke-to-spoke connection.

Let’s check if we can intercept traffic (inside IPs) as with the native GET VPN:

dmvpn-getvpn-2.jpg

so, I can assume it works as expected. We can’t see inside IP addresses. We don’t have many SAs as with native DMVPN and traffic between spokes is sent directly, even the first packet.

 
19
Kudos
 
19
Kudos

Now read this

ACS, radius and management access to ASA

There are couple of ways how to configure management access to ASA. One of them is configuring users in ACS database. Depending on radius attributes the user can have access to specific management ways. ciscoasa# sh run aaa aaa... Continue →