GET VPN - part eight (fail-close)
I would like to analyze one scenario where a GM sends data before or during registration process. When the GM is registered the traffic is encrypted like we can see here:
Ping from R3 to R5 (GET VPN active, GM registered)
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/104/128 ms
R3#
Now I disable KS1 and KS2 and clear keys on GM1:
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
.....
Success rate is 0 percent (0/5)
R3#
As you see I didn’t receive any response but traffic was sent as a clear text. In my case it was just ping but you can imagine an application that tries to send some data that can be easily eavesdropped.
There is one feature – fail-close - which can block the traffic until a GM will be able to get all keys and start sending traffic over an encrypted tunnel (ESP). There are two methods how to implement it:
a) ACL on interface – you can add permit/deny entries for traffic that should be allowed or not
b) Crypto map – you can set it to work in fail-close mode
I configure the case ‘b’ as the first one is clear.
Assume we have to allow on icmp traffic before the member is registered with a key server but telnet traffic should be dropped:
1) Test if telnet and ping are allowed before I start:
R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ...
% Connection timed out; remote host not responding
R3#
And I see the traffic as a clear text:
2) Add the access list and enable the feature:
access-list 110 deny icmp any any
crypto map MAPA-GREEN gdoi fail-close
match address 110
activate
3) Do the final tests
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
.....
Success rate is 0 percent (0/5)
R3#
R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ...
% Connection timed out; remote host not responding
R3#
As you see above ping is sent as a clear text, telnet is dropped. ‘Deny’ statement means – do not dropped even GM is not registered yet.
Let’s do last test to check if you can ping and telnet once the GM is registered with the KS:
R3#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 7.7.7.2 vrf: MNG
Version : 1.0.4
Registration status : Registered
Registered with : 3.3.3.2
Re-registers in : 148 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 0.0.0.0
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/106/116 ms
R3#
And now telnet:
R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ... Open
Password required, but none set
[Connection to 10.55.55.55 closed by foreign host]
R3#
One the GM is registered we can ping and telnet and the traffic is encrypted.