GET VPN - part five (Group Member Authorization List)

In this short post I would like to show one interesting feature that allows us to control which GM can register in a particular KS. I will use the same scenario I used in my previous posts.

getvpn-1.jpg

There two methods how we can control it:

a) ACL

b) PKI

Let’s try with the first one:

I would like to limit the number of GMs to just only one 4.4.4.2. I need to add firs a standard access list:

access-list 50 permit 4.4.4.2

and then add the ACL to the gdoi group configuration (authorization address ipv4):

crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2

When I check the member list I see only one: (you need first issue two commands: clear crypto isakmp, clear crypto gdoi):

R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

You can find following message:

R2#
*Dec 15 18:54:48.835: %GDOI-1-UNAUTHORIZED_IPADDR: Group GDOI-GROUP received registration from unauthorized ip address: 7.7.7.2
R2#

Next method, PKI, is described by Cisco here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-D334DB6B-C3EC-4792-AA0F-B13C25006B5B

and I try to implement it now.

On all clients (R3,R4 and R5) I need to add:

 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=HR

assume that only OU=HR should be able to register at the KS, so on the R5 I change it to:

 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=IT

On all clients I need to change isakmp identity:

 crypto isakmp identity dn

On servers I have to add a new crypto identity:

crypto identity PKI
 dn OU=HR

so, only clients with organization unit equals ‘HR’ should register.
Now I need to add this authorization identity to the crypto gdoi group:

crypto gdoi group GDOI-GROUP
 identity number 1
 server local
 authorization identity PKI

On the KS1 I see following message:

R1#
*Dec 15 21:04:20.243: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GDOI-GROUP received registration from unauthorized identity:       Dist. name parsing failed. Peer Address: 5.5.5.2
R1#

It means the authorization works fine. Let’s check member list:

R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

Group Member ID    : 7.7.7.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

There are only two members, the one excluded has not registered.

 
7
Kudos
 
7
Kudos

Now read this

ikev2 - ASA & IOS - part one

Today I would like to work with the new Internet Key Exchange protocol v2, which was introduced some time ago. This is a totally new protocol (https://tools.ietf.org/html/rfc7296) and you can’t consider it as an updated ikev1. You can’t... Continue →