GET VPN - part nine (exception)

[Image: getvpn-8-0.jpg]

Let’s consider a scenario where we need to block traffic between some LANs, but we don’t want to change the proxy (the encryption policy), because that would increase the number of Security Associations (SAs).

My requirements are:

One of the recommended methods is a ‘match address’ statement under the crypto map, pointing at an access list that denies the traffic to be excluded:

access-list 120 deny   ip host 20.33.33.33 host 20.55.55.55 

Before I apply this access list, I need to be sure I can ping between the sites:

R5#ping vrf RED 20.33.33.33 source 20.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.55.55.55
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/100 ms
R5#
R4#ping vrf RED 20.33.33.33 source 20.44.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/110/136 ms
R4#

As you can see, the pings succeed from both sites. Let’s apply the ACL. First, check which crypto map is attached to the interface on R3:

R3#sh run int fa0/0.3
Building configuration...

Current configuration : 140 bytes
!
interface FastEthernet0/0.3
 encapsulation dot1Q 73
 ip vrf forwarding RED
 ip address 27.27.27.2 255.255.255.0
 crypto map MAPA-RED
end

R3#

Remember to choose the correct crypto map (the one attached to the interface, MAPA-RED here)!

crypto map MAPA-RED 10 gdoi
 set group GDOI-GROUP-RED
 match address 120

Now repeat the same test:

R5#ping vrf RED 20.33.33.33 source 20.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.55.55.55
.....
Success rate is 0 percent (0/5)
R5#
R4#ping vrf RED 20.33.33.33 source 20.44.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/106/132 ms
R4#

As you can see above, the new exception works as expected: the pings from 20.55.55.55 now fail, while the pings from 20.44.44.44 still succeed. More information about the GET VPN solution can be found here:

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
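One check worth doing before applying such an exception is to evaluate the access list offline against the flows you intend to affect, in both directions, because an extended ACE such as the deny line above matches only source 20.33.33.33 to destination 20.55.55.55, not the reverse. The following Python example is added here and is not part of the original post or of any Cisco tool; it parses IOS-style extended "ip" ACEs (host, any, and address/wildcard forms) and applies first-match semantics. The trailing "permit ip any any" line is an assumption added for the demonstration (the post’s ACL 120 contains only the single deny entry), so that non-excepted flows return an explicit result.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the deny entry from the post, plus an assumed catch-all
# permit so that flows outside the exception return an explicit result.
ACL_120 = """
access-list 120 remark local GM exception (constructed sample)
access-list 120 deny   ip host 20.33.33.33 host 20.55.55.55
access-list 120 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source prefix the ACE matches
    dst: ipaddress.IPv4Network  # destination prefix the ACE matches


def _parse_addr(tokens: List[str], i: int):
    """Parse one IOS address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard" form: the IOS wildcard mask is the bitwise inverse of
    # a netmask (only contiguous wildcards are handled here).
    addr, wildcard = tok, tokens[i + 1]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit/deny ip' ACEs are handled: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the action of the first ACE matching the flow, or None if nothing matches
    (IOS evaluates ACEs top-down and stops at the first match)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return None


def exception_check(acl_text: str, src_ip: str, dst_ip: str) -> dict:
    """Report how the ACL treats a flow in both directions, since an exception
    that is meant to cover a host pair usually needs to match both ways."""
    aces = parse_acl(acl_text)
    return {
        "forward": first_match(aces, src_ip, dst_ip),
        "reverse": first_match(aces, dst_ip, src_ip),
    }


if __name__ == "__main__":
    # The two flows tested with ping in the post.
    print("R3 <-> R5:", exception_check(ACL_120, "20.33.33.33", "20.55.55.55"))
    print("R3 <-> R4:", exception_check(ACL_120, "20.33.33.33", "20.44.44.44"))
```

Running it shows that the single deny entry only matches the 20.33.33.33 to 20.55.55.55 direction, while 20.44.44.44 traffic is untouched in both directions, which is the behaviour the two ping tests above confirm.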

