GET VPN - part six (VRF)
Today I would like to configure VRF aware GETVPN. I’m going to work on the same scenario with some changes.
As you see there are two vrf networks and I need to provide secure and separated protection for business traffic using the same GETVPN.
Let’s start from KS1:
1) phase 1
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
!
2) phase 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
3) ipsec profile - we can have two different ipsec profiles
crypto ipsec profile IPSEC-PROFILE-GREEN
set transform-set TS
!
crypto ipsec profile IPSEC-PROFILE-RED
set transform-set TS
4) access list - for each VRF I need to define an ACL
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
5) definition of gdoi group - for each VRF I define a separate group with different identity number, different ipsec profile and an access list with subnets for encryption
crypto gdoi group GDOI-GROUP-RED
identity number 2
server local
rekey lifetime seconds 300
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEY
rekey transport unicast
sa ipsec 1
profile IPSEC-PROFILE-RED
match address ipv4 102
replay counter window-size 64
address ipv4 3.3.3.2
redundancy
local priority 10
peer address ipv4 6.6.6.2
!
crypto gdoi group GDOI-GROUP-GREEN
identity number 1
server local
rekey lifetime seconds 300
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEY
rekey transport unicast
sa ipsec 1
profile IPSEC-PROFILE-GREEN
match address ipv4 101
replay counter window-size 64
address ipv4 3.3.3.2
redundancy
local priority 10
peer address ipv4 6.6.6.2
!
6) interface
interface FastEthernet0/0
ip address 3.3.3.2 255.255.255.0
The same configuration I apply on the KS2 (of course excluding interface settings).
Now, it’s time to modify a group member configuration:
1) definition of VRFs
ip vrf GREEN
!
ip vrf MNG
!
ip vrf RED
2) keyring - very important, you can’t use standard command with crypto isakmp key for interface in non default VRF, the only way is to use keyring, where you can specify the VRF
crypto keyring KEYRING vrf MNG
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
3) isakmp policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
4) definition of the gdoi group for each VRF - like in my case where there is more than one outside interface we need to specify over which interface we want to register in KS
crypto gdoi group GDOI-GROUP-GREEN
identity number 1
server address ipv4 3.3.3.2
server address ipv4 6.6.6.2
client registration interface FastEthernet0/0.1
!
crypto gdoi group GDOI-GROUP-RED
identity number 2
server address ipv4 3.3.3.2
server address ipv4 6.6.6.2
client registration interface FastEthernet0/0.1
5) crypto map
crypto map MAPA-GREEN 10 gdoi
set group GDOI-GROUP-GREEN
!
crypto map MAPA-RED 10 gdoi
set group GDOI-GROUP-RED
6) interfaces - inside
interface Loopback0
ip vrf forwarding GREEN
ip address 10.33.33.33 255.255.255.0
!
interface Loopback1
ip vrf forwarding RED
ip address 20.33.33.33 255.255.255.0
7) interfaces - outside
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip vrf forwarding MNG
ip address 7.7.7.2 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 17.17.17.2 255.255.255.0
crypto map MAPA-GREEN
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip vrf forwarding RED
ip address 27.27.27.2 255.255.255.0
crypto map MAPA-RED
8) routing
ip route vrf GREEN 0.0.0.0 0.0.0.0 17.17.17.1
ip route vrf MNG 0.0.0.0 0.0.0.0 7.7.7.1
ip route vrf RED 0.0.0.0 0.0.0.0 27.27.27.1
ASA Configuration :
1) interfaces
asa1# sh run int
!
interface GigabitEthernet0
nameif keys1
security-level 50
ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet1
nameif keys2
security-level 50
ip address 6.6.6.1 255.255.255.0
!
interface GigabitEthernet2
no nameif
no security-level
no ip address
!
interface GigabitEthernet2.1
vlan 10
nameif spoke1-mng
security-level 50
ip address 7.7.7.1 255.255.255.0
!
interface GigabitEthernet2.2
vlan 2
nameif spoke1-green
security-level 50
ip address 17.17.17.1 255.255.255.0
!
interface GigabitEthernet2.3
vlan 3
nameif spoke1-red
security-level 50
ip address 27.27.27.1 255.255.255.0
!
interface GigabitEthernet3
no nameif
no security-level
no ip address
!
interface GigabitEthernet3.1
vlan 11
nameif spoke2-mng
security-level 50
ip address 4.4.4.1 255.255.255.0
!
interface GigabitEthernet3.2
vlan 12
nameif spoke2-green
security-level 50
ip address 14.14.14.1 255.255.255.0
!
interface GigabitEthernet3.3
vlan 13
nameif spoke2-red
security-level 50
ip address 24.24.24.1 255.255.255.0
interface GigabitEthernet4.1
vlan 51
nameif spok3-mng
security-level 50
ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet4.2
vlan 52
nameif spoke3-green
security-level 50
ip address 15.15.15.1 255.255.255.0
!
interface GigabitEthernet4.3
vlan 53
nameif spoke3-red
security-level 50
ip address 25.25.25.1 255.255.255.0
asa1#
2) routing
asa1# sh run | i route
route spoke1-green 10.33.33.0 255.255.255.0 17.17.17.2 1
route spoke2-green 10.44.44.0 255.255.255.0 14.14.14.2 1
route spoke3-green 10.55.55.0 255.255.255.0 15.15.15.2 1
route spoke1-red 20.33.33.0 255.255.255.0 27.27.27.2 1
route spoke2-red 20.44.44.0 255.255.255.0 24.24.24.2 1
route spoke3-red 20.55.55.0 255.255.255.0 25.25.25.2 1
Let’s check now how looks like the gdoi status on KS and GM:
R2#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP-RED (Unicast)
Group Identity : 2
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 267 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE-RED
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 1617 secs
ACL Configured : access-list 102
Group Server list : Local
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN (Unicast)
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 272 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE-GREEN
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 1622 secs
ACL Configured : access-list 101
Group Server list : Local
R2#
R2#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group GDOI-GROUP-RED : 83
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 6.6.6.2
Rekeys sent : 18
Rekeys retries : 6
Rekey Acks Rcvd : 16
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 3.3.3.2
Rekeys sent : 62
Rekeys retries : 14
Rekey Acks Rcvd : 58
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 5.5.5.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 3.3.3.2
Rekeys sent : 35
Rekeys retries : 7
Rekey Acks Rcvd : 36
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Number of rekeys sent for group GDOI-GROUP-GREEN : 85
Group Member ID : 5.5.5.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 6.6.6.2
Rekeys sent : 15
Rekeys retries : 2
Rekey Acks Rcvd : 13
Rekey Acks missed : 1
Sent seq num : 1 2 1 2
Rcvd seq num : 0 0 0 0
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 6.6.6.2
Rekeys sent : 16
Rekeys retries : 1
Rekey Acks Rcvd : 16
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 3.3.3.2
Rekeys sent : 53
Rekeys retries : 6
Rekey Acks Rcvd : 53
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
R2#
R3#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 18
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 7.7.7.2 vrf: MNG
Version : 1.0.4
Registration status : Registered
Registered with : 6.6.6.2
Re-registers in : 146 sec
Succeeded registration: 3
Attempted registration: 6
Last rekey from : 6.6.6.2
Last rekey seq num : 0
Unicast rekey received: 21
Rekey ACKs sent : 21
Rekey Rcvd(hh:mm:ss) : 00:00:11
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 18
After latest register : 18
Rekey Acks sents : 18
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 287
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.2:
IPsec SA:
spi: 0x42A2925(69871909)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (1563)
Anti-Replay : Disabled
GROUP INFORMATION
Group Name : GDOI-GROUP-RED
Group Identity : 2
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 18
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 7.7.7.2 vrf: MNG
Version : 1.0.4
Registration status : Registered
Registered with : 6.6.6.2
Re-registers in : 162 sec
Succeeded registration: 2
Attempted registration: 8
Last rekey from : 6.6.6.2
Last rekey seq num : 0
Unicast rekey received: 20
Rekey ACKs sent : 20
Rekey Rcvd(hh:mm:ss) : 00:00:16
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 18
After latest register : 18
Rekey Acks sents : 18
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 282
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.3:
IPsec SA:
spi: 0xA1672E6B(2707893867)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (1557)
Anti-Replay : Disabled
R3#
Note: Key Server is not VRF aware.
More information you can find here: