GET VPN - part six (VRF)

Today I would like to configure VRF aware GETVPN. I’m going to work on the same scenario with some changes.

getvpn-1 - vrf.jpg

As you see there are two vrf networks and I need to provide secure and separated protection for business traffic using the same GETVPN.

Let’s start from KS1:

1) phase 1

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!

2) phase 2

crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel

3) ipsec profile - we can have two different ipsec profiles

crypto ipsec profile IPSEC-PROFILE-GREEN
 set transform-set TS
!
crypto ipsec profile IPSEC-PROFILE-RED
 set transform-set TS

4) access list - for each VRF I need to define an ACL

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255

5) definition of gdoi group - for each VRF I define a separate group with different identity number, different ipsec profile and an access list with subnets for encryption

crypto gdoi group GDOI-GROUP-RED
 identity number 2
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE-RED
   match address ipv4 102
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2
!
crypto gdoi group GDOI-GROUP-GREEN
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE-GREEN
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2
!

6) interface

interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0

The same configuration I apply on the KS2 (of course excluding interface settings).

Now, it’s time to modify a group member configuration:

1) definition of VRFs

ip vrf GREEN
!
ip vrf MNG
!
ip vrf RED

2) keyring - very important, you can’t use standard command with crypto isakmp key for interface in non default VRF, the only way is to use keyring, where you can specify the VRF

crypto keyring KEYRING vrf MNG
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

3) isakmp policy

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

4) definition of the gdoi group for each VRF - like in my case where there is more than one outside interface we need to specify over which interface we want to register in KS

crypto gdoi group GDOI-GROUP-GREEN
 identity number 1
 server address ipv4 3.3.3.2
 server address ipv4 6.6.6.2
 client registration interface FastEthernet0/0.1
!
crypto gdoi group GDOI-GROUP-RED
 identity number 2
 server address ipv4 3.3.3.2
 server address ipv4 6.6.6.2
 client registration interface FastEthernet0/0.1

5) crypto map

crypto map MAPA-GREEN 10 gdoi
 set group GDOI-GROUP-GREEN
!
crypto map MAPA-RED 10 gdoi
 set group GDOI-GROUP-RED

6) interfaces - inside

interface Loopback0
 ip vrf forwarding GREEN
 ip address 10.33.33.33 255.255.255.0
!
interface Loopback1
 ip vrf forwarding RED
 ip address 20.33.33.33 255.255.255.0

7) interfaces - outside

interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip vrf forwarding MNG
 ip address 7.7.7.2 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding GREEN
 ip address 17.17.17.2 255.255.255.0
 crypto map MAPA-GREEN
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding RED
 ip address 27.27.27.2 255.255.255.0
 crypto map MAPA-RED

8) routing

ip route vrf GREEN 0.0.0.0 0.0.0.0 17.17.17.1
ip route vrf MNG 0.0.0.0 0.0.0.0 7.7.7.1
ip route vrf RED 0.0.0.0 0.0.0.0 27.27.27.1

ASA Configuration :

1) interfaces

asa1# sh run int
!
interface GigabitEthernet0
 nameif keys1
 security-level 50
 ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet1
 nameif keys2
 security-level 50
 ip address 6.6.6.1 255.255.255.0
!
interface GigabitEthernet2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet2.1
 vlan 10
 nameif spoke1-mng
 security-level 50
 ip address 7.7.7.1 255.255.255.0
!
interface GigabitEthernet2.2
 vlan 2
 nameif spoke1-green
 security-level 50
 ip address 17.17.17.1 255.255.255.0
!
interface GigabitEthernet2.3
 vlan 3
 nameif spoke1-red
 security-level 50
 ip address 27.27.27.1 255.255.255.0
!
interface GigabitEthernet3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3.1
 vlan 11
 nameif spoke2-mng
 security-level 50
 ip address 4.4.4.1 255.255.255.0
!
interface GigabitEthernet3.2
 vlan 12
 nameif spoke2-green
 security-level 50
 ip address 14.14.14.1 255.255.255.0
!
interface GigabitEthernet3.3
 vlan 13
 nameif spoke2-red
 security-level 50
 ip address 24.24.24.1 255.255.255.0
interface GigabitEthernet4.1
 vlan 51
 nameif spok3-mng
 security-level 50
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet4.2
 vlan 52
 nameif spoke3-green
 security-level 50
 ip address 15.15.15.1 255.255.255.0
!
interface GigabitEthernet4.3
 vlan 53
 nameif spoke3-red
 security-level 50
 ip address 25.25.25.1 255.255.255.0

asa1#

2) routing

asa1# sh run | i route
route spoke1-green 10.33.33.0 255.255.255.0 17.17.17.2 1
route spoke2-green 10.44.44.0 255.255.255.0 14.14.14.2 1
route spoke3-green 10.55.55.0 255.255.255.0 15.15.15.2 1
route spoke1-red 20.33.33.0 255.255.255.0 27.27.27.2 1
route spoke2-red 20.44.44.0 255.255.255.0 24.24.24.2 1
route spoke3-red 20.55.55.0 255.255.255.0 25.25.25.2 1

Let’s check now how looks like the gdoi status on KS and GM:

R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP-RED (Unicast)
    Group Identity           : 2
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 300 secs
    Group Rekey
        Remaining Lifetime   : 267 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE-RED
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 1617 secs
      ACL Configured         : access-list 102

     Group Server list       : Local



GROUP INFORMATION

    Group Name               : GDOI-GROUP-GREEN (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 300 secs
    Group Rekey
        Remaining Lifetime   : 272 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE-GREEN
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 1622 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R2#
R2#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP-RED : 83

Group Member ID    : 7.7.7.2     GM Version: 1.0.4
 Group ID          : 2
 Group Name        : GDOI-GROUP-RED
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 18
 Rekeys retries    : 6
 Rekey Acks Rcvd   : 16
 Rekey Acks missed : 0

 Sent seq num : 1       1       1       1
Rcvd seq num :  1       1       1       1

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 2
 Group Name        : GDOI-GROUP-RED
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 62
 Rekeys retries    : 14
 Rekey Acks Rcvd   : 58
 Rekey Acks missed : 0

 Sent seq num : 1       1       1       1
Rcvd seq num :  1       1       1       1

Group Member ID    : 5.5.5.2     GM Version: 1.0.4
 Group ID          : 2
 Group Name        : GDOI-GROUP-RED
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 35
 Rekeys retries    : 7
 Rekey Acks Rcvd   : 36
 Rekey Acks missed : 0

 Sent seq num : 1       1       1       1
Rcvd seq num :  1       1       1       1

Number of rekeys sent for group GDOI-GROUP-GREEN : 85

Group Member ID    : 5.5.5.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP-GREEN
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 15
 Rekeys retries    : 2
 Rekey Acks Rcvd   : 13
 Rekey Acks missed : 1

 Sent seq num : 1       2       1       2
Rcvd seq num :  0       0       0       0

Group Member ID    : 7.7.7.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP-GREEN
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 16
 Rekeys retries    : 1
 Rekey Acks Rcvd   : 16
 Rekey Acks missed : 0

 Sent seq num : 1       1       1       1
Rcvd seq num :  1       1       1       1

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP-GREEN
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 53
 Rekeys retries    : 6
 Rekey Acks Rcvd   : 53
 Rekey Acks missed : 0

 Sent seq num : 1       1       1       1
Rcvd seq num :  1       1       1       1

R2#

R3#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP-GREEN
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 18
    IPSec SA Direction       : Both

     Group Server list       : 3.3.3.2
                               6.6.6.2

    Group member             : 7.7.7.2          vrf: MNG
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 6.6.6.2
       Re-registers in       : 146 sec
       Succeeded registration: 3
       Attempted registration: 6
       Last rekey from       : 6.6.6.2
       Last rekey seq num    : 0
       Unicast rekey received: 21
       Rekey ACKs sent       : 21
       Rekey Rcvd(hh:mm:ss)  : 00:00:11
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 18
       After latest register : 18
       Rekey Acks sents      : 18

 ACL Downloaded From KS 6.6.6.2:
   access-list   permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 287
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0.2:
    IPsec SA:
        spi: 0x42A2925(69871909)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1563)
        Anti-Replay : Disabled


GROUP INFORMATION

    Group Name               : GDOI-GROUP-RED
    Group Identity           : 2
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 18
    IPSec SA Direction       : Both

     Group Server list       : 3.3.3.2
                               6.6.6.2

    Group member             : 7.7.7.2          vrf: MNG
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 6.6.6.2
       Re-registers in       : 162 sec
       Succeeded registration: 2
       Attempted registration: 8
       Last rekey from       : 6.6.6.2
       Last rekey seq num    : 0
       Unicast rekey received: 20
       Rekey ACKs sent       : 20
       Rekey Rcvd(hh:mm:ss)  : 00:00:16
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 18
       After latest register : 18
       Rekey Acks sents      : 18

 ACL Downloaded From KS 6.6.6.2:
   access-list   permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 282
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0.3:
    IPsec SA:
        spi: 0xA1672E6B(2707893867)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1557)
        Anti-Replay : Disabled


R3#

Note: Key Server is not VRF aware.

More information you can find here:

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07-624088.html

 
18
Kudos
 
18
Kudos

Now read this

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1... Continue →