GET VPN - part two
This is the second post about GET VPN. Today I will add a second KS (R2) to increase availability.
Both cooperative KSs must use the same RSA key pair for rekey authentication, so first I need to check whether the key pair on the 1st KS is exportable:
R1#sh crypto key mypubkey rsa GETVPN-KEY
% Key pair was generated at: 14:53:12 UTC Dec 14 2014
Key name: GETVPN-KEY
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
R1#
Now I export the key pair from KS1 (the private key is 3DES-encrypted with the passphrase given on the command line):
R1(config)#crypto key export rsa GETVPN-KEY pem terminal 3des cisco123
% Key name: GETVPN-KEY
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDDuMn8kBZ8I2QPQvn5aW8HVVJ
7DRrLr3/ewA8fE25RnFCgnPLxQHkKFnEdWgF86Xu5HN45ZFIW0F8drgAL2ElhICk
S2bd6pycZeV+7reEpyS1SPOi9oY54jZiGeEId/9bHhqsgz+h52ULvZZF8QEjsM3A
fy2/d2yNMA1tkCMjAwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF
-----END RSA PRIVATE KEY-----
R1(config)#
and then I import it on KS2, using the same passphrase:
R2(config)#crypto key import rsa GETVPN-KEY pem terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDDuMn8kBZ8I2QPQvn5aW8HVVJ
7DRrLr3/ewA8fE25RnFCgnPLxQHkKFnEdWgF86Xu5HN45ZFIW0F8drgAL2ElhICk
S2bd6pycZeV+7reEpyS1SPOi9oY54jZiGeEId/9bHhqsgz+h52ULvZZF8QEjsM3A
fy2/d2yNMA1tkCMjAwIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
R2(config)#
Now I add the following configuration to KS1 (the redundancy section is what turns it into a cooperative KS):
!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2
!
and now it is time to add the config on KS2 (its GDOI group differs from KS1 only in the local address, priority and peer address):
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
!
!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 6.6.6.2
  redundancy
   local priority 20
   peer address ipv4 3.3.3.2
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
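An added example, not part of the original post: a Python check that the two COOP KS stanzas agree on everything they must share (group identity, rekey settings, the rekey key name, profile, ACL, replay window) and differ only in address, priority and peer. The ks_config helper rebuilds the stanzas from this post; the consistency rules are my own, not a Cisco tool.

```python
import re

# Rebuilds a KS stanza from this post (constructed sample, not a device dump);
# the two real ones differ only in local address, priority and peer address.
def ks_config(address, priority, peer):
    return f"""crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 {address}
  redundancy
   local priority {priority}
   peer address ipv4 {peer}
"""

PATTERNS = {
    "identity": r"identity number (\S+)",
    "retransmit": r"rekey retransmit (\d+ number \d+)",
    "rekey_key": r"rekey authentication mypubkey rsa (\S+)",  # why the key pair was copied
    "transport": r"rekey transport (\S+)",
    "profile": r"profile (\S+)",
    "acl": r"match address ipv4 (\S+)",
    "window": r"replay counter window-size (\d+)",
    "address": r"^\s*address ipv4 (\S+)",   # anchored so "peer address" does not match
    "priority": r"local priority (\d+)",
    "peer": r"peer address ipv4 (\S+)",
}
SHARED = ("identity", "retransmit", "rekey_key", "transport", "profile", "acl", "window")

def parse_ks(config):
    """Extract the relevant values from one KS stanza; None if a line is absent."""
    return {k: (m.group(1) if (m := re.search(p, config, re.M)) else None)
            for k, p in PATTERNS.items()}

def check_coop_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_ks(cfg_a), parse_ks(cfg_b)
    problems = [f"{k} differs: {a[k]!r} vs {b[k]!r}" for k in SHARED if a[k] != b[k]]
    if a["priority"] == b["priority"]:
        problems.append("local priority is equal on both KSs; give them distinct values")
    if a["peer"] != b["address"] or b["peer"] != a["address"]:
        problems.append("peer address does not match the other KS's local address")
    return problems

# The pair from this post: 3.3.3.2 with priority 10 and 6.6.6.2 with priority 20.
KS1, KS2 = ks_config("3.3.3.2", 10, "6.6.6.2"), ks_config("6.6.6.2", 20, "3.3.3.2")
```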
Let’s check what the communication between them looks like:
R1(config)#
*Dec 14 21:45:09.422: %GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 6.6.6.2 in group GDOI-GROUP.
R1(config)#
*Dec 14 21:45:09.351: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GDOI-GROUP (Previous Primary = NONE)
R2(gdoi-coop-ks-config)#
*Dec 14 21:45:19.523: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 3.3.3.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = NONE)
As you can see, the new KS has been elected as the secondary KS:
R1#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP (Unicast)
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 3.3.3.2
Local Priority : 10
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 76290 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3137 secs
ACL Configured : access-list 101
Group Server list : Local
R1#
R2#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP (Unicast)
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Secondary
Local KS Version : 1.0.4
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 76277 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3124 secs
ACL Configured : access-list 101
Group Server list : Local
R2#
R3#sh crypto gdoi | i with
Registered with : 3.3.3.2
R3#
Now I need to add the secondary KS on all GMs:
crypto gdoi group GDOI-GROUP
 identity number 1
 server address ipv4 3.3.3.2
 server address ipv4 6.6.6.2
Now it’s time to test whether the secondary KS is configured properly. I will shut down fa0/0 on KS1:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#sh
R1(config-if)#
On the GM we can see:
R3#
*Dec 14 21:57:18.650: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
R3#
R3#sh crypto gdoi | i with
R3#
There is a problem; let’s check the ASA:
%ASA-4-106023: Deny udp src spoke1:7.7.7.2/848 dst keys2:6.6.6.2/848 by access-group "SPOKE1" [0x0, 0x0]
OK, I need to add the secondary KS IP to the spoke ACLs (GDOI registration uses UDP 848):
access-list SPOKE2 extended permit udp host 4.4.4.2 host 6.6.6.2 eq 848
access-list SPOKE1 extended permit udp host 7.7.7.2 host 6.6.6.2 eq 848
access-list SPOKE3 extended permit udp host 5.5.5.2 host 6.6.6.2 eq 848
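An added example, not from the original post: a Python script that parses ASA %ASA-4-106023 deny lines, keeps only UDP/848 towards a known KS address, and emits permit ACEs of the exact form used above. The log sample is constructed from the line on this page plus two more of the same shape (one for spoke3, one unrelated TCP deny).

```python
import re

# Constructed sample log: the deny line from this post plus two more of the
# same shape; the TCP line is there to show that it is ignored.
ASA_LOG = """\
%ASA-4-106023: Deny udp src spoke1:7.7.7.2/848 dst keys2:6.6.6.2/848 by access-group "SPOKE1" [0x0, 0x0]
%ASA-4-106023: Deny udp src spoke3:5.5.5.2/848 dst keys2:6.6.6.2/848 by access-group "SPOKE3" [0x0, 0x0]
%ASA-4-106023: Deny tcp src spoke1:7.7.7.2/51234 dst outside:203.0.113.9/80 by access-group "SPOKE1" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
GDOI_PORT = 848  # GDOI registration and rekey (RFC 6407)

def gdoi_denies(log, key_servers):
    """Parsed deny events for UDP/848 whose destination is one of our KS addresses.

    Limiting the match to known KS addresses keeps this from turning arbitrary
    denies into permits; anything else stays denied and is not reported here.
    """
    events = []
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        if e["proto"] == "udp" and int(e["dport"]) == GDOI_PORT and e["dst"] in key_servers:
            events.append(e)
    return events

def missing_aces(log, key_servers):
    """ASA ACEs that would allow each denied GDOI registration, deduplicated,
    in order of first appearance, one per (access-group, spoke, KS) tuple."""
    aces = []
    for e in gdoi_denies(log, key_servers):
        ace = f'access-list {e["acl"]} extended permit udp host {e["src"]} host {e["dst"]} eq {GDOI_PORT}'
        if ace not in aces:
            aces.append(ace)
    return aces
```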
Now I will reset GDOI on the GM so that it re-registers:
R3#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.
Are you sure you want to proceed ? [yes/no]: yes
R3#
*Dec 14 22:02:19.618: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 14 22:02:19.630: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP using address 7.7.7.2
R3#
*Dec 14 22:02:59.646: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.158: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GDOI-GROUP transitioned to Unicast Rekey.
*Dec 14 22:03:00.162: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 14 22:03:00.162: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 14 22:03:00.294: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.2 complete for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.302: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 6.6.6.2 for group GDOI-GROUP & gm identity 7.7.7.2
R3#
R3#sh crypto gdoi | i with
Registered with : 6.6.6.2
R3#
You can see below that KS2 is now the primary one:
R2#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP (Unicast)
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 75421 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 2268 secs
ACL Configured : access-list 101
Group Server list : Local
R2#
As you can see, R3 registered with KS2 and installed its policies. Let’s test whether I can ping between the LANs:
R3#ping 10.44.44.44 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 10.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/120 ms
R3#
I can ping LAN2 from LAN1. Let’s check R4 as well:
R4#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 3
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 4.4.4.2 vrf: None
Version : 1.0.4
Registration status : Registered
Registered with : 3.3.3.2
Re-registers in : 1994 sec
Succeeded registration: 1
Attempted registration: 5
Last rekey from : 3.3.3.2
Last rekey seq num : 5
Unicast rekey received: 3
Rekey ACKs sent : 3
Rekey Rcvd(hh:mm:ss) : 00:24:41
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 3
After latest register : 3
Rekey Acks sents : 3
ACL Downloaded From KS 3.3.3.2:
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 75272
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0:
IPsec SA:
spi: 0x13B8FB0C(330889996)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (2118)
Anti-Replay : Disabled
R4#
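An added example, not from the original post: a Python health check over trimmed show crypto gdoi outputs like the ones above, which flags a GM that is still registered with a KS that no longer reports Alive (exactly the R4 situation here) and checks that exactly one alive KS is Primary. The sample outputs are constructed from this post's values; the field names are the ones shown in the outputs above.

```python
import re

# Constructed from the "show crypto gdoi" outputs in this post, trimmed to the
# fields the check needs: both KSs after the election, then only KS2 after fa0/0
# on KS1 was shut (KS1 could no longer be queried), and the GM R4.
KS_NORMAL = [
    "Local Address : 3.3.3.2\nLocal Priority : 10\nLocal KS Status : Alive\nLocal KS Role : Primary\n",
    "Local Address : 6.6.6.2\nLocal Priority : 20\nLocal KS Status : Alive\nLocal KS Role : Secondary\n",
]
KS_FAILOVER = [KS_NORMAL[1].replace("Secondary", "Primary")]
GM_R4 = ("Group Server list : 3.3.3.2\n6.6.6.2\n"
         "Registered with : 3.3.3.2\nRe-registers in : 1994 sec\n")

def field(text, name):
    """Value of a 'Name : value' line in show output; None if missing."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def gm_servers(show):
    """'Group Server list' value plus its continuation lines (extra addresses)."""
    lines = show.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Group Server list"))
    servers = [lines[start].split(":", 1)[1].strip()]
    for line in lines[start + 1:]:
        if ":" in line:  # next 'Name : value' line ends the list
            break
        servers.append(line.strip())
    return servers

def coop_health(ks_shows, gm_show):
    """Problems found across the KS outputs that could be collected and one GM."""
    alive = {field(s, "Local Address"): field(s, "Local KS Role")
             for s in ks_shows if field(s, "Local KS Status") == "Alive"}
    primaries = [addr for addr, role in alive.items() if role == "Primary"]
    registered = field(gm_show, "Registered with")
    timer = int(field(gm_show, "Re-registers in").split()[0])
    problems = []
    if len(primaries) != 1:
        problems.append(f"expected exactly one alive Primary, found {primaries}")
    if registered not in gm_servers(gm_show):
        problems.append(f"GM registered with {registered}, which is not in its server list")
    if registered not in alive:
        problems.append(f"GM still registered with {registered}, which is not reporting Alive; "
                        f"it will re-register in {timer} sec")
    return problems
```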
As you can see above, R4 is still registered with KS1; its re-registration timer shows 1994 sec.
Let’s enable the interface on KS1 again:
R1#
*Dec 14 22:10:26.598: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 6.6.6.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = 3.3.3.2)
*Dec 14 22:10:26.994: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI-GROUP from address 3.3.3.2 with seq # 16
R1#
KS1 has automatically been elected as the primary one again, and the next re-keying will be performed by KS1.