hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more… To contact me, send an email to: myitmicroblog@gmail.com

Page 3


GET VPN - part eleven (multicast) - update

Update to GET VPN - part four (multicast) - http://myitmicroblog.svbtle.com/get-vpn-part-four

On one of my GMs I found a problem. It was registered but I didn’t see any ‘rekeys received’:

R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190


R3#

I saw the following messages:

R3#
*Dec 20 06:06:04.404: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP-RED may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 20 06:06:04.412: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP-RED using address 7.7.7.2
*Dec 20 06:06:05.000: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 20 06:06:05.008:
...

Continue reading →


GET VPN - part ten (HA)

Today I would like to talk about high availability. A second KS is one example of how we can increase its availability. Let’s think about GMs. If there is more than one path to a KS, we should consider using a loopback interface for communication with the KS.

We can add the following command on the GM:

crypto map MAP-NAME local-address INT-NAME

We have to ensure that:

  • the loopback interface is reachable from the KSs
  • the firewall access list accepts traffic to and from this IP

ISAKMP SA from a KS before change:

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
6.6.6.2         4.4.4.2         GDOI_IDLE         1002 ACTIVE
3.3.3.2         6.6.6.2         GDOI_IDLE         1030 ACTIVE
7.7.7.2         6.6.6.2         GDOI_REKEY           0 ACTIVE
7.7.7.2         6.6.6.2         GDOI_REKEY           0 ACTIVE
6.6.6.2         5.5.5.2
...

Continue reading →


GET VPN - part nine (exception)

getvpn-8-0.jpg

Let’s consider a scenario where we need to block traffic between some LANs, but we don’t want to change the proxy ACL, so as not to increase the number of Security Associations (SAs).

My requirements are:

  • ACL should be the same - access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
  • permit LAN1-spoke1 (20.33.33.33) to LAN1-spoke2 (20.44.44.44)
  • deny LAN1-spoke1 (20.33.33.33) to LAN1-spoke3 (20.55.55.55)

One of the recommended methods is the ‘match’ statement under a crypto map:

access-list 120 deny   ip host 20.33.33.33 host 20.55.55.55 
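To make the interplay of the two ACLs above concrete, here is an added example (not code from the original post) that evaluates a source/destination pair against Cisco-style wildcard-mask ACLs, first-match-wins with an implicit deny at the end, and then classifies the flow the way a GM sees it: the GM's own ‘match’ ACL (deny entries only) is consulted before the policy downloaded from the KS. The evaluator, the ACE parser and the three result labels are assumptions of this example; the two ACL lines are the ones from the post.

```python
"""Added example: Cisco wildcard-mask ACL evaluation for a GET VPN GM.

Assumed semantics (not from the post): a deny entry in the GM's local
'match' ACL takes precedence over the KS policy ACL; traffic permitted by
the KS ACL is encrypted; traffic matching neither is forwarded outside
GET VPN. What the GM does with a 'local-deny' flow is the GET VPN policy's
business, this code only tells you which entry matched.
"""
import ipaddress
from typing import List, Optional, Tuple

# An ACE as (action, src_net, src_wildcard, dst_net, dst_wildcard), all ints.
ACE = Tuple[str, int, int, int, int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'.
    Returns (network, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> ACE:
    """Parse an IOS numbered ACE: 'access-list N permit|deny ip <src> <dst>'.
    Only the 'ip' protocol form used in the post is supported."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, _ = _parse_addr(t, i)
    return action, src, src_wc, dst, dst_wc


def build_acl(lines: List[str]) -> List[ACE]:
    return [parse_ace(line) for line in lines]


def _matches(addr: int, net: int, wildcard: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def lookup(acl: List[ACE], src: str, dst: str) -> Optional[str]:
    """Action of the first matching entry, or None when nothing matched
    (IOS ends every ACL with an implicit deny; None makes that visible)."""
    s, d = _ip(src), _ip(dst)
    for action, net_s, wc_s, net_d, wc_d in acl:
        if _matches(s, net_s, wc_s) and _matches(d, net_d, wc_d):
            return action
    return None


def gm_classify(local_acl: List[ACE], ks_acl: List[ACE], src: str, dst: str) -> str:
    """Classify a flow as the GM would: local deny first, then KS policy."""
    if lookup(local_acl, src, dst) == "deny":
        return "local-deny"  # excluded by the GM's own ACL before the KS policy is consulted
    if lookup(ks_acl, src, dst) == "permit":
        return "encrypt"     # covered by the policy downloaded from the KS
    return "clear"           # not in the policy at all: forwarded outside GET VPN


# Sample input, constructed from the two ACL lines quoted in the post.
KS_POLICY_ACL = build_acl(
    ["access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255"]
)
GM_LOCAL_ACL = build_acl(
    ["access-list 120 deny   ip host 20.33.33.33 host 20.55.55.55"]
)

if __name__ == "__main__":
    flows = [
        ("20.33.33.33", "20.44.44.44"),  # spoke1 -> spoke2, should stay encrypted
        ("20.33.33.33", "20.55.55.55"),  # spoke1 -> spoke3, hits the local deny
        ("20.55.55.55", "20.33.33.33"),  # reverse direction is NOT covered by ACE 120
        ("10.1.1.1", "20.44.44.44"),     # outside the 20/8 policy entirely
    ]
    for src, dst in flows:
        print(f"{src:>12} -> {dst:<12} {gm_classify(GM_LOCAL_ACL, KS_POLICY_ACL, src, dst)}")
```

Note that the deny entry as written matches only one direction; the flow from 20.55.55.55 back to 20.33.33.33 still falls through to the KS policy, which is worth checking whenever you add exceptions on a single GM.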

Before I apply this access list, I need to be sure I can ping hosts between sites:

R5#ping vrf RED 20.33.33.33 source 20.55.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 20.55.55.55
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/100 ms
R5#
...

Continue reading →


GET VPN - part eight (fail-close)

getvpn-8-0.jpg

I would like to analyze one scenario where a GM sends data before or during the registration process. When the GM is registered, the traffic is encrypted, as we can see here:

Ping from R3 to R5 (GET VPN active, GM registered)

R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/104/128 ms
R3#

getvpn-8-1.jpg

Now I disable KS1 and KS2 and clear keys on GM1:

R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
.....
Success rate is 0 percent (0/5)
R3#

getvpn-8-2.jpg

As you can see, I didn’t receive any response, but the traffic was sent as clear text. In my case it was just a ping, but...

Continue reading →


GET VPN - part seven (NAT)

Today I would like to test how GET VPN cooperates with NAT. I need to say that officially NAT for GET VPN is not supported by Cisco. You can apply NAT on a GM itself, just before encryption/decryption. Anyway, I would like to test the scenarios below:

1) GM behind NAT

2) KS behind NAT

3) NAT on GM (supported)

I will work on the same design:

getvpn-1 - vrf.jpg

1) GM behind NAT

Now I add a NAT statement on the ASA for GM1 (R3):

object network R3-MNG-BN
 host 7.7.7.2
object network R3-MNG-AN
 host 77.77.77.2

nat (spoke1-mng,any) source static R3-MNG-BN R3-MNG-AN

On the ASA I need to add one ACL entry:

access-list SPOKE1-MNG extended permit udp host 7.7.7.2 host 6.6.6.2 eq 4500
access-list SPOKE1-MNG extended permit udp host 7.7.7.2 host 3.3.3.2 eq 4500

and then we can see:

%ASA-6-302015: Built inbound UDP connection 62 for spoke1-mng:7.7.7.2/4500 (77.77.77.2/4500) to keys2:6.6.6.2/4500
...

Continue reading →


GET VPN - part six (VRF)

Today I would like to configure VRF aware GETVPN. I’m going to work on the same scenario with some changes.

getvpn-1 - vrf.jpg

As you can see, there are two VRF networks, and I need to provide secure and separate protection for the business traffic of each using the same GETVPN.

Let’s start from KS1:

1) phase 1

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!

2) phase 2

crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel

3) ipsec profile - we can have two different ipsec profiles

crypto ipsec profile IPSEC-PROFILE-GREEN
 set transform-set TS
!
crypto ipsec profile IPSEC-PROFILE-RED
 set transform-set TS

4) access list - for each VRF I need to define an ACL

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255

5) definition of gdoi group - for...

Continue reading →


GET VPN - part five (Group Member Authorization List)

In this short post I would like to show one interesting feature that allows us to control which GMs can register with a particular KS. I will use the same scenario I used in my previous posts.

getvpn-1.jpg

There are two methods to control this:

a) ACL

b) PKI

Let’s try with the first one:

I would like to limit the GMs to just one, 4.4.4.2. First I need to add a standard access list:

access-list 50 permit 4.4.4.2

and then add the ACL to the gdoi group configuration (authorization address ipv4):

crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer
...

Continue reading →


GET VPN - part four (multicast)

For an enterprise solution some of my current settings can be inefficient, for example the unicast rekeying method. GET VPN allows a multicast rekeying method. Let’s try to configure it.

getvpn-1.jpg

On the KSs we need to add:

!
access-list 1 permit 239.192.1.190 0.0.0.0
!
ip multicast-routing
ip pim ssm range 1
!
interface fa0/0
 ip pim sparse-mode
!
ip access-list extended GETVPN-MCAST
 permit ip any host 239.192.1.190
!
crypto gdoi group GDOI-GROUP
 server local
  no rekey transport unicast
  rekey address ipv4 GETVPN-MCAST
  rekey retransmit 10 number 3

Once I applied the configuration, I could see:

*Dec 15 01:03:10.979: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 6.6.6.2 on interface FastEthernet0/0
*Dec 15 01:03:11.355: %SYS-5-CONFIG_I: Configured from console by console
*Dec 15 01:03:11.355: %GDOI-5-POLICY_CHANGE: GDOI group GDOI-GROUP policy has changed. Use 'crypto gdoi ks rekey' to send
...

Continue reading →


GET VPN - part three

This is the third post about the GET VPN series. You should read my previous two posts before you start reading this one.

getvpn-1.jpg

Today I will change the authentication method for ISAKMP (phase 1) from pre-shared key to certificates.

Let’s start with the CA:

R6(config)#ip domain name mymicroblog.com
R6(config)#

R6(config)#crypto pki server PKI-SERVER
R6(cs-server)#issuer-name CN=R6.mymicroblog.com
R6(cs-server)#grant auto
R6(cs-server)#
*Dec 14 23:07:14.059: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R6(cs-server)#no sh
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
...

Continue reading →


GET VPN - part two

This is the second post about GET VPN. Today I will add a second KS (R2) to increase availability.

getvpn-1.jpg

First I need to check if the certificate on the 1st KS can be exported:

R1#sh crypto key mypubkey rsa GETVPN-KEY
% Key pair was generated at: 14:53:12 UTC Dec 14 2014
Key name: GETVPN-KEY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C30EE3
  27F24059 F08D903D 0BE7E5A5 BC1D5549 EC346B2E BDFF7B00 3C7C4DB9 46714282
  73CBC501 E42859C4 756805F3 A5EEE473 78E59148 5B417C76 B8002F61 258480A4
  4B66DDEA 9C9C65E5 7EEEB784 A724B548 F3A2F686 39E23662 19E10877 FF5B1E1A
  AC833FA1 E7650BBD 9645F101 23B0CDC0 7F2DBF77 6C8D300D 6D902323 03020301 0001
R1#

Now I export the certificate from KS1:

R1(config)#crypto key export rsa GETVPN-KEY pem
...

Continue reading →