Minimalistic GET VPN Example

12:24:00 PM    No comments

Some time ago I mentioned that it is possible to configure a functional GET VPN scenario using just two routers. Normally, GET VPN requires a dedicated Key Server, which does not participate is user traffic encryption and only distributes keying information and encryption policies. All other routers – group members – register to the Key Server. A router could not register to itself when configured as a key server and group member simultaneously. However, there is a Key Server redundancy feature known as KOOP Key Servers that allows for two servers to synchronize the keying information and the group member to register to the redundant key servers.
Relying upon this feature, we may take two routers and configure them both in a KOOP key server pair. At the same time, every router is configured as a Group Member registering to another router. Since the keying information is being kept in sync, both routers will be able to properly exchange encrypted GET VPN traffic. Now, for the practical implementation we chose two directly connected routers: R4 and R5. GET VPN is supposed to encrypt traffic sent off respective VLAN4 and VLAN5 interfaces of these routers destined to the multicast groups in range 232.0.0.0/8. The IP addresses for VLAN4 and VLAN5 subnets are 173.X.4.0/24 and 173.X.5.0/24. Here is how we configure R4 for Key Server functionality. Notice the redundancy configuration using R5 as the peer.

KS-R4:
crypto isakmp keepalive 10 periodic
!
crypto isakmp policy 50
  encr 3des
  hash md5
  group 2
  authentication pre-share 

crypto isakmp key CISCO address 150.1.5.5

crypto ipsec transform-set GETVPN_TS esp-3des esp-md5-hmac 

crypto ipsec profile GETVPN_PROFILE
  set transform-set GETVPN_TS
!
crypto key generate rsa general-keys label GETVPN_KEYS modulus 1024 exportable
!
no access-list 100
access-list 100 permit ip 173.1.4.0 0.0.0.255 232.0.0.0 0.255.255.255
access-list 100 permit ip 173.1.5.0 0.0.0.255 232.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN_GROUP
  identity number 1234
  server local
  rekey authentication mypubkey rsa GETVPN_KEYS
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 100
   replay time window-size 5
  address ipv4 150.1.4.4
   redundancy
    local priority 100
    peer address ipv4 150.1.5.5
Now an important thing. GET VPN uses RSA signatures to authenticate GET VPN keying information. Because of that, both R4 and R5 should use the same private/public keys for signing. To accomplish this, export the keys from the first KS and import them in the second. For example, considering R4 was configured as the first KS, you may use the commands below to export/import RSA keys using IOS CLI (don’t forget the blank line between the public and private keys when importing).
Export Keys at R4:
crypto key export rsa GETVPN_KEYS pem terminal 3des CISCO1234 

Import Keys at R5:
crypto key import rsa GETVPN_KEYS pem exportable terminal CISCO1234
After you have imported the RSA keys in R5, configure R5 for the Key server functionality. Notice that the imported key pair is used for GET VPN keying information signing. 
KS-R5:
crypto isakmp keepalive 10 periodic
!
crypto isakmp policy 10
  encr 3des
  hash md5
  group 2
  authentication pre-share 

crypto isakmp key CISCO address 150.1.4.4

crypto ipsec transform-set GETVPN_TS esp-3des esp-md5-hmac 

crypto ipsec profile GETVPN_PROFILE
  set transform-set GETVPN_TS
!
access-list 100 permit ip 173.1.4.0 0.0.0.255 232.0.0.0 0.255.255.255
access-list 100 permit ip 173.1.5.0 0.0.0.255 232.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN_GROUP
  identity number 1234
  server local
  rekey authentication mypubkey rsa GETVPN_KEYS
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 100
   replay time window-size 5
  address ipv4 150.1.5.5
    redundancy
    local priority 50
    peer address ipv4 150.1.4.4
This completes the KOOP Key Server configuration part. The next part, which is relatively simple, is configuring both routers as group members. As a group member, R4 should register to R5 and vice versa. Notice that there could be a separate ISAKMP policy used for GM/KS communications, but we just re-use the same settings.
GM-R4:
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto gdoi group GETVPN_GROUP_GM
 identity number 1234
  server address ipv4 150.1.5.5

crypto map GETVPN_MAP local-address Loopback0
crypto map GETVPN_MAP 10 gdoi
  set group GETVPN_GROUP_GM
!
interface Serial0/1/0
  crypto map GETVPN_MAP 

GM-R5:
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto gdoi group GETVPN_GROUP_GM
 identity number 1234
  server address ipv4 150.1.4.4

crypto map GETVPN_MAP local-address Loopback0
crypto map GETVPN_MAP 10 gdoi
  set group GETVPN_GROUP_GM
!
interface Serial0/1/0
  crypto map GETVPN_MAP
Both GM crypto-maps use Loopback0 as the source interface, but this only affects the ISAMP phase, as GET VPN by design simply copies the original header. The last two steps complete the two-node GET VPN configuration. Now for verification. – start by checking for KOOP KS:
Rack1R4#show crypto gdoi ks 
Total group members registered to this box: 1

Key Server Information For Group GETVPN_GROUP:
    Group Name               : GETVPN_GROUP
    Group Identity           : 1234
    Group Members            : 1
    IPSec SA Direction       : Both
    ACL Configured:
        access-list 100
    Redundancy               : Configured
        Local Address        : 150.1.4.4
        Local Priority       : 100
        Local KS Status      : Alive
        Local KS Role        : Primary

Rack1R5#show crypto gdoi ks 
Total group members registered to this box: 2

Key Server Information For Group GETVPN_GROUP:
    Group Name               : GETVPN_GROUP
    Group Identity           : 1234
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
        access-list 100
    Redundancy               : Configured
        Local Address        : 150.1.5.5
        Local Priority       : 50
        Local KS Status      : Alive
        Local KS Role        : Secondary
Check the data-plane status (IPSec SAs):
Rack1R4#show crypto gdoi ipsec sa 

SA created for group GETVPN_GROUP:

SA created for group GETVPN_GROUP_GM:
  Serial0/1/0:
    protocol = ip
      local ident  = 173.1.4.0/24, port = 0
      remote ident = 232.0.0.0/8, port = 0
      direction: Both, replay(method/window): Time/5 sec
    protocol = ip
      local ident  = 173.1.5.0/24, port = 0
      remote ident = 232.0.0.0/8, port = 0
      direction: Both, replay(method/window): Time/5 sec

Rack1R5#show crypto gdoi ipsec sa 

SA created for group GETVPN_GROUP:

SA created for group GETVPN_GROUP_GM:
  Serial0/1/0:
    protocol = ip
      local ident  = 173.1.4.0/24, port = 0
      remote ident = 232.0.0.0/8, port = 0
      direction: Both, replay(method/window): Time/5 sec
    protocol = ip
      local ident  = 173.1.5.0/24, port = 0
      remote ident = 232.0.0.0/8, port = 0
      direction: Both, replay(method/window): Time/5 sec
Now initiate some multicast traffic and ensure it is getting encrypted: The test below assumes R4 has joined the respective multicast group:
Rack1R5#ping 232.1.1.1 source fastEthernet 0/1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 232.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 173.1.5.5 

Reply to request 0 from 173.1.45.4, 40 ms
Reply to request 1 from 173.1.45.4, 36 ms

Rack1R4#show crypto ipsec sa

interface: Serial0/1/0


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (173.1.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (232.0.0.0/255.0.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 107, #pkts decrypt: 107, #pkts verify: 107
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 150.1.4.4, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xF66A6278(4134167160)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF66A6278(4134167160)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: FPGA:11, sibling_flags 80000040, crypto map: GETVPN_MAP
        sa timing: remaining key lifetime (sec): (2387)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF66A6278(4134167160)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: FPGA:12, sibling_flags 80000040, crypto map: GETVPN_MAP
        sa timing: remaining key lifetime (sec): (2387)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
This final test ensures that our two-node configuration is working. Finally, this type of configuration is just a curious example, which probably has little application in real life, where you probably want a dedicated GET VPN Server. However, from the CCIE Security Lab standpoint it is important to understand the interaction between GET VPN components and know the little tricks that could be used.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

About US

Network Bulls is Best Institute for Cisco CCNA, CCNA Security, CCNA Voice, CCNP, CCNP Security, CCNP Voice, CCIP, CCIE RS, CCIE Security Version 4 and CCIE Voice Certification courses in India. Network Bulls is a complete Cisco Certification Training and Course Coaching Institute in Gurgaon/Delhi NCR region in India. Network Bulls has Biggest Cisco Training labs in India. Network Bulls offers all Cisco courses on Real Cisco Devices. Network Bulls has Biggest Team of CCIE Trainers in North India, with more than 90% of passing rate in First Attempt for CCIE Security Version 4 candidates.
  • Biggest Cisco Training Labs in India
  • More than 90% Passing Rate in First Attempt
  • CCIE Certified Trainers for All courses
  • 24x7 Lab Facility
  • 100% Job Guaranteed Courses
  • Awarded as Best Network Security Institute in 2011 by Times
  • Only Institute in India, to provide CCIE Security Version 4.0 Training
  • CCIE Security Version 4 Training available
  • Latest equipments available for CCIE Security Version 4

Network Bulls Institute Gurgaon

Network Bulls Institute in Gurgaon is one of the best Cisco Certifications Training Centers in India. Network Bulls has Biggest Networking Training and Networking courses labs in North India. Network Bulls is offering Cisco Training courses on real Cisco Routers and Switches. Labs of Network Bulls Institute are 24x7 Available. There are many coaching Centers in Delhi, Gurgaon, Chandigarh, Jaipur, Surat, Mumbai, Bangalore, Hyderabad and Chennai, who are offering Cisco courses, but very few institutes out of that big list are offering Cisco Networking Training on real Cisco devices, with Live Projects. Network Bulls is not just an institute. Network Bulls is a Networking and Network Security Training and consultancy company, which is offering Cisco certifications Training as well support too. NB is awarded in January 2012, by Times, as Best Network Security and Cisco Training Institute for the year 2011. Network Bulls is also offering Summer Training in Gurgaon and Delhi. Network Bulls has collaboration with IT companies, from which Network Bulls is offering Networking courses in Summer Training and Industrial Training of Btech BE BCA MCA students on real Live projects. Job Oriented Training and Industrial Training on Live projects is also offered by network bulls in Gurgaon and Delhi NCR region. Network Bulls is also providing Cisco Networking Trainings to Corporates of Delhi, Gurgaon, bangalore, Jaipur, Nigeria, Chandigarh, Mohali, Haryana, Punjab, Bhiwani, Ambala, Chennai, Hyderabad.
Cisco Certification Exams are also conducted by Network Bulls in its Gurgaon Branch.
Network Bulls don't provide any Cisco CCNA, CCNP simulations for practice. They Provide High End Trainings on Real topologies for high tech troubleshooting on real Networks. There is a list of Top and best Training Institutes in India, which are providing CCNA and CCNP courses, but NB has a different image from market. Many students has given me their feedbacks and reviews about Network bulls Institute, but there were no complaints about any fraud from this institute. Network Bulls is such a wonderful place to get trained from Industry expert Trainers, under guidance of CCIE Certified Engineers.

About Blog

This Blog Contains Links shared by sites: Cisco Guides, Dumps collection, Exam collection, Career Cert, Ketam Mehta, GodsComp.co.cc.

NB

NB
Cisco Networking Certifications Training

Cisco Training in Delhi

ccna training in gurgaon. ccnp course institute in gurgaon, ccie coaching and bootcamp training near gurgaon and delhi. best institute of ccna course in delhi gurgaon india. network bulls provides ccna,ccnp,ccsp,ccie course training in gurgaon, new delhi and india. ccsp training new delhi, ccie security bootcamp in delhi.

Testimonials : Network Bulls

My Name is Rohit Sharma and i Have done CCNA and CCNP Training in Gurgaon Center of Network Bulls and it was a great experience for me to study in Network Bulls.

Cisco Networking Certifications

Myself Komal Verma and i took CCSP Training from Network Bulls in Gurgaon. The day i joined Network Bulls, the day i get addicted with Networking Technologies and I thank Mr. Vikas Sheokand for this wonderful session of Networking. :)
I must say that Network Bulls is Best Institute of CCNA CCNP CCSP CCIE Course Training in Gurgaon, New Delhi and in India too.
Komal Verma

About a wonderfull CCIE Training Institute in Gurgaon

I am Kiran shah from New Delhi. I have recently completed my CCNA CCNP & CCIE Training in Gurgaon from Network Bulls and i recommend Network Bulls for Cisco Training in India.

Kiran Shah

Cisco Coaching and Learning Center

Disclaimer: This site does not store any files on its server. I only index and link to content provided by other sites. If you see any file on server that is against copy right you can inform me at (sidd12341 [at] gmail.com). I will delete that materials within two days. This Website is not official Website of any Institute like INE, Network Bulls, IP Expert. Thanks

CCIE Security Version 4

Cisco Finally updated CCIE Security Lab exam blueprint. WSA Ironport and ISE devices are added in CCIE Security Version 4 Lab Exam Syllabus Blueprint. In Updated CCIE Security Version 4 Syllabus blueprint, new technologies like Mobile Security, VoIP Security and IPV6 Security along with Network Security, are added. As in CCIE Security Version 3 blueprint, Cisco had focused on Network Security only, but now as per market demand, Cisco is looking forward to produce Internet gear Security Engineer, not only Network Security engineers.
In CCIE Security Version 4 Bluerpint, Lab Exam is going to be more interested than before. What is Difference in CCIE Security Version 3 and Version 4? Just go through the CCIE Security Version 4 Lab Equipment and Lab Exam Syllabus Blueprints and find out!