GET-VPN Introduction
From IPFlow Netflow Collector
GET-VPN Example
This is a simple example of GET-VPN configuration on Cisco routers (using Dynamips and GNS3). It is based on this excellent presentation (http://dfw.cisco-users.org/downloads.htm) (look for "GET VPN").
Author: Christophe Fillot - 24-Nov-2007
Introduction
From Cisco website (http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008078e4f9.html):
"GET VPN is a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN combines the keying protocol Group Domain of Interpretation (GDOI) with IPsec encryption to provide users with an efficient method to secure IP multicast traffic or unicast traffic. GET VPN enables the router to apply encryption to nontunneled (that is, "native") IP multicast and unicast packets and eliminates the requirement to configure tunnels to protect multicast and unicast traffic."
As the example shows, GET-VPN needs no per-peer tunnels: each group member registers with a single key server, downloads one shared policy and key set, and encrypts its traffic natively, so the configuration stays small and scales with the number of members rather than with the number of peer pairs.
Topology
IOS configurations
- keyserv (http://www.ipflow.utc.fr/configs/GETVPN/keyserv.cfg)
- R0 (http://www.ipflow.utc.fr/configs/GETVPN/R0.cfg)
- R1 (http://www.ipflow.utc.fr/configs/GETVPN/R1.cfg)
- R2 (http://www.ipflow.utc.fr/configs/GETVPN/R2.cfg)
Keyserver configuration
Generation of the RSA key pair the key server uses to sign rekey messages (label "rsa_key"); group members obtain the matching public key at registration and verify every rekey with it:
keyserv(config)#crypto key generate rsa exportable label rsa_key mod 2048
The name for the keys will be: rsa_key
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...[OK]
keyserv(config)#
Here is the relevant configuration:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SECRET address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set GDOI-TSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 1800
 set transform-set GDOI-TSET
!
crypto gdoi group GDOI-GROUP1
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsa_key
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 101
   no replay
  address ipv4 10.0.0.254
!
access-list 101 deny udp any any eq 848
access-list 101 deny udp any eq 848 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
!
The access-list 101 is the group policy: it is pushed to every group member at registration (the R2 output below lists it as "ACL Downloaded From KS") and tells the members which traffic to encrypt. Entries are evaluated in order and the first match wins:
- A deny entry excludes traffic from encryption, so it is sent and accepted in the clear. The GDOI protocol itself (848/udp) must be excluded this way, otherwise members could never register or receive rekeys.
- A permit entry selects the traffic to encrypt: here all unicast traffic within 10.0.0.0/8 and all multicast sent from 10.0.0.0/8 to 224.0.0.0/4.
- Traffic matched by no entry falls through the implicit deny at the end of the list and is also forwarded in the clear, so a gap in the permit entries silently leaks traffic instead of blocking it.
Two settings of this lab configuration deserve a comment before reuse. "no replay" under "sa ipsec 1" disables anti-replay for the group SA (the members report "Anti-Replay : Disabled"); because the SA and its keys are shared by every member, GET-VPN cannot use the per-peer sequence-number window of point-to-point IPsec and instead offers time-based anti-replay ("replay time window-size"), which needs synchronized clocks on all members. No "rekey algorithm" is configured under "server local", so the rekey (KEK) policy uses the default 3DES, as the group member output below shows; "rekey algorithm aes 256" selects AES. Finally, all members share one wildcard pre-shared key (SECRET for 10.0.0.0/8), which is fine for a lab; in production, per-member certificates are the usual choice.
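How a group member interprets this list can be checked offline with the following classifier. It is an example added to this page, not code from the original page or from Cisco IOS: it applies the first-match, deny-means-cleartext, implicit-deny semantics described above to a few constructed flows. ACL_101 is a copy of the key server's list; the function names, the flows and the small subset of ACL syntax supported are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of access-list 101 from the key server configuration on this page.
ACL_101 = """\
access-list 101 deny udp any any eq 848
access-list 101 deny udp any eq 848 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
"""

# IP protocol numbers for the keywords this parser understands ('ip' matches everything).
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Ace:
    action: str              # "permit" = encrypt, "deny" = leave in the clear
    proto: Optional[int]     # None = any IP protocol
    src_net: int
    src_wild: int
    src_port: Optional[int]
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' qualifier starting at tokens[i]."""
    if i + 1 < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, in order."""
    aces: List[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"unsupported entry: {line}")
        src_net, src_wild, i = _parse_addr(t, 4)
        src_port, i = _parse_port(t, i)
        dst_net, dst_wild, i = _parse_addr(t, i)
        dst_port, i = _parse_port(t, i)
        aces.append(Ace(action, PROTOCOLS[proto], src_net, src_wild, src_port,
                        dst_net, dst_wild, dst_port))
    return aces


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF        # wildcard bits set to 1 are "don't care"
    return (addr & care) == (net & care)


def classify(aces: List[Ace], src: str, dst: str, proto: int,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching entry wins: 'permit' means encrypt, 'deny' (or no match) means clear."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a.proto is not None and a.proto != proto:
            continue
        if not _addr_matches(s, a.src_net, a.src_wild) or not _addr_matches(d, a.dst_net, a.dst_wild):
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return "encrypt" if a.action == "permit" else "clear"
    return "clear"    # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for flow in [("10.0.0.3", "10.0.0.254", 17, 848, 848),     # GDOI registration / rekey
                 ("10.0.0.1", "10.0.0.2", 6, 40000, 22),       # unicast inside the group
                 ("10.0.0.1", "239.1.1.1", 17, 5000, 5000),    # multicast from the group
                 ("10.0.0.1", "192.168.1.1", 6, 40000, 80)]:   # leaves 10/8: not covered
        print(flow, "->", classify(acl, *flow))
```

The last flow is the one to watch: a destination outside 10.0.0.0/8 matches nothing and is forwarded unencrypted, which is the behaviour a reviewer should confirm is intended whenever the permit entries are narrowed.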
Group member configuration
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SECRET address 10.0.0.254
crypto isakmp keepalive 10
!
!
crypto gdoi group group1
 identity number 1
 server address ipv4 10.0.0.254
!
!
crypto map map-group1 local-address FastEthernet0/0
crypto map map-group1 10 gdoi
 set group group1
!
interface FastEthernet0/0
 [...]
 crypto map map-group1
!
Output of some commands
On key-server:
keyserv#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP1 (Unicast)
Group Identity : 1
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85759 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 1800 secs
Profile Name : GDOI-PROFILE
Replay method : Disabled
SA Rekey
Remaining Lifetime : 1160 secs
ACL Configured : access-list 101
Group Server list : Local
keyserv#sh crypto gdoi ks
Total group members registered to this box: 3
Key Server Information For Group GDOI-GROUP1:
Group Name : GDOI-GROUP1
Group Identity : 1
Group Members : 3
IPSec SA Direction : Both
ACL Configured:
access-list 101
keyserv#sh crypto gdoi ks members
Group Member Information :

Number of rekeys sent for group GDOI-GROUP1 : 1

Group Member ID : 10.0.0.1
Group ID : 1
Group Name : GDOI-GROUP1
Key Server ID : 10.0.0.254
Rekeys sent : 1
Rekey Acks Rcvd : 1
Rekey Acks missed : 0
Sent seq num : 1 0 0 0
Rcvd seq num : 1 0 0 0

Group Member ID : 10.0.0.2
Group ID : 1
Group Name : GDOI-GROUP1
Key Server ID : 10.0.0.254
Rekeys sent : 1
Rekey Acks Rcvd : 1
Rekey Acks missed : 0
Sent seq num : 1 0 0 0
Rcvd seq num : 1 0 0 0

Group Member ID : 10.0.0.3
Group ID : 1
Group Name : GDOI-GROUP1
Key Server ID : 10.0.0.254
Rekeys sent : 1
Rekey Acks Rcvd : 1
Rekey Acks missed : 0
Sent seq num : 1 0 0 0
Rcvd seq num : 1 0 0 0
On group-member R2:
R2#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-NO-IKE
Peer: port 848
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 224.0.0.0/240.0.0.0
Active SAs: 2, origin: crypto map
Interface: FastEthernet0/0
Session status: DOWN
Peer: port 500
IPSEC FLOW: deny 17 0.0.0.0/0.0.0.0 port 848 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: deny 17 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 port 848
Active SAs: 0, origin: crypto map
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 10.0.0.254 port 848
IKE SA: local 10.0.0.3/848 remote 10.0.0.254/848 Active
IKE SA: local 10.0.0.3/848 remote 10.0.0.254/848 Active
R2#sh crypto gdoi group group1
Group Name : group1
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 10.0.0.254
Group Server list : 10.0.0.254
GM Reregisters in : 1653 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 10.0.0.254:
access-list deny udp any any port = 848
access-list deny udp any port = 848 any
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 2048
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x45D21DA1(1171398049)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (k/sec): (4397340/1707)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x45D21DA1(1171398049)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (k/sec): (4397340/1707)
Anti-Replay : Disabled
IPsec SA:
sa direction:inbound
spi: 0x45D21DA1(1171398049)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (k/sec): (4461162/1707)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x45D21DA1(1171398049)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (k/sec): (4461164/1707)
Anti-Replay : Disabled
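The KEK and TEK policy above is what a member actually runs with, so it is the right place to audit: the rekey cipher is the default 3DES, and every TEK SA has anti-replay disabled. The following script is an example added here, not part of the original page or of any Cisco tool; it parses a constructed excerpt of the R2 output (same values as above) and reports each weak setting. The thresholds, the finding text and the function names are the example's own assumptions.

```python
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the R2 "sh crypto gdoi group group1" output above
# (same values, trimmed to the KEK and TEK policy sections).
SAMPLE_GM_OUTPUT = """\
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2048
TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x45D21DA1(1171398049)
        transform: esp-256-aes esp-sha-hmac
        sa timing:remaining key lifetime (k/sec): (4397340/1707)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0x45D21DA1(1171398049)
        transform: esp-256-aes esp-sha-hmac
        sa timing:remaining key lifetime (k/sec): (4397340/1707)
        Anti-Replay : Disabled
"""

LEGACY_CIPHERS = {"DES", "3DES"}   # assumption: what this audit treats as too weak
MIN_SIG_KEY_BITS = 2048            # assumption: minimum size for the rekey signing key


def parse_gm_output(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return the KEK policy as a dict and each TEK 'IPsec SA:' stanza as its own dict."""
    kek: Dict[str, str] = {}
    teks: List[Dict[str, str]] = []
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("KEK POLICY"):
            section = "kek"
            continue
        if line.startswith("TEK POLICY"):
            section = "tek"
            continue
        if section == "kek" and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            kek[key] = value
        elif section == "tek":
            if line.startswith("IPsec SA"):
                current = {}
                teks.append(current)
            elif current is not None and ":" in line:
                # "sa direction:inbound" and "spi: 0x..." both split on the first colon
                key, value = (s.strip() for s in line.split(":", 1))
                current[key] = value
    return kek, teks


def audit_gm_policy(text: str) -> List[str]:
    """One finding per weak setting in the policy a member downloaded from the key server."""
    kek, teks = parse_gm_output(text)
    findings: List[str] = []
    cipher = kek.get("Encrypt Algorithm", "").upper()
    if cipher in LEGACY_CIPHERS:
        findings.append(f"KEK rekey cipher is {cipher}: configure 'rekey algorithm aes 256' under 'server local'")
    if int(kek.get("Sig Key Length (bits)", "0")) < MIN_SIG_KEY_BITS:
        findings.append("rekey signing key is shorter than 2048 bits")
    for sa in teks:
        direction = sa.get("sa direction", "?")
        transform = sa.get("transform", "")
        if "hmac" not in transform:
            findings.append(f"{direction} TEK has no ESP integrity algorithm ({transform})")
        if "des" in transform:                       # catches esp-des and esp-3des
            findings.append(f"{direction} TEK uses a legacy cipher ({transform})")
        if sa.get("Anti-Replay", "").lower() == "disabled":
            findings.append(f"{direction} TEK has anti-replay disabled: consider 'replay time window-size' under 'sa ipsec'")
    return findings


if __name__ == "__main__":
    for finding in audit_gm_policy(SAMPLE_GM_OUTPUT):
        print("-", finding)
```

Note that the identical SPI on the inbound and outbound SAs is not flagged: with a group SA every member shares one key and one SPI in both directions, which is exactly why the per-peer replay window is unavailable and the time-based variant exists.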
Wireshark capture
The following capture, taken on R2 Fa0/0, shows that both unicast and multicast traffic is carried as ESP rather than in the clear: