GET-VPN with Redundant Keyservers
From IPFlow Netflow Collector
This is a simple example of GET-VPN configuration with redundant keyservers on Cisco routers (using Dynamips and GNS3).
Author: Christophe Fillot - 24-Nov-2007
Introduction
We enhance the previous GET-VPN example by adding a secondary keyserver.
Topology
IOS configurations
- keyserv (http://www.ipflow.utc.fr/configs/GETVPN_RedundantKS/keyserv.cfg)
- keyserv2 (http://www.ipflow.utc.fr/configs/GETVPN_RedundantKS/keyserv2.cfg)
- R0 (http://www.ipflow.utc.fr/configs/GETVPN_RedundantKS/R0.cfg)
- R1 (http://www.ipflow.utc.fr/configs/GETVPN_RedundantKS/R1.cfg)
- R2 (http://www.ipflow.utc.fr/configs/GETVPN_RedundantKS/R2.cfg)
Transferring the RSA key to the secondary keyserver
First, we have to copy the RSA key pair used to sign rekey messages (rsa_key) to the secondary keyserver: group members authenticate rekeys against this public key, so both keyservers must hold the same pair. The private key is exported as a PEM file encrypted with 3DES under the passphrase cisco123 and then served over TFTP. This is fine for a lab, but on a real network the private key should travel over a trusted channel and the tftp-server lines should be removed as soon as the import has succeeded.
On the primary keyserver:
keyserv(config)#crypto key export rsa rsa_key pem url bootflash:rsa_key.pem 3des cisco123
% Key name: rsa_key
Usage: General Purpose Key
Exporting public key...
Destination filename [rsa_key.pem.pub]?
Writing file to bootflash:rsa_key.pem.pub
Verifying checksum...
Exporting private key...
Destination filename [rsa_key.pem.prv]?
Writing file to bootflash:rsa_key.pem.prv
Verifying checksum...
keyserv(config)#tftp-server bootflash:rsa_key.pem.pub
keyserv(config)#tftp-server bootflash:rsa_key.pem.prv
keyserv#dir bootflash:
Directory of bootflash:/
1 -rw- 451 Nov 24 2007 17:37:49 +00:00 rsa_key.pem.pub
2 -rw- 1743 Nov 24 2007 17:37:49 +00:00 rsa_key.pem.prv
7602176 bytes total (7599724 bytes free)
On the secondary keyserver:
keyserv2(config)#crypto key import rsa rsa_key general-purpose url tftp://10.0.0.254/rsa_key.pem cisco123
% Importing public General Purpose key or certificate PEM file...
Address or name of remote host [10.0.0.254]?
Source filename [rsa_key.pem.pub]?
Reading file from tftp://10.0.0.254/rsa_key.pem.pub
Loading rsa_key.pem.pub from 10.0.0.254 (via FastEthernet0/0): !
[OK - 451 bytes]
% Importing private General Purpose key PEM file...
Address or name of remote host [10.0.0.254]?
Source filename [rsa_key.pem.prv]?
Reading file from tftp://10.0.0.254/rsa_key.pem.prv
Loading rsa_key.pem.prv from 10.0.0.254 (via FastEthernet0/0): !
[OK - 1743 bytes]
% Key pair import succeeded.
Configuring the Keyservers
On the "keyserv" router, we add:
crypto gdoi group GDOI-GROUP1
 server local
  redundancy
   local priority 200
   peer address ipv4 10.0.0.253
!
On "keyserv2", we take the original configuration of the "keyserv" router and add:
crypto gdoi group GDOI-GROUP1
 server local
  redundancy
   local priority 100
   peer address ipv4 10.0.0.254
!
Final configuration (here, on "keyserv"):
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SECRET address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set GDOI-TSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 1800
 set transform-set GDOI-TSET
!
crypto gdoi group GDOI-GROUP1
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsa_key
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 101
   no replay
  address ipv4 10.0.0.254
  redundancy
   local priority 200
   peer address ipv4 10.0.0.253
!
access-list 101 deny udp any any eq 848
access-list 101 deny udp any eq 848 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
!
Two points worth noting in this configuration. The first two entries of access-list 101 exclude the GDOI control traffic itself (UDP 848) from the encryption policy, so that registration and rekey messages are never caught by the group SA. The "no replay" line disables anti-replay on the group SA (the show output below reports "Replay method : Disabled"); that is acceptable in this lab, but in production you would keep time-based anti-replay enabled.
Configuring the Group members
On each group member we only have to add the pre-shared key for the new keyserver and its server address:
crypto isakmp key SECRET address 10.0.0.253
!
crypto gdoi group group1
 server address ipv4 10.0.0.253
!
The GDOI group is now configured as:
crypto gdoi group group1
 identity number 1
 server address ipv4 10.0.0.254
 server address ipv4 10.0.0.253
!
Useful commands
On the "keyserv" router, we see that this router is the primary keyserver:
keyserv#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP1 (Unicast)
Group Identity : 1
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Redundancy : Configured
Local Address : 10.0.0.254
Local Priority : 200
Local KS Status : Alive
Local KS Role : Primary ! <==== Primary KS
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 70341 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 1800 secs
Profile Name : GDOI-PROFILE
Replay method : Disabled
SA Rekey
Remaining Lifetime : 907 secs
ACL Configured : access-list 101
Group Server list : Local
On the secondary keyserver, we have:
keyserv2#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP1 (Unicast)
Group Identity : 1
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Redundancy : Configured
Local Address : 10.0.0.253
Local Priority : 100
Local KS Status : Alive
Local KS Role : Secondary ! <==== Secondary KS
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 70246 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 1800 secs
Profile Name : GDOI-PROFILE
Replay method : Disabled
SA Rekey
Remaining Lifetime : 813 secs
ACL Configured : access-list 101
Group Server list : Local
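As an added example (not part of the original page), here is a small Python script that parses the two "show crypto gdoi" outputs above and cross-checks the cooperative keyserver state the way you would in a post-change check: both keyservers serve the same group, exactly one of them is Primary, both are Alive with redundancy configured, their priorities are distinct, the member counts agree, and anti-replay being disabled is reported as a finding (as it is in this lab). The sample outputs are trimmed copies of the keyserv and keyserv2 captures above, constructed here as test input; the field labels are the IOS ones they show.

```python
"""Cross-check GET-VPN cooperative keyserver state from 'show crypto gdoi' output.

Added example: the two sample outputs below are trimmed copies of the
keyserv/keyserv2 captures on this page, constructed here as test input.
"""
import re
from collections import Counter

# Constructed sample: primary keyserver, trimmed to the fields parsed below.
KS1_SHOW = """\
Group Name               : GDOI-GROUP1 (Unicast)
Group Identity           : 1
Group Members            : 3
Redundancy               : Configured
Local Address            : 10.0.0.254
Local Priority           : 200
Local KS Status          : Alive
Local KS Role            : Primary ! <==== Primary KS
Replay method            : Disabled
"""

# Constructed sample: secondary keyserver.
KS2_SHOW = """\
Group Name               : GDOI-GROUP1 (Unicast)
Group Identity           : 1
Group Members            : 3
Redundancy               : Configured
Local Address            : 10.0.0.253
Local Priority           : 100
Local KS Status          : Alive
Local KS Role            : Secondary ! <==== Secondary KS
Replay method            : Disabled
"""

# Labels exactly as IOS prints them in 'show crypto gdoi'.
FIELDS = {
    "group_name": r"Group Name\s*:\s*(\S+)",
    "group_id": r"Group Identity\s*:\s*(\d+)",
    "members": r"Group Members\s*:\s*(\d+)",
    "redundancy": r"Redundancy\s*:\s*(\w+)",
    "local_addr": r"Local Address\s*:\s*(\S+)",
    "priority": r"Local Priority\s*:\s*(\d+)",
    "status": r"Local KS Status\s*:\s*(\w+)",
    "role": r"Local KS Role\s*:\s*(\w+)",
    "replay": r"Replay method\s*:\s*(\w+)",
}


def parse_show_gdoi(text):
    """Extract the redundancy-relevant fields; raise if any is missing."""
    out = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {key!r} not found in show output")
        out[key] = match.group(1)
    for key in ("group_id", "members", "priority"):
        out[key] = int(out[key])
    return out


def check_redundancy(outputs):
    """Return a list of findings for a set of keyserver outputs (empty = healthy)."""
    parsed = [parse_show_gdoi(text) for text in outputs]
    findings = []
    # Every keyserver must serve the same group, or members get inconsistent policy.
    if len({(p["group_name"], p["group_id"]) for p in parsed}) != 1:
        findings.append("keyservers disagree on group name/identity")
    # The COOP election must converge on exactly one Primary: two means a
    # split brain, zero means the election has not completed.
    roles = Counter(p["role"] for p in parsed)
    if roles["Primary"] != 1:
        findings.append(f"expected exactly one Primary KS, found {roles['Primary']}")
    # Distinct priorities keep the election predictable.
    priorities = [p["priority"] for p in parsed]
    if len(set(priorities)) != len(priorities):
        findings.append("duplicate local priorities")
    # Once synchronised, both keyservers should report the same member count.
    if len({p["members"] for p in parsed}) != 1:
        findings.append("member counts differ between keyservers")
    for p in parsed:
        if p["redundancy"] != "Configured":
            findings.append(f"{p['local_addr']}: redundancy not configured")
        if p["status"] != "Alive":
            findings.append(f"{p['local_addr']}: KS status is {p['status']}")
        if p["replay"] == "Disabled":
            findings.append(f"{p['local_addr']}: anti-replay disabled on the group SA")
    return findings


if __name__ == "__main__":
    for line in check_redundancy([KS1_SHOW, KS2_SHOW]) or ["no findings"]:
        print(line)
```

Run against the two captures above, the only findings are the two anti-replay warnings, which is the expected result for this lab. Feeding the script a secondary that also claims the Primary role (the split-brain case you would see if the two keyservers lost contact) produces the "expected exactly one Primary KS" finding.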