Monday, December 22, 2014

GET VPN - part eight (fail-close)




I would like to analyze one scenario where a GM sends data before or during registration process. When the GM is registered the traffic is encrypted like we can see here:

Ping from R3 to R5 (GET VPN active, GM registered)
 
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/104/128 ms
R3#

  
 


Now I disable KS1 and KS2 and clear keys on GM1:

R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
.....
Success rate is 0 percent (0/5)
R3#
 













As you see I didn’t receive any response but traffic was sent as a clear text. In my case it was just ping but you can imagine an application that tries to send some data that can be easily eavesdropped.
There is one feature – fail-close - which can block the traffic until a GM will be able to get all keys and start sending traffic over an encrypted tunnel (ESP). There are two methods how to implement it:

a) ACL on interface – you can add permit/deny entries for traffic that should be allowed or not

b) Crypto map – you can set it to work in fail-close mode

I configure the case ‘b’ as the first one is clear.

Assume we have to allow on icmp traffic before the member is registered with a key server but telnet traffic should be dropped:

1) Test if telnet and ping are allowed before I start:
 
R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ...
% Connection timed out; remote host not responding

R3#

And I see the traffic as a clear text:
 



2) Add the access list and enable the feature:
 
access-list 110 deny   icmp any any

crypto map MAPA-GREEN gdoi fail-close
 match address 110
 activate

3) Do the final tests

R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
.....
Success rate is 0 percent (0/5)
R3#





R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ...
% Connection timed out; remote host not responding

R3#
 
 
 
 
 
 
As you see above ping is sent as a clear text, telnet is dropped. ‘Deny’ statement means – do not dropped even GM is not registered yet.
Let’s do last test to check if you can ping and telnet once the GM is registered with the KS:

R3#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP-GREEN
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       : 3.3.3.2
                               6.6.6.2

    Group member             : 7.7.7.2          vrf: MNG
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 3.3.3.2
       Re-registers in       : 148 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
 
 
 
R3#ping vrf GREEN 10.55.55.55 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 100.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/106/116 ms
R3#
 
 
 
 
 
 
And now telnet:

R3#telnet 10.55.55.55 /vrf GREEN /source-interface loo0
Trying 10.55.55.55 ... Open


Password required, but none set

[Connection to 10.55.55.55 closed by foreign host]
R3#
 
 



Once the GM is registered we can ping and telnet and the traffic is encrypted.












No comments:

Post a Comment