Friday, December 19, 2014

GET VPN - part five (Group Member Authorization List)

In this short post I would like to show one interesting feature that allows us to control which GM can register in a particular KS. I will use the same scenario I used in my previous posts.






There two methods how we can control it:
a) ACL
b) PKI

Let’s try with the first one:

I would like to limit the number of GMs to just only one 4.4.4.2. I need to add firs a standard access list:
 
access-list 50 permit 4.4.4.2

and then add the ACL to the gdoi group configuration (authorization address ipv4):
 
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2

When I check the member list I see only one: (you need first issue two commands: clear crypto isakmp, clear crypto gdoi):
 
R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

You can find following message:
 
R2#
*Dec 15 18:54:48.835: %GDOI-1-UNAUTHORIZED_IPADDR: Group GDOI-GROUP received registration from unauthorized ip address: 7.7.7.2
R2#

Next method, PKI, is described by Cisco here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-D334DB6B-C3EC-4792-AA0F-B13C25006B5B

and I try to implement it now.
On all clients (R3,R4 and R5) I need to add:
 
 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=HR

assume that only OU=HR should be able to register at the KS, so on the R5 I change it to:
 
 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=IT

On all clients I need to change isakmp identity:
 
 crypto isakmp identity dn

On servers I have to add a new crypto identity:
 
crypto identity PKI
 dn OU=HR

so, only clients with organization unit equals ‘HR’ should register. Now I need to add this authorization identity to the crypto gdoi group:
 
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
 authorization identity PKI

On the KS1 I see following message:
 
R1#
*Dec 15 21:04:20.243: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GDOI-GROUP received registration from unauthorized identity:       Dist. name parsing failed. Peer Address: 5.5.5.2
R1#

It means the authorization works fine. Let’s check member list:
 
R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

Group Member ID    : 7.7.7.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

There are only two members, the one excluded has not registered.

No comments:

Post a Comment