Tuesday, December 16, 2014

GET VPN - part two

This is the second post about GET VPN. Today I will add second KS (R2) to increase their availability.

getvpn-1.jpg

I need to check first if the certificate on the 1st KS can be exported:

R1#sh crypto key mypubkey rsa GETVPN-KEY
% Key pair was generated at: 14:53:12 UTC Dec 14 2014
Key name: GETVPN-KEY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C30EE3
  27F24059 F08D903D 0BE7E5A5 BC1D5549 EC346B2E BDFF7B00 3C7C4DB9 46714282
  73CBC501 E42859C4 756805F3 A5EEE473 78E59148 5B417C76 B8002F61 258480A4
  4B66DDEA 9C9C65E5 7EEEB784 A724B548 F3A2F686 39E23662 19E10877 FF5B1E1A
  AC833FA1 E7650BBD 9645F101 23B0CDC0 7F2DBF77 6C8D300D 6D902323 03020301 0001
R1#

Now I export the certificate from the KS1:

R1(config)#crypto key export rsa GETVPN-KEY pem terminal 3des cisco123
% Key name: GETVPN-KEY
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDDuMn8kBZ8I2QPQvn5aW8HVVJ
7DRrLr3/ewA8fE25RnFCgnPLxQHkKFnEdWgF86Xu5HN45ZFIW0F8drgAL2ElhICk
S2bd6pycZeV+7reEpyS1SPOi9oY54jZiGeEId/9bHhqsgz+h52ULvZZF8QEjsM3A
fy2/d2yNMA1tkCMjAwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF

jyBGdawqpDG648jbK16/NURNlEfWG1N7NRZ+XL9eCDkAu1azoY4oow/aA4wGZtLz
LBrsPSSTmGFhVQ1ENiAaYS/7WbOlTg3FWwuPfQUCZtWfAIrZ51ablVl5wbsykI4A
jY20ns++V4IgK9GZyYiPLc5EoXwvza4Bsa12xJbMzwYe6DKtKj5zUoyiJGxsri0N
JHrTErYbgC/qVbryd7VPa56NJwlFqwsCkplB9G0uGaNp0+CEUVMrr0LAdhD9TW2Z
alZEdJ8XJs1zXDnKaQqFZYSyN9toHHXqefXiX+OC1Rci/EUlZuId7c6T0G5S7/VD
9biJOgB85z4YFmpwhcxaypfQDKBsd/IN4QVpuFcSXchDEuhchE2+TvfAAl0a/9C8
DYLTdXlAGu5QaoR3YXgSjTk+lVzzyORea7jZCrCS+RPjChwN5YiIXIMNENLq1fHn
QMGpRKrKcOyZuRBhp2xX2GU9bOu4t3v1YpTthVYg+AHu2shrYxkpRNgEqqYn80mX
Se4LkEjk+aFbNjfSy77Um/wGF279HRlbHcuSknCY19nRrCIY9KSlsrd04QL8Bvbf
O/1vifHg8rdYR5/BxEl8AWPUCVWcuBJHYQN0zNNSZGeOJMz01ktG0SBhBk+7GTAF
avsBx37aJ6qJbN7C6ukNZ8Nfmq9BDxCI0JkqEZuLfLcN8QnIVoypYlnbQGl++mGQ
gp//G9+YWUv/i8pZLaFxhM3hkdzY1/4Vdx5Fvyy9vQFBF8SfSGOj+GzhTrJUcxAH
qYI5NpVbCQeZPQptHyqWxHVN/P79vyxmb9NESgkBfWTnpBvrPRaWpQ==
-----END RSA PRIVATE KEY-----

R1(config)#

and then I import it on the KS2:

R2(config)#crypto key import rsa GETVPN-KEY pem terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDDuMn8kBZ8I2QPQvn5aW8HVVJ
7DRrLr3/ewA8fE25RnFCgnPLxQHkKFnEdWgF86Xu5HN45ZFIW0F8drgAL2ElhICk
S2bd6pycZeV+7reEpyS1SPOi9oY54jZiGeEId/9bHhqsgz+h52ULvZZF8QEjsM3A
fy2/d2yNMA1tkCMjAwIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF

jyBGdawqpDG648jbK16/NURNlEfWG1N7NRZ+XL9eCDkAu1azoY4oow/aA4wGZtLz
LBrsPSSTmGFhVQ1ENiAaYS/7WbOlTg3FWwuPfQUCZtWfAIrZ51ablVl5wbsykI4A
jY20ns++V4IgK9GZyYiPLc5EoXwvza4Bsa12xJbMzwYe6DKtKj5zUoyiJGxsri0N
JHrTErYbgC/qVbryd7VPa56NJwlFqwsCkplB9G0uGaNp0+CEUVMrr0LAdhD9TW2Z
alZEdJ8XJs1zXDnKaQqFZYSyN9toHHXqefXiX+OC1Rci/EUlZuId7c6T0G5S7/VD
9biJOgB85z4YFmpwhcxaypfQDKBsd/IN4QVpuFcSXchDEuhchE2+TvfAAl0a/9C8
DYLTdXlAGu5QaoR3YXgSjTk+lVzzyORea7jZCrCS+RPjChwN5YiIXIMNENLq1fHn
QMGpRKrKcOyZuRBhp2xX2GU9bOu4t3v1YpTthVYg+AHu2shrYxkpRNgEqqYn80mX
Se4LkEjk+aFbNjfSy77Um/wGF279HRlbHcuSknCY19nRrCIY9KSlsrd04QL8Bvbf
O/1vifHg8rdYR5/BxEl8AWPUCVWcuBJHYQN0zNNSZGeOJMz01ktG0SBhBk+7GTAF
avsBx37aJ6qJbN7C6ukNZ8Nfmq9BDxCI0JkqEZuLfLcN8QnIVoypYlnbQGl++mGQ
gp//G9+YWUv/i8pZLaFxhM3hkdzY1/4Vdx5Fvyy9vQFBF8SfSGOj+GzhTrJUcxAH
qYI5NpVbCQeZPQptHyqWxHVN/P79vyxmb9NESgkBfWTnpBvrPRaWpQ==
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

R2(config)#

Now I add following configuration to the KS1:

!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2
!

and now time to add the config on the KS2:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
!
!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 6.6.6.2
  redundancy
   local priority 20
   peer address ipv4 3.3.3.2
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Let’s check how looks like the communication between them:

R1(config)#
*Dec 14 21:45:09.422: %GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 6.6.6.2 in group GDOROUP.
R1(config)#

*Dec 14 21:45:09.351: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GDOI-GROUP (Previous Primary = NONE)
R2(gdoi-coop-ks-config)#
*Dec 14 21:45:19.523: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 3.3.3.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = NONE)

As you see the new KS has been elected as secondary KS:

R1#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 3.3.3.2
        Local Priority       : 10
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 76290 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3137 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R1#

R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Secondary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 76277 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3124 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R2#

R3#sh crypto gdoi | i with
       Registered with       : 3.3.3.2
R3#

Now on all GMs I need to add the secondary KS:

crypto gdoi group GDOI-GROUP
 identity number 1
 server address ipv4 3.3.3.2
 server address ipv4 6.6.6.2

Now it’s time to test if the secondary KS is configured properly. I will shut down fa0/0 on the KS1:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#sh
R1(config-if)#

On the GM we can see:

R3#
*Dec 14 21:57:18.650: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
R3#
R3#sh crypto gdoi | i with
R3#

There is a problem, let’s check the ASA:

%ASA-4-106023: Deny udp src spoke1:7.7.7.2/848 dst keys2:6.6.6.2/848 by access-group "SPOKE1" [0x0, 0x0]

Ok, I need to add the secondary KS IP to the ACL:

access-list SPOKE2 extended permit udp host 4.4.4.2 host 6.6.6.2 eq 848
access-list SPOKE1 extended permit udp host 7.7.7.2 host 6.6.6.2 eq 848
access-list SPOKE3 extended permit udp host 5.5.5.2 host 6.6.6.2 eq 848

Now I will reset gdoi:

R3#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes
R3#
*Dec 14 22:02:19.618: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 14 22:02:19.630: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP using address 7.7.7.2
R3#
*Dec 14 22:02:59.646: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.158: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GDOI-GROUP transitioned to Unicast Rekey.
*Dec 14 22:03:00.162: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 14 22:03:00.162: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 14 22:03:00.294: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.2 complete for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.302: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 6.6.6.2 for group GDOI-GROUP & gm identity  7.7.7.2
R3#
R3#sh crypto gdoi | i with
       Registered with       : 6.6.6.2
R3#

You can see below the KS2 is now primary one:
 
R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 75421 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 2268 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R2#

As you see I registered and installed policies from the KS2. Let’s test if I can ping between LANs:

R3#ping 10.44.44.44 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 10.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/120 ms
R3#

I can ping LAN2 from LAN1:

R4#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 3
    IPSec SA Direction       : Both

     Group Server list       : 3.3.3.2
                               6.6.6.2

    Group member             : 4.4.4.2          vrf: None
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 3.3.3.2
       Re-registers in       : 1994 sec
       Succeeded registration: 1
       Attempted registration: 5
       Last rekey from       : 3.3.3.2
       Last rekey seq num    : 5
       Unicast rekey received: 3
       Rekey ACKs sent       : 3
       Rekey Rcvd(hh:mm:ss)  : 00:24:41
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 3
       After latest register : 3
       Rekey Acks sents      : 3

 ACL Downloaded From KS 3.3.3.2:
   access-list   permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 75272
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x13B8FB0C(330889996)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2118)
        Anti-Replay : Disabled


R4#

As you see above the R4 is still registered in KS1, the re-key time is 1994 sec.

Let’s enable the interface on the KS1:

R1#
*Dec 14 22:10:26.598: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 6.6.6.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = 3.3.3.2)
*Dec 14 22:10:26.994: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI-GROUP from address 3.3.3.2 with seq # 16
R1#

The KS1 automatically has been elected as primary one and next re-keying will be performed with KS1.

No comments:

Post a Comment