Today I would like to configure VRF-aware GETVPN. I'm going to work on the same scenario as before, with some changes.
As you can see, there are two VRF networks, and I need to provide secure, separated protection for the business traffic of each one using the same GETVPN infrastructure (the same pair of key servers and the same group members).
Let's start with KS1:
1) phase 1 (ISAKMP policy and pre-shared key; a 0.0.0.0 wildcard with a trivial key like this is fine for a lab, but in production use per-peer keys or certificates)
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
!
2) phase 2 (the transform set; 3DES is used here for the lab, while a production deployment should use AES, e.g. esp-aes esp-sha-hmac)
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
3) IPsec profile - we can have two different IPsec profiles, one per VRF:
crypto ipsec profile IPSEC-PROFILE-GREEN
set transform-set TS
!
crypto ipsec profile IPSEC-PROFILE-RED
set transform-set TS
4) access list - for each VRF I define an ACL with the subnets to be encrypted; this ACL is the encryption policy that the KS pushes to every group member:
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
5) definition of the GDOI groups - for each VRF I define a separate group with a different identity number, a different IPsec profile and the ACL with that VRF's subnets for encryption. Both groups use the same local address (3.3.3.2) and the same cooperative peer (6.6.6.2, which is KS2):
crypto gdoi group GDOI-GROUP-RED
identity number 2
server local
rekey lifetime seconds 300
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEY
rekey transport unicast
sa ipsec 1
profile IPSEC-PROFILE-RED
match address ipv4 102
replay counter window-size 64
address ipv4 3.3.3.2
redundancy
local priority 10
peer address ipv4 6.6.6.2
!
crypto gdoi group GDOI-GROUP-GREEN
identity number 1
server local
rekey lifetime seconds 300
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEY
rekey transport unicast
sa ipsec 1
profile IPSEC-PROFILE-GREEN
match address ipv4 101
replay counter window-size 64
address ipv4 3.3.3.2
redundancy
local priority 10
peer address ipv4 6.6.6.2
!
6) interface (the KS1 address used by the group members for registration and by KS2 for cooperative key server traffic)
interface FastEthernet0/0
ip address 3.3.3.2 255.255.255.0
I apply the same configuration on KS2, excluding, of course, the interface settings: in the KS2 group definitions the local address is 6.6.6.2, the cooperative peer is 3.3.3.2 and the local priority is different (the show output further down confirms KS2 as primary with priority 20).
Now it's time to modify the group member configuration:
1) definition of the VRFs (MNG carries the registration traffic to the key servers; GREEN and RED carry the protected business traffic)
ip vrf GREEN
!
ip vrf MNG
!
ip vrf RED
2) keyring - very important: you can't use the standard crypto isakmp key command for a peer reached through an interface in a non-default VRF, because that key lives in the global table. The only way is to use a keyring, where you can specify the VRF in which the key server is reached:
crypto keyring KEYRING vrf MNG
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
3) isakmp policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
4) definition of the GDOI group for each VRF - the identity numbers and server addresses must match the KS configuration. Since in my case there is more than one outside interface, I need to specify the interface over which the group member registers with the KS (the one in the MNG VRF, where the keyring applies):
crypto gdoi group GDOI-GROUP-GREEN
identity number 1
server address ipv4 3.3.3.2
server address ipv4 6.6.6.2
client registration interface FastEthernet0/0.1
!
crypto gdoi group GDOI-GROUP-RED
identity number 2
server address ipv4 3.3.3.2
server address ipv4 6.6.6.2
client registration interface FastEthernet0/0.1
5) crypto map - one GDOI crypto map per group
crypto map MAPA-GREEN 10 gdoi
set group GDOI-GROUP-GREEN
!
crypto map MAPA-RED 10 gdoi
set group GDOI-GROUP-RED
6) interfaces - inside
interface Loopback0
ip vrf forwarding GREEN
ip address 10.33.33.33 255.255.255.0
!
interface Loopback1
ip vrf forwarding RED
ip address 20.33.33.33 255.255.255.0
7) interfaces - outside. The registration interface in MNG gets no crypto map; the GREEN and RED interfaces each get the crypto map of their own group, so each group's keys only ever protect traffic leaving the matching VRF:
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip vrf forwarding MNG
ip address 7.7.7.2 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding GREEN
ip address 17.17.17.2 255.255.255.0
crypto map MAPA-GREEN
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip vrf forwarding RED
ip address 27.27.27.2 255.255.255.0
crypto map MAPA-RED
8) routing
ip route vrf GREEN 0.0.0.0 0.0.0.0 17.17.17.1
ip route vrf MNG 0.0.0.0 0.0.0.0 7.7.7.1
ip route vrf RED 0.0.0.0 0.0.0.0 27.27.27.1
ASA configuration (the ASA sits between the spokes and the key servers and simply routes the three VLANs of every spoke):
1) interfaces
asa1# sh run int
!
interface GigabitEthernet0
nameif keys1
security-level 50
ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet1
nameif keys2
security-level 50
ip address 6.6.6.1 255.255.255.0
!
interface GigabitEthernet2
no nameif
no security-level
no ip address
!
interface GigabitEthernet2.1
vlan 10
nameif spoke1-mng
security-level 50
ip address 7.7.7.1 255.255.255.0
!
interface GigabitEthernet2.2
vlan 2
nameif spoke1-green
security-level 50
ip address 17.17.17.1 255.255.255.0
!
interface GigabitEthernet2.3
vlan 3
nameif spoke1-red
security-level 50
ip address 27.27.27.1 255.255.255.0
!
interface GigabitEthernet3
no nameif
no security-level
no ip address
!
interface GigabitEthernet3.1
vlan 11
nameif spoke2-mng
security-level 50
ip address 4.4.4.1 255.255.255.0
!
interface GigabitEthernet3.2
vlan 12
nameif spoke2-green
security-level 50
ip address 14.14.14.1 255.255.255.0
!
interface GigabitEthernet3.3
vlan 13
nameif spoke2-red
security-level 50
ip address 24.24.24.1 255.255.255.0
!
interface GigabitEthernet4.1
vlan 51
nameif spok3-mng
security-level 50
ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet4.2
vlan 52
nameif spoke3-green
security-level 50
ip address 15.15.15.1 255.255.255.0
!
interface GigabitEthernet4.3
vlan 53
nameif spoke3-red
security-level 50
ip address 25.25.25.1 255.255.255.0
asa1#
2) routing
asa1# sh run | i route
route spoke1-green 10.33.33.0 255.255.255.0 17.17.17.2 1
route spoke2-green 10.44.44.0 255.255.255.0 14.14.14.2 1
route spoke3-green 10.55.55.0 255.255.255.0 15.15.15.2 1
route spoke1-red 20.33.33.0 255.255.255.0 27.27.27.2 1
route spoke2-red 20.44.44.0 255.255.255.0 24.24.24.2 1
route spoke3-red 20.55.55.0 255.255.255.0 25.25.25.2 1
Let's now check what the GDOI status looks like on the KS and on a GM:
R2#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP-RED (Unicast)
Group Identity : 2
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 267 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE-RED
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 1617 secs
ACL Configured : access-list 102
Group Server list : Local
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN (Unicast)
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 3
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 6.6.6.2
Local Priority : 20
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 272 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC-PROFILE-GREEN
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 1622 secs
ACL Configured : access-list 101
Group Server list : Local
R2#
R2#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group GDOI-GROUP-RED : 83
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 6.6.6.2
Rekeys sent : 18
Rekeys retries : 6
Rekey Acks Rcvd : 16
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 3.3.3.2
Rekeys sent : 62
Rekeys retries : 14
Rekey Acks Rcvd : 58
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 5.5.5.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 3.3.3.2
Rekeys sent : 35
Rekeys retries : 7
Rekey Acks Rcvd : 36
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Number of rekeys sent for group GDOI-GROUP-GREEN : 85
Group Member ID : 5.5.5.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 6.6.6.2
Rekeys sent : 15
Rekeys retries : 2
Rekey Acks Rcvd : 13
Rekey Acks missed : 1
Sent seq num : 1 2 1 2
Rcvd seq num : 0 0 0 0
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 6.6.6.2
Rekeys sent : 16
Rekeys retries : 1
Rekey Acks Rcvd : 16
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 3.3.3.2
Rekeys sent : 53
Rekeys retries : 6
Rekey Acks Rcvd : 53
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
R2#
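Note the 5.5.5.2 member of GDOI-GROUP-GREEN in the output above: one rekey ACK missed and all-zero received sequence numbers, while every other member shows clean counters. To catch that kind of member automatically, here is an added Python check that is not part of the original post. It parses the `show crypto gdoi ks members` format shown above and lists the members that need attention; the sample text is constructed from R2's output on this page, trimmed to one healthy member and the problematic one.

```python
"""Flag group members with rekey trouble in `show crypto gdoi ks members` output.

Added example (not from the original post). It parses the key server output
format shown above and reports members whose rekey ACKs were missed or whose
received sequence numbers are all zero, which on this page is the 5.5.5.2
member of GDOI-GROUP-GREEN.
"""
import re

# Constructed sample, trimmed from R2's output on the page (one healthy GM, one not).
SAMPLE_KS_MEMBERS = """\
Group Member Information :
Number of rekeys sent for group GDOI-GROUP-RED : 83
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 2
Group Name : GDOI-GROUP-RED
Key Server ID : 6.6.6.2
Rekeys sent : 18
Rekeys retries : 6
Rekey Acks Rcvd : 16
Rekey Acks missed : 0
Sent seq num : 1 1 1 1
Rcvd seq num : 1 1 1 1
Number of rekeys sent for group GDOI-GROUP-GREEN : 85
Group Member ID : 5.5.5.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP-GREEN
Key Server ID : 6.6.6.2
Rekeys sent : 15
Rekeys retries : 2
Rekey Acks Rcvd : 13
Rekey Acks missed : 1
Sent seq num : 1 2 1 2
Rcvd seq num : 0 0 0 0
"""

# Each member block starts with this line; the two groups capture GM address and version.
MEMBER_RE = re.compile(r"^\s*Group Member ID\s*:\s*(\S+)\s+GM Version:\s*(\S+)", re.M)


def parse_ks_members(text):
    """Return one dict per 'Group Member ID' block, in output order."""
    parts = MEMBER_RE.split(text)  # [preamble, gm, version, body, gm, version, body, ...]
    members = []
    for i in range(1, len(parts), 3):
        gm, version, body = parts[i], parts[i + 1], parts[i + 2]
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            # "Number of rekeys sent for group ..." is a per-group header, not a GM field.
            if ":" in line and not line.startswith("Number of rekeys"):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        members.append({
            "gm": gm,
            "version": version,
            "group": fields.get("Group Name"),
            "ks": fields.get("Key Server ID"),
            "rekeys_sent": int(fields.get("Rekeys sent", 0)),
            "retries": int(fields.get("Rekeys retries", 0)),
            "acks_missed": int(fields.get("Rekey Acks missed", 0)),
            "rcvd_seq": [int(n) for n in fields.get("Rcvd seq num", "").split()],
        })
    return members


def rekey_problems(members):
    """Return (gm, group, reason) tuples for members that need attention."""
    problems = []
    for m in members:
        if m["acks_missed"] > 0:
            problems.append((m["gm"], m["group"], "%d rekey ACK(s) missed" % m["acks_missed"]))
        if m["rcvd_seq"] and all(n == 0 for n in m["rcvd_seq"]):
            problems.append((m["gm"], m["group"], "received rekey sequence numbers are all zero"))
    return problems


if __name__ == "__main__":
    for gm, group, reason in rekey_problems(parse_ks_members(SAMPLE_KS_MEMBERS)):
        print("%s in %s: %s" % (gm, group, reason))
```

Feed it the full output of both key servers (each KS only lists the members that registered with it) and run it after every rekey interval; a member that keeps showing up should be checked with `show crypto gdoi` on the GM itself.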
R3#sh crypto gdoi
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN
Group Identity : 1
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 18
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 7.7.7.2 vrf: MNG
Version : 1.0.4
Registration status : Registered
Registered with : 6.6.6.2
Re-registers in : 146 sec
Succeeded registration: 3
Attempted registration: 6
Last rekey from : 6.6.6.2
Last rekey seq num : 0
Unicast rekey received: 21
Rekey ACKs sent : 21
Rekey Rcvd(hh:mm:ss) : 00:00:11
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 18
After latest register : 18
Rekey Acks sents : 18
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 287
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.2:
IPsec SA:
spi: 0x42A2925(69871909)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (1563)
Anti-Replay : Disabled
GROUP INFORMATION
Group Name : GDOI-GROUP-RED
Group Identity : 2
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 18
IPSec SA Direction : Both
Group Server list : 3.3.3.2
6.6.6.2
Group member : 7.7.7.2 vrf: MNG
Version : 1.0.4
Registration status : Registered
Registered with : 6.6.6.2
Re-registers in : 162 sec
Succeeded registration: 2
Attempted registration: 8
Last rekey from : 6.6.6.2
Last rekey seq num : 0
Unicast rekey received: 20
Rekey ACKs sent : 20
Rekey Rcvd(hh:mm:ss) : 00:00:16
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 18
After latest register : 18
Rekey Acks sents : 18
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 282
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.3:
IPsec SA:
spi: 0xA1672E6B(2707893867)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (1557)
Anti-Replay : Disabled
R3#
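The things worth verifying in the GM output above are exactly the ones the group member configuration steps were meant to achieve: both groups registered through the MNG VRF, each group downloaded only its own VRF's prefix, and each TEK was installed on the interface of the matching VRF (FastEthernet0/0.2 for GREEN, FastEthernet0/0.3 for RED). Here is an added Python check, not part of the original post, that parses the `show crypto gdoi` format of a group member and compares it with that expected mapping; the EXPECTED table and the MNG registration VRF are taken from the configuration on this page, and the sample text is constructed from R3's output above.

```python
"""Check a VRF-aware GETVPN group member from its `show crypto gdoi` output.

Added example (not from the original post). It parses the GM output format
shown above and verifies, per group, that registration happened through the
management VRF, that the downloaded ACL covers only that group's prefix and
that the TEK landed on the interface of the matching VRF.
"""
import re

# Constructed sample, trimmed from R3's output on the page.
SAMPLE_GM_STATUS = """\
GROUP INFORMATION
Group Name : GDOI-GROUP-GREEN
Group member : 7.7.7.2 vrf: MNG
Registration status : Registered
Registered with : 6.6.6.2
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.2:
IPsec SA:
spi: 0x42A2925(69871909)
transform: esp-3des esp-sha-hmac
GROUP INFORMATION
Group Name : GDOI-GROUP-RED
Group member : 7.7.7.2 vrf: MNG
Registration status : Registered
Registered with : 6.6.6.2
ACL Downloaded From KS 6.6.6.2:
access-list permit ip 20.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.3:
IPsec SA:
spi: 0xA1672E6B(2707893867)
transform: esp-3des esp-sha-hmac
"""

# Expected per-group mapping, taken from the GM configuration on this page.
EXPECTED = {
    "GDOI-GROUP-GREEN": {"interface": "FastEthernet0/0.2", "prefix": "10.0.0.0 0.255.255.255"},
    "GDOI-GROUP-RED": {"interface": "FastEthernet0/0.3", "prefix": "20.0.0.0 0.255.255.255"},
}
REGISTRATION_VRF = "MNG"  # VRF holding the client registration interface

ACE_RE = re.compile(r"^\s*access-list permit ip (\S+ \S+) (\S+ \S+)\s*$", re.M)
IFACE_RE = re.compile(r"^\s*([A-Za-z][\w/.-]*\d):\s*$", re.M)  # e.g. "FastEthernet0/0.2:"
TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*$", re.M)


def parse_gm_status(text):
    """Return {group_name: {...}} for each GROUP INFORMATION block of a GM."""
    groups = {}
    for chunk in text.split("GROUP INFORMATION")[1:]:
        fields = {}
        for line in chunk.splitlines():
            line = line.strip()
            if ":" in line and not line.startswith(("access-list", "spi", "transform")):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        name = fields.get("Group Name", "?").split()[0]  # drops "(Unicast)" on KS output
        member = re.match(r"(\S+)\s+vrf:\s*(\S+)", fields.get("Group member", ""))
        groups[name] = {
            "registered": fields.get("Registration status") == "Registered",
            "ks": fields.get("Registered with"),
            "vrf": member.group(2) if member else None,
            "aces": ACE_RE.findall(chunk),          # list of (src, dst) wildcard pairs
            "interfaces": IFACE_RE.findall(chunk),  # interfaces the TEK was installed on
            "transforms": TRANSFORM_RE.findall(chunk),
        }
    return groups


def check_gm(groups, expected=EXPECTED, reg_vrf=REGISTRATION_VRF):
    """Return human-readable findings; an empty list means the GM matches the policy."""
    findings = []
    for name, want in expected.items():
        g = groups.get(name)
        if g is None:
            findings.append("%s: group missing from GM output" % name)
            continue
        if not g["registered"]:
            findings.append("%s: not registered with any KS" % name)
        if g["vrf"] != reg_vrf:
            findings.append("%s: registered via VRF %s, expected %s" % (name, g["vrf"], reg_vrf))
        if g["interfaces"] != [want["interface"]]:
            findings.append("%s: TEK on %s, expected %s" % (name, g["interfaces"], want["interface"]))
        if (want["prefix"], want["prefix"]) not in g["aces"]:
            findings.append("%s: downloaded ACL does not cover %s" % (name, want["prefix"]))
        # An ACE naming another VRF's prefix would let this group's keys protect, and its
        # members decrypt, traffic that belongs to the other VRF, so flag it explicitly.
        others = {w["prefix"] for n, w in expected.items() if n != name}
        for src, dst in g["aces"]:
            if src in others or dst in others:
                findings.append("%s: ACE %s -> %s belongs to another VRF" % (name, src, dst))
        for t in g["transforms"]:
            if "3des" in t:
                findings.append("%s: TEK uses %s (3DES is deprecated; prefer AES)" % (name, t))
    return findings
```

On the sample the only findings are the two 3DES warnings, which is what the lab transform set above produces; a wrong crypto map binding or an ACL on the KS that mixes the 10/8 and 20/8 ranges shows up as a TEK-interface or cross-VRF finding before any business traffic is affected.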
Note: the key server itself is not VRF aware. It simply holds one group per VRF in the global table (separate identity number, IPsec profile and ACL), and the separation is enforced on the group member: it registers to both groups through the MNG VRF ("Group member : 7.7.7.2 vrf: MNG" above) and applies each group's crypto map only to the interface of the matching VRF, which is why the TEK POLICY lines show FastEthernet0/0.2 for GREEN and FastEthernet0/0.3 for RED.
You can find more information here:
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07-624088.html