GET VPN - part two

This is the second post about GET VPN. Today I will add a second KS (R2) to increase the availability of the key servers.

getvpn-1.jpg

First I need to check whether the RSA key on the first KS can be exported:

R1#sh crypto key mypubkey rsa GETVPN-KEY
% Key pair was generated at: 14:53:12 UTC Dec 14 2014
Key name: GETVPN-KEY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
R1#

Now I export the RSA key pair from KS1:

R1(config)#crypto key export rsa GETVPN-KEY pem terminal 3des cisco123
% Key name: GETVPN-KEY
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF

-----END RSA PRIVATE KEY-----

R1(config)#

and then I import it on the KS2:

R2(config)#crypto key import rsa GETVPN-KEY pem terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79F5B3A7B79265CF

-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

R2(config)#

Now I add the following configuration to KS1:

!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2
!

and now it is time to add the config on KS2:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
!
!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 6.6.6.2
  redundancy
   local priority 20
   peer address ipv4 3.3.3.2
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Let’s check what the communication between them looks like:

R1(config)#
*Dec 14 21:45:09.422: %GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 6.6.6.2 in group GDOI-GROUP.
R1(config)#

*Dec 14 21:45:09.351: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GDOI-GROUP (Previous Primary = NONE)
R2(gdoi-coop-ks-config)#
*Dec 14 21:45:19.523: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 3.3.3.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = NONE)

As you can see, the new KS has been elected as the secondary KS:

R1#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 3.3.3.2
        Local Priority       : 10
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 76290 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3137 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R1#

R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Secondary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 76277 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3124 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R2#

R3#sh crypto gdoi | i with
       Registered with       : 3.3.3.2
R3#
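A consistency check over the two "sh crypto gdoi" outputs above, as an added example that is not part of the original post: it confirms that exactly one KS reports the Primary role and that the policy-related fields match on both key servers. The field list, the function names and the sample() helper are assumptions of this example; the sample text is abridged from the R1 and R2 output on this page.

```python
import re

# Settings that cooperating key servers of one group are expected to share.
POLICY_FIELDS = (
    "Group Identity", "Group Rekey Lifetime", "Rekey Retransmit Period",
    "Rekey Retransmit Attempts", "IPSec SA Rekey Lifetime", "Profile Name",
    "Replay method", "Replay Window Size", "ACL Configured",
)

# Abridged from the R1/R2 output on this page; only the checked fields are kept.
TEMPLATE = """\
    Group Identity           : 1
        Local Address        : {addr}
        Local KS Role        : {role}
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : {window}
      ACL Configured         : access-list 101
"""

def sample(addr, role, window=64):
    """Build one KS's abridged output (hypothetical helper for this example)."""
    return TEMPLATE.format(addr=addr, role=role, window=window)

def parse_show_gdoi(text):
    """Turn 'Name : value' lines into a dict; the first occurrence of a name wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def coop_findings(outputs):
    """outputs maps a KS name to its 'show crypto gdoi' text; returns problems found."""
    ks = {name: parse_show_gdoi(text) for name, text in outputs.items()}
    primaries = sorted(n for n, f in ks.items() if f.get("Local KS Role") == "Primary")
    findings = []
    if len(primaries) != 1:
        findings.append(f"expected exactly one Primary, found {primaries}")
    for field in POLICY_FIELDS:
        values = {n: f.get(field) for n, f in ks.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{field} differs: {values}")
    return findings
```

For the state shown above (R1 Primary, R2 Secondary, identical policy fields) coop_findings returns an empty list.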

Now on all GMs I need to add the secondary KS:

crypto gdoi group GDOI-GROUP
 identity number 1
 server address ipv4 3.3.3.2
 server address ipv4 6.6.6.2

Now it’s time to test if the secondary KS is configured properly. I will shut down fa0/0 on the KS1:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#sh
R1(config-if)#

On the GM we can see:

R3#
*Dec 14 21:57:18.650: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
R3#
R3#sh crypto gdoi | i with
R3#

There is a problem: R3 shows no registration. Let’s check the ASA:

%ASA-4-106023: Deny udp src spoke1:7.7.7.2/848 dst keys2:6.6.6.2/848 by access-group "SPOKE1" [0x0, 0x0]

OK, I need to add the secondary KS IP to the ACLs, so that every GM can reach it on UDP 848:

access-list SPOKE2 extended permit udp host 4.4.4.2 host 6.6.6.2 eq 848
access-list SPOKE1 extended permit udp host 7.7.7.2 host 6.6.6.2 eq 848
access-list SPOKE3 extended permit udp host 5.5.5.2 host 6.6.6.2 eq 848
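The ACL gap behind the deny above can be found before a failover with a small check, shown here as an added example that is not part of the original post. The GM addresses, ACL names and KS addresses come from the page; the pre-fix ACL entries for KS1 are constructed, since the page does not show them, and the function names are assumptions of this example.

```python
import re
from itertools import product

GDOI_PORT = "848"  # GDOI registration and rekey use UDP/848
# Only the host-to-host ACE form used on this page is parsed.
ACE = re.compile(r"access-list (\S+) extended permit udp host (\S+) host (\S+) eq (\S+)")

def gdoi_permits(acl_text):
    """Return {(acl, gm_ip, ks_ip)} for every UDP/848 host-to-host permit."""
    permits = set()
    for line in acl_text.splitlines():
        m = ACE.fullmatch(line.strip())
        if m and m.group(4) == GDOI_PORT:
            permits.add(m.groups()[:3])
    return permits

def missing_gdoi_aces(acl_text, gm_acl, key_servers):
    """gm_acl maps a GM address to the ACL filtering it; returns the ACE lines to add."""
    have = gdoi_permits(acl_text)
    return [
        f"access-list {acl} extended permit udp host {gm} host {ks} eq {GDOI_PORT}"
        for (gm, acl), ks in product(sorted(gm_acl.items()), key_servers)
        if (acl, gm, ks) not in have
    ]

# GM addresses, ACL names and KS addresses as they appear on the page.
GM_ACL = {"7.7.7.2": "SPOKE1", "4.4.4.2": "SPOKE2", "5.5.5.2": "SPOKE3"}
KEY_SERVERS = ["3.3.3.2", "6.6.6.2"]

# Constructed: the ACL before the fix is not shown on the page; KS1-only entries are assumed.
ACL_BEFORE = """\
access-list SPOKE1 extended permit udp host 7.7.7.2 host 3.3.3.2 eq 848
access-list SPOKE2 extended permit udp host 4.4.4.2 host 3.3.3.2 eq 848
access-list SPOKE3 extended permit udp host 5.5.5.2 host 3.3.3.2 eq 848
"""
# The three lines the page adds for the secondary KS.
ACL_FIX = """\
access-list SPOKE2 extended permit udp host 4.4.4.2 host 6.6.6.2 eq 848
access-list SPOKE1 extended permit udp host 7.7.7.2 host 6.6.6.2 eq 848
access-list SPOKE3 extended permit udp host 5.5.5.2 host 6.6.6.2 eq 848
"""

if __name__ == "__main__":
    for ace in missing_gdoi_aces(ACL_BEFORE, GM_ACL, KEY_SERVERS):
        print("missing:", ace)
    print("after fix:", missing_gdoi_aces(ACL_BEFORE + ACL_FIX, GM_ACL, KEY_SERVERS))
```

Run against the pre-fix ACL, the check reports exactly the three entries added above; with those entries in place it reports nothing.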

Now I will reset GDOI on the GM:

R3#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes
R3#
*Dec 14 22:02:19.618: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 14 22:02:19.630: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP using address 7.7.7.2
R3#
*Dec 14 22:02:59.646: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.2 for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.158: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GDOI-GROUP transitioned to Unicast Rekey.
*Dec 14 22:03:00.162: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 14 22:03:00.162: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 14 22:03:00.294: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.2 complete for group GDOI-GROUP using address 7.7.7.2
*Dec 14 22:03:00.302: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 6.6.6.2 for group GDOI-GROUP & gm identity  7.7.7.2
R3#
R3#sh crypto gdoi | i with
       Registered with       : 6.6.6.2
R3#

You can see below that KS2 is now the primary one:
 
R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP (Unicast)
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 3
    IPSec SA Direction       : Both
    Redundancy               : Configured
        Local Address        : 6.6.6.2
        Local Priority       : 20
        Local KS Status      : Alive
        Local KS Role        : Primary
        Local KS Version     : 1.0.4
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 75421 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 2268 secs
      ACL Configured         : access-list 101

     Group Server list       : Local



R2#

As you can see, I registered with KS2 and installed policies from it. Let’s test if I can ping between LANs:

R3#ping 10.44.44.44 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 10.33.33.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/120 ms
R3#

I can ping LAN2 from LAN1:

R4#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-GROUP
    Group Identity           : 1
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 3
    IPSec SA Direction       : Both

     Group Server list       : 3.3.3.2
                               6.6.6.2

    Group member             : 4.4.4.2          vrf: None
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 3.3.3.2
       Re-registers in       : 1994 sec
       Succeeded registration: 1
       Attempted registration: 5
       Last rekey from       : 3.3.3.2
       Last rekey seq num    : 5
       Unicast rekey received: 3
       Rekey ACKs sent       : 3
       Rekey Rcvd(hh:mm:ss)  : 00:24:41
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 3
       After latest register : 3
       Rekey Acks sents      : 3

 ACL Downloaded From KS 3.3.3.2:
   access-list   permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 75272
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x13B8FB0C(330889996)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2118)
        Anti-Replay : Disabled


R4#

As you can see above, R4 is still registered with KS1; the re-key time is 1994 sec.

Let’s enable the interface on the KS1:

R1#
*Dec 14 22:10:26.598: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 6.6.6.2 in group GDOI-GROUP transitioned to Primary (Previous Primary = 3.3.3.2)
*Dec 14 22:10:26.994: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI-GROUP from address 3.3.3.2 with seq # 16
R1#

KS1 has automatically been elected as the primary one, and the next re-keying will be performed with KS1.
