Skip to main content

DMVPN & GET VPN

Today I would like to test an integration of DMVPN and GET VPN technologies. DMVPN can be used over the public network like Internet and GET VPN only over private like MPLS (because of IP preservation).
As you remember from my previous posts about DMVPN the best option is the phase 3. With thousands of spokes your hub has to keep the same number of SAs (security association).
As you remember, for the phase 3, the first packet was sent to the hub and then was redirected (NHRP) to the destination. Next packets were sent directly to the spoke:

R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.1 40 msec 56 msec 76 msec
  2 10.10.10.3 104 msec 88 msec 140 msec
R2# 



R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.3 104 msec 104 msec 72 msec
R2#

Let’s test how it works with GET VPN:

1) First I added a new spoke 3 which will be a Key Server for GET VPN.
dmvpn-getvpn-1.jpg
2) Next I have to remove a tunnel protection on the hub and all spokes:

interface Tunnel0
no  tunnel protection ipsec profile IPSEC-PRF

Once we remove the protection, I see on my firewall the new GRE connections (not ESP as before):
 
GRE spoke3 8.8.8.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke2 7.7.7.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke1 6.6.6.1:0 hub 5.5.5.1:0, idle 0:00:04, bytes 1088, flags E
GRE spoke2 7.7.7.1:0 hub 5.5.5.1:0, idle 0:00:00, bytes 1156, flags E
GRE spoke1 6.6.6.1:0 hub 5.5.5.1:0, idle 0:00:00, bytes 1156, flags E

I need to change the ACL for the new spoke:
 
asa1(config)# %ASA-4-106023: Deny protocol 47 src spoke3:8.8.8.1 dst hub:5.5.5.1 by access-group "SPOKE3" [0x0, 0x0]
access-list SPOKE3 ext permit gre host 8.8.8.1 host 5.5.5.1

3) Once I have unprotected GRE tunnels between all routers, I can start implementing GET VPN

a) key server:
 
crypto key generate rsa general-keys modulus 1024 label GETVPN-KEY

access-list 100 deny udp any eq 848 any eq 848
access-list 100 permit gre any any


!
crypto gdoi group GETVPN-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PRF
   match address ipv4 100
   replay counter window-size 64
  address ipv4 8.8.8.1
!

b) group members:
 
crypto gdoi group GETVPN-GROUP
 identity number 1
 server address ipv4 8.8.8.1
!
crypto map MAPA 1 gdoi
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 crypto map MAPA
!

On the ASA I can see:
 
%ASA-4-106023: Deny udp src spoke3:8.8.8.1/848 dst hub:5.5.5.1/848 by access-group "SPOKE3" [0x0, 0x0]
%ASA-4-106023: Deny udp src spoke2:7.7.7.1/848 dst spoke3:8.8.8.1/848 by access-group "SPOKE2" [0x0, 0x0]
%ASA-4-106023: Deny udp src spoke1:6.6.6.1/848 dst spoke3:8.8.8.1/848 by access-group "SPOKE1" [0x0, 0x0]

Let’s fix it:
 
access-list SPOKE1 ext permit udp host 6.6.6.1 host 8.8.8.1 eq 848
access-list SPOKE2 ext permit udp host 7.7.7.1 host 8.8.8.1 eq 848
access-list SPOKE3 ext permit udp host 8.8.8.1 host 5.5.5.1 eq 848

Ok, let’s check how to works:

DMVPN:

a) hub
 
R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         6.6.6.1      10.10.10.2    UP 01:08:22 D
     2         7.7.7.1      10.10.10.3    UP 01:08:22 D
     1         8.8.8.1      10.10.10.4    UP 01:08:12 D

R1#

b) spoke - R2
 
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         5.5.5.1      10.10.10.1    UP 01:14:39 S
     1         7.7.7.1      10.10.10.3    UP 01:01:10 D

R2#sh ip nh
R2#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 01:15:00, never expire
  Type: static, Flags: nat used
  NBMA address: 5.5.5.1
100.33.33.0/24 via 10.10.10.3, Tunnel0 created 01:01:17, expire 00:58:42
  Type: dynamic, Flags: router nat
  NBMA address: 7.7.7.1
R2#

On the Key Server (R4) I see 3 registered GMs:
 
R4#sh crypto gdoi
Group Information

    Group Name               : GETVPN-GROUP
    Group Identity           : 1
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 84047 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : IPSEC-PRF
      Replay method          : Count Based
      Replay Window Size     : 64
      ACL Configured         : access-list 100

    Group Server list        : Local


R4#

As the GET VPN is tunnel less on R2 we can see:
 
R2#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAPA, local addr 6.6.6.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 6.6.6.1, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x714D2F06(1900883718)

     inbound esp sas:
      spi: 0x714D2F06(1900883718)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 53, flow_id: SW:53, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4458211/1083)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x714D2F06(1900883718)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 54, flow_id: SW:54, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4458211/1080)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#

I check now how the traffic from Lan2 is sent to Lan3:
 
R2#traceroute 100.33.33.33 source 100.22.22.22

Type escape sequence to abort.
Tracing the route to 100.33.33.33

  1 10.10.10.3 104 msec 80 msec 72 msec
R2#

As you see the first attempt is sent using spoke-to-spoke connection.
Let’s check if we can intercept traffic (inside IPs) as with the native GET VPN:

dmvpn-getvpn-2.jpg

so, I can assume it works as expected. We can’t see inside IP addresses. We don’t have many SAs as with native DMVPN and traffic between spokes is sent directly, even the first packet.

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...