Saturday 13 April 2013

Site to Site IOS IPsec Tunnel - Get VPN

Cisco IOS GETVPN is a tunnel-less VPN technology that provides end-to-end security for network traffic while keeping a fully meshed topology.
It relies on the core network's ability to route and replicate packets between the sites of the enterprise. Cisco IOS GETVPN preserves the original source and destination IP addresses in the header of the encrypted packet, so routing stays optimal.

This model fits private WANs built over MPLS cores (VPN in VPN) well, but it may not work over the Internet if the customer is using private addressing, because there is no overlay encapsulation.

A GETVPN deployment has three main components: the Key Server (KS), the Group Member (GM) and the Group Domain of Interpretation (GDOI) protocol.
GMs encrypt and decrypt the traffic; the KS distributes the encryption key to all group members.
Since all GMs use the same key, any GM can decrypt traffic encrypted by any other GM. The GDOI protocol runs between GM and KS for group key and group SA management. At least one KS is required for a GETVPN deployment.
  • GM
The group member registers with the key server to get the IPSec SA that is necessary to encrypt data traffic within the group. The group member provides the group ID to the key server to get the policy and keys for that group. These keys are refreshed periodically by the KS, before the current IPSec SAs expire, so that no traffic is lost.
  • KS
The key server is responsible for maintaining security policies, authenticating the GMs and providing the session key for encrypting traffic. The KS authenticates each GM at the time of registration. Only after successful registration can a GM participate in the group SA.

A group member can register at any time and receive the most current policy and keys. When a GM registers with the key server, the key server verifies the group id number of the GM. If this id number is valid and the GM has provided valid Internet Key Exchange (IKE) credentials, the key server sends the SA policy and the keys to the group member.

There are two types of keys that the GM will receive from the KS: the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK). The TEK becomes part of the IPSec SA with which the group members within the same group encrypt the data. KEK is used to secure rekey messages between the key server and the group members.

The Key Server sends out rekey messages either because of an impending IPSec SA expiration or because the security policy has changed on the key server. Keys can be distributed during rekey using either multicast or unicast transport. The multicast method is more scalable because keys need not be transmitted to each group member individually. Unlike unicast, the multicast rekey method gives the KS no acknowledgement from the GMs that the rekey was received. In the unicast rekey method, the KS deletes a GM from its database if three consecutive rekeys are not acknowledged by that GM.
  • GDOI
The GDOI protocol is used for group key and group SA management. GDOI uses the Internet Security Association and Key Management Protocol (ISAKMP) to authenticate the GMs and KSs. All the standard ISAKMP authentication schemes, such as RSA signatures (certificates) and pre-shared keys, can be used for GETVPN.
All the necessary crypto policies are configured only on the KS. This includes the crypto access list, the crypto policies, the lifetimes and so on.


Scenario:

  • KS config
    • ISAKMP
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 172.20.1.0 255.255.255.0
    • IPsec
crypto ipsec transform-set GETVPN esp-3des esp-md5-hmac
crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN 

    • RSA keys to sign the rekey messages
crypto key generate rsa general-keys label GETVPN_KEYS modulus 1024 exportable
    • GDOI
crypto gdoi group GETVPN_GROUP_1
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN_KEYS
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 GETVPN_TRAFFIC
   replay time window-size 3
  address ipv4 4.4.4.4
    • ACL
ip access-list extended GETVPN_TRAFFIC
 deny   ip host 1.1.1.1 host 2.2.2.2
 deny   ip host 2.2.2.2 host 1.1.1.1
 permit ip any any
Only traffic that matches a "permit" line is encrypted; traffic that matches a "deny" line (or no line at all) is forwarded in clear text.
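To check which flows the group members will actually encrypt under the KS policy above, here is an added Python evaluator (not part of the original post or Cisco's code) that parses the GETVPN_TRAFFIC entries in both the KS configuration form and the "access-list ..." form printed by `show crypto gdoi gm acl`, and applies them first-match with the implicit deny at the end; the ACL text is a constructed copy of the one shown above.

```python
"""Evaluate a GETVPN key-server crypto ACL: 'permit' entries are encrypted,
'deny' entries and the implicit deny at the end are forwarded in clear text."""
import ipaddress
from typing import List, Tuple

# Constructed copy of the GETVPN_TRAFFIC list configured on the KS above.
KS_ACL = """
 deny   ip host 1.1.1.1 host 2.2.2.2
 deny   ip host 2.2.2.2 host 1.1.1.1
 permit ip any any
"""

Rule = Tuple[str, int, int, int, int]  # action, src, src_mask, dst, dst_mask

def _spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec at tokens[i] ('any', 'host A' or 'A WILDCARD');
    return (address, match_mask, next_index)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    # IOS wildcard: bits set to 1 are "don't care", so invert it to get the mask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return int(ipaddress.IPv4Address(tokens[i])), ~wildcard & 0xFFFFFFFF, i + 2

def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny ip SRC DST' entries; the 'access-list' prefix that
    'show crypto gdoi gm acl' prints before each entry is skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, smask, i = _spec(tokens, 2)
        dst, dmask, _ = _spec(tokens, i)
        rules.append((tokens[0], src, smask, dst, dmask))
    return rules

def is_encrypted(rules: List[Rule], src: str, dst: str) -> bool:
    """First matching entry decides; no match is the implicit deny (clear text)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rs, rsm, rd, rdm in rules:
        if (s & rsm) == (rs & rsm) and (d & rdm) == (rd & rdm):
            return action == "permit"
    return False
```

Parsing the ACL downloaded on the GM with the same function and comparing it to the parsed KS list is a quick way to confirm that the policy the GM received matches what the KS was configured with.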
  • GM config
    • ISAKMP
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 4.4.4.4

    • GDOI
crypto gdoi group GETVPN_GROUP
 identity number 1
 server address ipv4 4.4.4.4
crypto map GETVPN 10 gdoi
 set group GETVPN_GROUP
interface FastEthernet1/0
 crypto map GETVPN

Verification:
  • KS
KS# show crypto gdoi ks      
Total group members registered to this box: 0
Key Server Information For Group GETVPN_GROUP_1:
    Group Name               : GETVPN_GROUP_1
    Group Identity           : 1
    Group Members            : 0
    IPSec SA Direction       : Both
    ACL Configured:
access-list GETVPN_TRAFFIC

KS# show crypto gdoi group GETVPN_GROUP_1
    Group Name               : GETVPN_GROUP_1 (Unicast)
    Group Identity           : 1
    Group Members            : 0
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 85960 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs
      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GETVPN_PROFILE
      Replay method          : Time Based
      Replay Window Size     : 3
      SA Rekey
         Remaining Lifetime  : 3161 secs
      ACL Configured         : access-list GETVPN_TRAFFIC
    Group Server list        : Local

KS# show crypto gdoi ks rekey
Group GETVPN_GROUP_1 (Unicast)
    Number of Rekeys sent               : 0
    Number of Rekeys retransmitted      : 0
    KEK rekey lifetime (sec)            : 86400
        Remaining lifetime (sec)        : 85791
    Retransmit period                   : 10
    Number of retransmissions           : 2
    IPSec SA 1  lifetime (sec)          : 3600
        Remaining lifetime (sec)        : 2992
  • GM
R1#show crypto gdoi gm
Group Member Information For Group GETVPN_GROUP:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GETVPN_GROUP_temp_acl
    Re-register
        Remaining time       : 2498 secs

R1#show crypto gdoi gm acl
Group Name: GETVPN_GROUP
 ACL Downloaded From KS 4.4.4.4:
   access-list  deny ip host 1.1.1.1 host 2.2.2.2
   access-list  deny ip host 2.2.2.2 host 1.1.1.1
   access-list  permit ip any any
 ACL Configured Locally: 

R1#show crypto gdoi group GETVPN_GROUP  
    Group Name               : GETVPN_GROUP
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 4.4.4.4
    Group Server list        : 4.4.4.4
                             
    GM Reregisters in        : 2274 secs
    Rekey Received           : never

    Rekeys received        
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0
 ACL Downloaded From KS 4.4.4.4:
   access-list  deny ip host 1.1.1.1 host 2.2.2.2
   access-list  deny ip host 2.2.2.2 host 1.1.1.1
   access-list  permit ip any any
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86237
    Encrypt Algorithm        : 3DES
    Key Size                 : 192  
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024  
TEK POLICY:
  FastEthernet1/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x4D42DDBA(1296227770)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1822)
        Anti-Replay(Time Based) : 3 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0x4D42DDBA(1296227770)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1822)
        Anti-Replay(Time Based) : 3 sec interval