GETVPN : Group Encrypted Transport VPN

Schema Here it comes. We will use the same topology as the last two blog posts.
This time we will play with GETVPN. GETVPN is a Cisco technology. One of the advantage of GETVPN is that we are able to build somespoke-to-spoke IPSEC tunnel without Tunnel interface and it is highly scalable.

We could say to me : ok, man ! but you could do this by means of static tunnels. Yes you can, BUT with GETVPN you can maintain easily full mesh networks by means of Key Server and the GETVPN technology.

Tunnel is build between GM (Group Member). The Key Server (KS) maintains security policies and is not part of the Forwarding Path. This server is here to provide security policy and make it possible to GM to build a encrypted tunnel between each other. No need to pass through a central node. GETVPN is a answer, DMVPN phase 3 is another 🙂

We have R4 as KS with a loopback address : 4.4.4.4/32
We have R2 and R3 as our spokes. These routers has each other a loopback 99 with a different /24 subnet.

  • R2 : 99.99.99.0/24
  • R3 : 100.100.100.0/24

Let’s go and see how it is configured. Begin with the Key Server :

crypto key generate rsa modulus 1024 label REKEYRSA

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa REKEYRSA
  rekey transport unicast
  sa ipsec 1
   profile PROFILE
   match address ipv4 getvpn-acl
   replay time window-size 5
   no tag
  address ipv4 4.4.4.4

ip access-list extended getvpn-acl
 permit ip 99.99.99.0 0.0.0.255 100.100.100.0 0.0.0.255
 permit ip 100.100.100.0 0.0.0.255 99.99.99.0 0.0.0.255
 deny   ip any any

Now R2 and R3 :

R2 : 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 4.4.4.4
crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1
 crypto map gdoimap

interface Ethernet0/1
 ip address 123.0.0.2 255.255.255.0
 ip router isis
 crypto map gdoimap
R3 : 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 4.4.4.4
crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1
 crypto map gdoimap

GM use and interact with the KS to build their IPSec SA. Here, the security policy is identified by “identity number 12345”.

To make my topology works I have been obliged to add a static route towards my remote endpoints. I have been obliged to due to a bug on my IOS. It crashes if I add a “reverse-route” command in my crypto map.

Now, we could try to ping each other :

R2#  ping 100.100.100.3 so lo 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.3, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/7 ms
R2#

Good ! it pings. Let’s see if it is encrypted :

https://www.cloudshark.org/captures/a99bd1404eaa or http://www.clucas.fr/downloads/GETVPN.pcap

Great it works 🙂

Now see some troubleshooting commands :

R2#show crypto session
Crypto session current status

Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 500
  Session ID: 0
  IKEv1 SA: local 123.0.0.2/848 remote 4.4.4.4/848 Active
  IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 100.100.100.0/255.255.255.0 99.99.99.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 99.99.99.0/255.255.255.0 100.100.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map

R2#
R2#show crypto gdoi gm
Group Member Information For Group GDOI-GROUP1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-GROUP1_temp_acl

    Group member             : 123.0.0.2       vrf: None
       Local addr/port       : 123.0.0.2/848
       Remote addr/port      : 4.4.4.4/848
       fvrf/ivrf             : None/None
       Version               : 1.0.8
       Registration status   : Registered
       Registered with       : 4.4.4.4
       Re-registers in       : 2673 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 4.4.4.4
       Last rekey seq num    : 10
       Unicast rekey received: 2
       Rekey ACKs sent       : 2
       Rekey Rcvd(hh:mm:ss)  : 00:11:50
       DP Error Monitoring   : OFF

R2#
R2# show crypto ipsec sa

interface: Ethernet0/1
    Crypto map tag: gdoimap, local addr 123.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (99.99.99.0/255.255.255.0/0/0)
   Group: GDOI-GROUP1
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
[...]
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (99.99.99.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   Group: GDOI-GROUP1
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
[...]

Ok each SA encrypt and decrypts the correct number of packets 🙂

KS side :

R4#show crypto gdoi ks
Total group members registered to this box: 2

Key Server Information For Group GDOI-GROUP1:
    Group Name               : GDOI-GROUP1
    Re-auth on new CRL       : Disabled
    Group Identity           : 12345
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
	access-list getvpn-acl


R4#show crypto gdoi ks acl
Group Name: GDOI-GROUP1
 Configured ACL:
   access-list getvpn-acl  permit ip 99.99.99.0 0.0.0.255 100.100.100.0 0.0.0.255
   access-list getvpn-acl  permit ip 100.100.100.0 0.0.0.255 99.99.99.0 0.0.0.255
   access-list getvpn-acl  deny ip any any


R4#

For more information : http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

Have fun with GETVPN !!

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.