The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The GET VPN Resiliency feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The long security association (SA) lifetime functionality extends the maximum lifetime of the key encryption key (KEK) and traffic encryption key (TEK) from 24 hours to 30 days. This functionality also lets you configure key servers (KSs) to continue to send periodic reminder rekeys to group members (GMs) that do not respond with an acknowledgment in the last scheduled rekey.
By using a long SA lifetime in combination with periodic reminder rekeys, a KS can effectively synchronize GMs if they miss a scheduled rekey before the keys roll over.
Note: For a lifetime longer than 24 hours, the encryption algorithm must be Advanced Encryption Standard-cipher block chaining (AES-CBC) or Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) with an AES key of 128 bits or stronger.
You can use the long SA lifetime functionality along with the GETVPN Suite-B feature to use AES-GCM and Galois Message Authentication Code-Advanced Encryption Standard (GMAC-AES) as traffic encryption key (TEK) policy transforms in a group for packets encapsulated with GCM-AES and GMAC-AES.
When migrating to the long SA lifetime functionality (greater than one day), the following rules apply:
When the Long SA feature is enabled on the KS, it blocks registration from GMs running older Cisco IOS releases that do not support this feature.
With longer security association (SA) lifetimes, a group member (GM) may not receive updates from a key server for a long duration. This can cause clock skew on GMs for the key encryption key (KEK) lifetime, traffic encryption key (TEK) lifetime, and Time-Based Anti-Replay (TBAR) pseudotime. The refresh rekey and the rollover to a new outbound IPsec SA help GMs mitigate clock skew issues.
If the traffic encryption key (TEK) lifetime is set to a duration greater than two days and Time-Based Anti-Replay (TBAR) is disabled, the key server sends a refresh rekey every 24 hours, which updates the key encryption key (KEK) lifetime, TEK lifetime, and TBAR pseudotime on all group members (GMs). In simple terms, a refresh rekey is a retransmission of the current KEK policy, TEK policy, and TBAR pseudotime (if enabled) to all GMs, regardless of whether a unicast acknowledgment (ACK) was received for the last rekey. If TBAR is enabled, the refresh rekey is sent every two hours to synchronize the pseudotime, so an additional refresh rekey is not required.
When a long SA lifetime (greater than one day) is configured, rollover happens when the remaining lifetime of the old traffic encryption key (TEK) reaches 1% of its configured lifetime (with a lower limit of 30 seconds), rather than when 30 seconds of the old TEK's lifetime remain. This allows a greater clock skew between group members (GMs) before traffic is discarded from a GM that rolls over to the new TEK late (after another GM has already deleted the old TEK). It also protects a GM that has been "offline" (disconnected from the KS) for a long duration and was therefore unable to receive the refresh rekeys that mitigate clock skew.
The periodic reminder sync-up rekey functionality in the key server (KS) lets you send periodic reminder rekeys to group members (GMs) that do not respond with an acknowledgment (ACK) to the last scheduled rekey. In combination with the long SA lifetime functionality, this lets a KS synchronize GMs that miss a scheduled rekey before the keys roll over. In a KS group configuration, a new keyword, periodic, is added to the rekey retransmit command when configuring the rekey retransmission.
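The refresh-rekey cadence and the rollover window described in the two paragraphs above can be computed for any configured TEK lifetime. The following Python is an added example, not Cisco code and not a description of IOS internals; it only encodes the figures stated here (lifetimes over one day count as long; a refresh rekey every 24 hours when the TEK lifetime exceeds two days with TBAR off, every 2 hours with TBAR on; rollover at 1% of the configured lifetime with a 30-second floor for long SAs, and at a fixed 30 seconds otherwise). The clock-skew check is a simplified model and is labelled as such in the code.

```python
# Added example (not Cisco code): a model of the long-SA-lifetime timers
# described in this module, so the refresh-rekey cadence and the rollover
# window can be computed for a given TEK lifetime.

DAY = 86_400
HOUR = 3_600


def is_long_sa(tek_lifetime_s: int) -> bool:
    """Long SA lifetime means strictly more than one day."""
    return tek_lifetime_s > DAY


def rollover_threshold_s(tek_lifetime_s: int) -> float:
    """Remaining old-TEK lifetime (seconds) at which a GM switches its
    outbound SA to the new TEK: fixed 30 s for short SAs, 1% of the
    configured lifetime (never less than 30 s) for long SAs."""
    if not is_long_sa(tek_lifetime_s):
        return 30.0
    return max(tek_lifetime_s / 100, 30.0)


def refresh_rekey_interval_s(tek_lifetime_s: int, tbar_enabled: bool):
    """Seconds between refresh rekeys, or None when the KS sends none."""
    if tbar_enabled:
        return 2 * HOUR          # pseudotime sync covers the refresh as well
    if tek_lifetime_s > 2 * DAY:
        return DAY
    return None


def late_rollover_tolerated(tek_lifetime_s: int, gm_clock_skew_s: float) -> bool:
    """Simplified model (assumption, not an IOS rule): a GM whose clock lags
    its peers by gm_clock_skew_s still rolls over before the peers have
    deleted the old TEK only while the lag is smaller than the rollover window."""
    return gm_clock_skew_s < rollover_threshold_s(tek_lifetime_s)


def timer_summary(tek_lifetime_s: int, tbar_enabled: bool) -> dict:
    """Bundle the computed timers for one configuration."""
    return {
        "long_sa": is_long_sa(tek_lifetime_s),
        "rollover_window_s": rollover_threshold_s(tek_lifetime_s),
        "refresh_rekey_every_s": refresh_rekey_interval_s(tek_lifetime_s, tbar_enabled),
    }


if __name__ == "__main__":
    # Constructed comparison: the 24-hour default versus the 15-day value used
    # in the TEK configuration example later in this module.
    for days in (1, 15):
        print(days, "day(s):", timer_summary(days * DAY, tbar_enabled=False))
```

With a 15-day TEK lifetime the rollover window grows from 30 seconds to 12960 seconds (3.6 hours), which is the clock-skew margin the text refers to; with TBAR off, the KS also sends a refresh rekey every 24 hours for that lifetime, but none for a lifetime of exactly two days.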
Each periodic rekey increments the sequence number, similar to rekey retransmissions. The GM is removed from the database on the KS after 3 scheduled rekeys (not retransmissions) for which the GM does not send an ACK.
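The two bookkeeping rules just stated (every rekey, reminder or retransmission increments the sequence number; a GM is removed after three scheduled rekeys it did not acknowledge, with reminders and retransmissions not counting) can be modelled directly. The following Python is an added example and not Cisco code; it assumes that the three misses must be consecutive, so an ACK resets the count, and the GM addresses are constructed samples.

```python
# Added example (not Cisco code): a model of how a KS tracks rekey
# acknowledgments under the rules stated in this module. Assumption in this
# model: the three unACKed scheduled rekeys must be consecutive, so an ACK
# resets a GM's miss count. GM identities are constructed sample addresses.

from dataclasses import dataclass, field

MAX_MISSED_SCHEDULED_REKEYS = 3


@dataclass
class RekeyTracker:
    members: set                                   # GMs currently in the KS database
    seq: int = 0                                   # rekey sequence number
    missed: dict = field(default_factory=dict)     # gm -> consecutive unACKed scheduled rekeys
    pending_ack: set = field(default_factory=set)  # GMs yet to ACK the current rekey

    def scheduled_rekey(self) -> int:
        """Send a scheduled rekey to every member; all of them now owe an ACK."""
        self.seq += 1
        self.pending_ack = set(self.members)
        return self.seq

    def periodic_reminder(self) -> tuple:
        """Reminder rekey to the GMs that have not ACKed; bumps the sequence
        number like a retransmission, but it is not a scheduled rekey, so no
        miss is counted here."""
        self.seq += 1
        return self.seq, frozenset(self.pending_ack)

    def ack(self, gm: str) -> None:
        """Unicast ACK from a GM: clears its debt and resets its miss count."""
        if gm in self.pending_ack:
            self.pending_ack.discard(gm)
            self.missed[gm] = 0

    def finish_rekey_cycle(self) -> set:
        """Close the ACK window of the current scheduled rekey: count one miss
        per GM still pending and remove those that reached the limit."""
        removed = set()
        for gm in self.pending_ack:
            self.missed[gm] = self.missed.get(gm, 0) + 1
            if self.missed[gm] >= MAX_MISSED_SCHEDULED_REKEYS:
                removed.add(gm)
        for gm in removed:
            self.members.discard(gm)
            self.missed.pop(gm, None)
        self.pending_ack = set()
        return removed


def simulate(members, silent, cycles=3, reminders_per_cycle=2) -> dict:
    """Run `cycles` scheduled rekeys; GMs in `silent` never ACK, the rest always do."""
    ks = RekeyTracker(members=set(members))
    removed_total = set()
    for _ in range(cycles):
        ks.scheduled_rekey()
        for gm in set(ks.members) - set(silent):
            ks.ack(gm)
        for _ in range(reminders_per_cycle):
            ks.periodic_reminder()
        removed_total |= ks.finish_rekey_cycle()
    return {"seq": ks.seq, "members": ks.members, "removed": removed_total}


if __name__ == "__main__":
    print(simulate({"10.0.1.2", "10.0.3.1"}, silent={"10.0.3.1"}))
```

Running three scheduled rekeys with two reminders each advances the sequence number to 9, and the GM that never acknowledges is removed only at the end of the third cycle; the reminders it received in between did not shorten its grace period.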
The pre-positioned rekey functionality allows the key server (KS) to send a rekey earlier than half the duration of the SA lifetime when a long SA lifetime (greater than one day) is configured. For a short SA lifetime, the normal rekey timing is used. When group members (GMs) receive this early rekey, they continue to use the old TEK for outbound traffic until they roll over to the new TEK. The pre-positioned rekey feature together with the Long SA Lifetime feature improves key rollover stability: it gives the KS sufficient time to recover from rekey errors by means such as periodic reminder rekeys and sync-up rekeys.
You should use the Long SA Lifetime feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature.
Perform this task on the key server (or primary key server) to ensure that all devices in the network support long SA lifetime.
1. enable
2. show crypto gdoi feature long-sa-lifetime
3. show crypto gdoi feature long-sa-lifetime | include No
To configure long SA lifetime for traffic encryption key (TEK), perform the following steps.
1. enable
2. configure terminal
3. crypto ipsec profile name
4. set security-association lifetime days days
5. end
To configure long SA lifetime for key encryption key (KEK), perform the following steps.
1. enable
2. configure terminal
3. crypto gdoi group group-name
4. identity number number
5. server local
6. rekey lifetime days days
7. end
To configure the periodic reminder sync-up rekey, perform the following steps.
1. enable
2. configure terminal
3. crypto gdoi group group-name
4. identity number number
5. server local
6. rekey retransmit number-of-seconds periodic
7. end
To view the configuration that is running on a key server (KS), use the show running-config command and the following commands.
1. enable
2. show crypto gdoi
3. show crypto gdoi ks rekey
To view the configuration that is running on a group member (GM), use the show running-config command and the following commands.
1. enable
2. show crypto gdoi ks rekey
3. show crypto gdoi ks policy
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support long SA lifetimes:
Device# show crypto gdoi feature long-sa-lifetime
Group Name: GETVPN
    Key Server ID       Version   Feature Supported
        10.0.5.2        1.0.4           Yes
        10.0.6.2        1.0.4           Yes
        10.0.7.2        1.0.3           No
        10.0.8.2        1.0.2           No
    Group Member ID     Version   Feature Supported
        10.0.1.2        1.0.2           No
        10.0.2.5        1.0.3           No
        10.0.3.1        1.0.4           Yes
        10.0.3.2        1.0.4           Yes
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support long SA lifetimes:
Device# show crypto gdoi feature long-sa-lifetime | include No
        10.0.7.2        1.0.3           No
        10.0.8.2        1.0.2           No
        10.0.1.2        1.0.2           No
        10.0.2.5        1.0.3           No
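The two checks above are the gate for the migration rule stated earlier: long SA lifetimes should be enabled only once every KS and GM reports "Yes". The following Python is an added example, not Cisco code or Cisco output; it parses the show output in the layout displayed above (re-embedded here as a constructed string), lists every device that reports "No", and returns whether the group is ready. It assumes that column layout and would need adjusting if the output format differs.

```python
# Added example (not Cisco code): parse "show crypto gdoi feature
# long-sa-lifetime" output and compute the pre-migration check: no KS and no
# GM in any group may report "No" before long SA lifetimes are enabled.
# SAMPLE_OUTPUT reproduces the output shown in this module as a constructed
# string; the row layout (ID, version, Yes/No) is an assumption of the parser.

import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
Group Name: GETVPN
    Key Server ID       Version   Feature Supported
        10.0.5.2        1.0.4           Yes
        10.0.6.2        1.0.4           Yes
        10.0.7.2        1.0.3           No
        10.0.8.2        1.0.2           No
    Group Member ID     Version   Feature Supported
        10.0.1.2        1.0.2           No
        10.0.2.5        1.0.3           No
        10.0.3.1        1.0.4           Yes
        10.0.3.2        1.0.4           Yes
"""

# One device row: identifier, software version, then Yes or No.
DEVICE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Yes|No)\s*$")


def parse_feature_support(text: str) -> dict:
    """Return {group: {"ks": [(id, version, supported)], "gm": [...]}}."""
    groups = defaultdict(lambda: {"ks": [], "gm": []})
    group = None
    role = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Group Name:"):
            group = stripped.split(":", 1)[1].strip()
            role = None
            continue
        if stripped.startswith("Key Server ID"):
            role = "ks"
            continue
        if stripped.startswith("Group Member ID"):
            role = "gm"
            continue
        m = DEVICE_ROW.match(line)
        if m and group and role:
            dev_id, version, supported = m.groups()
            groups[group][role].append((dev_id, version, supported == "Yes"))
    return dict(groups)


def unsupported_devices(parsed: dict) -> list:
    """(group, role, id, version) for every device reporting No: the rows the
    '| include No' filter surfaces, but with their group and role attached."""
    return [(grp, role, dev, ver)
            for grp, roles in parsed.items()
            for role, rows in roles.items()
            for dev, ver, ok in rows if not ok]


def safe_to_enable_long_sa(parsed: dict) -> bool:
    """True only when every KS and GM in every group supports the feature."""
    return not unsupported_devices(parsed)


if __name__ == "__main__":
    parsed = parse_feature_support(SAMPLE_OUTPUT)
    for entry in unsupported_devices(parsed):
        print("needs upgrade:", entry)
    print("safe to enable long SA lifetime:", safe_to_enable_long_sa(parsed))
```

For the sample output the check fails, because two key servers and two group members still run versions that do not support the feature; enabling the long SA lifetime on the KS at that point would, per the migration rule above, block those GMs from registering.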
The following example shows how to configure the long SA lifetime for traffic encryption key (TEK):
Device> enable
Device# configure terminal
Device(config)# crypto ipsec profile gdoi-p
Device(ipsec-profile)# set security-association lifetime days 15
Device(ipsec-profile)# end
The following example shows how to configure the long SA lifetime for key encryption key (KEK):
Device> enable
Device# configure terminal
Device(config)# crypto gdoi group GET
Device(config-gdoi-group)# identity number 3333
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# rekey lifetime days 20
Device(gdoi-local-server)# end
The following example shows how to configure the periodic reminder sync-up rekey:
Device> enable
Device# configure terminal
Device(config)# crypto gdoi group group1
Device(config-gdoi-group)# identity number 3333
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# rekey retransmit 10 periodic
Device(gdoi-local-server)# end
| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | Cisco IOS Master Command List, All Releases |
| Cisco IOS security commands | |
| Basic deployment guidelines for enabling GET VPN in an enterprise network | Cisco IOS GET VPN Solutions Deployment Guide |
| Designing and implementing a GET VPN network | Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide |
| Standard/RFC | Title |
|---|---|
| RFC 2401 | Security Architecture for the Internet Protocol |
| RFC 6407 | The Group Domain of Interpretation |
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

| Feature Name | Releases | Feature Information |
|---|---|---|
| GET VPN Resiliency | Cisco IOS XE Release 3.9S | The GET VPN Resiliency feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur. The following commands were introduced or modified: rekey lifetime, rekey retransmit, set security-association lifetime, show crypto gdoi. |