Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS Release 15.2M&T
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Cisco Group Encrypted Transport VPN
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Contents
Cisco Group Encrypted Transport VPNLast Updated: September 26, 2012
Cisco Group Encrypted Transport Virtual Private Network (GET VPN) is a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN combines the keying protocol Group Domain of Interpretation (GDOI) with IP security (IPsec) encryption to provide users with an efficient method to secure IP multicast traffic or unicast traffic. GET VPN enables the router to apply encryption to nontunneled (that is, "native") IP multicast and unicast packets and eliminates the requirement to configure tunnels to protect multicast and unicast traffic. This document describes how to configure, verify, and troubleshoot Cisco GET VPN. Cisco Group Encrypted Transport VPN provides the following benefits:
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Cisco Group Encrypted Transport VPN
Restrictions for Cisco Group Encrypted Transport VPN
Information About Cisco Group Encrypted Transport VPN
Cisco Group Encrypted Transport VPN OverviewNetworked applications such as voice and video increase the need for instantaneous, branch-interconnected, and QoS-enabled WANs. The distributed nature of these applications results in increased demands for scale. At the same time, enterprise WAN technologies force businesses to trade off between QoS-enabled branch interconnectivity and transport security. As network security risks increase and regulatory compliance becomes essential, GET VPN, a next-generation WAN encryption technology, eliminates the need to compromise between network intelligence and data privacy. With GET, Cisco provides tunnelless VPN, which eliminates the need for tunnels. Meshed networks, by removing the need for point-to-point tunnels, can scale higher while maintaining network-intelligence features critical to voice and video quality. GET is a standards-based security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship. Also, "any-any" networks, by using trusted groups instead of point-to-point tunnels, can scale higher while maintaining network-intelligence features (such as QoS, routing, and multicast), which are critical to voice and video quality. GET-based networks can be used in a variety of WAN environments, including IP and MPLS. MPLS VPNs that use this encryption technology are highly scalable, manageable, and cost-effective, and they meet government-mandated encryption requirements. The flexible nature of GET allows security-conscious enterprises either to manage their own network security over a service provider WAN service or to offload encryption services to their providers. GET simplifies securing large Layer 2 or MPLS networks that require partial or full-mesh connectivity. Cisco Group Encrypted Transport VPN ArchitectureGET VPN encompasses Multicast Rekeying, a way to enable encryption for "native" multicast packets, and unicast rekeying over a private WAN. Multicast Rekeying and GET VPN is based on GDOI as defined in Internet Engineering Task Force (IETF) RFC 3547. In addition, there are similarities to IPsec in the area of header preservation and SA lookup. Dynamic distribution of IPsec SAs has been added, and tunnel overlay properties of IPsec have been removed. The diagram below further illustrates the GET VPN concepts and relationships. This section has the following subsections:
Key Distribution Group Domain of Interpretation
GDOIGDOI is defined as the Internet Security Association Key Management Protocol (ISAKMP) Domain of Interpretation (DOI) for group key management. In a group management model, the GDOI protocol operates between a group member and a group controller or key server (GCKS), which establishes SAs among authorized group members. The ISAKMP defines two phases of negotiation. GDOI is protected by a Phase 1 ISAKMP security association. The Phase 2 exchange is defined in IETF RFC 3547. The topology shown in the figure below and the corresponding explanation show how this protocol works. Group MemberThe group member registers with the key server to get the IPsec SA or SAs that are necessary to communicate with the group. The group member provides the group ID to the key server to get the respective policy and keys for this group. These keys are refreshed periodically, and before the current IPsec SAs expire, so that there is no loss of traffic. The output of the show crypto isakmp sa detail command will show the security association (SA) Authentication as "rsig" because the RSA signature is used for key encryption key (KEK) rekey authentication in GET VPN. Key ServerThe responsibilities of the key server include maintaining the policy and creating and maintaining the keys for the group. When a group member registers, the key server downloads this policy and the keys to the group member. The key server also rekeys the group before existing keys expire. The key server has two responsibilities: servicing registration requests and sending rekeys. A group member can register at any time and receive the most current policy and keys. When a group member registers with the key server, the key server verifies the group ID that the group member is attempting to join. If this ID is a valid group ID, the key server sends the SA policy to the group member. After the group member acknowledges that it can handle the downloaded policy, the key server downloads the respective keys. There are two types of keys that the key server can download: the key encryption key (KEK) and the traffic encryption key (TEK). The TEK becomes the IPsec SA with which the group members within the same group communicate. The KEK encrypts the rekey message. The GDOI server sends out rekey messages if an impending IPsec SA expiration occurs or if the policy has changed on the key server (using the command-line interface [CLI]). A rekey can also happen if the KEK timer has expired, and the key server sends out a KEK rekey. The rekey messages may also be retransmitted periodically to account for possible packet loss. Packet loss can occur because rekey messages are sent without the use of any reliable transport. If the rekey mechanism is multicast, there is no efficient feedback mechanism by which receivers can indicate that they did not receive a rekey message, so retransmission seeks to bring all receivers up to date. If the rekey mechanism is unicast, the receivers will send an acknowledgment message. The topology shows the protocol flows that are necessary for group members to participate in a group, which are as follows:
How Protocol Messages Work with Cisco IOS SoftwareMulticast Rekeying uses the GDOI protocol (IETF RFC 3547) to distribute the policy and keys for the group. The GDOI protocol is between a key server and a group member. The key server creates and maintains the policy and keys, and it downloads the policy and keys to the authenticated group members. The GDOI protocol is protected by an ISAKMP Phase 1 exchange. The GDOI key server and the GDOI group member must have the same ISAKMP policy. This Phase 1 ISAKMP policy should be strong enough to protect the GDOI protocol that follows. The GDOI protocol is a four-message exchange that follows the Phase 1 ISAKMP policy. The Phase 1 ISAKMP exchange can occur in main mode or aggressive mode. The figure below shows the ISAKMP Phase 1 exchange. The ISAKMP Phase 1 messages and the four GDOI protocol messages are referred to as the GDOI registration, and the entire exchange that is shown is a unicast exchange between the group member and the key server. During the registration, if the rekey mechanism is multicast, the group member receives the address of the multicast group and registers with the multicast group that is required to receive the multicast rekeys. The GDOI protocol uses User Datagram Protocol (UDP) port 848 (with Network Address Translation-Traversal (NAT-T), it floats to 4500). IPsecIPsec is a well-known RFC that defines an architecture to provide various security services for traffic at the IP layer. The components and how they fit together with each other and into the IP environment are described in IETF RFC 2401. Communication Flow Between Key Servers and Group Members to Update IPsec SAsKey servers and group members are the two components of the GET VPN architecture. The key server holds and supplies group authentication keys and IPsec SAs to the group members. Group members provide encryption service to the interesting traffic (traffic that is worthy of being encrypted and secured by IPsec). Communication among the key server and group members is encrypted and secured. GDOI supports the use of two keys: the TEK and the KEK. The TEK is downloaded by the key server to all the group members. The downloaded TEK is used by all the group members to communicate securely among each other. This key is essentially the group key that is shared by all the group members. The group policies and IPsec SAs are refreshed by the key server using periodic rekey messages to the group members. The KEK is also downloaded by the key server and is used by the group members to decrypt the incoming rekey messages from the key server. The key server generates the group policy and IPsec SAs for the GDOI group. The information generated by the key server includes multiple TEK attributes, traffic encryption policy, lifetime, source and destination, a Security Parameter Index (SPI) ID that is associated with each TEK, and the rekey policy (one KEK). The figure below illustrates the communication flow between group members and the key server. The key server, after receiving registration messages from a group member, generates the information that contains the group policy and new IPsec SAs. The new IPsec SA is then downloaded to the group member. The key server maintains a table that contains the IP address of each group member per group. When a group member registers, the key server adds its IP address in its associated group table, thus allowing the key server to monitor an active group member. A key server can support multiple groups. A group member can be part of multiple groups. IPsec and ISAKMP TimersIPsec and ISAKMP SAs are maintained by the following timers:
Address PreservationThe following section describes address preservation in GET VPN. As shown in the figure below, IPsec-protected data packets carry the original source and destination in the outer IP header rather than replacing them with tunnel endpoint addresses. This technique is known as IPsec Tunnel Mode with Address Preservation. Address preservation allows GET VPN to use the routing functionality present within the core network. Address preservation allows routing to deliver the packets to any customer-edge (CE) device in the network that advertises a route to the destination address. Any source and destination matching the policy for the group will be treated in a similar manner. In the situation where a link between IPsec peers is not available, address preservation also helps combat traffic "black-hole" situations. Header preservation also maintains routing continuity throughout the enterprise address space and in the WAN. As a result, end host addresses of the campus are exposed in the WAN (for MPLS, this applies to the edge of the WAN). For this reason, GET VPN is applicable only when the WAN network acts as a "private" network (for example, in an MPLS network). Secure Data Plane MulticastThe multicast sender uses the TEK that is obtained from the key server and encrypts the multicast data packet with header preservation before it switches out the packet. The replication of the multicast packet is carried out in the core on the basis of the (S, G) state that is retained in the multicast data packet. This process is illustrated in the figure below. Cisco Group Encrypted Transport VPN FeaturesThis section includes the following subsections:
RekeyingRekey messages are used to refresh IPsec SAs. When the IPsec SAs or the rekey SAs are about to expire, one single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. The rekey messages are distributed by the key server over an existing IKE SA. Rekeying can use multicast or unicast messages. GET VPN supports both unicast and multicast rekeying. The following subsections give detailed rekeying information:
Rekey Sequence-Number CheckThe rekey sequence-number check between the key server and the group member is conducted as follows:
Multicast RekeyingMulticast rekeys are sent out using an efficient multicast rekey. Following a successful registration, the group member registers with a particular multicast group. All the group members that are registered to the group receives this multicast rekey. Multicast rekeys are sent out periodically on the basis of the configured lifetime on the key server. Multicast rekeys are also sent out if the IPsec or rekey policy is changed on the key server. Triggered by the configuration change, the rekey sends out the new updated policy to all the group members with an efficient multicast rekey. The key server pushes the rekey time back as follows: 1. If the TEK timeout is 300 seconds: tek_rekey_offset = 90 (because 300 < 900) If retransmissions are configured, the rekey timer is moved back more. For three retransmissions every 10 seconds: 3 x 10 So the rekey will actually happen at (300 - 90 - 30) = 180 seconds 2. If the TEK timeout is 3600 seconds: tek_rekey_offset = 3600 x 10 percent = 360 seconds If retransmissions are configured, the rekey timer is moved back more. For three retransmissions every 10 seconds: 3 x 10 So the rekey will actually happen at (3600 - 360 - 30) = 3210 seconds When a KEK expires and when the transport mode is multicast, a multicast KEK rekey is sent. When a multicast KEK rekey is sent, the group member replaces the old KEK with the new KEK. Because it is a multicast rekey, and the retransmissions are sent, the old KEK continues to be used for encryption. This situation occurs because the group member does not receive the new KEK rekey. Hence the group member that received the multicast KEK rekey does not have the old KEK, and hence it drops these retransmissions. The group member that did not initially receive the KEK key now receives the KEK retransmission and replaces the old KEK with the new KEK and will drop the retransmissions that will follow. For example, if five retransmissions are configured and a multicast KEK rekey with sequence number 1 is received at group member 1, all the other retransmissions with sequence numbers 2 3 4 5 6 will be dropped at the group member because the group member does not have the old KEK. If group member 2 does not get the KEK rekey with sequence number 1 and it receives the retransmission with sequence number 2, it will drop the other retransmissions 3, 4, 5, 6. Configuration Requirements for Multicast RekeyingWhen a group member registers to a key server, it installs the KEK SA into its database. When the rekey transport is multicast the group member will use IGMP to join the multicast stream defined by the key server. The IGMP join is transmitted from the interface that contains the crypto map.
When the key server is not reachable via the same interface as the one configured with the crypto map, it will have to manually join the stream. Unicast Rekeying and SAsIn a large unicast group, to alleviate latency issues, the key server generates rekey messages for only a small number of group members at a time. The key server is ensured that all group members receive the same rekey messages for the new SA before the expiration of the old SA. Also, in a unicast group, after receiving the rekey message from the key server, a group member sends an encrypted acknowledge (ACK) message to the key server using the keys that were received as part of the rekey message. When the key server receives this ACK message, it notes this receipt in its associated group table, which accomplishes the following:
In addition, in a unicast group, the key server removes the group member from its active list and stops sending the rekey messages to that particular group member if the key server does not receive an ACK message for three consecutive rekeys. If no ACK message is received for three consecutive rekeys, the group member has to fully re-register with the key server after its current SA expires if the group member is still interested in receiving the rekey messages. The ejection of a nonresponsive group member is accomplished only when the key server is operating in the unicast rekey mode. The key server does not eject group members in the multicast rekey mode because group members cannot send ACK messages in that mode. As in multicast rekeying, if retransmission is configured, each rekey will be retransmitted the configured number of times. Rekey transport modes and authentication can be configured under a GDOI group. If unicast rekey transport mode is not defined, multicast is applied by default. If the TEK rekey is not received, the group member re-registers with the key server 60 seconds before the current IPsec SA expires. The key server has to send out the rekey before the group member re-registration occurs. If no retransmission is configured, the key server sends the rekey tek_rekey_offset before the SA expires. The tek_rekey_offset is calculated based on the configured rekey lifetime. If the TEK rekey lifetime is less than 900 seconds, the tek_rekey_offset is set to 90 seconds. If the TEK rekey lifetime is configured as more than 900 seconds, the tek_rekey_offset = (configured TEK rekey lifetime)/10. If retransmission is configured, the rekey occurs earlier than the tek_rekey_offset to let the last retransmission be sent 90 seconds before the SA expires. The key server uses the formula in the following example to calculate when to start sending the rekey to all unicast group members. The unicast rekey process on the key server sends rekeys to unicast group members in groups of 50 within a loop. The time spent within this loop is estimated to be 5 seconds. A key server rekeys group members in groups of 50, which equals two loops. For example, for 100 group members: Number of rekey loops = (100 group members)/50 = 2 loops:
So the key server pushes the rekey time back as follows: But the start has to be earlier than the TEK expiry (as in the multicast case):
If retransmissions are configured, the rekey timer is moved back more:
But the start has to be earlier than the TEK expiry (as in the multicast case):
If retransmissions are configured, the rekey timer is moved back more: The tek_rekey_offset formula applies to unicast and multicast rekeying. Rekey Behavior After Policy ChangesThe table below provides a list of rekey behavior based on the security policy changes.
Enter the following commands for the policy changes to take effect immediately:
IPsec SA Usage on the Group MembersWhen a rekey is received and processed on a group member, the new IPsec SA (the SPI) is installed. There is a period of time when the old and the new IPsec SAs are used. After a certain specified interval, the old IPsec SA is deleted. This overlap ensures that all group members receive the current rekey and insert the new IPsec SAs. This behavior is independent of the transport method (multicast or unicast rekey transport) for the rekeys from the key server. Approximately 30 seconds before the old SA expires, the group member starts to use the new SA in the outbound direction to encrypt the packet. Approximately 60 seconds before the old SA expires, if no new SA is received on the group member side via a rekey from the key server, the group member re-registers. In the figure below, time T2 is when the old SA expires. T1 is 30 seconds before T2, which is when the group member (GM) starts to use the new SA in the outbound direction. T0 is another 30 seconds before T2. If no new SA is received at T0, the group member has to re-register. T is another 30 seconds from T0. The key server should send a rekey at T. Configuration Changes Can Trigger a Rekey By a Key Server
Configuration changes on a key server can trigger a rekey by the key server. Please refer to the following sample configuration as you read through the changes that will or will not cause a rekey that are described following the example. crypto ipsec transform-set gdoi-p esp-aes esp-sha-hmac ! crypto ipsec profile gdoi-p set security-association lifetime seconds 900 set transform-set gdoi-p ! crypto gdoi group diffint identity number 3333 server local rekey algorithm aes 128 rekey address ipv4 121 rekey lifetime seconds 3600 no rekey retransmit rekey authentication mypubkey rsa mykeys sa ipsec 1 profile gdoi-p match address ipv4 120 replay counter window-size 3 The following configuration changes on the key server will trigger a rekey from the key server:
The following configuration changes on the key server will not trigger a rekey from the key server:
Commands That Trigger a RekeyThe table below is a comprehensive list of GET VPN command changes, and it shows which commands will or will not trigger a rekey. Commands are broken out based on the configuration mode in which they are entered. The table also shows when the commands take effect, regardless of whether they trigger a rekey.
When a timeout is caused by a pseudotime synchronization, the key server checks if either the KEK or the TEK timer is scheduled to expire in next 60 seconds, and if so, combines that timeout with the pseudotime synchronization timeout. That is, the rekey acts as both a TEK or KEK rekey and a pseudotime synchronization timeout rekey. See the "Time-Based Antireplay" section for more information on pseudotime synchronization. Retransmitting a RekeyMulticast rekeys are retransmitted by default. For unicast rekeys, if the key server does not receive the ACK, it retransmits the rekey. In either case, before retransmitting a rekey, the key server checks if there is a TEK or KEK rekey scheduled in the next 120 seconds. If so, it stops the current retransmission and waits for the scheduled rekey to happen. Group Member Access Control ListFor GET VPN, the traffic that has to be protected is defined statically on the key server using the ACL. The group member gets information about what has to be protected from the key server. This structure allows the key server to choose and change the policy dynamically as needed. In Secure Multicast, the key server ACL is defined inclusively. The ACL includes only the exact traffic that should be encrypted, with an implicit deny causing all other traffic to be allowed in the clear (that is, if there is no permit, all other traffic is allowed). GET VPN employs a different philosophy: The definition of which packets should be encrypted is delivered independently. GET VPN supports only statically defined traffic selectors. Policy can be defined by using both deny and permit ACLs on the key server. Only the deny ACL is allowed to be manually configured on a group member. The policies that are downloaded from the key server and configured on the group member are merged. Any ACL that is configured on the group member has predominance over what is downloaded from the key server. After the group member gets the ACL from the key server, the group member creates a temporary ACL and inserts it into the database. This ACL will be deleted if the group member is removed from the GDOI group for any reason. The packets that are going out of the interface are dropped by the group member if a packet matches the ACL but no IPsec SA exists for that packet. The key server can send a set of traffic selectors, which may not exactly match the group member ACL on the group member. If such differences occur, the differences have to be merged and resolved. Because the group member is more aware of its topology than the key server, the downloaded ACLs are appended to the group member ACL. The group member ACL (except the implicit deny) is inserted into the database first, followed by the downloaded key server ACL. The database is prioritized, and the database search stops whenever a matched entry is found. For information about configuring a group member ACL, see the "Configuring Group Member ACLs" section. Behavior of a Group Member When Security Policy ChangesThe behavior of a group member changes when ACL changes or any other policy changes are made in the key server. The effect of different policy changes on the behavior of the group members is explained in the following three scenarios. Scenario 1In the following example, the ACL has been initially configured to permit host A and host B. ip access-list extended get-acl permit ip host A host B permit ip host B host A Then the ACL is changed to permit host C and host D in the key server: ip access-list extended get-acl permit ip host C host D permit ip host D host C ACL changes affect the behavior of the group member in the following ways:
Scenario 2The behavior of a group member changes when policy updates and transform set and time-based antireplay (TBAR) changes are made to the key server. In this scenario, it is assumed that:
These policy changes affect the behavior of the group member in the following ways:
Scenario 3The behavior of a group member changes when other policy updates in the key server involve both ACL changes and other changes like the transform set or TBAR. In this scenario it is assumed that:
ACL changes and other policy updates affect the behavior of the group member in the following ways:
Fail-Close ModeUntil a group member registers with a key server, traffic passing through the group member is not encrypted. This state is called "fail open." To prevent unencrypted traffic from passing through a group member before that member is registered, you can configure the Fail-Close feature. If the feature is configured, an implicit "permit ip any any" policy is installed, and all unencrypted traffic passing through the group member is dropped (this state is called fail-close mode). The fail-close function can also be achieved by configuring an interface ACL. However, the Fail-Close feature is more manageable and is easier to implement than ACL lists. If you configure the Fail-Close feature, you can still allow specific unencrypted traffic to pass through the group member by configuring the match address command (match address {ipv4 | ipv6}{access-list-number | access-list-name}). (You must use the ipv4 keyword for IPv4 groups and the ipv6 keyword for IPv6 groups. You must use a named (not numbered) access list for IPv6 configurations.) This explicit "deny" ACL is added before the implicit "permit ip any any" to allow denied (unencrypted) traffic to pass through the group member. After the group member has successfully completed its registration, the fail-close policy, both explicit and implicit, is removed, and the group member behaves as it did before the Fail-Close feature was configured. Guidelines for Using the Fail-Close FeatureWhen you are configuring a crypto map to work in fail-close mode, you must be careful. If the fail-close ACL is defined improperly, you may lock yourself out of the router. For example, if you use Secure Shell (SSH) to log in to the router through the interface with the crypto map applied, you have to include the deny tcp any eq port host address command line under the fail-close ACL. You may also need to include the routing protocol that the router is using (such as deny ospf any any) to find the path to the key server. It is suggested that you configure fail-close and its ACL first, and then verify the fail-close ACL using the show crypto map gdoi fail-close map-name command. After you have checked your fail-close ACL and are confident that it is correct, you can make the crypto map work in the fail-close mode by configuring the activate command. Fail-close is not activated until you have configured the activate command. The fail-close ACL is configured from the group-member perspective. The fail-close ACL is configured on group member as follows: access-list 125 deny ip host host1-ip-addr host2-ip-addr In fail-close mode, all IP traffic from host1 to host2 will be sent out by group member 1 in clear text. In addition, the inbound mirrored traffic (that is, IP traffic from host2 to host1) is also accepted by GM1 in clear text.
The inbound traffic is matched to the mirrored access list. The fail-close access list follows the same rules as the group member access list. For more information, see the "Group Member Access Control List" section. You need not configure the deny udp any eq 848 any eq 848 command to make the GDOI registration go through. The code itself checks whether it is a GDOI packet for a particular group member from the key server to which it is configured. If it is a GDOI packet for this group member, the packet is processed. But for a scenario in which the key server is behind group member 1, if group member 1 cannot register successfully with the key server, other group members also will not be able to register unless an explicit deny udp any eq 848 any eq 848 command line is configured for group member 1. However, if the Fail-Close feature is properly configured, even if a group member fails to register with a key server, you will be able to ensure that no unwanted traffic can go out "in the clear." But you can allow specified traffic to go out in the clear, in which case registration packets from other group members will be able to reach the key server through group member 1 even if it fails to get registered. For information on configuring fail-close mode, see the "Activating Fail-Close Mode" section. To verify whether fail-close mode is activated, use the show crypto map gdoi fail-close command. Time-Based AntireplayAntireplay is an important feature in a data encryption protocol such as IPSec (RFC 2401). Antireplay prevents a third party from eavesdropping on an IPsec conversation, stealing packets, and injecting those packets into a session at a later time. The time-based antireplay mechanism helps ensure that invalid packets are discarded by detecting the replayed packets that have already arrived at an earlier time. GET VPN uses the Synchronous Antireplay (SAR) mechanism to provide antireplay protection for multisender traffic. SAR is independent of real-world Network Time Protocol (NTP) clock or sequential-counter mechanisms (which guarantee packets are received and processed in order). A SAR clock advances regularly. The time tracked by this clock is called pseudotime. The pseudotime is maintained on the key server and is sent periodically to the group members within a rekey message as a time-stamp field called pseudoTimeStamp. GET VPN uses a Cisco proprietary protocol called Metadata to encapsulate the pseudoTimeStamp. Group members have to be resynchronized to the pseudotime of the key server periodically. The pseudotime of the key server starts ticking from when the first group member registers. Initially, the key server sends the current pseudotime value of the key server and window size to group members during the registration process. New attributes, such as time-based replay-enabled information, window size, and the pseudotime of the key server, is sent under the SA payload (TEK). The group members use the pseudotime to prevent replay as follows: the pseudoTimeStamp contains the pseudotime value at which a sender created a packet. A receiver compares the pseudotime value of senders with its own pseudotime value to determine whether a packet is a replayed packet. The receiver uses a time-based antireplay "window" to accept packets that contain a time-stamp value within that window. The window size is configured on the key server and is sent to all group members.
the figure below illustrates an antireplay window in which the value PTr denotes the local pseudotime of the receiver, and W is the window size. Clock SynchronizationClocks of the group members can slip and lose synchronization with the key server. To keep the clocks synchronized, a rekey message (multicast or unicast, as appropriate), including the current pseudotime value of the key server, is sent periodically, either in a rekey message or at a minimum of every 30 minutes to the group member. If a packet fails this antireplay check, the pseudotime of both the sender and receiver is printed, an error message is generated, and a count is increased. To display antireplay statistics, use the show crypto gdoi group group-name gm replay command on both the sender and receiver devices. If the configuration is changed by the administrator to affect the replay method of the size configuration, the key server initiates a rekey message. Interval DurationA tick is the interval duration of the SAR clock. Packets sent in this duration have the same pseudoTimeStamp. The tick is also downloaded to group members, along with the pseudotime from the key server. For example, as shown in the figure below, packets sent between T0 and T1 would have the same pseudoTimeStamp T0. SAR provides loose antireplay protection. The replayed packets are accepted if they are replayed during the window. The default window size is 100 seconds. It is recommended that you keep the window size small to minimize packet replay. Antireplay ConfigurationsThe Antireplay feature can be enabled under IPsec SA on a key server by using the following commands:
Control-Plane Time-Based AntireplayRekey Pseudotime CheckThe rekey pseudotime check between key servers and group members is conducted as follows:
*Jul 28 22:56:37.503: %GDOI-3-PSEUDO_TIME_LARGE: Pseudotime difference between key server (20008 sec) and GM (10057 sec) is larger than expected in group GET. Adjust to new pseudotime
*Jul 28 23:37:59.699: %GDOI-3-PSEUDO_TIME_TOO_OLD: Rekey received in group GET is too old and fail PST check: my_pst is 22490 sec, peer_pst is 10026 sec, allowable_skew is 30 sec ANN Message Pseudotime Handling in the Secondary Key ServerCooperative key server announcement (ANN) messages are used to synchronize policy and group-member information between cooperative key servers. The secondary key server handles ANN messages as follows:.
*Jul 28 23:48:56.871: %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE: COOP_KS ANN received from KS 10.0.8.1 in group GET has pseudotime bigger than myself. Adjust to new pseudotime: my_old_pst is 23147 sec, peer_pst is 30005 sec
*Jul 28 23:42:12.603: %GDOI-4-GDOI_ANN_TIMESTAMP_TOO_OLD: COOP_KS ANN from KS 10.0.8.1 in group GET is too old and fail PST check: my_pst is 22743 sec, peer_pst is 103 sec, allowable_skew is 10 sec If, after three retransmit requests, the secondary key server has still not received any ANN message with a valid pseudotime, it starts blocking new group-member registrations, as follows: *Jul 28 23:38:57.859: %GDOI-5-COOP_KS_VALID_ANN_TIMER_EXPIRED: This sec-KS has NOT received an ANN with valid pseudotime for an extended period in group GET. It will block new group members registration temporarily until a valid ANN is received *Jul 29 00:08:47.775: %GDOI-5-COOP_KS_BLOCK_NEW_GM_REGISTER: This key server temporarily blocks group member with ip-addr 10.0.0.2 from registering in group GET as it has not received an ANN with valid pseudotime for prolonged period The secondary key server resumes its group member registration functionality if any of the following happens:
ANN Message Pseudotime Handling in the Primary Key ServerThe primary key server handles ANN messages as follows:
During a network merge, the following conditions apply:
*Jul 28 23:42:41.311: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GET (Previous Primary = NONE) *Jul 28 23:42:41.311: %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE: COOP_KS ANN received from KS 10.0.9.1 in group GET has PST bigger than myself. Adjust to new pseudotime: my_old_pst is 0 sec, peer_pst is 22772 sec *Jul 28 23:43:16.335: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 10.0.8.1 in group GET transitioned to Primary (Previous Primary = NONE) *Jul 28 23:43:16.347: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GET from address 10.0.8.1 with seq # 1 Cooperative Key ServerThe figure below illustrates cooperative key server key distribution. The text following the illustration explains the Cooperative Key Server feature. Cooperative key servers provide redundancy to GET VPN. Multiple key servers are supported by GET VPN to ensure redundancy, high availability, and fast recovery if the primary key server fails. Cooperating GDOI key servers jointly manage the GDOI registrations for the group. Each key server is an active key server, handling GDOI registration requests from group members. Because the key servers are cooperating, each key server distributes the same state to the group members that register with it. Load balancing is achieved because each of the GDOI key servers can service a portion of the GDOI registrations. The primary key server is responsible for creating and distributing group policy. When cooperative key server key distribution occurs, one key server declares itself as primary, creates a policy, and sends the policy to the other secondary key server. The secondary key server declares the primary key server as primary key server when it gets the policy and ends the election mode. The secondary key server now also blocks GM registration while the cooperative key server key distribution is in progress. This change allows the cooperative key server distribution to become more efficient because it saves time. For example, the syslog warning message similar to the following is displayed during distribution: 00:00:16: %GDOI-5-COOP_KS_BLOCK_NEW_GM_REGISTER_ELECTION: This KS temporarily blocks GM with ip-addr 10.0.4.1 from registering in group diffint as the KS election is underway The primary key server periodically sends out (or broadcasts) group information updates to all other key servers to keep those servers in synchronization. If the secondary key servers somehow miss the updates, they contact the primary key server to directly request information updates. The secondary key servers mark the primary key server as unreachable (that is, "dead") if the updates are not received for an extended period. When a new policy is created on a primary key server, regardless of which key server a group member may be registered with, it is the responsibility of the primary key server to distribute rekey messages to GDOI group members. In a cooperative-key-server setting, the rekey sequence number is synchronized between the primary and secondary key servers. In a network merge, the key servers pick the larger of the rekey sequence numbers that they have between them. If you are supporting more than 300 group members in your cooperative key server setup, you should increase the buffer size by using the buffers huge size command. Announcement MessagesAnnouncement messages are secured by IKE Phase 1 and are sent as IKE notify messages. Authentication and confidentiality that are provided by IKE is used to secure the messaging between the key servers. Antireplay protection is provided by the sequence numbers in the announcement messages. Announcement messages are periodically sent from primary to secondary key servers. Announcement messages include the components, described in the following sections that help maintain the current state. Sender Priority of a Key ServerThis value describes the priority of the sender, which is configurable using the CLI. The key server with the highest priority becomes the primary key server. If the priority values are the same, the key server with the highest IP address becomes the primary key server. Maintaining the Role of the SenderDuring the synchronization period, if the key servers are at geographically dispersed locations, they may suffer a network-partitioning event. If a network-partitioning event occurs, more than one key server can become the primary key server for a period of time. When the network is operating normally again and all the key servers find each other, they need to be told the current role of the sender so the key servers can attain their proper roles. Request for a Return Packet FlagAll messages are defined as one-way messages. When needed, a key server can request the current state from a peer to find out its role or request the current state of the group. Group PoliciesThe group policies are the policies that are maintained for a group, such as group member information and IPsec SAs and keys. Antireplay functionalities and incorporated Cooperative announcement messages are supported. The primary key server updates the pseudotime value, sending it to all secondary key servers in the group. The secondary key servers should synchronize their SAR clocks to this updated value. ANN Message Sequence Number Check Between Cooperative Key ServersThe following describes the sequence number check between cooperative key servers:
Change Key Server RoleIn a network of cooperative key servers, the primary server is elected based on its highest priority at the time of election. The other key servers have secondary status. If the primary key server is detected as being dead or if its role changes, the clear crypto gdoi ks cooperative role command allows you to reset the cooperative role of the primary key server. If the clear crypto gdoi ks cooperative role command is executed on a secondary key server, the election is triggered on that secondary key server although that server would most likely remain a secondary key server because there has been an elected primary key server. However, if the clear crypto gdoi ks cooperative role command is executed on the primary key server, the primary key server is reassigned to a secondary role, and as a result, a new election that involves all the key servers is triggered. If the previous primary server has the highest priority (of all the key servers), it again becomes the primary server. If the previous primary server does not have the highest priority, the server having the highest priority is elected as the new primary server. Receive Only SAFor multicast traffic using the GDOI protocol, bidirectional SAs are installed. The Receive Only feature enables an incremental deployment so that only a few sites can be verified before bringing up an entire network. To test the sites, one of the group members should send encrypted traffic to all the other group members and have them decrypt the traffic and forward the traffic "in the clear." Receive Only SA mode allows encryption in only the inbound direction for a period of time. (See the steps for the Receive Only SA process.) If you configure the sa receive-only command on the key server, Steps 2 and 3 happen automatically. This action allows the group members to install SAs in the inbound direction only. Receive-only SAs can be configured under a crypto group. (See the "Configuring the Group ID Server Type and SA Type" section.) If the sa receive-only command is configured, all TEKs under this group are going to be marked "receive only" by the key server when they are sent to the group member. Every time a GDOI group member receives an IPsec SA from the key server that is marked as "receive only," the group member installs this IPsec SA only in the inbound direction rather than in both incoming and outgoing directions.
First, individually convert each of the group members to passive mode (this change tells the outbound check that there is a valid SA) and then to bidirectional mode. The following method can be used when the testing phase is over and "receive only" SAs have to be converted to bidirectional SAs. Global ConversionRemove the sa receive-only command under the group. Removing the sa receive-only command creates new IPsec SAs for this group and causes a rekey. On receipt, group members reinstall the SA in both directions and begin to use it in passive mode. Because the SA cannot remain in passive mode forever, the group members change those SAs to receive or send mode if there is no rekey in 5 minutes. The conversion from passive mode to bidirectional encryption mode is automatic and does not require the administrator to do anything. Passive SAThe Passive SA feature allows you to configure a group member so that it is in passive mode permanently. By using the Passive SA feature, you will avoid having to use the crypto gdoi gm ipsec direction inbound optional privileged EXEC command, which is not persistent after a router reload and can be overridden by key server configuration from a rekey. Having the group member in passive mode benefits network testing and debugging during migration to GET VPN, and it provides complete encryption protection during the migration. The group-member passive-mode configuration has higher priority over a key server configuration. The crypto gdoi gm ipsec direction inbound optional privileged EXEC command can override the configuration until the next rekey, which will bring back the group member and key server configuration. To configure the Passive SA feature, see the "Configuring Passive SA" section. Enhanced Solutions ManageabilitySeveral show and debug commands are supported to help verify functionality. See the "Activating Fail-Close Mode" section for details. Support with VRF-Lite InterfacesThe VRF-Lite application supports segmentation of traffic in the control and forwarding planes by keeping the routing tables separate for each user group (or VPN) and forwarding the traffic on the associated or dedicated interfaces of each user group. There are some deployment scenarios in which remote sites that are connecting to an MPLS VPN network might be extending segmentation from a campus to the WAN. In such an extended segmentation case, a CE-PE interface on a CE (group member or key server) device "bounds" to its associated virtual routing and forwarding (VRF) instance. This VRF interface connects to an MPLS PE device where it is directly mapped to its associated Border Gateway Protocol (BGP) VRF process, in which case the crypto map is applied to a VRF interface. No other configuration changes are necessary. GET VPN VRF-Aware GDOI on GMThe GET VPN VRF-Aware GDOI on GM feature adds to the GET VPN feature. The GET VPN VRF-Aware GDOI on GM feature allows control plane traffic (for example, GDOI registration) to be placed in a separate VRF (for example, a dedicated management VRF). Multiple entities placed in different MPLS VPNs (VRFs) can share the same key servers. Use the client registration interface command to allow GDOI crypto maps to route registrations and receive rekeys through a different VRF. The GET VPN GM requires VRF-lite in its data path. VRF-lite means that all the traffic traversing in a particular VRF should use the same VRF after route lookup. VRF-lite does not cover route leaking. If route leaking is configured on the GM, packets will be sent out in clear text from the crypto map applied interface. The scenarios are described in the following sections.
Shared GDOI Groups Policies and Crypto MapsThe same crypto map is applied to multiple subinterfaces, and each subinterface is in a different VRF context or the same VRF context, and the key server is accessible through a different VRF or global VRF table. This is addressed by separating out the control traffic. There is one group member registration for all the crypto maps applied to different subinterfaces. After successful registration, policies are downloaded to where the crypto maps are. Different Groups Policies with Different Crypto Maps Sharing a Key ServerDifferent groups are applied to different interfaces, and each of these interfaces is in a different VRF context or the same VRF context. All these groups are accessing the same key server, and this key server is accessible through a different VRF or global VRF table. This is addressed by having individual group members registering for each group. So for every group, there is one registration and also one unicast rekey received. All these group members would be using the same IKE SA, which is established between the CE and the key server. Different Groups Policies with Different Crypto Maps on Different Key ServersDifferent groups are applied to different interfaces, and each of these interfaces is in a different VRF context or the same VRF context. All these groups are accessing different key servers, and these key servers are accessible through a different VRF or the global VRF table. This is addressed by having a group member registering for each group. So for every group, there is one registration and also one unicase rekey received. Because every registration is with a different key server, a different IKE SA is established for every registration. Authentication Policy for GM RegistrationGMs can authenticate to the key server at registration time using preshared keys or Public Key Infrastructure (PKI). Preshared keys are easy to deploy but must be managed proactively. We recommend that you deploy a peer-based preshared key instead of defining a default key (the key defined with an address of 0.0.0.0) for all the devices in the network. Preshared keys should be updated regularly (every few months). PKI uses its infrastructure to overcome the key management difficulties encountered when preshared keys are used. The PKI infrastructure acts as a certificate authority (CA) where router certificates are issued and maintained. However, using PKI during IKE authentication is computationally intensive. In PKI deployments, key server capacity, design, and placement become important. For added security, GET VPN also supports GM authorization using either preshared keys or PKI. For more information, see the "GET VPN Authorization" section. GET VPN GM AuthorizationGET VPN GM authorization can be done using preshared keys or PKI. It is a best practice to turn on GET VPN authorization. When a key server serves multiple GDOI groups, key server authorization is required to prevent a GM in one group from requesting keys and policies from another group. The ISAKMP authorization confirms that the GM is allowed to request GDOI attributes from the key server while the GDOI authorization confirms that the GM is allowed to request GDOI attributes from a specific group configured in the key server. GDOI authorization is based on the ISAKMP identity sent by a GM. If a GM sends an IP address as an identity, then only an authorization address is used for authorization. If a GM sends a distinguished name (DN) or hostname, then an authorization identity is used. Using an IP address as an identity will bypass authorization matching a DN or hostname and vice versa. To ensure that only GMs with a specific DN can connect (and no GMs using another identity can connect), you must specify deny any in the authorization address. GM Authorization Using Preshared KeysGET VPN supports GM authorization using the IP address when preshared keys are used. An ACL matching the WAN addresses (or subnets) of the GM can be defined and applied to the GET VPN group configuration. Any GM whose IP addresses match the ACL authorizes successfully and can register to the key server. If a GM IP address does not match the ACL, the key server rejects the GM registration request. In cases of unsuccessful authorization, the following syslog message is generated: %GDOI-1-UNAUTHORIZED_IPADDR: Group getvpn received registration from unauthorized ip address: 10.1.1.9 GM Authorization Using PKIGET VPN supports GM authorization using the commonly used DN or fully qualified domain name (FQDN) when PKI is used. The authorization identity command is used to activate GM authorization. A crypto identity matching certain fields in the GM certificate (typically--organizational unit [OU]) can be defined and applied to the GET VPN group configuration. Use the crypto identity command to define a crypto identity. Any GM whose certificate credentials match the ISAKMP identity is authorized and can register to the key server. For example, if all GM certificates are issued with OU=GETVPN, a key server can be configured to check (authorize) that all GMs present a certificate having OU=GETVPN. If the OU in the certificate presented by a GM is set to something else, the GM will not be authorized to register to the key server. If authorization is unsuccessful, the following syslog message is generated: %GDOI-1-UNAUTHORIZED_IDENTITY: Group getvpn received registration from unauthorized identity: Dist.name: hostname=GroupMember-1, ou=TEST Rekey Functionality in Protocol Independent Multicast-Sparse ModeMulticast rekeying can be used with all modes of multicast. The rekey retransmit command should be used whenever the Protocol Independent Multicast-sparse mode (PIM-SM) is configured because the PIM-SM shortest path tree (SPT) can be torn down if it does not receive continuing traffic. When traffic resumes, PIM-SM must reestablish the SPT. Retransmitting rekey packets increases the chance that group members receive the rekeys when PIM-SM is setting up the SPT. GM Removal and Policy TriggerThis feature lets you easily remove unwanted GMs from the GET VPN network, provides a rekey triggering method to install new SAs and remove obsolete SAs, and lets you check whether devices are running versions of GET VPN software that support the above capabilities. GET VPN Software VersioningGET VPN software versions are of the form major-version.minor-version.mini-version where
For example, the base version (for all prior GET VPN features) is 1.0.1. Also, for example, the version that contains the GM removal feature and the policy replacement feature is 1.0.2, which means that these features are fully backward compatible with the base version (despite the introduction of behavior in these features for triggered rekeys). GMs send the GET VPN software version to the KS in the vendor-ID payload during IKE phase 1 negotiation (which is defined in RFC 2408). KSs send the software version to other cooperative KSs in the version field of the ANN messages. Cooperative KSs also synchronize their lists of versions that each GM is using. The GM removal feature and the policy replacement feature each provide a command that you run on the KS (or primary KS) to find devices in the group that do not support that feature. GM RemovalWithout the GM removal and policy replacement features, you would need to complete the following steps to remove unwanted GMs from a group:
The third step is time-consuming when a GET VPN group serves thousands of GMs. Also, clearing the entire group in a production network might cause a network disruption. This feature automates this process by introducing a command that you enter on the KS (or primary KS) to create a new set of TEK and KEK keys and propagate them to the GMs.
GM Removal Compatibility with Other GET VPN Software VersionsYou should use this feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature. Otherwise, secondary KSs or GMs running older software will ignore the GM removal message and continue to encrypt and decrypt traffic using the old SAs. This causes network traffic disruption. This feature provides a command that you use on the KS (or primary KS) to check whether all devices in the network are running versions that support GM removal. When the primary KS tries to remove GMs in a network containing devices that do not support GM removal, a warning message appears. For more information, see the "Ensuring That GMs Are Running Software Versions That Support GM Removal" section. GM Removal with Transient IPsec SAsThis feature provides a command that you use on the KS (or primary KS) to trigger GM removal with transient IPsec SAs. This shortens key lifetimes for all GMs and causes them to re-register before keys expire. During GM removal, no network disruption is expected, because traffic continues to be encrypted and decrypted using the transient IPsec SA until its lifetime expires. For more information, see the "Removing GMs with Transient IPsec SAs" section. GM Removal with Immediate IPsec SA DeletionThis feature provides an optional keyword that you can use on the KS (or primary KS) to force GMs to delete old TEKs and KEKs immediately (without using transient SAs) and re-register. However, this can cause a disruption to the data plane, so you should use this method only for important security reasons. For more information, see the "Removing GMs and Deleting IPsec SAs Immediately" section. Policy Replacement and Rekey TriggeringThis feature provides a new rekey triggering method to remove obsolete SAs and install new SAs.
Inconsistencies Regarding Which TEK and KEK Policy Changes Will Trigger RekeysWithout this feature, there are inconsistencies regarding which TEK and KEK policy changes will trigger rekeys:
For example, if the KS changes the policy from DES to AES, when the GM receives this triggered rekey, it installs the new SAs (for example, for AES) and shortens the lifetimes of the old SAs (for example, for DES). The GM continues to encrypt and decrypt traffic using the old SAs until their shortened lifetimes expire. Following is the formula to calculate the shortened lifetime: TEK_SLT = MIN(TEK_RLT, MAX(90s, MIN(5%(TEK_CLT), 3600s))) where
The following table summarizes the inconsistencies regarding rekeys.
This feature solves these problems by ensuring consistency. With this feature, GET VPN policy changes alone will no longer trigger a rekey. When you change the policy (and exit from global configuration mode), a syslog message appears on the primary KS indicating that the policy has changed and a rekey is needed. This feature provides a new command that you then enter on the KS (or primary KS) to send a rekey (that is based on the latest security policy in the running configuration). This feature also provides an extra keyword to the new command to force a GM receiving the rekey to remove the old TEKs and KEK immediately and install the new TEKs and KEK. Therefore, the new policy takes effect immediately without waiting for old policy SAs to expire. (However, using this keyword could cause a temporary traffic discontinuity, because all GMs might not receive the rekey message at the same time.) Policy Replacement and Rekey Triggering Compatibility with Other GET VPN Software VersionsYou should use rekey triggering only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature. For GMs running older versions that do not yet support the crypto gdoi ks command, the primary KS uses the software versioning feature to detect those versions and only triggers a rekey without sending instruction for policy replacement. Therefore, when a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs. (This behavior is the same as the prior rekey method and ensures backward compatibility for devices that cannot support policy replacement.) This feature provides a command that you use on the KS (or primary KS) to check whether all the devices in the network are running versions that support policy replacement. For more information, see the "Ensuring That GMs Are Running Software Versions That Support Policy Replacement" section. GDOI MIB Support for GET VPNThe existing MIBs in crypto are the IKE and IPSec MIBs, which are not sufficient for GDOI. The GDOI MIB Support for GET VPN feature adds MIB support for RFC 3547, The Group Domain of Interpretation; it supports only the objects related to the GDOI MIB IETF standard. You can import the GDOI MIB .my file into an SNMP management station and parse it to retrieve the table objects and hierarchy information. The GDOI MIB consists of objects and notifications (formerly called traps) that include information about GDOI groups, GM and KS peers, and the policies that are created or downloaded. Only "get" operations are supported for GDOI. To configure GDOI MIB support for GET VPN, see the "Configuring GDOI MIB Support for GET VPN" section.
GDOI MIB Compatibility with Other GET VPN Software VersionsThe GDOI MIB Support for GET VPN feature provides a command that you use on the KS (or primary KS) to check whether all the devices in the network are running versions that support the GDOI MIB. For more information, see the "Ensuring that GMs Are Running Software Versions That Support the GDOI MIB" section. GDOI MIB Table HierarchyThe GDOI MIB objects are organized into the following GDOI MIB tables. Following is the relationship (hierarchy) among the tables: GDOI MIB Table ObjectsFollowing is a list of the MIB table objects (listed per group). Group table objects:
KS table objects:
GM table:
KS KEK table:
KS TEK selector table (corresponds to the ACLs that are configured as part of the IPsec SA in the GDOI group configuration on the KS):
KS TEK policy table:
GM KEK table:
GM TEK selector table (corresponds to the ACLs that are downloaded to the GM as part of the TEK policy from the KS):
GM TEK policy table:
GDOI MIB NotificationsThe GDOI MIB supports the SNMP notifications in the following table. The GDOI MIB contains two kinds of notifications--those generated by the KS and those generated by each GM. You can enable any combination of notifications (or all notifications).
For more information, see the "Enabling GDOI MIB Notifications" section. GET VPN Support for IPv6 in the Data PlaneThis feature secures IPv6 traffic in the data plane (while maintaining usage of IPv4 in the control plane) over private IP WANs such as MPLS. This means that a GM using this feature must be a dual-stack device. The feature does not support "mixed mode," which means that a group cannot be configured with both IPv6 and IPv4 policies. Also, IPsec crypto maps do not support mixed mode. An IPv6 crypto map accepts only the assignment of an IPv6 group. Because GET VPN is a technology that is based on groups, all devices in the same group (including the KS, cooperative KSs, and GMs) must support the GET VPN for IPv6 in the Data Plane feature before the group's KS can enable the feature. The feature provides a command that you use on the KS (or primary KS) to check whether all devices in the network are running versions that support it. For more information, see the "Ensuring That GMs Are Running GET VPN Software Versions Compatible with IPv6 in the Data Plane" section. The feature uses the control plane to download IPv6 policies, registrations, and rekeys via IPv4 and then creates IPv6 IPsec SAs. KEKS continue to use IPv4, while downloaded TEKs are IPv6 policies using an IPv6 IPsec SA. When a GM downloads the policy from the KS, the GM checks if the policy is in IPv6. If not, the policy is rejected, and the GM attempts to re-register to another KS on its KS list. The feature is supported only on those platforms that support IPv6 crypto maps. For other platforms, the applicable configuration commands are disabled. Because control traffic is IPv4 and data traffic is IPv6, you must separate these two types of traffic. To do so, you can use the GET VPN VRF-Aware GDOI on GM feature (which will be needed for certain deployments to separate the control and data traffic). For other deployments, a dual-stack interface can be used to route the control and data traffic. (Control plane traffic for GDOI is for registration and rekeys.) Cisco Group Encrypted Transport VPN System Logging MessagesThe table below lists GET VPN system logging (also called syslog) messages and explanations.
How to Configure Cisco Group Encrypted Transport VPN
Ensuring That GMs Are Running GET VPN Software Versions Compatible with IPv6 in the Data PlaneBecause GET VPN is a technology that is based on groups, all devices in the same group (including the KS, cooperative KSs, and GMs) must support the GET VPN for IPv6 in the Data Plane feature before the group's KS can enable the feature. If you want to enable the feature for a group, you must ensure that all devices in the group are running compatible versions of the GET VPN software. Note that a single KS can configure multiple IPv4 groups, multiple IPv6 groups, or a combination of multiple IPv4 and IPv6 groups (each group with a unique group ID). For the IPv4 groups, their KSs, cooperative KSs, and GMs are running IPv4 data plane encryption and decryption. For the IPv6 groups, their KSs, cooperative KSs, and GMs are running IPv6 data plane encryption and decryption. You can check the versions and compatibility while on the KS (or primary KS) or on a GM (which displays the information for the GM but not for the KS or other GMs). To do so, perform the following steps. DETAILED STEPS Configuring a Key Server
PrerequisitesBefore creating the GDOI group, you must first configure IKE and the IPsec transform set, and you must create an IPsec profile. For information about how to configure IKE and the IPsec transform set and to create an IPsec profile, see the "Related Documents" subsection of the "Additional References" section. Configuring RSA Keys to Sign Rekey Messages
To configure RSA keys that will be used to sign rekey messages, perform the following steps. Omit this subtask if rekey is not in use. DETAILED STEPS Configuring the Group ID Server Type and SA TypeFor a large number of sites, it is better to take precautions and add functionality incrementally, especially when migrating from any other encryption solutions like Dual Multipoint VPN (DMVPN). For example, instead of setting up all the CPE devices to encrypt the traffic bidirectionally, it is possible to configure one-way encryption so that only one or fewer members of a group are allowed to send encrypted traffic. Others are allowed to receive only encrypted traffic. After the one-way encryption is validated for one or a few members, bidirectional encryption can be turned on for all the members. This "inbound only" traffic can be controlled using the sa receive only command under a crypto group. To configure the group ID, server type, and SA type, perform the following steps. DETAILED STEPS Configuring the RekeyThis section includes the following optional tasks: Rekey is used in the control plane by the key server to periodically refresh the policy and IPsec SAs of the group. On the group-member side, instead of fully re-registering when timers expire for any other reasons, refreshing the registration with a rekey is more efficient. The initial registration is always a unicast registration. The key server can be configured to send rekeys in unicast or multicast mode. The rekey transport mode is determined by whether the key server can use IP multicast to distribute the rekeys. If multicast capability is not present within the network of the customer, the key server will have to be configured to send rekeys using unicast messages. Additional options for rekey use the rekey authentication, rekey retransmit, and rekey address ipv4 commands. If unicast transport mode is configured, the source address command will have to be included to specify the source address of this unicast rekey message. Multicast is the default transport type for rekey messages. The following bulleted items explain when to use rekey transport type multicast or unicast:
If the no rekey transport unicast command is used, members in the GDOI group that are unable to receive the multicast rekey messages need to re-register with the key server to get the latest group policies. The re-registration forces the default transport type to multicast. If no transport type was configured previously, the multicast transport type will apply by default. PrerequisitesBefore configuring the rekey authentication command, you must have configured the router to have an RSA key generated using the crypto key generate rsa command and general-keys and label keywords (for example, "crypto key generate rsa general-key label my keys"). Configuring a Unicast RekeyIn the configuration task table, the address "ipv4 10.0.5.2" specifies the interface on the key server by which the unicast or multicast rekey messages are sent. This address is required for unicast rekeys, but it is optional for multicast rekeys. For multicast rekeys, the source address of the key server can be retrieved from the rekey ACL. To configure a unicast rekey, perform the following steps. DETAILED STEPS Configuring a Multicast Rekey
SUMMARY STEPS
DETAILED STEPS Configuring Group Member ACLsAll IP traffic matching deny entries are sent out by the group member in clear text. The inbound traffic is matched to the mirrored access list. To configure group member ACLs, perform this task (note that a group member access list can contain only deny statements). DETAILED STEPS
Configuring an IPsec Lifetime TimerTo configure an IPsec lifetime timer for a profile, perform the following steps. If this configuration task is not performed, the default is the maximum IPsec SA lifetime of 3600 seconds. The TEK lifetime value should be more than 900 seconds. DETAILED STEPS
Configuring an ISAKMP Lifetime Timer
SUMMARY STEPS
DETAILED STEPS
Configuring the IPsec SAIf time-based antireplay is configured on the key server but the group member is not capable of supporting it, the GDOI-3-GM_NO_CRYPTO_ENGINE syslog message is logged to the group member. See the "Cisco Group Encrypted Transport VPN System Logging Messages" section for a list of system error messages. Mixed mode is not supported, which means that you cannot configure both IPv4 and IPv6 policies under the same group. If you configure an IPv6 GDOI group (by using the crypto gdoi group ipv6 command and keyword combination), the data plane must be using IPv6. Also, only matching of addresses using IPv6 ACLs (by using the match address ipv6 command and keyword combination) is allowed on the KS group configuration.
To configure the IPsec SA, perform the following steps. DETAILED STEPS
Configuring Time-Based Antireplay for a GDOI Group
SUMMARY STEPS
DETAILED STEPS
Configuring Passive SA
SUMMARY STEPS
DETAILED STEPS
Configuring a Group MemberTo configure a group member, perform the following subtasks:
Configuring the Group Name ID Key Server IP Address and Group Member RegistrationTo configure the group name, ID, key server IP address, and group member registration, perform the following steps. You can configure up to eight key server addresses. DETAILED STEPS
Creating a Crypto Map Entry
SUMMARY STEPS
DETAILED STEPS
Applying the Crypto Map to an Interface to Which the Traffic Must Be Encrypted
To apply the crypto map to an interface to which the traffic must be encrypted, perform the following steps. DETAILED STEPS
Activating Fail-Close ModeFail-close mode prevents unencrypted traffic from passing through a group member before that member is registered with a key server. To configure a crypto map to work in fail-close mode, perform the following steps: DETAILED STEPS
Configuring Acceptable Ciphers or Hash Algorithms for KEK
To configure the ciphers and hash algorithms for KEK to be allowed by the GM, perform the following steps. DETAILED STEPS
Configuring Acceptable Transform Sets for TEKTo configure the acceptable transform sets used by TEK for data encryption or authentication, perform the following steps. DETAILED STEPS
Configuring GET VPN GM AuthorizationGET VPN GM authorization can be done using preshared keys or PKI. It is a best practice to turn on GET VPN authorization. When a key server serves multiple GDOI groups, key server authorization is required to prevent a GM in one group from requesting keys and policies from another group. The ISAKMP authorization confirms that the GM is allowed to request GDOI attributes from the key server while the GDOI authorization confirms the GM is allowed to request GDOI attributes from a specific group configured in the key server. To configure GET VPN GM authorization, perform either of the following tasks: Configuring GM Authorization Using Preshared Keys
SUMMARY STEPS
DETAILED STEPS
Configuring GM Authorization Using PKI
SUMMARY STEPS
DETAILED STEPS
Removing GMs and Triggering RekeysThis feature lets you create a new set of TEK and KEK keys and send out messages to all GMs to delete old groups (and thus clean up their old TEK and KEK databases).
Ensuring That GMs Are Running Software Versions That Support GM RemovalYou should use this feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature. Otherwise, secondary KSs or GMs that are running older software will ignore the GM removal message and continue to encrypt and decrypt traffic using the old SAs. This causes network traffic disruption. To check whether all devices in the network support GM removal, perform the following steps on the KS (or primary KS). DETAILED STEPS
Removing GMs with Transient IPsec SAsTo trigger removal of GMs with transient IPsec SAs, perform the following steps on the KS (or primary KS). DETAILED STEPS
ExamplesA message appears on the KS as follows: Router# clear crypto gdoi ks members % This GM-Removal message will shorten all GMs' key lifetimes and cause them to re-register before keys expiry. Are you sure you want to proceed? ? [yes/no]: yes Sending GM-Removal message to group GET... After each GM receives the GM removal message, the following syslog message appears on each GM: *Jan 28 08:37:03.103: %GDOI-4-GM_RECV_DELETE: GM received delete-msg from KS in group GET. TEKs lifetime are reduced and re-registration will start before SA expiry Each GM removes the KEK immediately and shortens the lifetimes of the old TEKs as follows: TEK_SLT = MIN(TEK_RLT, MAX(90s, MIN(5%(TEK_CLT), 3600s))) TEK_SLT: TEK shortened lifetime TEK_RLT: TEK Remaining LIfeTime TEK_CLT: TEK Configured LIfeTime Also, the GMs start re-registering to the KS to obtain the new TEKs and KEK according to the conventional re-registration timer and with jitter (random delay) applied. Jitter prevents all GMs from reregistering at the same time and overloading the key server CPU. Only GMs that pass the authentication based on the new credential installed on the KS will receive the new TEKs and KEK. GM removal should not cause a network disruption, because traffic continues to be encrypted and decrypted using the transient IPsec SA until its lifetime expires. If you try to use this command on the secondary KS, it is rejected as follows: Router# clear crypto gdoi ks members
ERROR for group GET: can only execute this command on Primary KS
Removing GMs and Deleting IPsec SAs ImmediatelyTo force GMs to delete old TEKs and KEKs immediately and re-register, perform the following steps on the KS (or primary KS). DETAILED STEPS
ExamplesA message appears on the KS as follows: Router# clear crypto gdoi ks members now % This GM-Removal immediate message will cleanup all GMs downloaded policies % This will cause all GMs to re-register. Are you sure you want to proceed? ? [yes/no]: yes Sending GM-Removal message to group GET... After you enter the above command, the KS sends a "remove now" message to each GM to trigger the following actions on each GM:
On each GM, the following syslog message is displayed to indicate that the GM will re-register in a random time period: *Jan 28 08:27:05.627: %GDOI-4-GM_RECV_DELETE_IMMEDIATE: GM receive REMOVAL-NOW in group GET to cleanup downloaded policy now. Re-registration will start in a randomly chosen period of 34 sec If you try to remove GMs in a network containing devices that do not support GM removal, a warning message appears: Router# clear crypto gdoi ks members now % This GM-Removal immediate message will cleanup all GMs downloaded policies % This will cause all GMs to re-register. Are you sure you want to proceed? ? [yes/no]: yes WARNING for group GET: some devices cannot support GM-REMOVAL and can cause network disruption. Please check 'show crypto gdoi feature'. Are you sure you want to proceed ? [yes/no]: no Ensuring that GMs Are Running Software Versions That Support Policy ReplacementTo check whether all devices in the network support policy replacement, perform the following steps on the KS (or primary KS). DETAILED STEPS
Triggering a RekeyIf you change the security policy (for example, from DES to AES) on the KS (or primary KS) and exit from global configuration mode, a syslog message appears on the KS indicating that the policy has changed and a rekey is needed. You enter the rekey triggering command as described below to send a rekey based on the latest policy in the running configuration. To trigger a rekey, perform the following steps on the KS (or primary KS). DETAILED STEPS
ExamplesA message appears on the KS as follows: Router# crypto gdoi ks rekey
Router#
*Jan 28 09:17:44.363: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with
policy-replace for group GET from address 10.0.8.1 with seq # 2
After the policy change, when each GM receives this triggered rekey, it installs the new SAs (for example, for AES) and shortens the lifetimes of the old SAs (for example, for DES). Each GM continues to encrypt and decrypt traffic using the old SA until its shortened lifetime expires. If you try to trigger a rekey on the secondary KS, it rejects the command as shown below: Router# crypto gdoi ks rekey
ERROR for group GET: This command must be executed on Pri-KS
Configuring GDOI MIB Support for GET VPNThis feature provides a command that you use to determine which devices in the network are running versions that support the GDOI MIB. After you determine GDOI MIB support, you can configure those devices to use it.
Ensuring that GMs Are Running Software Versions That Support the GDOI MIBTo determine whether all devices in the GET VPN network support the GDOI MIB, perform the following steps on the KS (or primary KS). DETAILED STEPS
Creating Access Control for an SNMP CommunityYou specify an SNMP community access string to define the relationship between the SNMP manager and the SNMP agent on the KS or GM in order to permit access to SNMP. Your community access string acts like a password to regulate access to the agent on the router. To specify the community access string, perform the following steps. DETAILED STEPS
For more information about specifying a community access string, refer to the "Configuring SNMP Support" module in the SNMP Configuration Guide, Cisco IOS Release 15.2M&T. For more information about the snmp-server community command (including syntax and usage guidelines), refer to the Cisco IOS SNMP Support Command Reference. Enabling Communication with the SNMP ManagerTo enable communication between the SNMP agent on the KS or GM and the SNMP manager, perform the following steps. DETAILED STEPS
For more information about enabling communication with the SNMP manager, refer to the "Configuring SNMP Support" module in the SNMP Configuration Guide, Cisco IOS Release 15.2M&T. For more information about the snmp-server host command (including syntax and usage guidelines), refer to the Cisco IOS SNMP Support Command Reference. Enabling GDOI MIB Notifications
SUMMARY STEPS
DETAILED STEPS
Verifying and Troubleshooting Cisco Group Encrypted Transport VPN ConfigurationsThe following tasks can be used to verify and troubleshoot your GET VPN configurations. These tasks are optional and are used to gather information during troubleshooting.
Verifying States and Statistics for All Features and All Debug Levels
SUMMARY STEPS
DETAILED STEPS
Verifying the Active Encryption ACLs on a Key Server
SUMMARY STEPS
DETAILED STEPS
Verifying the Active Encryption ACLs on a Group MemberTo verify the active encryption ACLs for the groups to which a GM belongs, perform the following steps on the GM. DETAILED STEPS
Verifying Active Group Members on a Key Server
SUMMARY STEPS
DETAILED STEPS
Verifying Rekey-Related Statistics
SUMMARY STEPS
DETAILED STEPS
Verifying IPsec SAs That Were Created by GDOI on a Group Member
SUMMARY STEPS
DETAILED STEPS
Verifying IPsec SAs That Were Created by GDOI on a Key Server
SUMMARY STEPS
DETAILED STEPS
Verifying Key Server States and StatisticsYou can verify key server states and statistics for any (or all) features and any (or all) debug levels. To verify key server states and statistics, perform the following steps. DETAILED STEPS
Verifying Cooperative Key Server States and StatisticsTo verify cooperative key server states and statistics, perform the following steps, using one or both of the debug and show commands shown. DETAILED STEPS
Verifying Antireplay Pseudotime-Related StatisticsTo verify antireplay pseudotime-related statistics, perform the following steps using one or all of the clear, debug, and show commands. DETAILED STEPS
Verifying Group Member States and StatisticsYou can verify GM states and statistics for any (or all) features and any (or all) debug levels. To verify GM states and statistics, perform the following steps. DETAILED STEPS
Verifying the Downloaded RSA Public Key on the Group MemberThe key server sends the group member the RSA public key when the group member registers. When the key server sends a rekey, it signs it using the RSA private key. When the group member receives this rekey, it verifies the signature using the public key that it downloaded from the key server (therefore, the group member knows that it received the rekey from the key server). To verify the RSA public key that is downloaded from the key server, perform the following steps. DETAILED STEPS
Verifying the Fail-Close Mode Status of a Crypto Map
SUMMARY STEPS
DETAILED STEPS
Displaying GDOI Debug Conditional Filters
SUMMARY STEPS
DETAILED STEPS
Displaying Information About GDOI Event Traces
SUMMARY STEPS
DETAILED STEPS
Configuration Examples for Cisco Group Encrypted Transport VPN
Example: Key Server and Group Member Case StudyThe following case study includes encrypting traffic CE-CE in an MPLS VPN environment. The MPLS VPN core interconnects VPN sites as is shown in the figure below. VPN site CPEs, Group Member 1 through Group Member 4, are grouped into a single GDOI group that correlates with a VPN with which these sites are a part. This scenario is an intranet VPN scenario. All the key servers and Group Members are part of the same VPN. Key Server 1 and Key Server 2 are the cooperative key servers that support VPN members Group Member 1 through Group Member 4. Key Server 1 is the primary key server and Key Server 2 is the secondary key server. The following configuration examples are based on the case study in the figure above. Example: Configuring Key Server 1Key server 1 is the primary key server. service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service internal ! hostname KS1 ! logging buffered 100000 debugging no logging console ! no aaa new-model ! resource policy ! clock timezone EST 0 ip subnet-zero no ip domain lookup ip domain name cisco.com ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 400 crypto isakmp key cisco address 10.1.1.13 crypto isakmp key cisco address 10.1.1.9 crypto isakmp key cisco address 10.1.1.1 crypto isakmp key cisco address 10.1.1.5 crypto isakmp key cisco address 10.1.1.21 crypto isakmp key cisco address 209.165.200.226 ! crypto ipsec transform-set gdoi-trans-group1 esp-aes esp-sha-hmac ! crypto ipsec profile gdoi-profile-group1 set security-association lifetime seconds 1800 set transform-set gdoi-trans-group1 ! crypto gdoi group group1 identity number 1 server local rekey lifetime seconds 86400 rekey retransmit 10 number 2 rekey authentication mypubkey rsa group1-export-general rekey transport unicast sa ipsec 1 profile gdoi-profile-group1 match address ipv4 101 replay counter window-size 64 address ipv4 209.165.200.225 redundancy local priority 10 peer address ipv4 209.165.200.225 ! interface Ethernet0/0 ip address 209.165.200.225 255.255.255.252 ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.18 ! access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 ! end Example: Configuring Key Server 2Key Server 2 is the secondary key server. service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service internal ! hostname KS2 ! logging buffered 100000 debugging no logging console ! no aaa new-model ! resource policy ! clock timezone EST 0 ip subnet-zero no ip domain lookup ip domain name cisco ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 400 crypto isakmp key cisco address 10.1.1.9 crypto isakmp key cisco address 10.1.1.1 crypto isakmp key cisco address 10.1.1.5 crypto isakmp key cisco address 10.1.1.17 crypto isakmp key cisco address 10.1.1.13 crypto isakmp key cisco address 209.165.200.225 ! crypto ipsec transform-set gdoi-trans-group1 esp-aes esp-sha-hmac ! crypto ipsec profile gdoi-profile-group1 set security-association lifetime seconds 1800 set transform-set gdoi-trans-group1 ! crypto gdoi group group1 identity number 1 server local rekey lifetime seconds 86400 rekey retransmit 10 number 2 rekey authentication mypubkey rsa group1-export-general rekey transport unicast sa ipsec 1 profile gdoi-profile-group1 match address ipv4 101 replay counter window-size 64 address ipv4 10.1.1.21 redundancy local priority 1 peer address ipv4 10.1.1.17 ! interface Ethernet0/0 ip address 209.165.200.225 255.255.255.252 ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.22 ! access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 ! end Example: Configuring Group Member 1Group member 1 is part of a GDOI group that correlates with a VPN with which these sites are a part. service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname GM1 ! resource policy ! clock timezone EST 0 ip subnet-zero ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco address 209.165.200.225 crypto isakmp key cisco address 209.165.201.1 ! crypto gdoi group group1 identity number 1 server address ipv4 209.165.200.225 server address ipv4 209.165.201.1 ! crypto map map-group1 10 gdoi set group group1 ! interface Ethernet0/0 ip address 209.165.200.225 255.255.255.252 crypto map map-group1 ! router bgp 1000 no synchronization bgp log-neighbor-changes network 10.1.1.0 mask 255.255.255.0 neighbor 10.1.1.2 remote-as 5000 no auto-summary ! ip classless ! End The same GDOI group cannot be applied to multiple interfaces. The following examples show unsupported cases: Example: Configuring Group Member 2Group member 2 is part of a GDOI group that correlates with a VPN with which these sites are a part. service timestamps debug datetime msec service timestamps log datetime msec ! hostname GM2 ! resource policy ! clock timezone EST 0 ip subnet-zero ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco address 209.165.200.225 crypto isakmp key cisco address 209.165.201.1 ! crypto gdoi group group1 identity number 1 server address ipv4 209.165.201.1 server address ipv4 209.165.200.225 ! crypto map map-group1 10 gdoi set group group1 ! interface Ethernet0/0 ip address 209.165.200.225 255.255.255.252 crypto map map-group1 ! router bgp 2000 no synchronization bgp log-neighbor-changes network 10.1.2.0 mask 255.255.255.0 neighbor 10.1.1.6 remote-as 5000 no auto-summary ! ip classless ! end Example: Configuring Group Member 3Group member 3 is part of a GDOI group that correlates with a VPN with which these sites are a part. service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname GM3 ! resource policy ! clock timezone EST 0 ip subnet-zero ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco address 209.165.200.225 crypto isakmp key cisco address 209.165.201.1 ! crypto ipsec transform-set gdoi-trans-group1 esp-aes esp-sha-hmac crypto gdoi group group1 identity number 1 server address ipv4 209.165.200.225 server address ipv4 209.165.201.1 ! crypto map map-group1 10 gdoi set group group1 ! interface Ethernet0/0 ip address 209.165.201.1 255.255.255.252 crypto map map-group1 ! router bgp 3000 no synchronization bgp log-neighbor-changes network 10.1.3.0 mask 255.255.255.0 neighbor 10.1.1.10 remote-as 5000 no auto-summary ! ip classless ! end Example: Configuring Group Member 4Group member 4 is part of a GDOI group that correlates with a VPN with which these sites are a part. service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname GM4 ! clock timezone EST 0 ip subnet-zero ! crypto isakmp policy 1 encr aes authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco address 209.165.200.225 crypto isakmp key cisco address 209.165.201.1 ! crypto gdoi group group1 identity number 1 server address ipv4 209.165.200.225 server address ipv4 209.165.201.1 ! crypto map map-group1 10 gdoi set group group1 ! interface Ethernet0/0 ip address 209.165.201.1 255.255.255.252 crypto map map-group1 ! router bgp 4000 no synchronization bgp log-neighbor-changes network 10.1.4.0 mask 255.255.255.0 neighbor 10.1.1.14 remote-as 5000 no auto-summary ! ip classless ! end Example: Configuring Group Member 5If a group member has multiple interfaces that are part of the same GDOI group, you should use a loopback interface to source the crypto. If a loopback interface is not used, each interface that handles encrypted traffic must register individually with the key server. The key server sees these as separate requests and must keep multiple records for the same group member, which also means sending multiple rekeys. If crypto is sourced from the loopback interface instead, the group member registers only once with the key server. The following configuration shows how the group member registers once with the key server: ! interface GigabitEthernet0/1 description *** To AGG-1 *** crypto map dgvpn ! interface GigabitEthernet0/2 description *** To AGG-2 *** crypto map dgvpn ! interface Loopback0 ip address 209.165.201.1 255.255.255.255 ! crypto map dgvpn local-address Loopback0 ! Example: Verifying the Active Encryption ACLs on a Key ServerThe following example shows how to enter the command on a KS to display the encryption ACLs for groups. This example displays a numbered encryption ACL, which means that it is an IPv4 ACL (because IPv6 allows only named ACLs):
Router# show crypto gdoi ks acl
Group Name : diffint
Configured ACL : access-list 101 permit gre any any
The following example shows how to enter the command on a KS to display the encryption ACLs for groups. This example displays named encryption ACLs for two groups (an IPv4 group and an IPv6 group):
Router# show crypto gdoi ks acl
Group Name: GETV6
Configured ACL:
access-list ACL_GETV6_MIX deny tcp host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 10
access-list ACL_GETV6_MIX permit ipv6 host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 20
access-list ACL_GETV6_MIX permit ipv6 host 2001:DB8:0:ABCD::1 host 2001:DB8:1::1 sequence 30
access-list ACL_GETV6_MIX deny udp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 40
access-list ACL_GETV6_MIX deny udp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 50
access-list ACL_GETV6_MIX permit icmp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 60
access-list ACL_GETV6_MIX permit icmp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 70
Group Name: GETV4
Configured ACL:
access-list ACL_GETV4_HOST permit icmp host 192.0.2.2 host 192.0.2.3
access-list ACL_GETV4_HOST permit icmp host 192.0.2.3 host 192.0.2.2
Example: Verifying the Active Encryption ACLs on a Group MemberThe following example shows how to enter the command on a GM to display the encryption ACLs for the groups to which it belongs. Even though a GM can be in any combination of IPv4 and IPv6 groups, this example shows that the GM is a member of only one group (in this case, an IPv6 group):
Router# show crypto gdoi gm acl
Group Name: GETV6
ACL Downloaded From KS 192.0.2.1:
access-list permit ipv6 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 1
access-list permit ipv6 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 2
The following example shows how to enter the command on a GM to display the encryption ACLs for the groups to which it belongs. In this case, the GM belongs to two groups (an IPv4 group and an IPv6 group):
Router# show crypto gdoi gm acl
Group Name: GETV6
ACL Downloaded From KS 192.0.2.1:
access-list deny tcp host 2001:DB8:1::1 eq 0 host 2001:DB8:0:ABCD::1 eq 0 sequence 1
access-list permit ipv6 host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 2
access-list permit ipv6 host 2001:DB8:0:ABCD::1 host 2001:DB8:1::1 sequence 3
access-list deny udp 2001:DB8:0001::/48 eq 0 2001:DB8:0002::/48 eq 0 sequence 4
access-list deny udp 2001:DB8:0002::/48 eq 0 2001:DB8:0001::/48 eq 0 sequence 5
access-list permit icmp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 6
access-list permit icmp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 7
ACL Configured Locally:
Group Name: GETV4
ACL Downloaded From KS 192.0.2.1:
access-list permit icmp host 192.0.2.2 host 192.0.2.3
access-list permit icmp host 192.0.2.3 host 192.0.2.2
ACL Configured Locally:
Example: Passive SAThe following examples show how to display information about crypto rules on outgoing packets. Assuming that the KS has the following GET VPN IPv4 group ACL policy: ip access-list extended get-acl deny ospf any any deny ip any host 192.0.2.5 deny ip host 192.0.2.5 any permit ip any any crypto gdoi group GETVPN identity number 1111 server local rekey authentication mypubkey rsa mykeys rekey transport unicast sa ipsec 1 profile GET_PROFILE match address ipv4 get-acl replay time window-size 10 address ipv4 192.0.2.5 The following example shows information about the crypto rules on outgoing packets for the above policy:
Router# show crypto ruleset
Mtree:
11 192.0.2.1/500 ANY Forward, Forward
11 192.0.2.1/4500 ANY Forward, Forward
11 ANY/848 ANY Forward, Forward
11 ANY ANY/848 Forward, Forward
59 ANY ANY DENY
IP ANY 192.0.2.5 DENY
IP 192.0.2.5 ANY DENY
IP ANY ANY Discard, Encrypt
The following example shows the directional mode of the IPsec SA for the above policy:
Router# show crypto ruleset detail
Mtree:
199 VRF 0 11 192.0.2.1/500 ANY Forward, Forward
299 VRF 0 11 192.0.2.1/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
1000000000000201 VRF 0 59 ANY ANY DENY -> 1000000009999900
1000000000000301 VRF 0 IP ANY 192.0.2.5 DENY -> 1000000009999900
1000000000000401 VRF 0 IP 192.0.2.5 ANY DENY -> 1000000009999900
1000000000000501 VRF 0 IP ANY ANY Discard, Encrypt
Assuming that the KS has the following GET VPN IPv6 group ACL policy: ipv6 access-list ACL_GETV6_ANY permit ipv6 any any crypto gdoi group ipv6 GETV6 identity number 1111 server local rekey authentication mypubkey rsa GETKEY rekey transport unicast sa ipsec 1 profile IPSEC_PROF_GETV6 match address ipv6 ACL_GETV6_ANY replay time window-size 10 address ipv4 192.0.2.2 The following example shows information about the crypto rules on outgoing packets for the above policy:
Router# show crypto ruleset
Mtree:
IPv6:
0/0/1/1
17 2001:DB8::A8BB:CCFF:FE01:2C02 500 ANY Forward, Forward
0/0/2/1
17 2001:DB8::A8BB:CCFF:FE01:2C02 4500 ANY Forward, Forward
0/2/1/1
17 ANY 848 ANY Forward, Forward
0/2/2/1
17 ANY ANY 848 Forward, Forward
10/0/2/0
IPV6 ANY ANY Discard, Encrypt
Mtree:
11 192.0.2.3/500 ANY Forward, Forward
11 192.0.2.3/4500 ANY Forward, Forward
11 ANY/848 ANY Forward, Forward
11 ANY ANY/848 Forward, Forward
01 192.0.2.3 192.0.2.4 Discard, Encrypt
01 192.0.2.4 192.0.2.3 Discard, Encrypt
The following example shows the directional mode of the IPsec SA for the above policy:
Router# show crypto ruleset detail
IPv6:
0/0/1/1
17 2001:DB8::A8BB:CCFF:FE01:2C02 500 ANY Forward, Forward
0/0/2/1
17 2001:DB8::A8BB:CCFF:FE01:2C02 4500 ANY Forward, Forward
0/2/1/1
17 ANY 848 ANY Forward, Forward
0/2/2/1
17 ANY ANY 848 Forward, Forward
10/0/2/0
IPV6 ANY ANY Discard, Encrypt
Mtree:
199 VRF 0 11 192.0.2.3/500 ANY Forward, Forward
299 VRF 0 11 192.0.2.3/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
1000000000000201 VRF 0 01 192.0.2.3 192.0.2.4 Discard, Encrypt
1000000000000301 VRF 0 01 192.0.2.4 192.0.2.3 Discard, Encrypt
Example: Configuring Fail-Close ModeThe following example shows how to activate fail-close mode for an IPv4 crypto map named map1. This example also defines two extended IP access lists. Unencrypted traffic from access list 102 is allowed before the group member is registered: Router> enable Router# configure terminal Router(config)# crypto map map1 gdoi fail-close Router(config-crypto-map-fail-close)# match address 102 Router(config-crypto-map-fail-close)# activate Router(config-crypto-map-fail-close)# exit Router(config)# crypto map map1 10 gdoi Router(config-crypto-map)# set group ks1_group Router(config-crypto-map)# match address 101 Router(config-crypto-map)# exit Router(config)# access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255 Router(config)# access-list 102 deny tcp any eq telnet any Router(config)# end The following example shows how to activate fail-close mode for an IPv6 crypto map named map2. This example also defines two IPv6 access lists. Unencrypted traffic from access list ACL_GETV6_ANY6 is allowed before the group member is registered: Router> enable Router# configure terminal Router(config)# crypto map ipv6 map2 gdoi fail-close Router(config-crypto-map-fail-close)# match address ACL_GETV6_ANY6 Router(config-crypto-map-fail-close)# activate Router(config-crypto-map-fail-close)# exit Router(config)# crypto map ipv6 map2 20 gdoi Router(config-crypto-map)# set group ks2_group Router(config-crypto-map)# match address ACL_GETV6_ANY5 Router(config-crypto-map)# exit Router(config)# ipv6 access-list ACL_GETV6_ANY5 Router(config-ipv6-acl)# deny tcp 2001:DB8:0000::/48 2001:DB8:0001::/48 eq telnet Router(config-ipv6-acl)# exit Router(config)# ipv6 access-list ACL_GETV6_ANY6 Router(config-ipv6-acl)# deny tcp any eq telnet any Router(config-ipv6-acl)# end The following show crypto map gdoi fail-close command output shows that fail-close has been activated:
Router# show crypto map gdoi fail-close
Crypto Map: "svn"
Activate: yes
Fail-Close Access-List: (Deny = Forward In Clear, Permit = Drop)
access-list 105 deny tcp any port = 23 any
access-list 105 deny ospf any any
Example: Removing GMs from the GET VPN NetworkEnsuring That GMs Are Running Software Versions That Support GM RemovalThe following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in the network support the GM removal feature.
Router# show crypto gdoi feature gm-removal
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
10.0.0.2 1.0.2 Yes
10.0.0.3 1.0.1 No
The following example shows how to find only those devices that do not support GM removal.
Router# show crypto gdoi feature gm-removal | include No
10.0.0.3 1.0.1 No
The above example shows that the GM with IP address 10.0.0.3 is running older software version 1.0.1 (which does not support GM removal) and should be upgraded. Removing GMs with Transient IPsec SAsThe following example shows how to trigger GM removal with transient IPsec SAs. You use this command on the KS (or primary KS). Router# clear crypto gdoi ks members % This GM-Removal message will shorten all GMs' key lifetimes and cause them to re-register before keys expiry. Are you sure you want to proceed? ? [yes/no]: yes Sending GM-Removal message to group GET... Removing GMs and Deleting IPsec SAs ImmediatelyThe following example shows how to force GMs to delete old TEKs and KEKs immediately and re-register. You use this command on the KS (or primary KS). Router# clear crypto gdoi ks members now % This GM-Removal immediate message will cleanup all GMs downloaded policies % This will cause all GMs to re-register. Are you sure you want to proceed? ? [yes/no]: yes Sending GM-Removal message to group GET... Example: Triggering Rekeys on Group MembersEnsuring That GMs Are Running Software Versions That Support Rekey TriggeringThe following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to display the version of software on devices in the GET VPN network and display whether they support rekey triggering after a policy change.
Router# show crypto gdoi feature policy-replace
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
5.0.0.2 1.0.2 Yes
9.0.0.2 1.0.1 No
The following example shows how to find only those devices that do not support rekey triggering after policy replacement.
Router# show crypto gdoi feature policy-replace | include No
9.0.0.2 1.0.1 No
For these devices, the primary KS sends only the triggered rekey without instructions for policy replacement. Therefore, when a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs. Triggering a RekeyThe following example shows how to trigger a rekey after you have performed a policy change. In this example, an IPsec policy change (for example, DES to AES) occurs with the profile gdoi-p2 command. Router# configure terminal Router(config)# crypto gdoi group GET Router(config-gdoi-group)# server local Router(gdoi-local-server)# sa ipsec 1 Router(gdoi-sa-ipsec)# no profile gdoi-p Router(gdoi-sa-ipsec)# profile gdoi-p2 Router(gdoi-sa-ipsec)# end Router# *Jan 28 09:15:15.527: %SYS-5-CONFIG_I: Configured from console by console *Jan 28 09:15:15.527: %GDOI-5-POLICY_CHANGE: GDOI group GET policy has changed. Use 'crypto gdoi ks rekey' to send a rekey, or the changes will be send in the next scheduled rekey Router# crypto gdoi ks rekey Router# *Jan 28 09:17:44.363: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with policy-replace for group GET from address 10.0.8.1 with seq # 2 The following example shows the error message that appears if you try to trigger a rekey on the secondary KS. Router# crypto gdoi ks rekey
ERROR for group GET: This command must be executed on Pri-KS
Example: Configuring GDOI MIB Support for GET VPNEnsuring That GMs Are Running Software Versions That Support the GDOI MIBThe following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in the network support the GDOI MIB.
Router# show crypto gdoi feature gdoi-mib
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
5.0.0.2 1.0.2 Yes
9.0.0.2 1.0.1 No
The following example shows how to find only those devices that do not support the GDOI MIB.
Router# show crypto gdoi feature gdoi-mib | include No
9.0.0.2 1.0.1 No
Creating Access Control for an SNMP CommunityThe following example shows how to specify an SNMP community string named mycommunity to define the relationship between the SNMP manager and the SNMP agent on the KS or GM in order to permit access to SNMP. Router> enable Router# configure terminal Router(config)# snmp-server community mycommunity Router(config)# end Enabling Communication with the SNMP ManagerThe following example shows how to enable communication with the SNMP manager. This example using a community string named mycommunity that has already been created. Router> enable Router# configure terminal Router(config)# snmp-server host 209.165.200.225 version 2c mycommunity Router(config)# end Example: Ensuring That GMs Are Running GET VPN Software Versions Compatible with IPv6 in the Data PlaneThe following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in the GET VPN network support IPv6 encryption and decryption (and thus can be added to an IPv6 group):
Router# show crypto gdoi feature ipv6-crypto-path
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.3 Yes
10.0.9.1 1.0.3 Yes
10.0.10.1 1.0.3 Yes
10.0.11.1 1.0.3 Yes
Group Member ID Version Feature Supported
5.0.0.2 1.0.3 Yes
10.0.0.3 1.0.1 No
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs). The following example shows how to enter the command on the KS (or primary KS) find only those devices in the GET VPN network that do not support IPv6:
Router# show crypto gdoi feature ipv6-crypto-path | include No
10.0.0.3 1.0.1 No
Additional ReferencesRelated Documents
MIBsTechnical Assistance
Feature Information for Cisco Group Encrypted Transport VPNThe following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
GlossaryDOI--Domain of Interpretation. For Internet Security Association Key Management Protocol (ISAKMP), a value in the security association (SA) payload that describes in which context the key management message is being sent (IPsec or Group Domain of Interpretation). GDOI--Group Domain of Interpretation. For ISAKMP, a means of distributing and managing keys for groups of mutually trusted systems. group member--Device (Cisco IOS router) that registers with a group that is controlled by the key server for purposes of communicating with other group members. group security association--SA that is shared by all group members in a group. IPsec--IP security. Data encryption protocol for IP packets that are defined in a set of RFCs (see IETF RFC 2401). ISAKMP--Internet Security Association and Key Management Protocol. Protocol that provides a framework for cryptographic key management protocols. KEK--key encryption key. Key used to protect the rekey between the key server and group members. key server--Device (Cisco IOS router) that distributes keys and policies to group members. MTU--Maximum transmission unit. Size (in bytes) of the largest packet or frame that a given layer of a communications protocol can pass onward. SA--Security association. SA that is shared by all group members in a group. TEK--Traffic encryption key. Key that is used to protect the rekey between group members. Simple Network Management Protocol (SNMP)--An interoperable standards-based protocol that allows for external monitoring of a managed device through an SNMP agent. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||