Cisco GET VPN Tests

Well on the 642-637 syllabus the GET (Group Encrypted Transport) VPN seems like a pretty important part, so I’ll be creating a test network with my 3 Cisco 1811 routers. The GET VPN seems to provide a pretty nice encryption solution to MPLS VPNs which we provide here at Gconnect and, as bit of the bonus the Key Server can be multi-tennanted, which makes it more bearable. On with the tests, I’ll use R1 as my Key Server and R2 and R3 as Group members. We are assuming that the MPLS VN is using the 172.16.0.0/24 network and the internal networks all fall within the 192.168.0.0 /16 network.

Configuring the Key Server

Task 1 – Create a Customer IKE Policy

R1(config)#crypto isakmp policy 10  
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 14
R1(config-isakmp)#encryption aes
R1(config-isakmp)#exit

Task 2 – Create PSKs for all the Group Members (I’ll cheat and use the same simple password)

R1(config)#crypto isakmp key mysimplekey address 172.16.0.2
R1(config)#crypto isakmp key mysimplekey address 172.16.0.3

Task 3 – Generate some RSA Keys for the Rekey process

crypto key generate rsa label GETKEYS modulus 2048 exportable

Task 4 – Create a transform set, IPSec profile and define the protected traffic

R1(config)#crypto ipsec transform-set GETSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile GET_PROFILE 
R1(ipsec-profile)#set transform-set GETSET
R1(ipsec-profile)#exit
R1(config)#ip access-list exte GETVPN_TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config-ext-nacl)#exit

Task 5 – Enable and Config The GET VPN server

R1(config)#crypto gdoi group GET_GDOI_GROUP
R1(config-gdoi-group)#identity number 12345
R1(config-gdoi-group)#server local
R1(gdoi-local-server)#address ipv4 172.16.0.1
R1(gdoi-local-server)#sa ipsec 10
R1(gdoi-sa-ipsec)#profile GET_PROFILE
R1(gdoi-sa-ipsec)#match address ipv4 GET_VPN_TRAFFIC
R1(gdoi-sa-ipsec)#exit
R1(gdoi-local-server)#exit
R1(config-gdoi-group)#exit

Task 6 – Arranging the deck chairs (well, assigning the keys and setting the rekey transport)

R1(config)#crypto gdoi group GET_GDOI_GROUP         
R1(config-gdoi-group)#server local
R1(gdoi-local-server)#rekey authentication mypubkey rsa GETKEYS
R1(gdoi-local-server)#rekey transport unicast 
R1(gdoi-local-server)#exit
R1(config-gdoi-group)#exit

Task 7 – Finally! Create the Crypto Map and slap it on an interface

R1(config)#crypto map GET_CRYPTO_MAP 10 gdoi 
% NOTE: This new crypto map will remain disabled until a valid
	group has been configured.
R1(config-crypto-map)#set group GET_GDOI_GROUP
R1(config-crypto-map)#exit
R1(config)#int fa0
R1(config-if)#crypto map GET_CRYPTO_MAP

Verification with:

R1#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GET_GDOI_GROUP (Unicast)
    Group Identity           : 12345
    Group Members            : 2
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 82160 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 10
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET_PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 2213 secs
      ACL Configured         : access-list GETVPN_TRAFFIC

     Group Server list       : Local

Configuration of the Group Members

Task 1 – Configure the custom IKE policy

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#encryption aes
R2(config-isakmp)#group 14
R2(config-isakmp)#exit

Task 2 – Add the pre shared keys

R2(config)#crypto isakmp key mysimplekey address 172.16.0.1
R2(config)#crypto isakmp key mysimplekey address 172.16.0.2

Task 3 – Enable GET

R2(config)#crypto gdoi group GET_GDOI_GROUP
R2(config-gdoi-group)#identity number 12345
R2(config-gdoi-group)#server address ipv4 172.16.0.1
R2(config-gdoi-group)#exit

Task 4 – Create the crypto map and apply it

R2(config)#crypto gdoi group GET_GDOI_GROUP
R2(config-gdoi-group)#identity number 12345
R2(config-gdoi-group)#server address ipv4 172.16.0.1
R2(config-gdoi-group)#exit
R2(config)#crypto map GET_CRYPTO_MAP 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
	group has been configured.
R2(config-crypto-map)#set group GET_GDOI_GROUP
R2(config-crypto-map)#exit
R2(config)#int fa0
R2(config-if)#crypto map GET_CRYPTO_MAP

So you can verify the Group Member with the same command as the Key Server

R2#sh crypt gdoi
GROUP INFORMATION

    Group Name               : GET_GDOI_GROUP
    Group Identity           : 12345
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       : 172.16.0.1
                               
    Group member             : 172.16.0.2       vrf: None
       Registration status   : Registered
       Registered with       : 172.16.0.1
       Re-registers in       : 1810 sec
       Succeeded registration: 2
       Attempted registration: 5
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 3
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS 172.16.0.1:
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83342
    Encrypt Algorithm        : 3DES
    Key Size                 : 192     
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2048    

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0:
    IPsec SA:
        spi: 0xEA1A7149(3927601481)
        transform: esp-aes esp-sha-hmac 
        sa timing:remaining key lifetime (sec): (1936)
        Anti-Replay :  Disabled

The ping tests work fine, but as this is tunnel-less they would have worked anyway. You can prevent data moving from site to site without encryption with a policy if its part of your requirement.

This entry was posted in Cisco and tagged . Bookmark the permalink.

Leave a Reply