Friday, September 24, 2010

GET VPN with a VRF twist.

I couldn't find this properly documented with an example, so here goes.
Since GET VPN was designed to secure large private networks such as MPLS clouds, it is understandable that VRF support would soon make its way into it.

Cisco documents it here:

You can apply the crypto map to an interface that sits in a VRF while the GM still reaches the KS through the global routing table, because registration is sourced from an interface in the global table.

The KS is completely oblivious to the VRF configuration, so its configuration is not shown here.

GM configuration (relevant parts):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address no-xauth
! GDOI group: registration is sourced from Loopback0, which sits in the global table
crypto gdoi group GET
 identity number 1111
 server address ipv4
 client registration interface Loopback0
! The crypto map references the group; keys and policy come from the KS
crypto map MAP 10 gdoi
 set group GET

Interface configuration (relevant parts):

! Global table: registration source for the GM
interface Loopback0
 ip address
! VRF RED: test source used for the ping below
interface Loopback1
 ip vrf forwarding RED
 ip address
! Global table: uplink towards the KS
interface FastEthernet0/0
 ip address
! VRF RED: the crypto map is applied to the VRF-facing subinterface only
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address
 crypto map MAP

GM1-VRF#sh run | s router
router ospf 100 vrf RED
 network area 0
 network area 0
router ospf 1001
 network area 0
 network area 0
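For reference, here is a complete GM configuration along the same lines, written as an added example for this post rather than taken from it. All addresses are RFC 5737 documentation prefixes chosen for the example (the KS is 192.0.2.1, the RED peer 203.0.113.2), and the `ip vrf RED` definition is assumed because the post does not show it:

```ios
! Added example: a complete GM configuration for the setup described in the post.
! Not the post's own configuration. Addresses are RFC 5737 documentation
! prefixes chosen for this example; the KS is assumed to be 192.0.2.1.
!
! The VRF must be defined before an interface can be placed in it
! (assumed here; the post omits the definition).
ip vrf RED
 rd 100:1
!
! ISAKMP is only used to register with the KS. Remaining policy
! parameters are left at their defaults, as in the post.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 192.0.2.1 no-xauth
!
! Registration is sourced from Loopback0, which lives in the global table,
! so the GM reaches the KS via global routing no matter which VRF the
! crypto map is applied in.
crypto gdoi group GET
 identity number 1111
 server address ipv4 192.0.2.1
 client registration interface Loopback0
!
crypto map MAP 10 gdoi
 set group GET
!
! Global-table interfaces: registration source and uplink towards the KS.
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
interface FastEthernet0/0
 ip address 192.0.2.21 255.255.255.252
!
! VRF RED interfaces: Loopback1 is the ping source; the dot1Q subinterface
! carries the RED traffic that the group policy protects.
interface Loopback1
 ip vrf forwarding RED
 ip address 198.51.100.1 255.255.255.255
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 203.0.113.1 255.255.255.0
 crypto map MAP
!
! One OSPF process per routing table. The ACL pushed by the KS
! (deny ospf any any, permit ip any any) lets the RED adjacency
! form in the clear while everything else in RED is encrypted.
router ospf 1001
 network 192.0.2.11 0.0.0.0 area 0
 network 192.0.2.20 0.0.0.3 area 0
router ospf 100 vrf RED
 network 198.51.100.1 0.0.0.0 area 0
 network 203.0.113.0 0.0.0.255 area 0
!
! Verification from exec mode:
!   show crypto gdoi          -> Registration status: Registered, Group member vrf: None
!   ping vrf RED 203.0.113.2  -> replies from the RED peer over the group SA
```

The thing to check after registration is that `show crypto gdoi` reports the group member with `vrf: None` (registration happened in the global table) while the TEK policy is nonetheless applied to traffic on the RED subinterface, which the VRF-scoped ping confirms.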

GM1-VRF#sh crypto gdoi

    Group Name               : GET
    Group Identity           : 1111
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       :

    Group member             :       vrf: None
       Registration status   : Registered
       Registered with       :
       Re-registers in       : 2568 sec
       Succeeded registration: 1
       Attempted registration: 2
       Last rekey from       :
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS
   access-list  deny ospf any any
   access-list  permit ip any any

    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86400
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
    IPsec SA:
        spi: 0x730377E0(1929607136)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2687)
        Anti-Replay :  Disabled

GM1-VRF#ping vrf RED

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
