Friday, September 24, 2010

GET VPN with a VRF twist.

I couldn't find this properly documented with an example so here goes.
 
Since GET was designed to secure large private networks, like MPLS clouds,  it is understandable that some VRF features would soon make it to this world.

Cisco documents it here:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1235754

You can have crypto map applied on a particular interface in VRF and still reach your KS via global VRF.

KS is completely oblivious to VRF configuration, so it will not be shown here.

GM configuration (relevant parts)
----------------------------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto gdoi group GET
 identity number 1111
 server address ipv4 172.16.1.1
 client registration interface Loopback0
!
!
crypto map MAP 10 gdoi
 set group GET
-------------

interfaces' config:


---------
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding RED
 ip address 172.16.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 10.0.0.2 255.255.255.0
 crypto map MAP
-----------------

OSPF:
------------
GM1-VRF#sh run | s router
router ospf 100 vrf RED
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
router ospf 1001
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
------------

Result:
----------------
GM1-VRF#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GET
    Group Identity           : 1111
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       : 172.16.1.1

    Group member             : 172.16.1.2       vrf: None
       Registration status   : Registered
       Registered with       : 172.16.1.1
       Re-registers in       : 2568 sec
       Succeeded registration: 1
       Attempted registration: 2
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS 172.16.1.1:
   access-list  deny ospf any any
   access-list  permit ip any any

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86400
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0.10:
    IPsec SA:
        spi: 0x730377E0(1929607136)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2687)
        Anti-Replay :  Disabled

GM1-VRF#ping vrf RED 172.16.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
---------------

No comments: