I couldn't find this properly documented with an example, so here goes.
Since GET VPN was designed to secure large private networks such as MPLS clouds, it is understandable that some VRF features would soon make it into this world.
Cisco documents it here:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1235754
You can have a crypto map applied on an interface inside a VRF and still reach your KS via the global routing table.
The KS is completely oblivious to the VRF configuration, so its config is not shown here.
GM configuration (relevant parts)
----------------------------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto gdoi group GET
 identity number 1111
 server address ipv4 172.16.1.1
 client registration interface Loopback0
!
!
crypto map MAP 10 gdoi
 set group GET
-------------
Interfaces' config:
---------
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding RED
 ip address 172.16.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 10.0.0.2 255.255.255.0
 crypto map MAP
-----------------
OSPF:
------------
GM1-VRF#sh run | s router
router ospf 100 vrf RED
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
router ospf 1001
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
------------
Result:
----------------
GM1-VRF#sh crypto gdoi
GROUP INFORMATION
Group Name : GET
Group Identity : 1111
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 172.16.1.1
Group member : 172.16.1.2 vrf: None
Registration status : Registered
Registered with : 172.16.1.1
Re-registers in : 2568 sec
Succeeded registration: 1
Attempted registration: 2
Last rekey from : 0.0.0.0
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
Rekey Received : never
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Acks sents : 0
ACL Downloaded From KS 172.16.1.1:
access-list deny ospf any any
access-list permit ip any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86400
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.10:
IPsec SA:
spi: 0x730377E0(1929607136)
transform: esp-3des esp-sha-hmac
sa timing:remaining key lifetime (sec): (2687)
Anti-Replay : Disabled
GM1-VRF#ping vrf RED 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
---------------
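To check this state without reading the whole output by hand, here is an added Python helper (my own, not from the post or from Cisco) that parses the 'show crypto gdoi' output above and flags what a VRF-aware GM review cares about: registration via the global table ("vrf: None"), the TEK landing on the VRF subinterface, OSPF excluded from the KS policy, and the anti-replay setting. The excerpt embedded in it is copied from the output above, not from a live box.

```python
import re

# Excerpt of the post's 'show crypto gdoi' output (GM registered via the
# global table, hence 'vrf: None'); copied from the output above, not live.
SHOW_GDOI = """\
Group member : 172.16.1.2 vrf: None
Registration status : Registered
Registered with : 172.16.1.1
ACL Downloaded From KS 172.16.1.1:
access-list deny ospf any any
access-list permit ip any any
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0.10:
IPsec SA:
transform: esp-3des esp-sha-hmac
Anti-Replay : Disabled
"""

def parse_gdoi(text):
    """Extract the fields a VRF-aware GM review needs from 'show crypto gdoi'."""
    info = {"acl": [], "interfaces": []}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Group member\s*:\s*(\S+)\s+vrf:\s*(\S+)", line)
        if m:
            info["member"], info["reg_vrf"] = m.group(1), m.group(2)
        elif line.startswith("Registration status"):
            info["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("access-list"):
            info["acl"].append(line.split(None, 1)[1])   # ACE pushed by the KS
        elif line.endswith(":") and re.match(r"[A-Za-z]+\d+/\d+", line):
            info["interfaces"].append(line[:-1])          # interface holding a TEK
        elif line.startswith("Anti-Replay"):
            info["anti_replay"] = line.split(":", 1)[1].strip()
    return info

def audit(info):
    """Return findings; an empty list means the GM state matches the post's intent."""
    findings = []
    if info.get("status") != "Registered":
        findings.append("GM is not registered with the KS")
    if info.get("reg_vrf") != "None":
        findings.append("registration did not use the global routing table")
    if not any(a.startswith("deny ospf") for a in info["acl"]):
        findings.append("KS policy does not exclude OSPF, so routing updates would be encrypted")
    if info.get("anti_replay", "").lower() == "disabled":
        findings.append("TEK anti-replay is disabled; enable time-based anti-replay on the KS")
    return findings
```

On the post's output the only finding is the disabled anti-replay, which is the one thing in that output worth fixing on the KS.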