Here is the topology for our GET VPN tests:
Layer 3 connectivity between the routers is provided by OSPF. There are two Key Servers and two Group Members, plus an ISP router that provides connectivity between them.
Here are the configurations of the routers:
Keyserver-1:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ciscokey123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 15 periodic
crypto ipsec transform-set getvpn esp-3des esp-sha-hmac
crypto ipsec profile getvpn
 set security-association lifetime seconds 7200
 set transform-set getvpn
crypto gdoi group getvpn
 identity number 1903
 server local
  rekey lifetime seconds 3600
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile getvpn
   match address ipv4 111
   replay counter window-size 64
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 192.168.4.2
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
router ospf 1
 log-adjacency-changes
access-list 101 permit ip any 192.168.0.0 0.0.255.255
access-list 111 deny ip host 2.2.2.2 host 5.5.5.5
access-list 111 deny ip host 5.5.5.5 host 2.2.2.2
access-list 111 deny ip 192.168.4.0 0.0.0.255 any
access-list 111 deny ip any 192.168.4.0 0.0.0.255
access-list 111 deny ip host 192.168.4.2 any
access-list 111 deny ip any host 192.168.4.2
access-list 111 deny ospf any any
access-list 111 permit ip any any
access-list 115 deny ip any host 224.0.0.5
access-list 115 permit ip any any
Keyserver-2:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ciscokey123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 15 periodic
crypto ipsec transform-set getvpn esp-3des esp-sha-hmac
crypto ipsec profile getvpn
 set security-association lifetime seconds 7200
 set transform-set getvpn
crypto gdoi group getvpn
 identity number 1903
 server local
  rekey address ipv4 101
  rekey lifetime seconds 300
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa getvpnrsa
  rekey transport unicast
  sa ipsec 1
   profile getvpn
   match address ipv4 111
   replay counter window-size 64
  address ipv4 192.168.4.2
  redundancy
   local priority 75
   peer address ipv4 10.0.0.1
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip ospf 1 area 0
interface FastEthernet1/0
 ip address 192.168.4.2 255.255.255.0
 ip ospf 1 area 0
router ospf 1
 log-adjacency-changes
access-list 101 permit ip any 192.168.0.0 0.0.255.255
access-list 111 deny ip host 2.2.2.2 host 5.5.5.5
access-list 111 deny ip host 5.5.5.5 host 2.2.2.2
access-list 111 deny ip 192.168.4.0 0.0.0.255 any
access-list 111 deny ip any 192.168.4.0 0.0.0.255
access-list 111 deny ip host 192.168.4.2 any
access-list 111 deny ip any host 192.168.4.2
access-list 111 deny ospf any any
access-list 111 permit ip any any
Group Member 1:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ciscokey123 address 10.0.0.1
crypto isakmp key ciscokey123 address 0.0.0.0 0.0.0.0
crypto gdoi group getvpn
 identity number 1903
 server address ipv4 10.0.0.1
 server address ipv4 192.168.4.2
crypto map getvpnmap 10 gdoi
 set group getvpn
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
interface Loopback20
 ip address 20.20.20.20 255.255.255.255
 ip ospf 1 area 0
interface FastEthernet1/0
 ip address 10.0.0.2 255.255.255.0
 ip ospf 1 area 0
interface FastEthernet1/1
 ip address 192.168.2.2 255.255.255.0
 ip ospf 1 area 0
 crypto map getvpnmap
router ospf 1
 log-adjacency-changes
Group Member 2:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ciscokey123 address 0.0.0.0 0.0.0.0
crypto gdoi group getvpn
 identity number 1903
 server address ipv4 10.0.0.1
 server address ipv4 192.168.4.2
crypto map getvpnmap 10 gdoi
 set group getvpn
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
 ip ospf 1 area 0
interface Loopback50
 ip address 50.50.50.50 255.255.255.255
 ip ospf 1 area 0
interface FastEthernet1/0
 ip address 192.168.5.2 255.255.255.0
 ip ospf 1 area 0
 crypto map getvpnmap
router ospf 1
 log-adjacency-changes
ISP router:
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 ip ospf 1 area 0
interface FastEthernet1/1
 ip address 192.168.4.1 255.255.255.0
 ip ospf 1 area 0
interface FastEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 ip ospf 1 area 0
router ospf 1
 log-adjacency-changes
Let's test the connectivity:
There is connectivity between the group members, and the encapsulation and decapsulation counters are increasing:
GM2#show crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: getvpnmap, local addr 192.168.5.2
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
GM2#ping 20.20.20.20 source 50.50.50.50
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/179/212 ms
GM2#show crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: getvpnmap, local addr 192.168.5.2
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
When we check the IP packets traversing the ISP router, we see that the source and destination addresses are the original IP addresses (GET VPN keeps the original IP header instead of adding a tunnel header) and that the protocol number is 50, which is ESP:
ISP#debug ip packet detail
IP: s=20.20.20.20 (FastEthernet1/0), d=50.50.50.50 (FastEthernet2/0), len 152, sending full packet, proto=50
Let's check the GET VPN status on the other side:
GM1#show crypto gdoi
GROUP INFORMATION
    Group Name               : getvpn
    Group Identity           : 1903
    Rekeys received          : 4
    IPSec SA Direction       : Both
    Active Group Server      : 10.0.0.1
    Group Server list        : 10.0.0.1
                               192.168.4.2
    GM Reregisters in        : 3789 secs
    Rekey Received(hh:mm:ss) : 00:51:43
    Rekeys received
         Cumulative          : 4
         After registration  : 4
    Rekey Acks sent          : 4
 ACL Downloaded From KS 10.0.0.1:
   access-list deny ip host 2.2.2.2 host 5.5.5.5
   access-list deny ip host 5.5.5.5 host 2.2.2.2
   access-list deny ip 192.168.4.0 0.0.0.255 any
   access-list deny ip any 192.168.4.0 0.0.0.255
   access-list deny ip host 192.168.4.2 any
   access-list deny ip any host 192.168.4.2
   access-list deny ospf any any
   access-list permit ip any any
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 3599
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024
Let's verify that when we change the ACL on Keyserver-1, a rekey message is sent to inform the Group Members about the new ACL:
KS1#debug crypto gdoi ks rekey
GDOI Key Server Re-key Debug level: (Error, Terse)
KS1#show access-list 111
Extended IP access list 111
    10 deny ip host 2.2.2.2 host 5.5.5.5
    20 deny ip host 5.5.5.5 host 2.2.2.2
    30 deny ip 192.168.4.0 0.0.0.255 any
    40 deny ip any 192.168.4.0 0.0.0.255
    50 deny ip host 192.168.4.2 any
    60 deny ip any host 192.168.4.2
    70 deny ospf any any
    80 permit ip any any
KS1(config)#ip access-list extended 111
KS1(config-ext-nacl)#75 deny tcp any any eq bgp
KS1(config-ext-nacl)#end
%GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group getvpn from address 10.0.0.1 with seq # 661
Let's check the ACL on a Group Member:
GM1#show crypto gdoi
GROUP INFORMATION
    Group Name               : getvpn
    Group Identity           : 1903
    Rekeys received          : 5
    IPSec SA Direction       : Both
    Active Group Server      : 10.0.0.1
    Group Server list        : 10.0.0.1
                               192.168.4.2
    GM Reregisters in        : 6718 secs
    Rekey Received(hh:mm:ss) : 00:03:16
    Rekeys received
         Cumulative          : 5
         After registration  : 5
    Rekey Acks sent          : 5
 ACL Downloaded From KS 10.0.0.1:
   access-list deny ip host 2.2.2.2 host 5.5.5.5
   access-list deny ip host 5.5.5.5 host 2.2.2.2
   access-list deny ip 192.168.4.0 0.0.0.255 any
   access-list deny ip any 192.168.4.0 0.0.0.255
   access-list deny ip host 192.168.4.2 any
   access-list deny ip any host 192.168.4.2
   access-list deny ospf any any
   access-list deny tcp any any port = 179
   access-list permit ip any any
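As an added check (not part of the original post), here is a small Python evaluator for the GET VPN policy ACL. It normalises the key server's "show access-list" form and the group member's downloaded form into the same rule tuples, so the two can be compared after a rekey, and it classifies a flow the way a GM does: a permit entry means encrypt, while a deny entry (or no match at all) means the packet is forwarded in clear text. The sample ACL is GM1's downloaded list from above, constructed inline.

```python
import ipaddress

# Constructed sample: the ACL GM1 reports after the rekey, copied from the page.
GM_ACL = """access-list deny ip host 2.2.2.2 host 5.5.5.5
access-list deny ip host 5.5.5.5 host 2.2.2.2
access-list deny ip 192.168.4.0 0.0.0.255 any
access-list deny ip any 192.168.4.0 0.0.0.255
access-list deny ip host 192.168.4.2 any
access-list deny ip any host 192.168.4.2
access-list deny ospf any any
access-list deny tcp any any port = 179
access-list permit ip any any"""
PROTO = {"ip": None, "tcp": 6, "udp": 17, "ospf": 89}  # None = any IP protocol
PORT_NAMES = {"bgp": 179}  # the KS prints "eq bgp", the GM prints "port = 179"

def _addr(tok):
    # One address spec: any | host A | A WILDCARD (ipaddress reads a wildcard as a hostmask).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):
    # Normalise both printed forms ("10 deny ..." and "access-list deny ...")
    # to (action, proto, src_net, dst_net, dst_port) tuples in policy order.
    rules = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        tok = tok[1:] if tok[0] == "access-list" or tok[0].isdigit() else tok
        action, proto = tok[0], PROTO[tok[1]]
        src, tok = _addr(tok[2:])
        dst, tok = _addr(tok)
        dport = (PORT_NAMES.get(tok[-1]) or int(tok[-1])) if tok else None
        rules.append((action, proto, src, dst, dport))
    return rules

def classify(rules, src, dst, proto=None, dport=None):
    # GM semantics: first matching permit => encrypt; a deny match, or no match, => sent in clear.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto is not None and rproto != proto:
            continue
        if s in rsrc and d in rdst and (rport is None or rport == dport):
            return "encrypt" if action == "permit" else "clear"
    return "clear"

def policy_in_sync(ks_text, gm_text):
    # True when the GM holds exactly the policy the KS is configured with (same entries, same order).
    return parse_acl(ks_text) == parse_acl(gm_text)
```

Because deny entries bypass encryption, an unintended deny silently sends data in clear text, which is why comparing the downloaded policy with the KS configuration after each rekey is worth automating.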
Let's test Key Server redundancy:
KS2#show crypto gdoi ks coop
Crypto Gdoi Group Name :getvpn
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 192.168.4.2
    Local Priority: 75
    Local KS Role: Secondary , Local KS Status: Alive
    Secondary Timers:
        Sec Primary Periodic Time: 30
        Remaining Time: 24, Retries: 0
        Invalid ANN PST recvd: 0
        New GM Temporary Blocking Enforced?: No
    Antireplay Sequence Number: 252
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 10.0.0.1
        Peer Priority: 100
        Peer KS Role: Primary , Peer KS Status: Alive
        Antireplay Sequence Number: 279
        IKE status: Established
        Counters:
            Ann msgs sent: 6
            Ann msgs sent with reply request: 116
            Ann msgs recv: 256
            Ann msgs recv with reply request: 0
            Packet sent drops: 18
            Packet Recv drops: 233
            Total bytes sent: 47429
            Total bytes recv: 157627
After we take down the connection to Key Server 1, Key Server 2 becomes Primary:
KS2#show crypto gdoi ks coop
Crypto Gdoi Group Name :getvpn
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 192.168.4.2
    Local Priority: 75
    Local KS Role: Primary , Local KS Status: Alive
    Primary Timers:
        Primary Refresh Policy Time: 20
        Remaining Time: 9
    Antireplay Sequence Number: 256
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 10.0.0.1
        Peer Priority: 1
        Peer KS Role: Primary , Peer KS Status: Dead
        Antireplay Sequence Number: 282
        IKE status: In Progress
        Counters:
            Ann msgs sent: 6
            Ann msgs sent with reply request: 116
            Ann msgs recv: 259
            Ann msgs recv with reply request: 0
            Packet sent drops: 22
            Packet Recv drops: 233
            Total bytes sent: 47429
            Total bytes recv: 160075
Let's check the Key Server status on the Group Members:
GM2#show crypto gdoi
GROUP INFORMATION
    Group Name               : getvpn
    Group Identity           : 1903
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.4.2
    Group Server list        : 10.0.0.1
                               192.168.4.2
    GM Reregisters in        : 6188 secs
    Rekey Received           : never
    Rekeys received
         Cumulative          : 0
         After registration  : 0
 ACL Downloaded From KS 192.168.4.2:
   access-list deny ip host 2.2.2.2 host 5.5.5.5
   access-list deny ip host 5.5.5.5 host 2.2.2.2
   access-list deny ip 192.168.4.0 0.0.0.255 any
   access-list deny ip any 192.168.4.0 0.0.0.255
   access-list deny ip host 192.168.4.2 any
   access-list deny ip any host 192.168.4.2
   access-list deny ospf any any
   access-list permit ip any any
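The COOP failover above is the kind of event that should reach operations rather than be discovered on the next outage, so here is an added monitoring snippet (not from the original post) that parses two "show crypto gdoi ks coop" snapshots and reports the role change, the peer going Dead, and the IKE session to the peer no longer being Established; it also flags the case where two key servers both stay Primary while alive. The samples are condensed from KS2's two outputs above and constructed inline.

```python
import re

# Constructed samples condensed from the two "show crypto gdoi ks coop" outputs on KS2
# above, before and after the link to Key Server 1 was taken down.
BEFORE = """Local KS Role: Secondary , Local KS Status: Alive
Peer Sessions:
 Session 1:
  Peer Address: 10.0.0.1
  Peer KS Role: Primary , Peer KS Status: Alive
  IKE status: Established"""
AFTER = """Local KS Role: Primary , Local KS Status: Alive
Peer Sessions:
 Session 1:
  Peer Address: 10.0.0.1
  Peer KS Role: Primary , Peer KS Status: Dead
  IKE status: In Progress"""
FIELD = re.compile(r"(Local KS Role|Local KS Status|Peer Address|Peer KS Role|Peer KS Status|IKE status)"
                   r"\s*:\s*([^,]+?)\s*(?:,|$)")

def parse_coop(text):
    # {"local": {field: value}, "peers": {peer_addr: {field: value}}}
    state, cur = {"local": {}, "peers": {}}, None
    for line in text.splitlines():
        for key, val in FIELD.findall(line):
            if key == "Peer Address":
                cur = state["peers"].setdefault(val, {})  # fields that follow belong to this peer
            elif key.startswith("Local"):
                state["local"][key] = val
            else:
                cur[key] = val
    return state

def coop_alerts(before, after):
    # Compare two snapshots; each returned string is an event worth raising to operations.
    b, a, alerts = parse_coop(before), parse_coop(after), []
    if b["local"].get("Local KS Role") != a["local"].get("Local KS Role"):
        alerts.append(f"local KS role {b['local'].get('Local KS Role')} -> {a['local'].get('Local KS Role')}")
    for addr, p in a["peers"].items():
        old = b["peers"].get(addr, {})
        if old.get("Peer KS Status") != p.get("Peer KS Status"):
            alerts.append(f"peer {addr} status {old.get('Peer KS Status')} -> {p.get('Peer KS Status')}")
        if p.get("IKE status") != "Established":
            alerts.append(f"peer {addr} IKE {p.get('IKE status')}")
    # A live peer still claiming Primary while we are Primary too is a split-brain condition.
    live_primaries = [x for x, p in a["peers"].items()
                      if p.get("Peer KS Role") == "Primary" and p.get("Peer KS Status") == "Alive"]
    if a["local"].get("Local KS Role") == "Primary" and live_primaries:
        alerts.append("split brain: more than one live Primary")
    return alerts
```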
Here's a GET VPN configuration example:
http://www.certvideos.com/get-vpn-configuration-example/