GETVPN - GDOI
This is a GETVPN lab topology with two cooperative (COOP) Key Servers and two Group Members. The Group Members register with the Key Servers over IKEv1, here with one wildcard pre-shared key (address 0.0.0.0) shared by every device, and the Key Servers sign their rekey messages with a 4096-bit RSA key that both of them must hold. The wildcard PSK keeps the lab short; in production use per-peer keys or RSA signature/certificate authentication for registration.
Key Servers
KEY SERVER 1 | Config
hostname KS-1
ip domain name WQNET.LAB
no ip domain look
!
crypto key generate rsa general-keys label WQNET-GDOI-KEYS mod 4096 export
!crypto key export rsa WQNET-GDOI-KEYS pem terminal aes this15THEWAY
!crypto key import rsa WQNET-GDOI-KEYS exportable pem terminal this15THEWAY
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto ipsec transform-set WQNET-GDOI-IPSEC-TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile WQNET-GDOI-IPSEC-PROFILE
set security-association lifetime seconds 120
set transform-set WQNET-GDOI-IPSEC-TS
exit
!
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
exit
!
!
crypto gdoi group WQNET-GODI-KS
identity number 777
server local
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 15 number 3
rekey authentication mypubkey rsa WQNET-GDOI-KEYS
sa ipsec 1
profile WQNET-GDOI-IPSEC-PROFILE
match address ipv4 WQNET-GDOI-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.8
no pfs
redundancy
local priority 10
peer address ipv4 192.0.0.9
no pfs
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.8 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
KS-1 - Export RSA-KEY
Export the RSA key pair (public and private key, PEM) from KS-1. The pass phrase encrypts the private key for transport and is needed again at import.
KS-1#crypto key export rsa WQNET-GDOI-KEYS pem terminal aes this15THEWAY

KS-2 - Import RSA-KEY
Import the key pair on KS-2 by pasting the two PEM blocks printed by KS-1. Both cooperative Key Servers must sign rekeys with the same RSA key pair, because the Group Members verify rekeys with the one public key they received at registration. Treat the pasted private key as a secret: clear the terminal scrollback afterwards.
KS-2#crypto key import rsa WQNET-GDOI-KEYS exportable pem terminal this15THEWAY
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
quit
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
quit

KEY SERVER 2 | Config
hostname KS-2
ip domain name WQNET.LAB
no ip domain look
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto ipsec transform-set WQNET-GDOI-IPSEC-TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile WQNET-GDOI-IPSEC-PROFILE
set security-association lifetime seconds 120
set transform-set WQNET-GDOI-IPSEC-TS
!
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
exit
!
crypto gdoi group WQNET-GODI-KS
identity number 777
server local
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 15 number 3
rekey authentication mypubkey rsa WQNET-GDOI-KEYS
sa ipsec 1
profile WQNET-GDOI-IPSEC-PROFILE
match address ipv4 WQNET-GDOI-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.9
no pfs
redundancy
local priority 5
peer address ipv4 192.0.0.8
no pfs
!
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.9 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
KS-1 and KS-2 | ACL
This is the ACL that the Key Server pushes out to the Group Members, so they know which traffic to protect. permit = encrypt with the group TEK; traffic that matches nothing in this ACL (15.15.0.0/16 in this lab) is forwarded in clear text, so the ACL is an encryption policy, not a filter. Only the primary Key Server pushes out policy and does the rekeying; the secondary takes over if the primary goes down.
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
exit

Verify KS-1 and KS-2 | show crypto gdoi ks coop
Take an extra look at:
- Peer KS Role: Secondary Peer KS Status: Alive
- IKE status: Established
KS-1#show crypto gdoi ks coop
Crypto Gdoi Group Name :WQNET-GODI-KS
Group handle: 1073741826, Local Key Server handle: 1073741826
Local Address: 192.0.0.8
Local Priority: 10
Local KS Role: Primary , Local KS Status: Alive
Local KS version: 1.0.27
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 7
Per-user timer remaining time: 0
Antireplay Sequence Number: 12
Peer Sessions:
Session 1:
Server handle: 1073741827
Peer Address: 192.0.0.9
Peer Version: 1.0.27
Peer Priority: 5
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 2
IKE status: Established
Counters:
Ann msgs sent: 7
Ann msgs sent with reply request: 1
Ann msgs recv: 2
Ann msgs recv with reply request: 0
Packet sent drops: 3
Packet Recv drops: 0
Total bytes sent: 9760
Total bytes recv: 2110

KS-2#show crypto gdoi ks coop
Crypto Gdoi Group Name :WQNET-GODI-KS
Group handle: 1073741826, Local Key Server handle: 1073741826
Local Address: 192.0.0.9
Local Priority: 5
Local KS Role: Secondary , Local KS Status: Alive
Local KS version: 1.0.27
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 25, Retries: 0
Invalid ANN PST recvd: 0
New GM Temporary Blocking Enforced?: No
Per-user timer remaining time: 0
Antireplay Sequence Number: 3
Peer Sessions:
Session 1:
Server handle: 1073741827
Peer Address: 192.0.0.8
Peer Version: 1.0.27
Peer Priority: 10
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 7
IKE status: Established
Counters:
Ann msgs sent: 2
Ann msgs sent with reply request: 0
Ann msgs recv: 3
Ann msgs recv with reply request: 1
Packet sent drops: 1
Packet Recv drops: 0
Total bytes sent: 2110
Total bytes recv: 4395

Verify KS-1 and KS-2 | show crypto gdoi detail
Take an extra look at:
- Group Type : GDOI (ISAKMP)
- KS-1: Local Priority : 10, Local KS Role : Primary
- KS-2: Local Priority : 5, Local KS Role : Secondary
- Group Members : 0 on both; these outputs were taken before the Group Members registered. Once they have, the count on the primary should match the number of GMs.
KS-1#show crypto gdoi detail
GROUP INFORMATION
Group Name : WQNET-GODI-KS (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 0
IPSec SA Direction : Both
IP D3P Window : Disabled
PFS : Disabled
Split Resiliency Factor : 0
CKM status : Disabled
Redundancy : Configured
Local Address : 192.0.0.8
Local Priority : 10
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.27
Local COOP Version : 1.0.8
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85795 secs
Time to Rekey : 42595 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 15 secs
Rekey Retransmit Attempts: 3
Group Retransmit
Remaining Lifetime : 11 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 120 secs
Profile Name : WQNET-GDOI-IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 116 secs
Time to Rekey : 25 secs
ACL Configured : access-list WQNET-GDOI-ACL
Group Server list : Local

KS-2#show crypto gdoi detail
GROUP INFORMATION
Group Name : WQNET-GODI-KS (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 0
IPSec SA Direction : Both
IP D3P Window : Disabled
PFS : Disabled
Split Resiliency Factor : 0
CKM status : Disabled
Redundancy : Configured
Local Address : 192.0.0.9
Local Priority : 5
Local KS Status : Alive
Local KS Role : Secondary
Local KS Version : 1.0.27
Local COOP Version : 1.0.8
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85787 secs
Time to Rekey : 42587 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 15 secs
Rekey Retransmit Attempts: 3
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 120 secs
Profile Name : WQNET-GDOI-IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 109 secs
Time to Rekey : 18 secs
ACL Configured : access-list WQNET-GDOI-ACL
Group Server list : Local

Group Members
All the Group Members have the same config, except for the hostname, IP addresses and subnets.
Group Member 1 | Config
!
hostname GM1
ip domain name WQNET.LAB
no ip domain look
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto gdoi group WQNET-GODI-SPOKE
identity number 777
server address ipv4 192.0.0.8
server address ipv4 192.0.0.9
!
ip access-list extended WQNET-GETVPN-FAIL-CLOSE
10 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
!
crypto map WQNET-CMAP-SPOKE gdoi fail-close
activate
match address WQNET-GETVPN-FAIL-CLOSE
!
crypto map WQNET-CMAP-SPOKE 10 gdoi
set group WQNET-GODI-SPOKE
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.10 255.255.255.0
ip ospf 1 area 0
crypto map WQNET-CMAP-SPOKE
!
interface loopback14
ip address 14.14.1.1 255.255.255.0
ip ospf 1 area 0
!
interface loopback15
ip address 15.15.1.1 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
Group Member 2 | Config
hostname GM2
ip domain name WQNET.LAB
no ip domain look
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto gdoi group WQNET-GODI-SPOKE
identity number 777
server address ipv4 192.0.0.8
server address ipv4 192.0.0.9
!
ip access-list extended WQNET-GETVPN-FAIL-CLOSE
10 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
!
crypto map WQNET-CMAP-SPOKE gdoi fail-close
activate
match address WQNET-GETVPN-FAIL-CLOSE
!
crypto map WQNET-CMAP-SPOKE 10 gdoi
set group WQNET-GODI-SPOKE
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.11 255.255.255.0
ip ospf 1 area 0
crypto map WQNET-CMAP-SPOKE
!
interface loopback14
ip address 14.14.2.1 255.255.255.0
ip ospf 1 area 0
!
interface loopback15
ip address 15.15.2.1 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
Group Member 1 & 2 | gdoi fail-close
Take an extra look at:
ip access-list extended WQNET-GETVPN-FAIL-CLOSE
10 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
!
crypto map WQNET-CMAP-SPOKE gdoi fail-close
activate
match address WQNET-GETVPN-FAIL-CLOSE

Until a Group Member has registered with a Key Server, only traffic matched by a deny entry in this ACL is forwarded, and it goes out unprotected:
- deny in this ACL = pass in clear text before registration
- anything else = dropped before registration
Without fail-close, a Group Member that has not registered yet forwards all traffic in clear text. Once registration succeeds the fail-close ACL is no longer consulted and the policy downloaded from the Key Server decides what is encrypted.
Use fail-close with caution, it may lock you out: if the routing protocol is not denied here (OSPF in this lab), the Group Member loses its routes to the Key Servers, can never register and stays closed. Note that the lab GMs register although the ACL has no deny for the GDOI/IKE registration traffic itself.
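The before/after registration rules above, as a small Python model added to this page (it is not IOS code and not the lab author's). It parses the two ACLs from this page, decides whether a packet is encrypted, passed in clear text or dropped, and shows the lock-out case with a constructed fail-close ACL that forgot the OSPF deny. The sample packets are constructed for the lab addressing, and the exemption of the GM's own registration traffic (UDP 500/848) from the fail-close ACL is an assumption drawn from the fact that the lab GMs registered without a deny for it:

```python
"""Fail-close model for a GETVPN group member (added example, not IOS code).

Before registration a GM with 'gdoi fail-close' forwards only traffic that hits a
deny entry of the fail-close ACL, in clear text, and drops everything else. After
registration the fail-close ACL is ignored: traffic hitting a permit entry of the
ACL downloaded from the KS is encrypted, anything else passes in clear text. The
parser covers the ACE shapes of this lab: '<seq> permit|deny <proto> <src> <dst>'
with 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' as addresses (no port matching).
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
# Assumption: the GM's own IKE/GDOI registration traffic is exempt from the
# fail-close ACL (the lab GMs register without a deny for UDP 500/848).
REGISTRATION_PORTS = {500, 848}


@dataclass(frozen=True)
class Ace:
    action: str      # 'permit' or 'deny'
    proto: str       # 'ip' matches every protocol
    src: int; src_wild: int    # IOS wildcard: set bits are "don't care"
    dst: int; dst_wild: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str; dst: str
    dport: int = 0


def _take_addr(tokens):
    """Pop one address spec from the front of tokens; return (address, wildcard)."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, MASK32
    if tokens[0] == "host":
        del tokens[0]
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tokens.pop(0))), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse the ACEs of an 'ip access-list extended' block, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                                   # sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                        # header line, 'exit', '!'
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, src_wild = _take_addr(rest)
        dst, dst_wild = _take_addr(rest)
        aces.append(Ace(action, proto, src, src_wild, dst, dst_wild))
    return aces


def first_match(aces, pkt):
    """First ACE matching the packet (IOS evaluates ACLs top down), or None."""
    src, dst = (int(ipaddress.IPv4Address(a)) for a in (pkt.src, pkt.dst))
    for ace in aces:
        smask, dmask = ace.src_wild ^ MASK32, ace.dst_wild ^ MASK32
        if (ace.proto in ("ip", pkt.proto) and (src & smask) == (ace.src & smask)
                and (dst & dmask) == (ace.dst & dmask)):
            return ace
    return None


def disposition(pkt, registered, fail_close_acl, ks_acl, fail_close=True):
    """'encrypt', 'clear' or 'drop' for a packet leaving the crypto-map interface."""
    if registered:                                          # KS policy rules, fail-close ACL ignored
        hit = first_match(ks_acl, pkt)
        return "encrypt" if hit and hit.action == "permit" else "clear"
    if not fail_close:
        return "clear"                                      # default IOS behaviour until registered
    if pkt.proto == "udp" and pkt.dport in REGISTRATION_PORTS:
        return "clear"                                      # assumption, see REGISTRATION_PORTS
    hit = first_match(fail_close_acl, pkt)
    return "clear" if hit and hit.action == "deny" else "drop"


FAIL_CLOSE_ACL = parse_acl("""
ip access-list extended WQNET-GETVPN-FAIL-CLOSE
10 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
""")
KS_ACL = parse_acl("""
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
""")
LOCKOUT_ACL = parse_acl("20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255")  # constructed: OSPF deny forgotten
SAMPLE_PACKETS = {                                          # constructed for the lab addressing
    "ospf_hello": Packet("ospf", "192.0.0.10", "224.0.0.5"),
    "ping_14": Packet("icmp", "14.14.1.1", "14.14.2.1"),
    "ping_15": Packet("icmp", "15.15.1.1", "15.15.2.1"),
    "telnet_14": Packet("tcp", "14.14.1.1", "14.14.2.1", 23),
}


def lab_table(fail_close_acl=FAIL_CLOSE_ACL):
    """(before registration, after registration) disposition of every sample packet."""
    return {name: (disposition(p, False, fail_close_acl, KS_ACL),
                   disposition(p, True, fail_close_acl, KS_ACL))
            for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(lab_table(), lab_table(LOCKOUT_ACL)["ospf_hello"])
```

The row to keep in mind is ospf_hello: it passes before registration only because of the deny at sequence 10, and with LOCKOUT_ACL it is dropped, which is exactly the lock-out the warning above describes. The model stops at protocol and address matching; ACEs with port operators (eq 848) would need a small extension of parse_acl.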
Group Member 1 & 2 | show crypto gdoi
Take an extra look at:
- Registration status : Registered, Registered with : 192.0.0.8 (the primary KS)
- ACL Received From KS : gdoi_group_WQNET-GODI-SPOKE_temp_acl
- ACL Downloaded From KS 192.0.0.8: access-list permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
- KEK POLICY: Encrypt Algorithm : 3DES, Sig Hash Algorithm : HMAC_AUTH_SHA. The TEK (data plane) uses AES-256/SHA-512 from the transform set, but the KEK that protects the rekey messages is at the Key Server defaults (3DES, SHA-1) because the KS config sets no rekey algorithm. Harden the KS with rekey algorithm aes 256 and rekey sig-hash algorithm sha512 under server local, then check that this output changes.
- Active TEK Number : 4 and the high rekey counters follow from the 120 second SA lifetime on the KS; fine for a lab, far too short for production.
GM1#show crypto gdoi
GROUP INFORMATION
Group Name : WQNET-GODI-SPOKE
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 24
IPSec SA Direction : Both
Group Server list : 192.0.0.8
192.0.0.9
Group Member Information For Group WQNET-GODI-SPOKE:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_WQNET-GODI-SPOKE_temp_acl
Group member : 192.0.0.10 vrf: None
Local addr/port : 192.0.0.10/848
Remote addr/port : 192.0.0.8/848
fvrf/ivrf : None/None
Version : 1.0.26
Registration status : Registered
Registered with : 192.0.0.8
Re-registers in : 49 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 192.0.0.8
Last rekey seq num : 63
Unicast rekey received: 24
Rekey ACKs sent : 24
Rekey Rcvd(hh:mm:ss) : 00:00:06
PFS Rekey received : 0
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 4
SA Track (OID/status) : disabled
Fail-Close Revert : Disabled
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 24
After latest register : 24
Rekey Acks sents : 24
ACL Downloaded From KS 192.0.0.8:
access-list permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 84501
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 4400
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet0/0:
IPsec SA:
spi: 0x95D39DF0(2513673712)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (113)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0x1C91C8DD(479316189)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (83)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0x2B3804D1(725091537)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (53)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xDF83046B(3749905515)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (23)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
KGS POLICY:
REG_GM: local_addr 192.0.0.10
P2P POLICY:
REG_GM: local_addr 192.0.0.10
GM1#

GM2#show crypto gdoi
GROUP INFORMATION
Group Name : WQNET-GODI-SPOKE
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 29
IPSec SA Direction : Both
Group Server list : 192.0.0.8
192.0.0.9
Group Member Information For Group WQNET-GODI-SPOKE:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_WQNET-GODI-SPOKE_temp_acl
Group member : 192.0.0.11 vrf: None
Local addr/port : 192.0.0.11/848
Remote addr/port : 192.0.0.8/848
fvrf/ivrf : None/None
Version : 1.0.26
Registration status : Registered
Registered with : 192.0.0.8
Re-registers in : 31 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 192.0.0.8
Last rekey seq num : 71
Unicast rekey received: 29
Rekey ACKs sent : 29
Rekey Rcvd(hh:mm:ss) : 00:00:24
PFS Rekey received : 0
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 4
SA Track (OID/status) : disabled
Fail-Close Revert : Disabled
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 29
After latest register : 29
Rekey Acks sents : 29
ACL Downloaded From KS 192.0.0.8:
access-list permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 84243
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 4400
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet0/0:
IPsec SA:
spi: 0x8D72CC8E(2373110926)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (95)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xAC4020E3(2889883875)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (65)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0x9C5D69C3(2623367619)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (35)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xFADCF78E(4208785294)
transform: esp-256-aes esp-sha512-hmac
sa timing:remaining key lifetime (sec): (5)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 64 (bytes)
encaps: ENCAPS_TUNNEL
KGS POLICY:
REG_GM: local_addr 192.0.0.11
P2P POLICY:
REG_GM: local_addr 192.0.0.11

TEST and TSHOOT-commands
TEST | Ping-test
Traffic from 14.14.1.0/24 to 14.14.2.0/24 matches the KS ACL and is protected by ESP; GETVPN keeps the original IP header (tunnel mode with header preservation), so the underlay routes the encrypted packet exactly as it routes the clear one.
Traffic from 15.15.1.0/24 to 15.15.2.0/24 matches nothing in the KS ACL and is sent in clear text with its original IP header.
Both pings succeed, so the ping alone does not show which one was encrypted. Confirm it on GM1 with the pkts encaps/decaps counters of show crypto ipsec sa, which only the first ping should increment, or with a packet capture on the 192.0.0.0/24 segment.
GM1#ping 14.14.2.1 source loopback 14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.2.1, timeout is 2 seconds:
Packet sent with a source address of 14.14.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GM1#ping 15.15.2.1 source loopback 15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.2.1, timeout is 2 seconds:
Packet sent with a source address of 15.15.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TSHOOT | Commands
KS
show crypto gdoi
show crypto gdoi ks coop
show crypto gdoi ks members
show crypto gdoi ks members summary
show crypto gdoi ks rekey
show crypto gdoi ks policy
GM
show crypto eli
show crypto gdoi rekey sa
show crypto gdoi
show crypto gdoi gm
show crypto gdoi gm rekey
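The commands above are run by hand; the following Python script is an added example (not part of the page and not Cisco code) that parses the show crypto gdoi ks coop outputs of both Key Servers and a Group Member's show crypto gdoi, as shown earlier, and applies the checks the page tells you to eyeball. The sample outputs are trimmed copies of the page's own; the set of expected Key Servers (192.0.0.8, 192.0.0.9) is taken from the GM config; the weak-KEK rule and the wording of the findings are my own:

```python
"""GETVPN health check over 'show crypto gdoi ks coop' and 'show crypto gdoi' output.

Added example for this page, not IOS code and not the lab author's. It turns the
'take an extra look at' items into checks: exactly one Primary KS and it holds the
highest priority, every peer Alive with IKE Established, the GM Registered with a
configured server, an ACL downloaded, and a KEK still at the 3DES / SHA-1 defaults.
"""
import re

KS1_COOP = """\
Local Address: 192.0.0.8
Local Priority: 10
Local KS Role: Primary , Local KS Status: Alive
Session 1:
Peer Address: 192.0.0.9
Peer Priority: 5
Peer KS Role: Secondary , Peer KS Status: Alive
IKE status: Established
"""
KS2_COOP = """\
Local Address: 192.0.0.9
Local Priority: 5
Local KS Role: Secondary , Local KS Status: Alive
Session 1:
Peer Address: 192.0.0.8
Peer Priority: 10
Peer KS Role: Primary , Peer KS Status: Alive
IKE status: Established
"""
GM1_SHOW = """\
Group member : 192.0.0.10 vrf: None
Registration status : Registered
Registered with : 192.0.0.8
ACL Downloaded From KS 192.0.0.8:
access-list permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
Encrypt Algorithm : 3DES
Sig Hash Algorithm : HMAC_AUTH_SHA
transform: esp-256-aes esp-sha512-hmac
"""
WEAK_KEK_CIPHERS = {"DES", "3DES"}
WEAK_KEK_HASHES = {"HMAC_AUTH_MD5", "HMAC_AUTH_SHA"}   # HMAC_AUTH_SHA is SHA-1


def _field(text, label):
    """Value of 'label : value'; the label may sit after a comma on a shared line."""
    m = re.search(r"(?:^|,)\s*" + re.escape(label) + r"\s*:\s*([^,\n]*?)\s*(?:,|$)", text, re.M)
    return m.group(1) if m else None


def parse_ks_coop(text):
    """Local role/status plus one entry per peer session from 'show crypto gdoi ks coop'."""
    head, *sessions = re.split(r"^\s*Session \d+:", text, flags=re.M)
    peers = [{"address": _field(s, "Peer Address"), "priority": int(_field(s, "Peer Priority")),
              "role": _field(s, "Peer KS Role"), "status": _field(s, "Peer KS Status"),
              "ike": _field(s, "IKE status")} for s in sessions]
    return {"address": _field(head, "Local Address"), "priority": int(_field(head, "Local Priority")),
            "role": _field(head, "Local KS Role"), "status": _field(head, "Local KS Status"),
            "peers": peers}


def parse_gm(text):
    """Registration, downloaded ACL and KEK/TEK algorithms from a GM's 'show crypto gdoi'."""
    acl = re.search(r"ACL Downloaded From KS \S+:\n((?:\s*access-list[^\n]*\n)+)", text)
    return {"address": _field(text, "Group member").split()[0],
            "status": _field(text, "Registration status"),
            "registered_with": _field(text, "Registered with"),
            "acl": [line.strip() for line in acl.group(1).splitlines()] if acl else [],
            "kek_cipher": _field(text, "Encrypt Algorithm"),
            "kek_hash": _field(text, "Sig Hash Algorithm"),
            "tek": _field(text, "transform")}


def check_coop(ks_list):
    """Cross-check the coop view of all Key Servers; returns a list of findings."""
    f = []
    primaries = sorted(k["address"] for k in ks_list if k["role"] == "Primary")
    if len(primaries) != 1:
        f.append(f"expected exactly one Primary KS, found {primaries}")
    best = max(ks_list, key=lambda k: k["priority"])
    if best["role"] != "Primary":
        f.append(f"highest priority KS {best['address']} is {best['role']}, check for a failover")
    for k in ks_list:
        if k["status"] != "Alive":
            f.append(f"KS {k['address']} is {k['status']}")
        for p in k["peers"]:
            if p["status"] != "Alive" or p["ike"] != "Established":
                f.append(f"KS {k['address']} -> {p['address']}: {p['status']}, IKE {p['ike']}")
    return f


def check_gm(gm, servers):
    """Checks for one Group Member; servers is the set of configured KS addresses."""
    f = []
    if gm["status"] != "Registered" or gm["registered_with"] not in servers:
        f.append(f"GM {gm['address']}: {gm['status']} with {gm['registered_with']}")
    if not gm["acl"]:
        f.append(f"GM {gm['address']}: no ACL from KS, nothing is encrypted")
    if gm["kek_cipher"] in WEAK_KEK_CIPHERS or gm["kek_hash"] in WEAK_KEK_HASHES:
        f.append(f"GM {gm['address']}: KEK {gm['kek_cipher']}/{gm['kek_hash']}, "
                 "KS rekey algorithm and sig-hash left at defaults")
    return f


def lab_report():
    """Findings for the page's own outputs; the server set comes from the GM config."""
    coop = check_coop([parse_ks_coop(KS1_COOP), parse_ks_coop(KS2_COOP)])
    return coop + check_gm(parse_gm(GM1_SHOW), {"192.0.0.8", "192.0.0.9"})


if __name__ == "__main__":
    print("\n".join(lab_report()) or "no findings")
```

Feed it the three outputs collected from the real devices with any CLI automation. On this lab's output the only finding is the 3DES/SHA-1 KEK; the one-Primary check is the one that catches a split brain, two Key Servers each announcing themselves as Primary, which usually means the COOP IKE session between them is down.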