GetVPN

1. Topology



2. Overview

    GetVPN runs over a private IP transport, is tunnel-less, and preserves the original IP header (header preservation).

3. Basic architecture

Step 1: Group Members (GM) register via GDOI with the Key Server (KS)

• KS authenticates and authorizes the GMs
• KS pushes down a set of IPSec SAs for the GM to use

Step 2: Data Plane Encryption

• GMs exchange encrypted traffic using the group keys
• Traffic is forwarded using IPSec Tunnel Mode with Header Preservation


Step 3: Periodic Rekey of Keys

• KS pushes out replacement IPSec keys before the current IPSec keys expire; this is called a Rekey


4. GetVPN Deployment

4.1 On the KS, generate the RSA keys that are required for rekey authentication

• RSA public key distribution from KS to GM:
– The public key is sent to the GM at GDOI registration
– Rekeys are signed with the private key of the KS, and the GM verifies the signature in the rekey with the public key of the KS
• Exporting the RSA key between KSs:
– One of the KSs in the redundancy group should generate an exportable RSA key pair and import it on the other KSs, so that every KS signs rekeys with the same key that the GMs hold the public half of

R1(config)#crypto key generate rsa general-keys label GETVPN-KS modulus 1024 exportable
The name for the keys will be: GETVPN-KS

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 9 seconds)

R1(config)#

Export the key pair to the terminal, encrypting the private key with a passphrase:
R1(config)#crypto key export rsa GETVPN-KS pem terminal 3des cisco123
% Key name: GETVPN-KS
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDqYDR/vv2XVh/IlmUKMIymxv
9lArZ6fJNJwmcxyhnNBTvz9zWfFrg8VMuYx/NTF+tz8pymSzpbX0ksN3p0yhbltN
l3wtACqkLAemB7x60x198HIKwPVa6c027JV5cC+VuvyNQEYW4y1/J59lw22Ah+ZI
Lp+d5gQ6wFKjJxOMRQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B8738FF00508725F
[encrypted private key data omitted]
-----END RSA PRIVATE KEY-----

R1(config)#

Import the key pair on the second KS (R2):
R2(config)#crypto key import rsa GETVPN-KS pem terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDqYDR/vv2XVh/IlmUKMIymxv
9lArZ6fJNJwmcxyhnNBTvz9zWfFrg8VMuYx/NTF+tz8pymSzpbX0ksN3p0yhbltN
l3wtACqkLAemB7x60x198HIKwPVa6c027JV5cC+VuvyNQEYW4y1/J59lw22Ah+ZI
Lp+d5gQ6wFKjJxOMRQIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B8738FF00508725F
[encrypted private key data omitted]
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

R2(config)#
*May 16 20:35:25.271: %SSH-5-ENABLED: SSH 1.99 has been enabled
R2(config)#

4.2 KS basic configuration

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400

R1(config)#crypto isakmp key cisco123 address 192.168.25.2
R1(config)#crypto isakmp key cisco123 address 192.168.35.3
R1(config)#crypto isakmp key cisco123 address 192.168.45.4

R1(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

R1(config)#crypto ipsec profile profile1
R1(ipsec-profile)#set security-association lifetime seconds 7200
R1(ipsec-profile)#set transform-set 3des-sha


R1(config)#crypto gdoi group GDOI-GROUP1
R1(config-gdoi-group)#identity number 12345
R1(config-gdoi-group)#server local
R1(gdoi-local-server)#
*May 16 20:49:53.463: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON

R1(gdoi-local-server)#rekey algorithm aes 128

R1(gdoi-local-server)#rekey authentication mypubkey rsa GETVPN-KS

R1(gdoi-local-server)#rekey transport unicast
R1(gdoi-local-server)#
*May 16 20:52:24.219: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group GDOI-GROUP1 transitioned to Unicast Rekey.


R1(gdoi-local-server)#sa ipsec 1
R1(gdoi-sa-ipsec)#profile profile1
R1(gdoi-sa-ipsec)#match address ipv4 getvpn-acl
R1(gdoi-sa-ipsec)#replay time window-size 5

R1(gdoi-sa-ipsec)#exit
R1(gdoi-local-server)#address ipv4 192.168.15.1
R1(config)#

R1(config)#ip access-list extended getvpn-acl
R1(config-ext-nacl)# deny udp any eq 848 any eq 848
R1(config-ext-nacl)# deny tcp any any eq 22
R1(config-ext-nacl)# deny tcp any any eq tacacs
R1(config-ext-nacl)# deny tcp any eq tacacs any
R1(config-ext-nacl)# deny tcp any any eq bgp
R1(config-ext-nacl)# deny tcp any eq bgp any
R1(config-ext-nacl)# deny ospf any any
R1(config-ext-nacl)# deny eigrp any any
R1(config-ext-nacl)# deny udp any any eq ntp
R1(config-ext-nacl)# deny udp any eq ntp any
R1(config-ext-nacl)# deny udp any any eq snmp
R1(config-ext-nacl)# deny udp any eq snmp any
R1(config-ext-nacl)# deny udp any any eq 162
R1(config-ext-nacl)# deny udp any any eq syslog
R1(config-ext-nacl)# deny udp any eq syslog any
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)#
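The ACL above is pushed by the KS to every GM and decides what the GM encrypts. As an added example (not part of the original post), the following Python evaluates that exact ACL with GETVPN semantics: a "permit" match means encrypt with the group SA, a "deny" match or no match at all (implicit deny) means the packet is forwarded in the clear. Only the subset of IOS ACL syntax used in getvpn-acl is parsed.

```python
# Added example (not from the original post): evaluates the getvpn-acl above
# the way a GM applies it. "permit" = encrypt with the group SA; "deny" or no
# match (implicit deny) = forward in the clear. Parses only the syntax used here.
PORT_NAMES = {"tacacs": 49, "bgp": 179, "ntp": 123, "snmp": 161, "syslog": 514}
GETVPN_ACL = """
deny udp any eq 848 any eq 848
deny tcp any any eq 22
deny tcp any any eq tacacs
deny tcp any eq tacacs any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
deny eigrp any any
deny udp any any eq ntp
deny udp any eq ntp any
deny udp any any eq snmp
deny udp any eq snmp any
deny udp any any eq 162
deny udp any any eq syslog
deny udp any eq syslog any
permit ip any any
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(line):
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "sport": None, "dport": None}
    seen, i = 0, 2
    while i < len(t):
        if t[i] == "any":                  # getvpn-acl only uses "any" endpoints
            seen += 1; i += 1
        elif t[i] == "eq":                 # port qualifier for the last endpoint
            ace["sport" if seen == 1 else "dport"] = _port(t[i + 1]); i += 2
        else:
            raise ValueError("unsupported ACL token: " + t[i])
    return ace

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def gm_action(acl, proto, sport=None, dport=None):
    """'encrypt' or 'clear' for one outbound packet; first matching ACE wins."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)):
            return "encrypt" if ace["action"] == "permit" else "clear"
    return "clear"                         # implicit deny: sent in the clear
```

Running it shows that GDOI (UDP 848), routing and management traffic bypass encryption as intended, and also exposes the asymmetry in the SSH entry: requests to port 22 go in the clear, but a GM answering from source port 22 would encrypt the reply.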