This lab example takes the coop GETVPN setup with unicast rekey and switches it to multicast rekey. There is a fair amount of multicast configuration needed to make this work, which is laid out below. We'll look at any-source multicast (ASM) first; in the next post we'll look at source-specific multicast (SSM), which is more applicable, but I wanted to test out both.
All devices that participate in GETVPN, and the devices providing transport, need to be enabled for multicast traffic. This means that IOS14, IOS15, SW1, CSR1, CR3, MPLS, CSR8, CSR9 and CSR10 all need to be enabled for multicast. I'll keep the multicast configuration short and focus more heavily on the GETVPN-specific attributes.
CSR1, CSR8, CSR9 and CSR10
ip multicast-routing distributed
!
interface GX
ip pim sparse-mode
IOS14, IOS15, SW1, MPLS
ip multicast-routing
!
interface gX/X
ip pim sparse-mode
IOS15
interface loopback 0
ip pim sparse-mode
Remember that any interface facing the MPLS router needs to be enabled for multicast/PIM/IGMP.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /224.0.0.13, src_addr= 10.3.10.1, prot= 103
One syslog message that kept showing up was the one above: a warning that a PIM packet (IP protocol 103, destined to 224.0.0.13) arrived without IPsec protection even though the crypto policy expects it to be encrypted. The issue is that PIM is a control-plane protocol that builds the per-hop multicast trees used to transport multicast traffic. It is not supposed to be encrypted, but the GETVPN ACL's permit ip any any currently catches it. So the first thing to do is rewrite the GETVPN ACL to deny PIM and IGMP so they are excluded from encryption.
ip access-list extended GETVPN
deny udp any any eq 848
deny udp any eq 848 any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny udp any any eq snmp
deny udp any eq snmp any
deny pim any any
deny igmp any any
permit ip any any
After this, the syslog messages cease and we can move on.
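To see why the order of those deny lines matters, here is an added example (not from the original post) that evaluates the GETVPN crypto ACL above the way IOS does, first match wins, and reports whether a packet would be handed to IPsec. The ACL text is the one from the lab; the sample packets (the PIM packet from the syslog, a GDOI rekey on UDP 848, and ordinary TCP traffic) are constructed for the example.

```python
# Added example, not from the original post: first-match evaluator for the
# GETVPN crypto ACL. A "permit" in a crypto ACL means "encrypt", so the goal is
# that control-plane traffic such as PIM (IP protocol 103) hits a deny before
# the final "permit ip any any". Packets below are constructed for the example.

# IOS accepts these names in place of numbers (only the ones used here).
PORTS = {"bgp": 179, "snmp": 161}
PROTOCOLS = {"ip": None, "tcp": 6, "udp": 17, "pim": 103, "igmp": 2}

GETVPN_ACL = """
deny udp any any eq 848
deny udp any eq 848 any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny udp any any eq snmp
deny udp any eq snmp any
deny pim any any
deny igmp any any
permit ip any any
"""

def parse_ace(line):
    """Parse one 'any'-address ACE into (action, proto, sport, dport).
    None means wildcard. Only the 'eq' port operator is handled."""
    tok = line.split()
    action, proto, rest = tok[0], PROTOCOLS[tok[1]], tok[2:]
    ports, i = [], 0
    while i < len(rest):                  # source half, then destination half
        if rest[i] != "any":
            raise ValueError("this example only handles 'any' addresses")
        i += 1
        if i < len(rest) and rest[i] == "eq":
            ports.append(PORTS.get(rest[i + 1]) or int(rest[i + 1]))
            i += 2
        else:
            ports.append(None)
    return action, proto, ports[0], ports[1]

def evaluate(acl_text, proto, sport=0, dport=0):
    """First match wins, as on IOS; the implicit rule at the end is deny."""
    for line in acl_text.strip().splitlines():
        action, p, sp, dp = parse_ace(line)
        if (p is None or p == proto) and (sp is None or sp == sport) \
                and (dp is None or dp == dport):
            return action
    return "deny"

def encrypted(acl_text, proto, sport=0, dport=0):
    """A crypto ACL 'permit' means the packet is sent through IPsec."""
    return evaluate(acl_text, proto, sport, dport) == "permit"

if __name__ == "__main__":
    before = GETVPN_ACL.replace("deny pim any any\n", "")   # ACL before the fix
    print("PIM encrypted before fix:", encrypted(before, 103))        # True
    print("PIM encrypted after fix:", encrypted(GETVPN_ACL, 103))     # False
```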
With the multicast config in place, we have two choices for the rendezvous point: dynamic RP or static RP. I choose the former (BSR) and use IOS15 as the RP since it's the primary key server.
IOS15
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
Every node enabled for multicast should now have a PIM register tunnel created automatically; it shows up as interface Tunnel0.
R3, for demonstration's sake:
interface Tunnel0
description Pim Register Tunnel (Encap) for RP 15.15.15.15
ip unnumbered GigabitEthernet0/1
ip nat inside
tunnel source GigabitEthernet0/1
tunnel destination 15.15.15.15
no routing dynamic
Now every node needs to join the multicast group 239.1.1.100. The 239.0.0.0/8 range is the administratively scoped range, so it's usable when you're running multicast internally, as we are here.
On all the MPLS-facing interfaces of the GMs:
interface Gx
ip igmp join-group 239.1.1.100
IOSv15#ping 239.1.1.100
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 239.1.1.100, timeout is 2 seconds:
Reply to request 0 from 10.1.11.1, 75 ms
Reply to request 0 from 10.9.10.9, 356 ms
Reply to request 0 from 10.8.10.8, 327 ms
Reply to request 0 from 10.9.10.9, 278 ms
Reply to request 0 from 10.8.10.8, 278 ms
Reply to request 0 from 10.3.10.3, 262 ms
Reply to request 0 from 10.1.13.3, 262 ms
Reply to request 0 from 10.1.10.10, 173 ms
Reply to request 0 from 10.1.11.1, 167 ms
Reply to request 0 from 10.1.10.10, 75 ms
The next step is to set up the key servers to use multicast rather than unicast as the rekey transport. If unicast is not explicitly disabled it remains the preferred method, and it is more reliable than multicast: multicast rekey is fire-and-forget over UDP, whereas unicast rekey gets an ACK from the GM when the rekey takes place.
IOS15
ip access-list extended GETVPN_MCAST_REKEY
permit ip any host 239.1.1.100
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
identity number 100
server local
rekey algorithm aes 128
rekey address ipv4 GETVPN_MCAST_REKEY
rekey authentication mypubkey rsa GETVPN
no rekey transport unicast
sa ipsec 10
profile DMVPN
match address ipv4 GETVPN
replay counter window-size 64
no tag
address ipv4 10.1.15.15
redundancy
local priority 255
peer address ipv4 10.1.14.14
!
crypto map GDOI 10 gdoi
set group GETVPNGROUP
IOS14
ip access-list extended GETVPN_MCAST_REKEY
permit ip any host 239.1.1.100
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
identity number 100
server local
rekey algorithm aes 128
rekey address ipv4 GETVPN_MCAST_REKEY
rekey authentication mypubkey rsa GETVPN
no rekey transport unicast
sa ipsec 10
profile DMVPN
match address ipv4 GETVPN
replay counter window-size 64
no tag
address ipv4 10.1.14.14
redundancy
local priority 255
peer address ipv4 10.1.15.15
!
crypto map GDOI 10 gdoi
set group GETVPNGROUP
IOSv15#crypto gdoi ks rekey
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
%GDOI-5-GM_REKEY_TRANS_2_MULTI: Group GETVPNGROUP transitioned to multicast rekey.
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xFDEEE0B3D6199087E6DC966DB1181A55
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 2, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 3, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
CSR10#show crypto gdoi rekey sa detail
KEK SA DB STATS:
num_active = 2
num_malloc = 405
num_free = 402
KEK POLICY (transport type : Multicast)
Local addr/port : 239.1.1.100/0
Remote addr/port : 10.1.15.15/848
spi : 0xFDEEE0B3D6199087E6DC966DB1181A55
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
orig life(sec) : 0
sig hash algorithm : enabled sig key length : 294
sig size : 256
acknowledgement : None
conn_id (IKEv1) : 1210
seq num : 0 prev seq num : 0
handle : 80000192
Interface : GigabitEthernet
Group Name : GETVPNGROUP
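As an added example (not from the original post), here is a small parser for the show crypto gdoi rekey sa detail output above that checks the KEK policy the GM actually installed against what the key-server change intended: multicast transport to 239.1.1.100, sourced from the KS on UDP 848, AES-128, signed, and, as noted earlier, unacknowledged. SAMPLE is trimmed from CSR10's output; the expected group and KS address are taken from the lab config.

```python
# Added example, not from the original post: parse the "show crypto gdoi rekey
# sa detail" output and confirm the KEK policy installed on the GM reflects the
# key-server change (multicast transport to the rekey group, sourced from the KS
# on UDP 848, AES-128, signed via rekey authentication mypubkey rsa) and that,
# as the post notes, multicast rekey carries no ACK. SAMPLE is trimmed from CSR10.
import re

SAMPLE = """KEK SA DB STATS:
num_active = 2
KEK POLICY (transport type : Multicast)
Local addr/port : 239.1.1.100/0
Remote addr/port : 10.1.15.15/848
spi : 0xFDEEE0B3D6199087E6DC966DB1181A55
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
sig hash algorithm : enabled sig key length : 294
sig size : 256
acknowledgement : None
seq num : 0 prev seq num : 0
Group Name : GETVPNGROUP
"""

def parse_kek_policy(text):
    """Return the KEK POLICY fields keyed by lowercase name. Some lines carry
    two 'name : value' pairs, so matching is done per pair, not per line."""
    m = re.search(r"KEK POLICY \(transport type : (\w+)\)", text)
    if not m:
        raise ValueError("no KEK POLICY block in output")
    fields = {"transport": m.group(1)}
    for name, value in re.findall(r"([^:\n]+?)\s*:\s*(\S+)", text[m.end():]):
        fields[name.strip().lower()] = value
    return fields

def check_multicast_rekey(fields, group="239.1.1.100", ks="10.1.15.15"):
    """Return a list of findings; an empty list means the policy matches intent."""
    findings = []
    if fields["transport"] != "Multicast":
        findings.append("transport is %s, not Multicast" % fields["transport"])
    if fields["local addr/port"].split("/")[0] != group:
        findings.append("rekey group is %s, expected %s" % (fields["local addr/port"], group))
    if fields["remote addr/port"] != ks + "/848":
        findings.append("rekey not sourced from KS %s on GDOI port 848" % ks)
    if (fields["encrypt alg"], fields["key size"]) != ("AES", "16"):
        findings.append("KEK cipher is not AES-128 (rekey algorithm aes 128)")
    if fields["sig hash algorithm"] != "enabled":
        findings.append("rekey messages are not signed")
    return findings

def rekey_acknowledged(fields):
    """Multicast rekey carries no GM ACK, unlike unicast rekey."""
    return fields["acknowledgement"] != "None"
```

Run against a GM that silently stayed on unicast (for example because no rekey transport unicast was missed on one KS), the first finding names the transport mismatch.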