GETVPN - Cooperative Key Server and Group Member Any Source Multicast Rekey Setup w/ PSK
This lab example takes the cooperative (COOP) key server GETVPN setup with unicast rekey and switches it to multicast rekey. A fair amount of multicast configuration is needed to make this work, and it is laid out below. We'll look at any source multicast first; in the next post we'll look at source specific multicast, which is more applicable, but I wanted to test out both.

All devices that participate in GETVPN, and the devices providing transport, need to be enabled for multicast. That means IOS14, IOS15, SW1, CSR1, CR3, MPLS, CSR8, CSR9 and CSR10 all need multicast routing and PIM. I'll keep the multicast configuration short and focus more heavily on the GETVPN-specific attributes.

CSR1, CSR8, CSR9 and CSR10
ip multicast-routing distributed
!
interface GX
 ip pim sparse-mode

IOS14, IOS15, SW1, MPLS
ip multicast-routing
!
interface gX/X
 ip pim sparse-mode

IOS15
interface loopback 0
 ip pim sparse-mode

Remember that any interface facing the MPLS router needs to be enabled for multicast/PIM/IGMP.

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /224.0.0.13, src_addr= 10.3.10.1, prot= 103

This was a common syslog message while bringing this up. It is a warning that PIM (protocol 103 in the message, destined to the all-PIM-routers address 224.0.0.13) is being matched by the crypto policy. The issue is that PIM is a control plane protocol that builds the hop-by-hop multicast distribution trees used to transport multicast traffic. It is not supposed to be encrypted, but the GETVPN crypto ACL was catching it. The first thing to do is rewrite the GETVPN ACL to deny PIM and IGMP so that neither is encrypted.

ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 deny   pim any any
 deny   igmp any any
 permit ip any any

After this, the syslog messages cease and we can move on.
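As an added example (not from the lab), a small first-match evaluator for the crypto ACL above. It compares the rewritten ACL with an assumed "before" version that lacks the pim/igmp denies, and shows which control-plane flows each one would hand to IPsec under `permit ip any any`.

```python
"""First-match evaluator for the post's GETVPN crypto ACL (added example, not
from the lab): without the pim/igmp denies, PIM and IGMP fall under 'permit ip
any any' and are handed to IPsec, the condition behind the syslog above."""
import re
# IOS keywords -> IANA protocol and port numbers (standard values).
PROTO = {"ip": None, "udp": 17, "tcp": 6, "pim": 103, "igmp": 2}
PORT = {"848": 848, "bgp": 179, "snmp": 161}
# Only the 'any any' ACE forms that appear in the post are parsed.
ACE = re.compile(r"^\s*(permit|deny)\s+(\w+)\s+any(?:\s+eq\s+(\S+))?"
                 r"\s+any(?:\s+eq\s+(\S+))?\s*$")
# Post's rewritten ACL, and an assumed 'before' without the pim/igmp denies.
FIXED_ACL = """ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 deny   pim any any
 deny   igmp any any
 permit ip any any"""
BEFORE_ACL = "\n".join(l for l in FIXED_ACL.splitlines()
                       if " pim " not in l and " igmp " not in l)

def parse_acl(text):
    """Return (action, proto, src_port, dst_port) per ACE, in order."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:  # the 'ip access-list extended ...' header is skipped
            action, proto, sport, dport = m.groups()
            aces.append((action, PROTO[proto], PORT.get(sport), PORT.get(dport)))
    return aces

def lookup(aces, proto, sport=None, dport=None):
    """First matching ACE wins, implicit deny at the end, as in IOS. 'ip'
    (proto None) matches any protocol; a port test applies only if set."""
    for action, p, sp, dp in aces:
        if (p is None or p == proto) and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def control_plane_leaks(acl_text):
    """Control-plane flows the crypto ACL would permit, i.e. encrypt."""
    aces = parse_acl(acl_text)
    flows = {"gdoi": (17, 848, 848), "bgp": (6, 55000, 179),
             "pim": (103, None, None), "igmp": (2, None, None)}
    return sorted(n for n, (pr, sp, dp) in flows.items()
                  if lookup(aces, pr, sp, dp) == "permit")
```

`control_plane_leaks(BEFORE_ACL)` returns `['igmp', 'pim']`, while the rewritten ACL returns an empty list.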

With the multicast config in place, there are two choices for the RP: dynamic or static. I chose dynamic (BSR) and use IOS15 as the RP, since it's the main key server.

IOS15
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0

Every node enabled for multicast should now have a PIM register tunnel created; this will be interface Tunnel0.

R3, for demonstration's sake:
interface Tunnel0
 description Pim Register Tunnel (Encap) for RP 15.15.15.15
 ip unnumbered GigabitEthernet0/1
 ip nat inside
 tunnel source GigabitEthernet0/1
 tunnel destination 15.15.15.15
 no routing dynamic

Now every node needs to join the multicast group 239.1.1.100. The 239.0.0.0/8 range is the administratively scoped range, so it is the range to use when running multicast internally, as we are.

All the MPLS facing interfaces of the GMs:
interface Gx
 ip igmp join-group 239.1.1.100

IOSv15#ping 239.1.1.100
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 239.1.1.100, timeout is 2 seconds:

Reply to request 0 from 10.1.11.1, 75 ms
Reply to request 0 from 10.9.10.9, 356 ms
Reply to request 0 from 10.8.10.8, 327 ms
Reply to request 0 from 10.9.10.9, 278 ms
Reply to request 0 from 10.8.10.8, 278 ms
Reply to request 0 from 10.3.10.3, 262 ms
Reply to request 0 from 10.1.13.3, 262 ms
Reply to request 0 from 10.1.10.10, 173 ms
Reply to request 0 from 10.1.11.1, 167 ms
Reply to request 0 from 10.1.10.10, 75 ms



The next step is to set up the key servers to use multicast rather than unicast as the rekey transport; if unicast is not disabled, it remains the preferred method. Unicast is more reliable than multicast, since multicast relies on unacknowledged UDP transport, whereas a unicast rekey gets an ACK from the GM when the rekey takes place.

IOS15
ip access-list extended GETVPN_MCAST_REKEY
 permit ip any host 239.1.1.100
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey address ipv4 GETVPN_MCAST_REKEY
  rekey authentication mypubkey rsa GETVPN
  no rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.15.15
  redundancy
   local priority 255
   peer address ipv4 10.1.14.14
!
crypto map GDOI 10 gdoi
 set group GETVPNGROUP



IOS14
ip access-list extended GETVPN_MCAST_REKEY
 permit ip any host 239.1.1.100
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey address ipv4 GETVPN_MCAST_REKEY
  rekey authentication mypubkey rsa GETVPN
  no rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.14.14
  redundancy
   local priority 255
   peer address ipv4 10.1.15.15
!
crypto map GDOI 10 gdoi
 set group GETVPNGROUP



IOSv15#crypto gdoi ks rekey



%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
%GDOI-5-GM_REKEY_TRANS_2_MULTI: Group GETVPNGROUP transitioned to multicast rekey.
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xFDEEE0B3D6199087E6DC966DB1181A55
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 2, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 3, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
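As an added example (not from the lab), a small checker over the GM syslog lines above. Because the multicast rekey is unacknowledged (the KEK SA output shows "acknowledgement : None"), the GM logs are where delivery gets confirmed: the script records the transition to multicast, the rekey sequence numbers and SPIs per group, and flags sequence gaps or rekeys that were received but never installed.

```python
"""GM-side GDOI syslog checker (added example, not from the lab). Multicast
rekey has no ACK ('acknowledgement : None' in the KEK SA output), so the GM
logs are the evidence: this records the unicast->multicast transition, the
rekey sequence numbers (flagging gaps) and whether each rekey was installed."""
import re

RE_TRANS = re.compile(r"GM_REKEY_TRANS_2_MULTI: Group (\S+) transitioned to (\w+)")
RE_REKEY = re.compile(r"GM_RECV_REKEY: Received Rekey for group (\S+) from (\S+) "
                      r"to \S+ with seq # (\d+), spi (0x[0-9A-F]+)")
RE_INSTALL = re.compile(r"GM_INSTALL_POLICIES_SUCCESS: .* for group (\S+) &")

# Syslog lines as shown in the post (one GM, after 'crypto gdoi ks rekey').
SAMPLE_LOG = """\
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
%GDOI-5-GM_REKEY_TRANS_2_MULTI: Group GETVPNGROUP transitioned to multicast rekey.
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xFDEEE0B3D6199087E6DC966DB1181A55
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 2, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
%GDOI-5-GM_RECV_REKEY: Received Rekey for group GETVPNGROUP from 10.1.15.15 to 10.10.10.10 with seq # 3, spi 0xDCC7760D1C6A0544C49D567037AB8A7B
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.15.15 for group GETVPNGROUP & gm identity 10.10.10.10 fvrf default ivrf default
""".splitlines()

def _new():
    return {"transport": None, "ks": set(), "seqs": [], "spis": set(), "installs": 0}

def summarize_rekeys(lines):
    """Per-group summary; 'gaps' lists seq numbers never seen between the
    first and last rekey, 'uninstalled' counts rekeys without an install."""
    groups = {}
    for line in lines:
        if m := RE_TRANS.search(line):
            groups.setdefault(m[1], _new())["transport"] = m[2]
        elif m := RE_REKEY.search(line):
            g = groups.setdefault(m[1], _new())
            g["ks"].add(m[2]); g["seqs"].append(int(m[3])); g["spis"].add(m[4])
        elif m := RE_INSTALL.search(line):
            groups.setdefault(m[1], _new())["installs"] += 1
    for g in groups.values():
        s = g["seqs"]
        g["gaps"] = sorted(set(range(min(s), max(s) + 1)) - set(s)) if s else []
        g["uninstalled"] = len(s) - g["installs"]
    return groups
```

Feeding in a log that jumps from seq 2 to seq 4 makes `gaps` report `[3]`, which is the kind of silent loss a unicast rekey would have surfaced through a missing ACK on the key server.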



CSR10#show crypto gdoi rekey sa detail
KEK SA DB STATS:
    num_active = 2
    num_malloc = 405
    num_free = 402

  KEK POLICY (transport type : Multicast)
   Local addr/port : 239.1.1.100/0
   Remote addr/port : 10.1.15.15/848
    spi : 0xFDEEE0B3D6199087E6DC966DB1181A55
    management alg     : disabled    encrypt alg       : AES       
    crypto iv length   : 16          key size          : 16      
    orig life(sec)     : 0         
    sig hash algorithm : enabled     sig key length    : 294     
    sig size           : 256
    acknowledgement    : None
    conn_id (IKEv1)    : 1210
    seq num            : 0           prev seq num      : 0       
    handle             : 80000192  
    Interface          : GigabitEthernet
    Group Name         : GETVPNGROUP         