The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
During Group Encrypted Transport VPN (GET VPN) registration, certificates issued by a certificate authority (CA) are used as proof of identity. A certificate may be revoked for a number of reasons, such as key compromise or certificate loss. Revoked certificates are placed on a certificate revocation list (CRL) that is published periodically to a repository. The list is stored on the repository for the length of time specified by the configured CRL lifetime, which can be anything from a few hours to several days.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
In Internet Key Exchange (IKE), a peer's certificate is validated only when a session is established between the two peers. Sessions that are already up are not affected when a certificate is revoked; the revoked certificate is rejected only when a new session is established. In GET VPN this means that a group member whose certificate has been revoked keeps its group keys, and its certificate is not validated again, until it reregisters to the key server (KS).
The GETVPN CRL Checking feature enables public key infrastructure (PKI) to notify Group Domain of Interpretation (GDOI) KSs when a new CRL is available for a configured trustpoint. The KS then creates a new Key Encryption Key (KEK) and sends a reauthentication message to the group member devices, which print a syslog message, delete the current KEKs, and reregister to the KS.
Cooperative Key Server Protocol (COOP) is a feature of GET VPN that allows you to configure multiple key servers (KSs) in a VPN network. It is used for KS redundancy.
GETVPN CRL checking integrates with COOP by triggering group member (GM) reauthentication on all KSs. However, there is always a possibility of a COOP split, in which connectivity is temporarily lost among the cooperative KSs.
If no COOP split occurs, the primary KS deletes the Key Encryption Key (KEK), propagates the deletion to the secondary KSs, and sends a reauthentication message to the GMs. The secondary KSs then have their policies synchronized with the primary's before the GMs start to reregister. All GMs reregister and reauthenticate to an available KS and receive the new KEK.
If a COOP split occurs before reauthentication is triggered and there are only two KSs, both become primary and both send out a reauthentication message, each having created a new and different KEK. A GM acts only on the first reauthentication message it receives, because it deletes all of its existing KEKs immediately on receipt. The GM then reregisters to an available KS, and the CRL check takes place during that registration. Depending on which KS the GM reregisters to, it receives either the first primary's KEK or the second primary's KEK, installs it, and from then on receives rekeys only from that primary KS. When the COOP merge occurs, the KSs synchronize their policies and send rekeys so that all GMs again hold the same current KEK and traffic encryption keys (TEKs).
Reauthentication and CRL checking still occur if reauthentication is triggered during a COOP split, but the creation of different KEKs on different KSs is avoided by delaying reauthentication: a primary KS starts reauthentication only if all COOP KSs are reachable (no split). If any COOP KS is unreachable, the primary KS holds the reauthentication message until all COOP KSs are reachable again.
The GETVPN CRL Checking feature requires the following configuration:
A defined public key infrastructure (PKI) certificate authority (CA), so that group members and key servers are PKI clients and therefore must enroll to obtain certificates.
Key servers (KSs) configured with certificate revocation list (CRL) checking enabled in PKI.
KSs configured to download the CRL when it is available on the CA, on a first-needed basis. This means that the KSs download the CRL at the first group member (GM) registration after the new CRL becomes available. See the “Configuring Key Servers for GETVPN CRL Checking” section.
CRL checking disabled on the group member devices for PKI. See the “Disabling CRL Checking on Group Members” section.
Internet Key Exchange (IKE) authentication set to certificates. See the “Setting IKE Authentication to Certificates” section.
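The difference between the KS side (revocation-check crl) and the GM side (revocation-check none) can be reproduced with a throwaway OpenSSL CA. The following shell script is an added example, not part of the Cisco documentation or of the product: it assumes that the openssl command is on the PATH, and the CA name, the group-member hostname gm1.example.net and all file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): a throwaway OpenSSL CA
# issues a group-member (GM) certificate, revokes it and publishes a CRL.
# The certificate is then validated twice: once the way a GM configured with
# "revocation-check none" validates a peer (chain only), and once the way a KS
# configured with "revocation-check crl" does (chain plus CRL lookup).
# All names below are invented for the demonstration.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"

# Minimal configuration for "openssl req" and "openssl ca".
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = lab_policy
unique_subject   = no

[ lab_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# The CA (the trustpoint CA that the KS and GMs enroll with).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout ca.key -out ca.crt -subj "/CN=Lab GETVPN CA" >/dev/null 2>&1

# The GM enrolls: its CSR is signed and its serial recorded in index.txt.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -keyout gm.key -out gm.csr -subj "/CN=gm1.example.net" >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in gm.csr -out gm.crt >/dev/null 2>&1

# The GM's key is compromised: the CA revokes the certificate and publishes a CRL.
openssl ca -config ca.cnf -revoke gm.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# revocation-check none: chain validation only. Exits 0 (accepted) even
# though the certificate has been revoked.
verify_like_gm() {
    openssl verify -CAfile ca.crt gm.crt >/dev/null 2>&1
}

# revocation-check crl: chain validation plus a CRL lookup. Exits non-zero
# (rejected) because the GM's serial number is on the CRL.
verify_like_ks() {
    openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check gm.crt >/dev/null 2>&1
}

# nextUpdate is the CRL lifetime: a cached copy is treated as current until then.
crl_next_update() {
    openssl crl -in ca.crl -noout -nextupdate
}

# Number of serial numbers listed on the CRL (one here).
crl_revoked_count() {
    openssl crl -in ca.crl -noout -text | grep -c 'Serial Number:'
}

if verify_like_gm; then
    echo "GM-style check (revocation-check none): accepted"
fi
if verify_like_ks; then
    echo "KS-style check (revocation-check crl): accepted"
else
    echo "KS-style check (revocation-check crl): rejected, serial is on the CRL"
fi
echo "CRL entries: $(crl_revoked_count); $(crl_next_update)"
```

The chain-only check accepts the revoked certificate, which is why a GM that skips CRL checking keeps operating after revocation until something forces it to reregister; the KS-side check rejects it at registration. The nextUpdate value is the CRL lifetime from the overview: a KS that has already downloaded a CRL treats it as current until that time, so a freshly published CRL has no effect until the KS fetches it and the GMs reregister, which is what the feature described in this module triggers.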
To configure key servers (KSs) to download the certificate revocation list (CRL) when the first group member (GM) registration occurs after a new CRL is available on the certificate authority (CA), perform the following steps:
1. ip domain name name
2. ip http server
3. crypto pki trustpoint name
4. enrollment url url
5. revocation-check method
6. exit
7. crypto identity name
8. fqdn domain
9. fqdn domain
10. exit
11. crypto gdoi group group-name
12. server local
13. authorization identity name
14. end
To disable certificate revocation list (CRL) checking on group members (GMs) for public key infrastructure (PKI), perform the following steps:
1. ip domain name name
2. ip http server
3. crypto pki trustpoint name
4. enrollment url url
5. revocation-check method
6. exit
Step | Command or Action | Purpose
---|---|---
Step 1 | ip domain name name. Example: Device(config)# ip domain name cisco.com | Defines a default domain name that the Cisco IOS software uses to complete unqualified hostnames (names without a dotted-decimal domain name).
Step 2 | ip http server. Example: Device(config)# ip http server | Enables the HTTP server on an IP or IPv6 system.
Step 3 | crypto pki trustpoint name. Example: Device(config)# crypto pki trustpoint mycert | Defines the trustpoint that your device should use and enters CA trustpoint configuration mode.
Step 4 | enrollment url url. Example: Device(config-ca-trustpoint)# enrollment url http://10.1.3.1:80 | Specifies the enrollment URL of the certificate authority (CA).
Step 5 | revocation-check method. Example: Device(config-ca-trustpoint)# revocation-check none | Disables certificate revocation checking on the GM. With this feature the KS performs the CRL check when the GM registers.
Step 6 | exit. Example: Device(config-ca-trustpoint)# exit | Exits CA trustpoint configuration mode and returns to global configuration mode.
To set Internet Key Exchange (IKE) authentication to certificates, perform the following steps:
1. crypto isakmp policy priority
2. no authentication pre-share
3. end
Step | Command or Action | Purpose
---|---|---
Step 1 | crypto isakmp policy priority. Example: Router(config)# crypto isakmp policy 1 | Defines an Internet Key Exchange (IKE) policy and enters ISAKMP policy configuration mode.
Step 2 | no authentication pre-share. Example: Router(config-isakmp)# no authentication pre-share | Resets the authentication method within the IKE policy to the default value, rsa-sig, so that the peers authenticate with certificates.
Step 3 | end. Example: Router(config-isakmp)# end | Returns to privileged EXEC mode.
To configure a key server (KS) to be notified by PKI when a new certificate revocation list (CRL) is available for the configured trustpoint, perform the following steps:
1. crypto gdoi group group-name
2. server local
3. registration periodic crl trustpoint trustpoint-name
4. end
Step | Command or Action | Purpose
---|---|---
Step 1 | crypto gdoi group group-name. Example: Device(config)# crypto gdoi group gdoi_group1 | Creates a GDOI group and enters GDOI group configuration mode.
Step 2 | server local. Example: Device(config-gdoi-group)# server local | Designates the device as a GDOI key server and enters GDOI local server configuration mode.
Step 3 | registration periodic crl trustpoint trustpoint-name. Example: Device(config-gdoi-local-server)# registration periodic crl trustpoint mycert | Enables periodic registration: PKI notifies the KS when a new CRL becomes available for the configured trustpoint CA, and the KS then forces the GMs to reregister.
Step 4 | end. Example: Device(config-gdoi-local-server)# end | Exits GDOI local server configuration mode and returns to privileged EXEC mode.
Configuration Examples for GETVPN CRL Checking
The following examples show how the GETVPN CRL checking feature is enabled, including all required preconfigurations.
In the following example, the key servers (KSs) are configured to download the certificate revocation list (CRL) when the first group member registration occurs after a new CRL is available on the trustpoint certificate authority (CA) named mycert:
ip domain name cisco.com
ip http server
crypto pki trustpoint mycert
 enrollment url http://10.1.3.1:80
 revocation-check crl
crypto identity abcd
 fqdn ut01-unix5.cisco.com
 fqdn ut01-unix6.cisco.com
crypto gdoi group gdoi-group1
 server local
  authorization identity abcd
In the following example, CRL checking on Group Members (GM) for public key infrastructure (PKI) is disabled:
ip domain name cisco.com
ip http server
crypto pki trustpoint mycert
 enrollment url http://10.1.3.1:80
 revocation-check none
In the following example, IKE authentication is set to certificates by removing the preshared-key setting from the IKE policy, which restores the default of rsa-sig:
crypto isakmp policy 1
 no authentication pre-share
In the following example, PKI is configured to notify the KS of the GDOI group named gdoi_group1 when a new CRL is available for the trustpoint CA named mycert:
crypto gdoi group gdoi_group1
 server local
  registration periodic crl trustpoint mycert
Related Topic | Document Title
---|---
Cisco IOS commands | 
Cisco IOS security commands | Cisco IOS Security Command References
Basic deployment guidelines for enabling GET VPN in an enterprise network | Cisco IOS GETVPN Solution Deployment Guide
Designing and implementing a GET VPN network | Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide
Standard/RFC | Title
---|---
RFC 2401 | Security Architecture for the Internet Protocol
RFC 6407 | The Group Domain of Interpretation
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
GETVPN CRL Checking | Cisco IOS XE Release 3.10S | Enables public key infrastructure (PKI) to notify Group Domain of Interpretation (GDOI) key servers (KSs) when a new certificate revocation list (CRL) is available for a configured trustpoint. The following command was introduced: registration periodic crl trustpoint.