Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS XE Release 3S
GETVPN CRL Checking

During the Group Encrypted Transport VPN (GET VPN) process, certificates are received from a certificate authority (CA) and used as a proof of identity. Certificates may be revoked for a number of reasons, such as key compromise or certificate loss. Revoked certificates are placed on a certificate revocation list (CRL) that is published periodically to a repository. This list is stored on the repository for the length of time specified by a configured CRL lifetime, and can be anything from a few hours to several days.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About GETVPN CRL Checking

In Internet Key Exchange (IKE), certificates are validated when a session is established between two peers. Current sessions are not affected by certificate revocation. However, new sessions will fail to establish and certificates are not validated again unless group members reregister to the key server (KS).

The GETVPN CRL Checking feature enables public key infrastructure (PKI) to notify Group Domain of Interpretation (GDOI) KSs when a new CRL is available for a configured trustpoint. The KS then creates a new Key Encryption Key (KEK) and sends a reauthentication message to the group member devices, which print a syslog message, delete the current KEKs, and reregister to the KS.

Cooperative Key Server Protocol Integration

Cooperative Key Server Protocol (COOP) is a feature of GET VPN that allows you to configure multiple key servers (KSs) in a VPN network. It is used for KS redundancy.

GETVPN CRL checking integrates with COOP by enabling group member (GM) reauthentication on all KSs. However, there is always a possibility that a COOP split may occur, in which connectivity is temporarily lost among the cooperative KSs.

No COOP Split when Reauthentication is Triggered

If no COOP split occurs, the primary KS deletes the Key Encryption Key (KEK) on the secondary KSs and sends a reauthentication message to the GMs. The secondary KSs then have their policies synchronized with the primary's policies before the GMs start to reregister. All GMs reregister and reauthenticate to an available KS and receive the new KEK.

COOP Split when Reauthentication is Triggered

If a COOP split occurs before reauthentication is triggered and there are only two primary KSs, both send out the reauthentication message, and each primary KS creates a new and different KEK. A GM acts only on the first reauthentication message it receives, because it deletes all existing KEKs immediately after receiving that message. The GM then reregisters to an available KS, and a CRL check takes place. When reregistering, the GM receives either the KEK of the first primary or the KEK of the second primary, depending on which KS the GM reregistered to. The GM installs that KEK and receives further rekeys only from that primary KS. When the COOP merge occurs, the KSs synchronize their policies and send rekeys so that all GMs have the current KEK and traffic encryption keys (TEKs).

Avoiding the Creation of Different KEKs

Reauthentication and CRL checking still occur if reauthentication is triggered during a COOP split. However, the creation of different KEKs on the KSs is avoided by delaying reauthentication: a primary KS starts reauthentication only if all COOP KSs are reachable (no split). If one COOP KS is not reachable, the primary KS delays sending the reauthentication message until all COOP KSs are reachable again.

How to Configure GETVPN CRL Checking

You need to configure several components before enabling the GETVPN CRL Checking feature. These include:
  • A defined public key infrastructure (PKI) certificate authority (CA), so that group members and key servers are PKI clients and therefore must enroll to get certificates.
  • Key servers (KSs) configured with certificate revocation list (CRL) checking enabled in PKI.
  • KSs configured to download the CRL when it is available on the CA, on a first-needed basis. This means that the KSs download the CRL following the first group member (GM) registration after the new CRL is available. See the “Configuring Key Servers for GETVPN CRL Checking” section.
  • CRL checking disabled on the group member devices for PKI. See the “Disabling CRL Checking on Group Members” section.
  • Internet Key Exchange (IKE) authentication set to certificates. See the “Setting IKE Authentication to Certificates” section.

Configuring Key Servers for GETVPN CRL Checking

To configure key servers (KSs) to download the certificate revocation list (CRL) when the first group member (GM) registration occurs after a new CRL is available on the certificate authority (CA), perform the following steps:

SUMMARY STEPS

    1.  ip domain name name
    2.  ip http server
    3.  crypto pki trustpoint name
    4.  enrollment url url
    5.  revocation-check method
    6.  exit
    7.  crypto identity name
    8.  fqdn domain
    9.  fqdn domain
    10. exit
    11. crypto gdoi group group-name
    12. server local
    13. authorization identity name
    14. end


DETAILED STEPS

Step 1  ip domain name name
    Example: Device(config)# ip domain name cisco.com
    Purpose: Defines a default domain name that the Cisco IOS software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Step 2  ip http server
    Example: Device(config)# ip http server
    Purpose: Enables the HTTP server on an IP or IPv6 system.

Step 3  crypto pki trustpoint name
    Example: Device(config)# crypto pki trustpoint mycert
    Purpose: Defines the trustpoint that your device should use and enters CA trustpoint configuration mode.

Step 4  enrollment url url
    Example: Device(config-ca-trustpoint)# enrollment url http://10.1.3.1:80
    Purpose: Specifies the enrollment URL of the CA.

Step 5  revocation-check method
    Example: Device(config-ca-trustpoint)# revocation-check crl
    Purpose: Ensures that certificate checking is performed against a CRL.

Step 6  exit
    Example: Device(config-ca-trustpoint)# exit
    Purpose: Exits CA trustpoint configuration mode and returns to global configuration mode.

Step 7  crypto identity name
    Example: Device(config)# crypto identity abcd
    Purpose: Configures the identity of the device with a given list of distinguished names (DNs) in the certificate of the device and enters crypto identity configuration mode.
    Note: You can set restrictions in the device configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.

Step 8  fqdn domain
    Example: Device(config-crypto-identity)# fqdn ut01-unix5.cisco.com
    Purpose: Derives the name mangler from the remote identity of the fully qualified domain name (FQDN) for a GM.

Step 9  fqdn domain
    Example: Device(config-crypto-identity)# fqdn ut01-unix6.cisco.com
    Purpose: Derives the name mangler from the remote identity of the FQDN for the next GM.

Step 10  exit
    Example: Device(config-crypto-identity)# exit
    Purpose: Exits crypto identity configuration mode and returns to global configuration mode.

Step 11  crypto gdoi group group-name
    Example: Device(config)# crypto gdoi group gdoi-group1
    Purpose: Creates a Group Domain of Interpretation (GDOI) group and enters GDOI group configuration mode.

Step 12  server local
    Example: Device(config-gdoi-group)# server local
    Purpose: Designates a device as a GDOI key server and enters GDOI local server configuration mode.

Step 13  authorization identity name
    Example: Device(config-gdoi-local-server)# authorization identity abcd
    Purpose: Specifies an authorization identity for a GDOI group based on a distinguished name (DN) or FQDN.

Step 14  end
    Example: Device(config-gdoi-local-server)# end
    Purpose: Exits GDOI local server configuration mode and returns to privileged EXEC mode.


Disabling CRL Checking on Group Members

To disable certificate revocation list (CRL) checking on group members (GMs) for public key infrastructure (PKI), perform the following steps:

SUMMARY STEPS

    1.  ip domain name name
    2.  ip http server
    3.  crypto pki trustpoint name
    4.  enrollment url url
    5.  revocation-check method
    6.  exit

DETAILED STEPS

Step 1  ip domain name name
    Example: Device(config)# ip domain name cisco.com
    Purpose: Defines a default domain name that the Cisco IOS software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Step 2  ip http server
    Example: Device(config)# ip http server
    Purpose: Enables the HTTP server on an IP or IPv6 system.

Step 3  crypto pki trustpoint name
    Example: Device(config)# crypto pki trustpoint mycert
    Purpose: Defines the trustpoint that your device should use and enters CA trustpoint configuration mode.

Step 4  enrollment url url
    Example: Device(config-ca-trustpoint)# enrollment url http://10.1.3.1:80
    Purpose: Specifies the enrollment URL of the certificate authority (CA).

Step 5  revocation-check method
    Example: Device(config-ca-trustpoint)# revocation-check none
    Purpose: Disables certificate revocation checking on the GMs.

Step 6  exit
    Example: Device(config-ca-trustpoint)# exit
    Purpose: Exits CA trustpoint configuration mode and returns to global configuration mode.


Setting IKE Authentication to Certificates

To set Internet Key Exchange (IKE) authentication to certificates, perform the following steps:

SUMMARY STEPS

    1.  crypto isakmp policy priority
    2.  no authentication pre-share
    3.  end

DETAILED STEPS

Step 1  crypto isakmp policy priority
    Example: Router(config)# crypto isakmp policy 1
    Purpose: Defines an Internet Key Exchange (IKE) policy and enters ISAKMP policy configuration mode.

Step 2  no authentication pre-share
    Example: Router(config-isakmp)# no authentication pre-share
    Purpose: Resets the authentication method within the IKE policy to its default value, rsa-sig, so that peers authenticate with certificates rather than pre-shared keys.

Step 3  end
    Example: Router(config-isakmp)# end
    Purpose: Returns to privileged EXEC mode.


Enabling GETVPN CRL Checking on Key Servers

To configure public key infrastructure (PKI) to notify the Group Domain of Interpretation (GDOI) key server (KS) when a new certificate revocation list (CRL) is available for the configured trustpoint certificate authority (CA), perform the following steps:

SUMMARY STEPS

    1.  crypto gdoi group group-name
    2.  server local
    3.  registration periodic crl trustpoint trustpoint-name
    4.  end

DETAILED STEPS

Step 1  crypto gdoi group group-name
    Example: Device(config)# crypto gdoi group gdoi_group1
    Purpose: Creates a GDOI group and enters GDOI group configuration mode.

Step 2  server local
    Example: Device(config-gdoi-group)# server local
    Purpose: Designates a device as a GDOI key server and enters GDOI local server configuration mode.

Step 3  registration periodic crl trustpoint trustpoint-name
    Example: Device(config-gdoi-local-server)# registration periodic crl trustpoint mycert
    Purpose: Enables periodic registrations for the GDOI KSs when new CRLs become available for the configured PKI trustpoint certificate authority.

Step 4  end
    Example: Device(config-gdoi-local-server)# end
    Purpose: Exits GDOI local server configuration mode and returns to privileged EXEC mode.


Configuration Examples for GETVPN CRL Checking

Example: Enabling GETVPN CRL Checking

The following examples show how the GETVPN CRL checking feature is enabled, including all required preconfigurations.

Example: Configuring Key Servers for GETVPN CRL Checking

In the following example, the key servers (KSs) are configured to download the certificate revocation list (CRL) when the first group member registration occurs after a new CRL is available on the trustpoint certificate authority (CA) named mycert:

ip domain name cisco.com
ip http server
crypto pki trustpoint mycert
 enrollment url http://10.1.3.1:80
 revocation-check crl

crypto identity abcd
 fqdn ut01-unix5.cisco.com
 fqdn ut01-unix6.cisco.com

crypto gdoi group gdoi-group1
 server local
  authorization identity abcd


Example: Disabling CRL Checking on Group Members

In the following example, CRL checking on group members (GMs) for public key infrastructure (PKI) is disabled:

ip domain name cisco.com
ip http server
crypto pki trustpoint mycert
 enrollment url http://10.1.3.1:80
 revocation-check none


Example: Setting IKE Authentication to Certificates

crypto isakmp policy 1
 no authentication pre-share


Example: Enabling GETVPN CRL Checking on Key Servers

In the following example, PKI is configured to notify the local KS of the GDOI group gdoi_group1 when a new CRL is available for the trustpoint CA named mycert:

crypto gdoi group gdoi_group1
 server local
  registration periodic crl trustpoint mycert
          
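The prerequisites listed under “How to Configure GETVPN CRL Checking” can be verified mechanically before the feature is turned on. The following Python script is an added example and not part of this Cisco guide: it parses a saved IOS configuration into top-level command blocks and reports each deviation (a KS trustpoint without revocation-check crl, a GM trustpoint still checking CRLs, an ISAKMP policy left on pre-shared keys, or a KS whose registration periodic crl trustpoint names a trustpoint that does not check CRLs). The sample configurations it carries are constructed from the examples above, and the command strings it matches are the ones this chapter uses.

```python
# Constructed sample configs (not captured from a device), modelled on this chapter's
# examples; the GM sample is deliberately wrong on two points for the audit to catch.
KS_CONFIG = """\
crypto pki trustpoint mycert
 revocation-check crl
crypto isakmp policy 1
 no authentication pre-share
crypto gdoi group gdoi-group1
 server local
  authorization identity abcd
  registration periodic crl trustpoint mycert
"""
GM_CONFIG = """\
crypto pki trustpoint mycert
 revocation-check crl
crypto isakmp policy 1
 authentication pre-share
"""

def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group each indented line under its top-level command (nesting depth is flattened)."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit(config: str, role: str) -> list[str]:
    """Check a 'ks' or 'gm' config against the chapter's prerequisites; [] means clean."""
    blocks = parse_blocks(config)
    want = "crl" if role == "ks" else "none"  # KSs check the CRL, GMs must not
    # Trustpoint name -> revocation-check methods configured under it.
    tps = {k.split()[-1]: [l.split(None, 1)[1] for l in v if l.startswith("revocation-check ")]
           for k, v in blocks.items() if k.startswith("crypto pki trustpoint ")}
    findings = [f"trustpoint {n}: revocation-check {m or 'missing'}, expected '{want}'"
                for n, m in tps.items() if m != [want]]  # also flags 'crl none' fallbacks
    for key, lines in blocks.items():
        # IKE must authenticate with certificates, so a pre-shared-key policy is a finding.
        if key.startswith("crypto isakmp policy ") and "authentication pre-share" in lines:
            findings.append(f"{key}: pre-shared keys configured, certificates required")
        # A KS must be told about new CRLs through a trustpoint that actually checks them.
        elif key.startswith("crypto gdoi group ") and role == "ks":
            refs = [l.split()[-1] for l in lines if l.startswith("registration periodic crl trustpoint ")]
            if "server local" not in lines:
                findings.append(f"{key}: no 'server local', device is not a key server")
            elif not refs:
                findings.append(f"{key}: 'registration periodic crl trustpoint' missing")
            for tp in refs:
                if tps.get(tp) != ["crl"]:
                    findings.append(f"{key}: trustpoint {tp} does not use revocation-check crl")
    return findings
```

Run audit(text, "ks") on each key server and audit(text, "gm") on each group member; the KS sample returns no findings, while the GM sample reports both its trustpoint and its ISAKMP policy.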

Additional References for GETVPN CRL Checking

Related Documents

  • Cisco IOS commands: Cisco IOS Master Command List, All Releases
  • Cisco IOS security commands: Cisco IOS Security Command References
  • Basic deployment guidelines for enabling GET VPN in an enterprise network: Cisco IOS GETVPN Solution Deployment Guide
  • Designing and implementing a GET VPN network: Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide

Standards and RFCs

  • RFC 2401: Security Architecture for the Internet Protocol
  • RFC 6407: The Group Domain of Interpretation

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for GETVPN CRL Checking

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for GETVPN CRL Checking

Feature Name: GETVPN CRL Checking
Releases: Cisco IOS XE Release 3.10S
Feature Information: Enables public key infrastructure (PKI) to notify Group Domain of Interpretation (GDOI) key servers (KSs) when a new certificate revocation list (CRL) is available for a configured trustpoint. The following command was introduced: registration periodic crl trustpoint.