Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS XE Release 3S
GET VPN Resiliency
Downloads: This chapterpdf (PDF - 1.36MB) The complete bookPDF (PDF - 3.78MB) | The complete bookePub (ePub - 678.0KB) | Feedback

GET VPN Resiliency

Contents

GET VPN Resiliency

The GET VPN Resiliency feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for GET VPN Resiliency

All key servers (KSs) and group members (GMs) on which you want to enable this feature must be running GET VPN software version 1.0.4 or higher. You should use this feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature. This feature provides a command that you use on the KS (or primary KS) to check whether all devices in the network are running versions that support this feature. For more information, see the “Ensuring That GMs Are Running Software Versions That Support Long SA Lifetime” section.

Restrictions for GET VPN Resiliency

  • All key servers (KSs) and group managers (GMs) must be upgraded for Long SA Lifetime.

Information About GET VPN Resiliency

Long SA Lifetime

The long security association (SA) lifetime functionality extends the maximum lifetime of the key encryption key (KEK) and traffic encryption key (TEK) from 24 hours to 30 days. This functionality also lets you configure key servers (KSs) to continue to send periodic reminder rekeys to group members (GMs) that do not respond with an acknowledgment in the last scheduled rekey.

By using a long SA lifetime in combination with periodic reminder rekeys, a KS can effectively synchronize GMs if they miss a scheduled rekey before the keys roll over.


Note


For a lifetime longer than 24 hours, the encryption algorithm must be Advanced Encryption Standard-cipher block chaining (AES-CBC) or Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) with an AES key of 128 bits or stronger.

You can use the long SA lifetime functionality along with the GETVPN Suite-B feature to use AES-GSM and Galois Message Authentication Code-Advanced Encryption Standard (GMAC-AES) as traffic encryption key (TEK) policy transforms in a group for packets encapsulated with GCM-AES and GMAC-AES.

Migrating to Long SA Lifetime

When migrating to the long SA lifetime functionality (greater than one day), the following rules apply:

  • When a long SA lifetime is configured on a crypto IPsec profile, GETVPN displays a warning message to not use the IPsec profile for a non- Group Domain of Interpretation (GDOI) group.
  • If group members are registered to a key server with short SA lifetime and the key server changes the policy to long SA lifetime, GETVPN checks the software version of all the GMs when the crypto gdoi ks rekey command is configured to initiate the policy change. If the GMs registered with the KS do not support long SA lifetime, a message is displayed to discourage the policy change until all GMs are upgraded.
  • When the Long SA feature is enabled in KS, it will block registration from GMs running older Cisco IOS releases, which does not support this feature.

Clock Skew Mitigation

Sometimes with longer security association (SA) lifetimes, a group manager (GM) may not receive updates from a key server for a longer duration. This may result in group managers experiencing clock skew for key encryption key (KEK) lifetime, traffic encryption key (TEK) lifetime, and Time-Based Anti-Replay (TBAR) pseudotime. The refresh rekey and rollover to new outbound IPsec SA helps GMs in mitigating clock skew issues.

Refresh Rekey

If the traffic encryption key (TEK) lifetime is set for a duration greater than two days and Time-Based Anti-Replay (TBAR) is disabled, a key server sends a refresh rekey every 24 hours which updates the key encryption key (KEK) lifetime, TEK lifetime, and TBAR pseudotime on all group managers (GMs). In simple terms, a refresh rekey is a retransmission of the current KEK policy, TEK policy, and TBAR pseudotime (if enabled) to all GMs, regardless of the status of receiving a unicast acknowledgment (ACK) for the last rekey. If TBAR is enabled, the refresh rekey is sent every two hours to synchronize the pseudotime, so that an additional refresh rekey is not required.

Rollover to New Outbound IPsec SA

When a long SA lifetime (greater than one day) is configured, the rollover happens when the remaining lifetime of the traffic encryption key (TEK) reaches 1% of the old TEK configured lifetime that has a lower limit of 30 seconds and not 30 seconds of the old TEK’s remaining lifetime. This allows a greater clock skew between the group managers (GMs) before discarding traffic from one GM rolling over to the new TEK late (after the other GM has already deleted the old TEK). This mitigates the GM from being “offline” (disconnected from the KS) for a long duration and from being unable to receive the refresh rekeys to mitigate the clock skew.

Periodic Reminder Sync-Up Rekey

The periodic reminder sync-up rekey functionality in the key server (KS) lets you to send periodic reminder rekeys to group managers (GMs) who do not respond with an acknowledgment (ACK) in the last scheduled rekey. This functionality in combination with the long SA lifetime functionality is effective for a KS to synchronize with GMs when they miss a scheduled rekey before the keys rollover. In a KS group configuration, a new keyword periodic is added to the rekey retransmit command when configuring the rekey retransmission.

Each periodic rekey increments the sequence number, similar to rekey retransmissions. The GM is removed from the database on the KS after 3 scheduled rekeys (not retransmissions) for which the GM does not send an ACK.

Pre-Positioned Rekey

The pre-positioned rekey functionality allows the key server (KS) to send a rekey earlier than half the duration of the SA lifetime, when a longer SA lifetime (greater than one day) is configured. The normal behavior of sending the rekey is used for a short SA lifetime. When group managers (GMs) receive this early rekey, they continue to use the old TEK as outbound until rolled over to the new TEK as outbound. The pre-positioned rekey feature along with the Long SA Lifetime feature improves key rollover stability. This functionality allows the (KS) sufficient time to recover rekey errors, such as periodic reminder rekeys and synchronize rekeys.

How to Configure GET VPN Resiliency

Ensuring That GMs Are Running Software Versions That Support Long SA Lifetime

You should use the Long SA Lifetime feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature.

Perform this task on the key server (or primary key server) to ensure that all devices in the network support long SA lifetime.

SUMMARY STEPS

    1.    enable

    2.    show crypto gdoi feature long-sa-lifetime

    3.    show crypto gdoi feature long-sa-lifetime | include No


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     
    Enables privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 show crypto gdoi feature long-sa-lifetime


    Example:
    Device# show crypto gdoi feature long-sa-lifetime
     
    Displays the version of the GET VPN software running on each KS and GM in the GET VPN network and displays whether that device supports long SA lifetime. 
    Step 3 show crypto gdoi feature long-sa-lifetime | include No


    Example:
    Device# show crypto gdoi feature long-sa-lifetime | include No
     
    (Optional) Displays only those devices that do not support long SA lifetime. 

    Configuring Long SA Lifetime for TEK

    To configure long SA lifetime for traffic encryption key (TEK), perform the following steps.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto ipsec profile name

      4.    set security-association lifetime days days

      5.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       
      Enables privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       
      Enters global configuration mode. 
      Step 3 crypto ipsec profile name


      Example:
      Device(config)# crypto ipsec profile gdoi-p
       
      Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec devices and enters crypto IPsec profile configuration mode.  
      Step 4 set security-association lifetime days days


      Example:
      Device(ipsec-profile)# set security-association lifetime days 15
       
      Configures the security association (SA) lifetime to over one day.
      • The maximum number of days is 30.
       
      Step 5 end


      Example:
      Device(ipsec-profile)# end
       
      Exits crypto IPsec profile configuration mode and returns to privileged EXEC mode.  

      Configuring Long SA Lifetime for KEK

      To configure long SA lifetime for key encryption key (TEK), perform the following steps.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    crypto gdoi group group-name

        4.    identity number number

        5.    server local

        6.    rekey lifetime days days

        7.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         
        Enables privileged EXEC mode.
        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         
        Enters global configuration mode. 
        Step 3 crypto gdoi group group-name


        Example:
        Device(config)# crypto gdoi group GET
         
        Identifies a GDOI group and enters GDOI group configuration mode.  
        Step 4 identity number number


        Example:
        Device(config-gdoi-group)# identity number 3333
         
        Identifies a GDOI group number. 
        Step 5server local


        Example:
        Device(config-gdoi-group)# server local
         
        Designates a device as a GDOI key server and enters GDOI local server configuration mode. 
        Step 6 rekey lifetime days days


        Example:
        Device(gdoi-local-server)# rekey lifetime days 20
         
        Limits the number of days or seconds for a KEK.  
        Step 7 end


        Example:
        Device(gdoi-local-server)# end
         
        Exits GDOI local server configuration mode and returns to privileged EXEC mode.  

        Configuring the Periodic Reminder Sync-Up Rekey

        To configure the periodic reminder sync-up rekey, perform the following steps.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    crypto gdoi group group-name

          4.    identity number number

          5.    server local

          6.    rekey retransmit number-of-seconds periodic

          7.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           
          Enables privileged EXEC mode.
          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           
          Enters global configuration mode. 
          Step 3 crypto gdoi group group-name


          Example:
          Device(config)# crypto gdoi group group1
           
          Identifies a GDOI group and enters GDOI group configuration mode.  
          Step 4 identity number number


          Example:
          Device(config-gdoi-group)# identity number 3333
           
          Identifies a GDOI group number. 
          Step 5server local


          Example:
          Device(config-gdoi-group)# server local
           
          Designates a device as a GDOI key server and enters GDOI local server configuration mode. 
          Step 6 rekey retransmit number-of-seconds periodic


          Example:
          Device(gdoi-local-server)# rekey retransmit 10 periodic
           
          Specifies the number of times the rekey message is periodically retransmitted.
          • If this command is not configured, there will be no retransmits.
           
          Step 7 end


          Example:
          Device(gdoi-local-server)# end
           
          Exits GDOI local server configuration mode and returns to privileged EXEC mode.  

          Verifying and Troubleshooting GET VPN Resiliency

          Verifying and Troubleshooting GET VPN Resiliency on a Key Server

          To view the configuration that is running on a key server (KS), use the show running-config command and the following commands.

          SUMMARY STEPS

            1.    enable

            2.    show crypto gdoi

            3.    show crypto gdoi ks rekey


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Device# enable
             
            Enables privileged EXEC mode.
            • Enter your password if prompted.
             
            Step 2 show crypto gdoi


            Example:
            Device# show crypto gdoi
             
            Displays the current GDOI configuration and the policy that is downloaded from the KS.  
            Step 3 show crypto gdoi ks rekey


            Example:
            Device#  show crypto gdoi ks rekey
             
            Displays information about the rekeys that are sent from the KS.  

            Verifying and Troubleshooting GET VPN Resiliency on a Group Member

            To view the configuration that is running on a group manager (GM), use the show running-config command and the following commands.

            SUMMARY STEPS

              1.    enable

              2.    show crypto gdoi ks rekey

              3.    show crypto gdoi ks policy


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Device# enable
               
              Enables privileged EXEC mode.
              • Enter your password if prompted.
               
              Step 2 show crypto gdoi ks rekey


              Example:
              Device#  show crypto gdoi ks rekey
               
              Displays information about the rekeys that are sent from the KS. 
              Step 3 show crypto gdoi ks policy


              Example:
              Device# show crypto gdoi ks policy
               
              Displays the time until the next rekey.  

              Configuration Examples for GET VPN Resiliency

              Example: Ensuring That GMs Are Running Software Versions That Support Long SA Lifetime

              The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support long SA lifetimes:

              Device# show crypto gdoi feature long-sa-lifetime
              
              Group Name: GETVPN
                  Key Server ID       Version   Feature Supported
                      10.0.5.2         1.0.4          Yes
                      10.0.6.2         1.0.4          Yes
                      10.0.7.2         1.0.3          No
                      10.0.8.2         1.0.2          No
              
                  Group Member ID     Version   Feature Supported
                      10.0.1.2         1.0.2          No
                      10.0.2.5         1.0.3          No
                      10.0.3.1         1.0.4          Yes
                      10.0.3.2         1.0.4          Yes
              
              

              You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).

              The following example shows how to enter the command on the KS (or primary KS) find only those devices in the GET VPN network that do not support long SA lifetimes:

              Device# show crypto gdoi feature long-sa-lifetime | include No
              
                      10.0.7.2         1.0.3          No
                      10.0.8.2         1.0.2          No
                      10.0.1.2         1.0.2          No
                      10.0.2.5         1.0.3          No
              
              

              Example: Configuring Long SA Lifetime

              Example: Configuring Long SA Lifetime for TEK

              The following example shows how to configure the long SA lifetime for traffic encryption key (TEK):

              Device> enable
              Device# configure terminal
              Device(config)# crypto ipsec profile gdoi-p
              Device(ipsec-profile)# set security-association lifetime days 15
              Device(ipsec-profile)# end

              Example: Configuring Long SA Lifetime for KEK

              The following example shows how to configure the long SA lifetime for key encryption key (KEK):

              Device> enable
              Device# configure terminal
              Device(config)# crypto gdoi group GET
              Device(config-gdoi-group)# identity number 3333
              Device(config-gdoi-group)# server local
              Device(gdoi-local-server)# rekey lifetime days 20
              Device(gdoi-local-server)# end

              Example: Configuring the Periodic Reminder Sync-Up Rekey

              The following example shows how to configure the periodic reminder sync-up rekey:

              Device> enable
              Device# configure terminal
              Device(config)# crypto gdoi group group1
              Device(config-gdoi-group)# identity number 3333
              Device(config-gdoi-group)# server local
              Device(gdoi-local-server)# rekey retransmit 10 periodic
              Device(gdoi-local-server)# end

              Additional References for GET VPN Resiliency

              Standards and RFCs

              Standard/RFC

              Title

              RFC 2401

              Security Architecture for the Internet Protocol

              RFC 6407

              The Group Domain of Interpretation

              Technical Assistance

              Description

              Link

              The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for GET VPN Resiliency

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

              Table 1 Feature Information for GET VPN Resiliency

              Feature Name

              Releases

              Feature Information

              GET VPN Resiliency

              Cisco IOS XE Release 3.9S

              The GET VPN Resiliency feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur.

              The following commands were introduced or modified: rekey lifetime, rekey retransmit, set security-association lifetime, show crypto gdoi.