
Group Encrypted Transport VPN

VRF-lite Based Group Encrypted Transport VPN

Introduction

Virtual Private Networks (VPNs) provide a highly secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing/forwarding (VRF) table. VRFs are generally associated with MPLS-based VPNs.
With the VRF-lite feature, multiple VPN routing/forwarding instances can be supported on customer edge (CE) devices. VRF-lite extends limited PE functionality to a CE device, giving it the ability to maintain separate VRF tables and so extend the privacy and security of a VPN to the branch office. This also lets the customer share the same CE among various internal departments while maintaining a separate VRF table for each department.
The intention of this document is to enable Cisco IOS GET VPN on the CE's VRF-lite interfaces. Cisco IOS GET VPN is documented in detail at http://www.cisco.com/go/getvpn.

Document Scope

This document provides deployment guidelines to enable Cisco IOS GET VPN on the VRF-lite interfaces for an enterprise network. This document does not cover in-depth technical details about various features comprising Cisco IOS GET VPN. Please refer to the References section for more details.

Recommended Platforms and Images

Images based on Cisco IOS Software Release 12.4(11)T2 are recommended for both key server and group member routers. The recommended image subset is adventerprisek9 for both the key server and the group member routers.
Key server: Cisco 2800/3800 Series Integrated Services Routers, Cisco 7200 Series Routers, Cisco 7301 Routers
Group member: Cisco 1800/2800/3800 Series Integrated Services Routers, Cisco 7200 Series Routers, Cisco 7301 Routers

Topology

Figure 1. VRF-lite Based GETVPN Topology

Note: The topology and the deployment components shown in this document are based on the deployment guide posted at http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd805cc40d.shtml. Refer to that guide for more details.

Deployment

The key server is not VRF-aware. Depending on whether the PE uses a single MPLS VPN (PE VRF) or multiple MPLS VPNs for the GET VPN groups, there are two cases.
Case (1) [refer to Figure 1]: The PE uses a single MPLS VPN (PE VRF) for all the group member VRFs (CE VRFs). Here the group members can use the same certificate for authentication for all the crypto maps applied on VRF interfaces. Overlapping addresses cannot be supported in the group member VRFs because the PE holds all the group member addresses in a single VRF. Note also that traffic excluded from any of the encryption policies is subject to being routed across group member VRFs.
Case (2): To use overlapping addresses between group member VRFs, the PE must also use a unique MPLS VPN (PE VRF) for each of the group member VRFs. In addition, a separate key server must be dedicated to each VRF, precisely because the key server is not VRF-aware. Group members should then also use a separate certificate for authentication for each crypto map. The group member configuration is almost the same as in case 1, except that additional certificate trustpoints and different key server addresses are required.

Note: In both cases above, each VRF interface requires a unique crypto map, and each crypto map MUST use a different GET VPN group. The key server must therefore be configured with multiple GET VPN groups to support multiple VRFs in the group members.

This deployment focuses on Case (1), i.e., all the group member VRFs are connected to a single MPLS VPN in the PE, so no overlapping addresses can be used among the group member VRFs. For the key server, the only additional configuration is the set of GET VPN groups, one per group member VRF; no other configuration is needed. VRFs are defined only in the group members. Each VRF defined in a CE is associated with a sub-interface on the CE-PE link.
VRF "corp" is configured on selected group members only, to showcase this deployment; however, resources in this VRF are accessible from other group members that do not use a VRF. VRF "engg" is defined in only two group members for this deployment, and a separate routing instance is configured for VRF "engg" in those two group members. The management tunnel is set up using the global routing table through a loopback interface.
Note: Since no routing protocol is defined for the management loopback interface, a dedicated static route is configured in the PE and redistributed into the MPLS VPN.
The following key server and group member configurations show only the configuration required for GET VPN and VRF-lite. Refer to the Full Configuration section for more details.

Key Server Configuration

!!!! The following configuration enables the key server in a router. Each group defined in the key server has an identity that is shared among the members within the group. Here the identity is set to 1234 for group VRF-CORP and 5678 for group VRF-ENGG. Also, the VRF-CORP group uses multicast rekeying while VRF-ENGG uses unicast rekeying. !!!!
!
crypto isakmp policy 1 // PKI authentication //
encr aes
group 2
!
crypto ipsec transform-set aes esp-aes esp-sha-hmac
!
crypto ipsec profile vpnprof
set transform-set aes
crypto ipsec profile vrf
set security-association lifetime seconds 28800
set transform-set aes
!
crypto gdoi group VRF-CORP // GETVPN group defined for VRF corp //
identity number 1234
server local
rekey algorithm aes 128 // Key encryption key is AES 128 //
rekey address ipv4 rekey-multicast-group // multicast rekeying method //
rekey lifetime seconds 10800
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rekeyrsa
sa ipsec 1
profile vpnprof
match address ipv4 sa-acl
replay time window-size 5
address ipv4 10.10.10.23
redundancy // Cooperative key servers enabled //
local priority 100
peer address ipv4 10.10.10.56
!
ip access-list extended rekey-multicast-group
permit udp host 10.10.10.23 eq 848 host 239.192.1.190 eq 848
permit udp host 10.10.10.56 eq 848 host 239.192.1.190 eq 848
!
ip access-list extended sa-acl
permit ip 10.1.0.0 0.0.3.255 10.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.3.255 192.168.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.3.255 172.16.0.0 0.15.255.255
permit ip 10.0.0.0 0.255.255.255 10.1.0.0 0.0.3.255
permit ip 172.16.0.0 0.15.255.255 10.1.0.0 0.0.3.255
permit ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.3.255
permit ip any 239.192.0.0 0.0.255.255
!
crypto gdoi group VRF-ENGG // GETVPN group defined for VRF engg //
identity number 5678
server local
rekey algorithm aes 128 // Key encryption key is AES 128 //
rekey retransmit 10 number 2
rekey authentication mypubkey rsa vrfrsa
rekey transport unicast // unicast rekeying method //
sa ipsec 1
profile vrf // TEK "AES" defined in profile //
match address ipv4 vrf-acl
replay time window-size 5
address ipv4 10.10.10.23
redundancy // Cooperative key server enabled //
local priority 75
peer address ipv4 10.10.10.56
!
ip access-list extended vrf-acl
permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255

Note: AES keys are difficult to break, so it is highly recommended to use AES for both the Traffic Encryption Key (TEK) and the Key Encryption Key (KEK). AES keys can also be used for a longer duration, as shown above with the 8-hour TEK lifetime. In addition, AES is used for the IKE phase 1 negotiation. 3DES is also supported, but is not recommended for longer lifetimes.

Group Member Configuration

!!!! Only the commands required to enable VRF-lite and GET VPN are shown here. For setting up the management interface and more VRF details, refer to the Full Configuration section !!!!
!
ip vrf corp // VRF enabled globally //
rd 65002:1
route-target export 65002:1
route-target import 65002:1
!
interface FastEthernet0 // Interface for vrf corp //
description outside interface
ip vrf forwarding corp
ip address 10.10.10.30 255.255.255.248
!
router bgp 65002
!
address-family ipv4 vrf corp // Separate routing instance for vrf corp //
neighbor 10.10.10.29 remote-as 65001
!
crypto isakmp policy 1 // Using PKI authentication //
encr aes
group 2
!
crypto isakmp keepalive 10
!
crypto gdoi group vrf-corp // for vrf corp //
identity number 1234
server address ipv4 10.10.10.56 // Register to Secondary key server //
server address ipv4 10.10.10.23
!
crypto gdoi group vrf-engg // for vrf engg //
identity number 5678
server address ipv4 10.10.10.23 // Register to Primary key server //
server address ipv4 10.10.10.56
!
crypto map corp local-address FastEthernet0 // Uses correct interface for session end points //
crypto map corp 1 gdoi
set group vrf-corp
match address no-encryption-acl
!
crypto map engg local-address FastEthernet0.1
crypto map engg 1 gdoi
set group vrf-engg
!
interface FastEthernet0
description outside interface
no ip dhcp client request tftp-server-address
ip vrf forwarding corp // FastEthernet0 is enabled for vrf corp //
ip address 10.10.10.86 255.255.255.252
duplex auto
speed auto
crypto map corp // crypto map corp for vrf corp //
!
interface FastEthernet0.1
description Outside Interface
encapsulation dot1Q 14
ip vrf forwarding engg
ip address 10.10.10.98 255.255.255.252
crypto map engg // crypto map engg for vrf engg //
!
ip access-list extended no-encryption-acl
deny ip 10.1.1.0 0.0.0.255 host 10.10.10.23
deny ip 10.1.1.0 0.0.0.255 host 10.10.10.56
deny ip any host 239.192.1.190

Note: This deployment uses different multicast RPs for multicast rekeying and for multicast data. The RP used for multicast data is protected by the encryption policy and sits behind the group member in the corporate network. The RP used for multicast rekeying is configured in the MPLS/VPN address space and is not protected by the encryption policy. Refer to the Verification section on the group member for the output.
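As an added example (not part of this document and not Cisco code), the following Python check enforces the rule stated in the Deployment note: every VRF interface on a group member must carry its own crypto map, each map must bind to a distinct GET VPN group, and each group's identity number must be one the key server defines. It parses a constructed group-member excerpt written in the page's unindented, annotated style; the excerpt and the KS_IDENTITIES set are assumptions for the demonstration.

```python
# Constructed group-member excerpt in the page's unindented style (not the page's own configuration).
GM_CONFIG = """\
crypto gdoi group vrf-corp
identity number 1234
crypto gdoi group vrf-engg
identity number 5678
crypto map corp 1 gdoi
set group vrf-corp
crypto map engg 1 gdoi
set group vrf-engg
interface FastEthernet0
ip vrf forwarding corp // FastEthernet0 is enabled for vrf corp //
crypto map corp
!
interface FastEthernet0.1
ip vrf forwarding engg
crypto map engg
"""
KS_IDENTITIES = {1234, 5678}  # identity numbers of the key server's GDOI groups (VRF-CORP, VRF-ENGG)

def parse_gm(config):
    """Line-oriented parse: a top-level command opens a context that lasts until the next '!'."""
    group_id, map_group, iface, ctx = {}, {}, {}, ("", None)
    for raw in config.splitlines():
        w = raw.replace("!!", "//").split("//")[0].split()  # strip the page's // and !! annotations
        if not w or w[0] == "!": ctx = ("", None); continue
        if w[:3] == ["crypto", "gdoi", "group"]: ctx = ("group", w[3])
        elif w[:2] == ["crypto", "map"] and w[-1] == "gdoi": ctx = ("map", w[2])
        elif w[0] == "interface": ctx = ("iface", w[1]); iface[w[1]] = {}
        elif ctx[0] == "group" and w[:2] == ["identity", "number"]: group_id[ctx[1]] = int(w[2])
        elif ctx[0] == "map" and w[:2] == ["set", "group"]: map_group[ctx[1]] = w[2]
        elif ctx[0] == "iface" and w[:3] == ["ip", "vrf", "forwarding"]: iface[ctx[1]]["vrf"] = w[3]
        elif ctx[0] == "iface" and w[:2] == ["crypto", "map"]: iface[ctx[1]]["map"] = w[2]
    return group_id, map_group, iface

def check_vrf_crypto_maps(config, ks_identities):
    """Return findings (empty list = consistent) for the page's one-map-one-group-per-VRF rule."""
    group_id, map_group, iface = parse_gm(config)
    findings, users = [], {}
    for name, attrs in iface.items():
        vrf, grp = attrs.get("vrf"), map_group.get(attrs.get("map"))
        if vrf is None: continue  # global-table interface, e.g. the management loopback
        if grp is None:
            findings.append(f"{name} (vrf {vrf}): no GDOI crypto map applied")
        elif group_id.get(grp) not in ks_identities:
            findings.append(f"{name} (vrf {vrf}): group {grp} identity not defined on the key server")
        else: users.setdefault(grp, []).append(name)
    for grp, names in users.items():
        if len(names) > 1: findings.append(f"group {grp} shared by {names}: each VRF needs its own group")
    return findings
```

Running `check_vrf_crypto_maps(GM_CONFIG, KS_IDENTITIES)` on the excerpt returns no findings; pointing both VRF interfaces at the same crypto map, or dropping one identity from the key server set, produces a finding naming the offending interface or group.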

Verification

Key Server 1:

keyserver1#sh crypto gdoi ks coop
Crypto Gdoi Group Name :VRF-CORP
Group handle: 2147483650, Local Key Server handle: 2147483650
Local Address: 10.10.10.23
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 9
Antireplay Sequence Number: 883
Peer Sessions:
Session 1:
Server handle: 2147483651
Peer Address: 10.10.10.56
Peer Priority: 75
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 2
IKE status: Established
<Output Omitted >
Crypto Gdoi Group Name :VRF-ENGG
Group handle: 2147483651, Local Key Server handle: 2147483652
Local Address: 10.10.10.23
Local Priority: 75
Local KS Role: Primary , Local KS Status: Alive
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 11
Antireplay Sequence Number: 878
Peer Sessions:
Session 1:
Server handle: 2147483653
Peer Address: 10.10.10.56
Peer Priority: 100
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 0
IKE status: Established
< Output Omitted >
keyserver1#sh crypto gdoi ks policy
Key Server Policy:
For group VRF-CORP (handle: 2147483650) server 10.10.10.23 (handle: 2147483650):
# of teks : 2 Seq num : 11
KEK POLICY (transport type : Multicast)
spi : 0x2BA6BE18E540FACC1BF58F1BD658D57E
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
Remaining life(sec): 4087 orig lifetime(sec): 10800
sig hash algorithm : enabled sig key length : 162
sig size : 128
sig key name : rekeyrsa
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0x8D65C328 access-list : sa-acl
# of transforms : 0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
alg key size : 16 sig key size : 20
orig life(sec) : 3600 remaining life(sec) : 3490
override life (sec): 0 antireplay window size: 5
Replay Value 17230.09 secs
For group VRF-CORP (handle: 2147483650) server 10.10.10.56 (handle: 2147483651):
Key Server Policy:
For group VRF-ENGG (handle: 2147483651) server 10.10.10.23 (handle: 2147483652):
# of teks : 1 Seq num : 4
KEK POLICY (transport type : Unicast)
spi : 0xCE5F6963A49D2DF4C0FA4D1BDA67F8F
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
Remaining life(sec): 68901 orig lifetime(sec): 86400
sig hash algorithm : enabled sig key length : 162
sig size : 128
sig key name : vrfrsa
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xFE85A522 access-list : vrf-acl
# of transforms : 0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
alg key size : 16 sig key size : 20
orig life(sec) : 28800 remaining life(sec) : 11300
override life (sec): 0 antireplay window size: 5
Replay Value 17226.62 secs
For group VRF-ENGG (handle: 2147483651) server 10.10.10.56 (handle: 2147483653):
keyserver1#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group VRF-CORP : 11
Group Member ID : 10.10.10.86
Group ID : 1234
Group Name : VRF-CORP
Key Server ID : 10.10.10.23
Group Member ID : 10.10.10.30
Group ID : 1234
Group Name : VRF-CORP
Key Server ID : 10.10.10.56
< Output Omitted >
Number of rekeys sent for group VRF-ENGG : 2
Group Member ID : 10.10.10.70
Group ID : 5678
Group Name : VRF-ENGG
Key Server ID : 10.10.10.23
Rekeys sent : 3
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 2 3 4 0
Rcvd seq num : 0 0 0 0
Group Member ID : 10.10.10.98
Group ID : 5678
Group Name : VRF-ENGG
Key Server ID : 10.10.10.23
Rekeys sent : 3
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 2 3 4 0
Rcvd seq num : 0 0 0 0
keyserver1# sh crypto gdoi ks rekey
Group VRF-CORP (Multicast)
Number of Rekeys sent : 11
Number of Rekeys retransmitted : 0
KEK rekey lifetime (sec) : 10800
Remaining lifetime (sec) : 4014
Retransmit period : 10
Number of retransmissions : 2
IPSec SA 1 lifetime (sec) : 3600
Remaining lifetime (sec) : 3465
Number of registrations after rekey : 0
Group VRF-ENGG (Unicast)
Number of Rekeys sent : 2
Number of Rekeys retransmitted : 6
KEK rekey lifetime (sec) : 86400
Remaining lifetime (sec) : 68829
Retransmit period : 10
Number of retransmissions : 2
IPSec SA 1 lifetime (sec) : 28800
Remaining lifetime (sec) : 11230
keyserver1#

Key Server 2:

keyserver2#sh crypto gdoi ks coop
Crypto Gdoi Group Name :VRF-CORP
Group handle: 2147483650, Local Key Server handle: 2147483650
Local Address: 10.10.10.56
Local Priority: 75
Local KS Role: Secondary , Local KS Status: Alive
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 13, Retries: 0
Antireplay Sequence Number: 3
Peer Sessions:
Session 1:
Server handle: 2147483651
Peer Address: 10.10.10.23
Peer Priority: 100
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 893
IKE status: Established
<Output Omitted >
Crypto Gdoi Group Name :VRF-ENGG
Group handle: 2147483651, Local Key Server handle: 2147483652
Local Address: 10.10.10.56
Local Priority: 100
Local KS Role: Secondary , Local KS Status: Alive
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 15, Retries: 0
Antireplay Sequence Number: 1
Peer Sessions:
Session 1:
Server handle: 2147483653
Peer Address: 10.10.10.23
Peer Priority: 75
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 888
IKE status: Established
< Output Omitted >
keyserver2#sh crypto gdoi ks policy
Key Server Policy:
For group VRF-CORP (handle: 2147483650) server 10.10.10.56 (handle: 2147483650):
For group VRF-CORP (handle: 2147483650) server 10.10.10.23 (handle: 2147483651):
# of teks : 1 Seq num : 0
KEK POLICY (transport type : Multicast)
spi : 0x2BA6BE18E540FACC1BF58F1BD658D57E
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
Remaining life(sec): 3956 orig lifetime(sec): 10800
sig hash algorithm : enabled sig key length : 1024
sig size : 128
sig key name : rekeyrsa
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0x8D65C328 access-list : sa-acl
# of transforms : 0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
alg key size : 16 sig key size : 20
orig life(sec) : 3600 remaining