GM authorization in GET VPN

There is a Cisco feature called GET VPN (Group Encrypted Transport VPN). To make a long story short, it is a way for a set of routers (called GMs, or Group Members) to encrypt selected traffic among themselves using a single shared group key. There are no classic point-to-point IPsec tunnels between the peers: each GM simply receives the group key and the encryption policy and uses them to encrypt and decrypt the traffic it exchanges with the other GMs. The shared key is handed out by another type of router in a GET VPN deployment called the Key Server, or KS.
If you want to go into more detail, see Cisco's GET VPN documentation.

In this short example I will talk a little about GM authorization using digital certificates.
Like I said previously, GMs receive their encryption key from the KS. Before a GM can do that it needs to register with the KS. During this registration the GM authenticates to the KS using IKE. There are two options for IKE authentication: pre-shared keys and digital certificates (RSA signatures; this is the IOS default when the ISAKMP policy has no explicit authentication line, which is the case in the configurations below).

That settles authentication. But what if we also want to authorize these GMs before the KS hands out the key? Authentication only proves that the GM holds a certificate issued by a CA the KS trusts; authorization decides whether that particular GM is allowed into this group. Again we have two choices: authorization using an access list or using the digital certificate. I will deal with the digital certificate in this example, with a short note at the end on doing the same with the former method.

This is the topology I’m going to use:

We are going to use KS1 and KS2 as key servers and R3 and R4 as group members. KS2 also acts as the CA server. C1 is my PC, which I use for storing configs, certificates and keys. The other routers are not important at this point.

All four routers have the CA certificate and their own identity certificates, which they use for IKE authentication. Besides this, the KSs use the GMs' certificates to authorize them.

The configurations:

KS1

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint CACLI
enrollment url http://20.20.20.2:80
subject-name CN=KS1.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,ST=RS,C=BA
revocation-check crl
rsakeypair CACLI
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes 256
group 2
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF_1
set security-association lifetime seconds 7200
set transform-set TS1
!
crypto gdoi group GET
identity number 2011
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GET
rekey transport unicast
authorization identity GET
sa ipsec 1
profile IPSEC_PROF_1
match address ipv4 GET
replay counter window-size 64
address ipv4 10.10.10.1
redundancy
local priority 50
peer address ipv4 20.20.20.2
!
!
crypto identity GET
dn o=Popravak Inc

!
!
!
ip ftp username spop
ip ftp password spop123
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.100.13.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.10.10.1 0.0.0.0
network 10.100.13.0 0.0.0.255
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended GET
permit icmp any any
deny ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp clock-period 17179919
ntp server 20.20.20.2
!
end

KS2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki server CASRV
database level complete
issuer-name CN=Popravak Inc Root CA,O=Popravak Inc,OU=IT,L=Bijeljina,ST=RS,C=BA
grant auto
database url ftp://1.1.1.2/IOSCA
!
crypto pki trustpoint CASRV
revocation-check crl
rsakeypair CASRV
!
crypto pki trustpoint CACLI
enrollment url http://20.20.20.2:80
subject-name CN=KS2.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,ST=RS,C=BA
revocation-check crl
rsakeypair CACLI
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes 256
group 2
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF_1
set security-association lifetime seconds 7200
set transform-set TS1
!
crypto gdoi group GET
identity number 2011
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GET
rekey transport unicast
authorization identity GET
sa ipsec 1
profile IPSEC_PROF_1
match address ipv4 GET
replay counter window-size 64
address ipv4 20.20.20.2
redundancy
local priority 100
peer address ipv4 10.10.10.1
!
!
crypto identity GET
dn o=Popravak Inc

!
!
ip ftp username spop
ip ftp password spop123
!
!
interface Loopback0
ip address 20.20.20.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.100.13.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 1.1.1.0 0.0.0.3
network 10.100.13.0 0.0.0.255
network 20.20.20.2 0.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended GET
permit icmp any any
deny ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp master 2
!
end

R3 (GM)
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint CACLI
enrollment url http://20.20.20.2:80
subject-name CN=R3.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,ST=RS,C=BA
revocation-check crl
rsakeypair CACLI
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes 256
group 2
lifetime 1200
!
crypto isakmp identity dn
!
!
crypto gdoi group GET
identity number 2011
server address ipv4 20.20.20.2
server address ipv4 10.10.10.1
!
!
crypto map F0-0 local-address Loopback0
crypto map F0-0 100 gdoi
set group GET
qos pre-classify
!
!
ip ftp username spop
ip ftp password spop123
!
!
interface Loopback0
ip address 30.30.30.3 255.255.255.255
!
interface FastEthernet0/0
ip address 10.100.13.3 255.255.255.0
duplex auto
speed auto
crypto map F0-0
!
interface FastEthernet0/1
ip address 10.1.35.3 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.1.35.0 0.0.0.255
network 10.100.13.0 0.0.0.255
network 30.30.30.3 0.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp clock-period 17179844
ntp server 20.20.20.2
!
end

R4 (GM)
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint CACLI
enrollment url http://20.20.20.2:80
subject-name CN=R4.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,ST=RS,C=BA
revocation-check crl
rsakeypair CACLI
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes 256
group 2
lifetime 1200
!
crypto isakmp identity dn
!
!
crypto gdoi group GET
identity number 2011
server address ipv4 10.10.10.1
server address ipv4 20.20.20.2
!
!
crypto map F0-0 local-address Loopback0
crypto map F0-0 100 gdoi
set group GET
qos pre-classify
!
!
ip ftp username spop
ip ftp password spop123
!
!
interface Loopback0
ip address 40.40.40.4 255.255.255.255
!
interface FastEthernet0/0
ip address 10.100.13.4 255.255.255.0
duplex auto
speed auto
crypto map F0-0
!
interface FastEthernet0/1
ip address 10.1.47.4 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.1.47.0 0.0.0.255
network 10.100.13.0 0.0.0.255
network 40.40.40.4 0.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp clock-period 17179872
ntp server 20.20.20.2
!
end

Now let’s take a look at R3’s certificate:

R3#
R3#show cry pki cert
Certificate
Status: Available
Certificate Serial Number: 0x4
Certificate Usage: General Purpose
Issuer:
cn=Popravak Inc Root CA
o=Popravak Inc
ou=IT
l=Bijeljina
st=RS
c=BA
Subject:
Name: R3.popravak.com
hostname=R3.popravak.com
cn=R3.popravak.com
o=Popravak Inc
ou=IT
l=Bijeljina
st=RS
c=BA
Validity Date:
start date: 00:40:55 UTC Jan 1 2011
end date: 00:40:55 UTC Jan 1 2012
Associated Trustpoints: CACLI

Please note the line "o=Popravak Inc" under Subject. This is the certificate field we are going to use on the KSs to authorize GMs.

So how do we do that? On both KSs we need to define how we are going to authorize. This is how it is done. First we create the condition:


crypto identity GET
dn o=Popravak Inc

Here we say that if a GM presents a certificate whose distinguished name (DN) contains an organization (O) field of "Popravak Inc", the KS will accept that GM's registration. If the GM's certificate carried "Popravak Ltd" or anything else in this field, the registration would fail. One caveat: this check is only as strong as the CA's issuing policy. KS2's CA is configured with "grant auto", so any host that can reach the enrollment URL http://20.20.20.2:80 can request and receive a certificate with O=Popravak Inc and would pass this check; in a real deployment, grant enrollment requests manually and keep "revocation-check crl" on so that a revoked GM certificate is rejected at IKE time. Here is what gets logged on the GM when a registration is rejected (the KS prints the full DN it refused, which is handy when working out why a rule does not match; the rule in force when this was captured evidently did not match R3's DN, since the KS reports o=Popravak Inc as unauthorized):

R3#
R3#clear cry gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes
R3#
R3#
Jan 1 01:05:52.265: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GET may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
Jan 1 01:05:52.277: %CRYPTO-5-GM_REGSTER: Start registration to KS 20.20.20.2 for group GET using address 30.30.30.3
R3#

At the same time, KS would record:

KS2#
Jan 1 01:05:53.099: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GET received registration from unauthorized identity: Dist. name: hostname=R3.popravak.com,cn=R3.popravak.com,o=Popravak Inc,ou=IT,l=Bijeljina,st=RS,c=BA
KS2#

Now, because the GM has two KSs configured, R3 will try the next one:

R3#
Jan 1 01:06:33.045: %CRYPTO-5-GM_CONN_NEXT_SER: GM is connecting to next key server from the list
Jan 1 01:06:33.049: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.10.10.1 for group GET using address 30.30.30.3
R3#

And that fails as well, as can be seen on KS1:

KS1#
Jan 1 01:06:33.792: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GET received registration from unauthorized identity: Dist. name: hostname=R3.popravak.com,cn=R3.popravak.com,o=Popravak Inc,ou=IT,l=Bijeljina,st=RS,c=BA
KS1#

This is why we need to configure the same authorization on all KSs. Otherwise, a GM that failed with one KS would simply go on and succeed with another one that is missing the correct authorization, and the weakest KS in the cooperative group would set the effective policy.

Please note the line "crypto isakmp identity dn" in the GMs' config. This is important: without it a GM identifies itself in IKE with its IP address (the IOS default, "crypto isakmp identity address") or, if so configured, with its hostname, and neither of those carries the certificate DN that the KS's "crypto identity" rule matches on. We want the GMs to identify themselves with the DN for this authorization to work.

And at the end of this article, let's briefly talk about ACL based authorization. This is done in two steps. First we create an ACL on all KSs that lists the GMs allowed to register, matched on the source address the GM registers from (with "crypto map F0-0 local-address Loopback0" on the GMs this is their loopback address, 30.30.30.3 in the case of R3):

access-list 66 permit 30.30.30.3

And we change the GET VPN config section on all KSs to look like this (shown for KS2; KS1 keeps its own address and priority):

crypto gdoi group GET
identity number 2011
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GET
rekey transport unicast
authorization address ipv4 66
sa ipsec 1
profile IPSEC_PROF_1
match address ipv4 GET
replay counter window-size 64
address ipv4 20.20.20.2
redundancy
local priority 100
peer address ipv4 10.10.10.1

Please observe that we are now using ACL 66 to authorize only R3 by its IP address; R4, which registers from 40.40.40.4, would be rejected until it is added to the ACL on every KS.
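As an added example that is not part of the original post (nor Cisco's own tooling), here is a small Python audit script that checks the two points made above over running-config text: that every key server in the cooperative group carries the same GM authorization (identity rule or ACL), and that a DN-based rule is not undermined by a CA that auto-grants enrollment requests. The sample configs embedded in the script are constructed, trimmed copies of the KS1/KS2 configurations shown earlier, with the one-space-per-level indentation that "show running-config" produces; the function names and the wording of the findings are my own.

```python
"""Audit cooperative GET VPN key servers for consistent GM authorization.

Added example, not code from the original post or from Cisco. Input is IOS
running-config text with children indented one space per level, as
'show running-config' prints it.
"""
import re
from typing import Dict, List, Optional, Tuple

# (mode, referenced identity or ACL name, the rule's match entries)
AuthRule = Tuple[str, Optional[str], Tuple[str, ...]]


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its stripped indented children (nesting flattened).
    A '!' separator or a blank line ends the current block."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
        elif raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def gm_authorization(blocks: Dict[str, List[str]], group: str) -> AuthRule:
    """Return how this KS authorizes GMs of 'group'; mode 'none' if it does not."""
    for line in blocks.get(f"crypto gdoi group {group}", []):
        m = re.fullmatch(r"authorization identity (\S+)", line)
        if m:  # DN rule: the 'dn ...' / 'fqdn ...' lines of the crypto identity block
            return ("identity", m.group(1),
                    tuple(sorted(blocks.get(f"crypto identity {m.group(1)}", []))))
        m = re.fullmatch(r"authorization address ipv4 (\S+)", line)
        if m:  # ACL rule: numbered ACL lines are top-level, named ACLs are a block
            acl = m.group(1)
            entries = [h for h in blocks if h.startswith(f"access-list {acl} ")]
            entries += blocks.get(f"ip access-list standard {acl}", [])
            return ("address", acl, tuple(sorted(entries)))
    return ("none", None, ())


def audit(configs: Dict[str, str], group: str) -> List[str]:
    """Return findings for {ks_name: running_config}; an empty list means the KSs agree."""
    findings: List[str] = []
    rules: Dict[str, AuthRule] = {}
    for ks, text in configs.items():
        blocks = parse_blocks(text)
        mode, ref, entries = rules[ks] = gm_authorization(blocks, group)
        if mode == "none":
            findings.append(f"{ks}: group {group} has no GM authorization; any GM that passes IKE authentication can register and get the group keys")
        # A DN rule trusts whatever subject the CA signs: an auto-granting CA hands
        # the required O= value to anyone who can reach its enrollment URL.
        for header, lines in blocks.items():
            if mode == "identity" and header.startswith("crypto pki server ") and "grant auto" in lines:
                findings.append(f"{ks}: CA {header.split()[-1]} uses 'grant auto'; any host reaching its enrollment URL can obtain a certificate matching identity {ref}")
    if len(set(rules.values())) > 1:
        detail = "; ".join(f"{ks}: {m} {r} {list(e)}" for ks, (m, r, e) in sorted(rules.items()))
        findings.append(f"GM authorization differs across key servers ({detail}); a GM rejected by one KS simply retries the next one in its list")
    return findings


# Constructed samples, trimmed from the post's KS1 and KS2 configurations.
KS1_CONFIG = """\
hostname KS1
!
crypto gdoi group GET
 identity number 2011
 server local
  authorization identity GET
  address ipv4 10.10.10.1
!
crypto identity GET
 dn o=Popravak Inc
!
"""
KS2_CONFIG = """\
hostname KS2
!
crypto pki server CASRV
 database level complete
 grant auto
!
crypto gdoi group GET
 identity number 2011
 server local
  authorization identity GET
  address ipv4 20.20.20.2
!
crypto identity GET
 dn o=Popravak Inc
!
"""

if __name__ == "__main__":
    for finding in audit({"KS1": KS1_CONFIG, "KS2": KS2_CONFIG}, "GET"):
        print(finding)
```

Run it against the saved "show running-config" output of every KS in the cooperative group; on the configurations from this post it reports only the "grant auto" finding on KS2, and it flags the case where one KS lacks the authorization line or matches a different DN value. Note that the shared rekey RSA keypair ("rekey authentication mypubkey rsa GET") does not appear in a running-config, so its consistency across KSs has to be checked separately.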

I hope you found something useful in this article and until the next time …

This entry was posted in Cisco, IOS, VPN.

2 Responses to GM authorization in GET VPN

  1. Widgit says:

    Hi, thank you for the great guide.

    Just wondering how you would stop a GM from being authenticated.

    If a password was used, you would just remove the line with the password on it.

    But with rsa-sig, how do you do it?

    • Sasa says:

      Well, this article is about authorizing GMs to KSs. To prevent a GM from authorizing to a KS you have two options: using an access list to list the GMs that are authorized to use GETVPN, or issuing certificates to GMs with specific fields in them that you would later verify on the KSs.

      If you would like to permit only router R3 from our topology to register to the KSs, on the KSs you would, under the GETVPN group setup, do:

      crypto gdoi group GET
      ...
      authorization address ipv4 66
      ...

      ! 30.30.30.3 is the loopback address of R3
      access-list 66 permit 30.30.30.3

      If you are using certificates (RSA-SIG) and would like to prevent R3 from authorizing, you would reissue a certificate to R3 with the organization field set to something other than "Popravak Inc", because the KSs accept only certs with this value in the organization field. You could also change on the KSs which field you would like the GMs' certificates to have.

      There is no need to change or remove keys, as you suggested.

      Hope this helps 🙂
