CCIE Security Lab: GET VPN, ISAKMP and when less is more.


GET VPN or Group Encrypted Transport is next in the list of VPNs to cover.

GETVPN

Much of the configuration will be the same as we have seen before (ISAKMP policies, transform sets, IPSec profiles), but some will be quite new (GDOI groups).

Before we start with the fun stuff, we'll need to set up the basic connectivity (and it will be very basic):
GDOI-Server(config)#router ospf 1
GDOI-Server(config-router)#router-id 7.7.7.7
GDOI-Server(config-router)#network 10.1.12.0 0.0.0.255 area 1
GDOI-Server(config-router)#
*Jul  5: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
GDOI-Server(config-router)#int gi 0/0
GDOI-Server(config-if)#ip ospf auth mess
GDOI-Server(config-if)#ip ospf mess 1 md5 cisco
GDOI-Server(config-if)#

ISP-3(config)#router ospf 1
ISP-3(config-router)#router-id 10.1.12.1 
ISP-3(config-router)#area 1 auth mess
ISP-3(config-router)#network 10.1.12.0 0.0.0.255 area 1
ISP-3(config-router)#network 10.1.13.0 0.0.0.255 area 1
ISP-3(config-router)#network 10.1.14.0 0.0.0.255 area 1
ISP-3(config-router)#
ISP-3(config-router)#int rang
ISP-3(config-router)#int rang gi 0/0 - 2
ISP-3(config-if-range)#ip ospf auth messa  
ISP-3(config-if-range)#ip ospf mess 1 md5 cisco
ISP-3(config-if-range)#

GDOI-G1(config)#router ospf 1
GDOI-G1(config-router)#router-id 8.8.8.8
GDOI-G1(config-router)#network 10.1.13.0 0.0.0.255 area 1
GDOI-G1(config-router)#area 1 authe mess
GDOI-G1(config-router)#network 8.8.8.8 0.0.0.0 area 1
GDOI-G1(config-router)#
GDOI-G1(config-router)#int gi 0/0
GDOI-G1(config-if)#int gi 0/1
GDOI-G1(config-if)#ip ospf auth mess
GDOI-G1(config-if)#ip ospf mess 1 md5 cisco
GDOI-G1(config-if)#
*Jul  5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
GDOI-G1(config-if)#

GDOI-G2(config)#router ospf 1
GDOI-G2(config-router)#router-id 9.9.9.9
GDOI-G2(config-router)#network 9.9.9.9 0.0.0.0 a 1
GDOI-G2(config-router)#network 10.1.14.0 0.0.0.255 area 1
GDOI-G2(config-router)#area 1 auth mess
GDOI-G2(config-router)#int gi 0/2
GDOI-G2(config-if)#ip ospf auth mess
GDOI-G2(config-if)#ip os mess 1 md cisco
GDOI-G2(config-if)#
*Jul  5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
GDOI-G2(config-if)#

GDOI-Server#ping 8.8.8.8 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
GDOI-Server#ping 9.9.9.9 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms
GDOI-Server#
OK, let's begin in the same way as we did with dual-hub DMVPN, and chuck the basics into Notepad and paste them into the routers:
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash sha
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
exit
crypto ipsec profile GET-Profile
set transform-set GET-TS
exit
This time I put the commands on the GDOI-Server router first, then copied them to Notepad and pasted them into the clients; this way any fat-fingering is picked up sooner and isn't transferred to the clients:
GDOI-G1(config)#crypto isakmp policy 10
GDOI-G1(config-isakmp)#encryption 3des
GDOI-G1(config-isakmp)#authentication pre-share
GDOI-G1(config-isakmp)#hash sha
GDOI-G1(config-isakmp)#group 2
GDOI-G1(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
GDOI-G1(config)#crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G1(cfg-crypto-trans)#exit
GDOI-G1(config)#crypto ipsec profile GET-Profile
GDOI-G1(ipsec-profile)#set transform-set GET-TS
GDOI-G1(ipsec-profile)#exit
GDOI-G1(config)#

GDOI-G2(config)#crypto isakmp policy 10
GDOI-G2(config-isakmp)#encryption 3des
GDOI-G2(config-isakmp)#authentication pre-share
GDOI-G2(config-isakmp)#hash sha
GDOI-G2(config-isakmp)#group 2
GDOI-G2(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
GDOI-G2(config)#crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G2(cfg-crypto-trans)#exit
GDOI-G2(config)#crypto ipsec profile GET-Profile
GDOI-G2(ipsec-profile)#set transform-set GET-TS
GDOI-G2(ipsec-profile)#exit
Now, let's head back to the server and see what GET VPN has in store. I will be making heavy use of the context-sensitive help here, and putting notes in the output:
GDOI-Server(config)#crypto gdoi ?
  group  Configure a GKM (Group Key Management, GDOI or G-IKEv2) Group

GDOI-Server(config)#crypto gdoi group ?
  WORD  Group Name
  ipv6  IPv6 GKM (Group Key Management) Group

GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#?
GKM (Group Key Management) Group configuration commands:
  client    Set the group client parameters
  default   Set a command to its defaults
  exit      Exit the group mode
  identity  Set the identity of the group
  no        Negate a command or set its defaults
  passive   Set the group in passive mode
  server    Set the group server for of the group

GDOI-Server(config-gkm-group)#server ?
  address   Identify the group server by address
  hostname  Identify the group server by hostname
  local     Configure GKM group server defined locally

GDOI-Server(config-gkm-group)#server local ?
  

GDOI-Server(config-gkm-group)#server local 
GDOI-Server(gkm-local-server)#
*Jul  5: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
GDOI-Server(gkm-local-server)#address ?       
  ipv4  Set ipv4 address of local server

GDOI-Server(gkm-local-server)#address ipv4 ?
  A.B.C.D  IPv4 local address

GDOI-Server(gkm-local-server)#address ipv4 7.7.7.7
GDOI-Server(gkm-local-server)#sa ?
  d3p               Enable IP delivery delay detection protocol for all SAs
                    within the group
  ipsec             Configure an IPsec SA
  pair-wise-keying  Enable KGS pair-wise-keying
  receive-only      Configure SA to work only in inbound direction

GDOI-Server(gkm-local-server)#sa ipsec ?
    Sequence to insert into SA list

GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#?
GKM local server IPsec SA configuration commands:
  default  Set a command to its defaults
  exit     Exit the sa ipsec mode
  match    Match characteristics of packets to encrypt
  no       Negate a command or set its defaults
  profile  Configure an ipsec profile for the SA
  replay   Set replay method
  tag      Set inline tagging method

GDOI-Server(gkm-sa-ipsec)#profile GET-Profile 
GDOI-Server(gkm-sa-ipsec)#match ?    
  address  Match addresses of packets to encrypt

GDOI-Server(gkm-sa-ipsec)#match address ?
  ipv4  Match ipv4 packets
  ipv6  Match ipv6 packets

GDOI-Server(gkm-sa-ipsec)#match address ipv4 ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

GDOI-Server(gkm-sa-ipsec)#match address ipv4 G1
GDOI-Server(gkm-sa-ipsec)#exit
GDOI-Server(gkm-local-server)#exit
GDOI-Server(config-gkm-group)#end
GDOI-Server#sh run 
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec profile GET-Profile
 set transform-set GET-TS 
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   ! Incomplete
   ! Match address is not configured
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server#
One thing I do find very useful is that IOS will tell me what I am missing. It doesn't do this for everything (it's not a mind-reader), but here it is very useful: it shows that the GDOI group is incomplete because the match address statement references an ACL, G1, that doesn't exist yet. Let's fix that by permitting our overlay IP address (VPN range, like we have in DMVPN):
GDOI-Server(config)#ip access-list extended G1 
GDOI-Server(config-ext-nacl)#remark Probably our VPN IP range 
GDOI-Server(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
GDOI-Server(config-ext-nacl)#do sh run | s crypto gdoi                  
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server(config-ext-nacl)#! better!
GDOI-Server(config-ext-nacl)#
Makes sense really! Let's have a look at a few show commands:
GDOI-Server#sh crypto gdoi group GDOI-G1
    Group Name               : GDOI-G1 (Multicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 0
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET-Profile
      Replay method          : Count Based
      Replay Window Size     : 64
      Tagging method         : Disabled
      ACL Configured         : access-list G1

     Group Server list       : Local
                               
GDOI-Server#sh crypto gdoi ks           
Total group members registered to this box: 0

Key Server Information For Group GDOI-G1:
    Group Name               : GDOI-G1
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Group Members            : 0
    Rekey Acknowledgement Cfg: Cisco
    IPSec SA Direction       : Both
    CKM status               : Disable
    ACL Configured: 
        access-list G1


GDOI-Server#
GDOI-Server#sh crypto gdoi              
GROUP INFORMATION

    Group Name               : GDOI-G1 (Multicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 0
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET-Profile
      Replay method          : Count Based
      Replay Window Size     : 64
      Tagging method         : Disabled
      ACL Configured         : access-list G1

     Group Server list       : Local
                               
GDOI-Server#
Nothing registered yet, but that's not surprising as we have not configured any client. Let's create the second group:
GDOI-Server(config)#crypto gdoi group GDOI-G2
GDOI-Server(config-gkm-group)#identity number 2
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#profile GET-Profile
GDOI-Server(gkm-sa-ipsec)#match address ipv4 G2
GDOI-Server(gkm-sa-ipsec)#replay counter window-size 64
GDOI-Server(gkm-sa-ipsec)#no tag
GDOI-Server(gkm-sa-ipsec)#exit
GDOI-Server(gkm-local-server)#address ipv4 7.7.7.7                    
GDOI-Server(gkm-local-server)#exit
GDOI-Server(config-gkm-group)#exit
GDOI-Server(config)#ip access-list extended G2                           
GDOI-Server(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
GDOI-Server(config-ext-nacl)#exit
GDOI-Server(config)#do sh run | s crypto gdoi
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
crypto gdoi group GDOI-G2
 identity number 2
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G2
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server(config)#
OK, I have kind of bumbled my way through that, but let's see if we can get one of the clients to connect...
GDOI-G1(config)#crypto gdoi group GDOI-G1
GDOI-G1(config-gkm-group)#?
GKM (Group Key Management) Group configuration commands:
  client    Set the group client parameters
  default   Set a command to its defaults
  exit      Exit the group mode
  identity  Set the identity of the group
  no        Negate a command or set its defaults
  passive   Set the group in passive mode
  server    Set the group server for of the group

GDOI-G1(config-gkm-group)#server ?
  address   Identify the group server by address
  hostname  Identify the group server by hostname
  local     Configure GKM group server defined locally

GDOI-G1(config-gkm-group)#server address ?
  ipv4  Set the IPv4 address of the group server

GDOI-G1(config-gkm-group)#server address ipv4 ?
  A.B.C.D  Group server IPv4 address

GDOI-G1(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G1(config-gkm-group)#identity ?
  address  Set the identity of the group as an address
  number   Set the identity of the group as a number

GDOI-G1(config-gkm-group)#identity number 1
GDOI-G1(config-gkm-group)#exit
GDOI-G1(config)#crypto isakmp profile GET-Profile
GDOI-G1(conf-isa-prof)#match ?
  certificate  Peer certificate attributes
  identity     Peer identity

GDOI-G1(conf-isa-prof)#match identity ?
  address    IP Address(es)
  group      Group name
  host       match a hostname/domain
  user-fqdn  match a username/domain

GDOI-G1(conf-isa-prof)#match identity address ?
  A.B.C.D  IP address prefix
  ipv6     IPv6 Address(es)

GDOI-G1(conf-isa-prof)#match identity address 7.7.7.7  
GDOI-G1(conf-isa-prof)#exit
GDOI-G1(config)#crypto map GDOI-G1 isakmp-profile GET-Profile
GDOI-G1(config)#crypto map G1 10 gdoi 
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
GDOI-G1(config-crypto-map)#set group GDOI-G1
GDOI-G1(config-crypto-map)#int gi0/1
GDOI-G1(config-if)#crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map

GDOI-G1(config-if)#crypto map ?
  WORD  Crypto Map tag

GDOI-G1(config-if)#crypto map G1
GDOI-G1(config-if)#
*Jul  5: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jul  5: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul  5: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 7.7.7.7
GDOI-G1(config-if)#
GDOI-G1(config-if)#
*Jul  5: %CRYPTO-4-IKMP_NO_SA: IKE message from 7.7.7.7 has no SA and is not an initialization offer
*Jul  5: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 7.7.7.7
OK... some issues here. Let's try setting the client interface:
GDOI-G1(config)#crypto gdoi group GDOI-G1                         
GDOI-G1(config-gkm-group)#client ?  
  bypass-policy          Allow group-key management traffic sent to this GM
                         only
  protocol               Group Member Registration & Rekey Protocol
  recovery-check         Specify GM recovery check parameters
  registration           Set the group client management/register interface
  rekey                  Set the group client acceptable rekey ciphers and
                         hashs
  status                 group-member status
  transform-sets         Specify list of group client acceptable transform sets
  transport-encrypt-key  Enforce group or pair-wise keying

GDOI-G1(config-gkm-group)#client registration interface gi0/1
Still no dice, but then I left out a whole load of possible commands for the rekey. This blog post is pretty useful and mirrors the set-up that I have, so let's add the rekey information and see if that helps. Note that the rekey authentication line references an RSA key pair labelled GDOI-Server-Key; that key pair has to exist on the key server already (created in exec mode with `crypto key generate rsa label GDOI-Server-Key`), and generating it isn't shown here.
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)# rekey retransmit 10 number 3
GDOI-Server(gkm-local-server)# rekey authentication mypubkey rsa GDOI-Server-Key
GDOI-Server(gkm-local-server)# rekey transport unicast
I am still seeing the same errors on GDOI-G1 though. I think, from reading the post linked above, that this may be due to the ACL being incorrect. Unlike the other VPN solutions, we are not overlaying; by this I mean that in "standard" tunnels we have a separate IP addressing scheme, such as the 192.168.1.0/24 subnet we used with DMVPN. GET VPN doesn't work like this: there is no tunnel interface and no overlay, the original IP header is preserved, so the ACL has to describe the real subnets. The interesting thing about GET VPN (well, GDOI to be exact) is that the Key Server (GDOI-Server in our example) downloads the IPsec policy to the GMs (Group Members, which are GDOI-G1 and GDOI-G2). In this ACL we define the traffic we need to encrypt, but also the traffic which needs to be excluded (OSPF, and the GET VPN control traffic itself on UDP port 848). We can have different ACLs per group, so we now get something along the lines of:
ip access-list extended G1
no permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
deny udp any eq 848 any eq 848
deny tcp any host 224.0.0.5
deny tcp any host 224.0.0.6
permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255
ip access-list extended G2
no permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
deny udp any eq 848 any eq 848
deny tcp any host 224.0.0.5
deny tcp any host 224.0.0.6
permit ip 10.1.12.0 0.0.0.255 10.1.14.0 0.0.0.255
Two things are worth noting about this ACL before moving on. OSPF is IP protocol 89, not TCP, so the `deny tcp any host 224.0.0.5` lines never match anything; `deny ospf any any` is what actually excludes OSPF. It doesn't bite here because OSPF hellos to 224.0.0.5 don't match the permit line either. Secondly, every GM downloads the same ACL and applies it as-is in both directions (the GM does not mirror it), so the permit lines should be symmetric, with a matching entry for the return direction; nothing on this page sends data traffic through the group, so this goes unnoticed.

Even with the change in ACL, the same errors occurred. It was only when switching the key server address to the physical interface on the GDOI-Server that there was some success:
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#address ipv4 10.1.12.7

GDOI-G1#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-G1
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 2
    IPSec SA Direction       : Both

     Group Server list       : 10.1.12.7

Group Member Information For Group GDOI-G1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-G1_temp_acl

    Group member             : 10.1.13.8       vrf: None
       Local addr/port       : 10.1.13.8/848
       Remote addr/port      : 10.1.12.7/848
       fvrf/ivrf             : None/None
       Version               : 1.0.12
       Registration status   : Registered
       Registered with       : 10.1.12.7
       Re-registers in       : 3366 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 10.1.12.7
       Last rekey seq num    : 0
       Unicast rekey received: 2
       Rekey ACKs sent       : 2
       Rekey Rcvd(hh:mm:ss)  : 00:00:08
       DP Error Monitoring   : OFF
       IPSEC init reg executed    : 0
       IPSEC init reg postponed   : 0
       Active TEK Number     : 2
       SA Track (OID/status) : disabled

       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 2
       After latest register : 2
       Rekey Acks sents      : 2

 ACL Downloaded From KS 10.1.12.7:
   access-list   deny udp any port = 848 any port = 848
   access-list   deny tcp any host 224.0.0.5
   access-list   deny tcp any host 224.0.0.6
   access-list   permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86370
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1296

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/1:
    IPsec SA:
        spi: 0x7CD79516(2094503190)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (3572)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL

    IPsec SA:
        spi: 0x23E7E211(602399249)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (152)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL

GDOI-G1#

GDOI-Server#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-G1 (Unicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 1
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 86232 secs
        Time to Rekey        : 85997 secs
        Acknowledgement Cfg  : Cisco
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 3
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET-Profile
      Replay method          : Count Based
      Replay Window Size     : 64
      Tagging method         : Disabled
      SA Rekey
         Remaining Lifetime  : 3433 secs
        Time to Rekey        : 3037 secs
      ACL Configured         : access-list G1

     Group Server list       : Local

GDOI-Server#
Let's finish off and add the other group. This time we will set the ISAKMP profile to match the physical address of the server, which makes more sense, but the G1 router's profile is still matching 7.7.7.7, so what will happen?
GDOI-G2(config)#crypto isakmp policy 10
GDOI-G2(config-isakmp)# encr 3des
GDOI-G2(config-isakmp)# authentication pre-share
GDOI-G2(config-isakmp)# hash sha
GDOI-G2(config-isakmp)# group 2
GDOI-G2(config-isakmp)# lifetime 3600
GDOI-G2(config-isakmp)#crypto isakmp key cisco address 10.1.12.7
GDOI-G2(config)#crypto isakmp invalid-spi-recovery
GDOI-G2(config)#crypto isakmp keepalive 10
GDOI-G2(config)#crypto isakmp profile GET-Profile
% A profile is deemed incomplete until it has match identity statements
GDOI-G2(conf-isa-prof)#   match identity address 10.1.12.7 255.255.255.255
GDOI-G2(conf-isa-prof)#!
GDOI-G2(conf-isa-prof)#!
GDOI-G2(conf-isa-prof)#$c transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G2(cfg-crypto-trans)# mode tunnel
GDOI-G2(cfg-crypto-trans)#!
GDOI-G2(cfg-crypto-trans)#crypto ipsec profile GET-Profile
GDOI-G2(ipsec-profile)# set transform-set GET-TS
GDOI-G2(ipsec-profile)#!
GDOI-G2(ipsec-profile)#!
GDOI-G2(ipsec-profile)#crypto gdoi group GDOI-G2
GDOI-G2(config-gkm-group)# identity number 2
GDOI-G2(config-gkm-group)# server address ipv4 10.1.12.7
GDOI-G2(config-gkm-group)# client registration interface GigabitEthernet0/2
GDOI-G2(config-gkm-group)#!
GDOI-G2(config-gkm-group)#!
GDOI-G2(config-gkm-group)#crypto map G2 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
GDOI-G2(config-crypto-map)# set group GDOI-G2
GDOI-G2(config-crypto-map)#!
GDOI-G2(config-crypto-map)#crypto map GDOI-G2 isakmp-profile GET-Profile
GDOI-G2(config)#!
GDOI-G2(config)#interface GigabitEthernet0/2
GDOI-G2(config-if)# crypto map G2
GDOI-G2(config-if)#
*Jul  6: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jul  6: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul  6: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.12.7 has no SA and is not an initialization offer
GDOI-G2(config-if)#
*Jul  6: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.1.12.7
GDOI-G2(config-if)#
We see the same IKE errors until we change the match statement in the ISAKMP profile (and bounce the interface to force a fresh registration):
GDOI-G2(config)#crypto isakmp profile GET-Profile
GDOI-G2(conf-isa-prof)#   match identity address 7.7.7.7 255.255.255.255
GDOI-G2(conf-isa-prof)#no   match identity address 10.1.12.7 255.255.255.0
GDOI-G2(conf-isa-prof)#int gi 0/2
GDOI-G2(config-if)#shut
GDOI-G2(config-if)#
*Jul  6: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from FULL to DOWN, Neighbor Down: Interface down or detached
GDOI-G2(config-if)#
*Jul  6: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
*Jul  6: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
GDOI-G2(config-if)#
GDOI-G2(config-if)#no shut
GDOI-G2(config-if)#
*Jul  6: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Jul  6: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul  6: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
*Jul  6: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
*Jul  6: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.12.7 has no SA and is not an initialization offer
*Jul  6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul  6: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x24FF75BFCD871C9755FE4868CC8A1369
*Jul  6: %GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.7 complete for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul  6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.12.7 for group GDOI-G2 & gm identity 10.1.14.9 fvrf default ivrf default
GDOI-G2(config-if)#do sh crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-G2
    Group Identity           : 2
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       : 10.1.12.7

Group Member Information For Group GDOI-G2:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-G2_temp_acl

    Group member             : 10.1.14.9       vrf: None
       Local addr/port       : 10.1.14.9/848
       Remote addr/port      : 10.1.12.7/848
       fvrf/ivrf             : None/None
       Version               : 1.0.12
       Registration status   : Registered
       Registered with       : 10.1.12.7
       Re-registers in       : 1097 sec
       Succeeded registration: 1
       Attempted registration: 8
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       DP Error Monitoring   : OFF
       IPSEC init reg executed    : 0
       IPSEC init reg postponed   : 0
       Active TEK Number     : 1
       SA Track (OID/status) : disabled

       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS 10.1.12.7:
   access-list   deny udp any port = 848 any port = 848
   access-list   deny tcp any host 224.0.0.5
   access-list   deny tcp any host 224.0.0.6
   access-list   permit ip 10.1.12.0 0.0.0.255 10.1.14.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83974
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1296

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/2:
    IPsec SA:
        spi: 0xA6F83D47(2801286471)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1176)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL

GDOI-G2(config-if)#
This seems pretty counter-intuitive. The ISAKMP profile only works when it matches the loopback address, not the physical interface IP address that the GDOI-Server is actually sending from. Surely it would make more sense to match the interface that is sourcing the packets, right? Well, if you look at the linked blog post, there is no ISAKMP profile set at all, so do we need one? Let's remove it and find out:
GDOI-G1(config)#no crypto map GDOI-G1 isakmp-profile GET-Profile
GDOI-G1(config)#no crypto isakmp profile GET-Profile
GDOI-G1(config)#end

GDOI-G2(config)#no crypto map GDOI-G2 isakmp-profile GET-Profile
GDOI-G2(config)#no crypto isakmp profile GET-Profile
GDOI-G2(config)#end

GDOI-Server#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.7       10.1.13.8       GDOI_IDLE         1025 ACTIVE
10.1.12.7       10.1.14.9       GDOI_IDLE         1027 ACTIVE

IPv6 Crypto ISAKMP SA

GDOI-Server#
GDOI-Server#sh crypto gdoi | i Name|Members
    Group Name               : GDOI-G1 (Unicast)
    Group Members            : 1
      Profile Name           : GET-Profile
    Group Name               : GDOI-G2 (Multicast)
    Group Members            : 1
      Profile Name           : GET-Profile
GDOI-Server#
So, less is more! Whilst we need an ISAKMP profile for Easy VPN, we don't need one for GET VPN, and we didn't use one for DMVPN either. This is confirmed by reading this post from INE. This then raises the question: when do we use ISAKMP profiles?

ISAKMP Profiles

ISAKMP profiles are used under these conditions:

  • When a router has two or more IPSec connections that have different Phase 1 parameters
  • When using Easy VPN
  • If different IKE v1 policies are used between different peers
  • When using VRFs with different IKE Phase 1 parameters, but the same IP address.
ISAKMP profiles match peers on one or more attributes, such as address, hostname, username and so on. We can then use these to set per-peer parameters, such as which keyring or trustpoint to authenticate with, which VRF the tunnel lands in, or a QoS group.

Here is the link (again) to the Cisco doc, with some useful scenario configurations for ISAKMP profiles.
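As an added example (not from the original post, and not a configuration from any of the lab routers above), here is the situation in the first and third bullets: one hub terminating two branches that authenticate differently, one with its own pre-shared key and one with a certificate. Each peer gets its own ISAKMP profile, and each profile is bound to the crypto map entry that negotiates with that peer. The addresses (RFC 5737 documentation ranges), names and keys are all made up, and the trustpoint is assumed to be enrolled already.

```cisco
! Per-peer pre-shared key, held in a keyring rather than the global key list
crypto keyring KR-BRANCH-A
  pre-shared-key address 203.0.113.10 key BranchA-Secret
!
! Second branch authenticates with a certificate issued by LAB-CA (assumed enrolled)
crypto pki trustpoint LAB-CA
 enrollment url http://198.51.100.5:80
 revocation-check none
crypto pki certificate map BRANCH-B-CERTS 10
 subject-name co ou = branch-b
!
! Two Phase 1 policies; the peer picks the one it can satisfy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Profiles: the peer identity selects the profile, the profile selects the credentials
crypto isakmp profile PROF-BRANCH-A
 keyring KR-BRANCH-A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF-BRANCH-B
 ca trust-point LAB-CA
 match certificate BRANCH-B-CERTS
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
ip access-list extended VPN-BRANCH-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-BRANCH-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Each map entry is bound to the profile for its peer. This binding is the part
! that went wrong on this page: the profile was attached to a map (GDOI-G1) that
! was never applied to an interface, while the map in use (G1) had no profile.
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile PROF-BRANCH-A
 match address VPN-BRANCH-A
crypto map HUB 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile PROF-BRANCH-B
 match address VPN-BRANCH-B
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map HUB
```

The rule to remember is that when an incoming peer identity matches an ISAKMP profile, that profile has to be the one the crypto map (or tunnel) doing the negotiation is bound to; a profile that matches the peer but is bound nowhere, or to a different map, gives exactly the "Processing of Main mode failed" behaviour seen above. `show crypto isakmp profile` lists the profiles and their match statements, and `show crypto isakmp sa detail` shows which profile an SA ended up on.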

Now that this is fixed, can we go back to hosting our GET VPN from the loopback address?
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#address ipv4 7.7.7.7
GDOI-Server(gkm-sa-ipsec)#crypto gdoi group GDOI-G2
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#address ipv4 7.7.7.7
GDOI-Server(gkm-local-server)#

GDOI-G1(config)#crypto gdoi group GDOI-G1
GDOI-G1(config-gkm-group)#no server address ipv4 10.1.12.7
GDOI-G1(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G1(config-gkm-group)#
*Jul  6: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-G1 may have expired/been cleared, or didn't go through. Re-register to KS.
*Jul  6: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul  6: %CRYPTO-4-IKMP_NO_SA: IKE message from 7.7.7.7 has no SA and is not an initialization offer
*Jul  6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul  6: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x6F792E443640770041679976AEFA1022
*Jul  6: %GDOI-5-GM_REGS_COMPL: Registration to KS 7.7.7.7 complete for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul  6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 7.7.7.7 for group GDOI-G1 & gm identity 10.1.13.8 fvrf default ivrf default
GDOI-G1(config-gkm-group)#

GDOI-G2(config)#crypto gdoi grou GDOI-G2
GDOI-G2(config-gkm-group)#no server address ipv4 10.1.12.7
GDOI-G2(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G2(config-gkm-group)#
*Jul  6: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-G2 may have expired/been cleared, or didn't go through. Re-register to KS.
*Jul  6: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul  6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul  6: %GDOI-5-GM_REGS_COMPL: Registration to KS 7.7.7.7 complete for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul  6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 7.7.7.7 for group GDOI-G2 & gm identity 10.1.14.9 fvrf default ivrf default
GDOI-G2(config-gkm-group)#


GDOI-Server#sh crypto isakmp sa            
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
7.7.7.7         10.1.13.8       GDOI_IDLE         1028 ACTIVE
7.7.7.7         10.1.14.9       GDOI_IDLE         1029 ACTIVE

IPv6 Crypto ISAKMP SA

GDOI-Server#sh crypto gdoi | i Name|Members
    Group Name               : GDOI-G1 (Unicast)
    Group Members            : 1
      Profile Name           : GET-Profile
    Group Name               : GDOI-G2 (Unicast)
    Group Members            : 1
      Profile Name           : GET-Profile
GDOI-Server#
Yes we can. So the ISAKMP profile was what stopped the loopback address on the GDOI-Server from being the endpoint for the group members. Looking back at the pattern on this page, registration only ever succeeded when the key server's address did not match the profile's `match identity address`: G1 (profile matching 7.7.7.7) registered only once the KS moved to 10.1.12.7, and G2 (profile matching 10.1.12.7) registered only once its profile was changed to 7.7.7.7. Note also that the profile was attached with `crypto map GDOI-G1 isakmp-profile GET-Profile`, which is a different map from the `G1` map actually applied to the interface. When a peer's identity matches an ISAKMP profile that isn't the one bound to the crypto map doing the negotiation, IOS treats it as a profile mismatch and fails the exchange, which is what the "Processing of Main mode failed" messages were telling us. With the profiles gone, the GMs simply use the global pre-shared key and everything works as it should.
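Pulling the whole procedure together, here is the key server and one group member as I would actually configure them, with the detours above removed. This is an added example rather than a configuration copied from the lab routers: it keeps the page's names, addresses and group identity but assumes AES-256/SHA-256/group 14 instead of the 3DES/SHA-1/group 2 used in the lab, an RSA key pair labelled GDOI-Server-Key already generated on the key server, and the ACL corrected so that OSPF is actually excluded and the permit lines are symmetric. GDOI-G2 is the same as GDOI-G1 with group 2, ACL G2 and GigabitEthernet0/2.

```cisco
!=================== GDOI-Server (key server) ===================
! Run once in exec mode before this config (assumed done):
!   crypto key generate rsa label GDOI-Server-Key modulus 2048
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! GMs register from their own addresses, so the KS needs a wildcard key
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GET-Profile
 set transform-set GET-TS
!
ip access-list extended G1
 remark Group-key management traffic (GDOI, UDP 848) is never encrypted
 deny   udp any eq 848 any eq 848
 remark OSPF is IP protocol 89, not TCP, so match it by protocol
 deny   ospf any any
 remark Symmetric: every GM applies this ACL as-is in both directions
 permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255
 permit ip 10.1.13.0 0.0.0.255 10.1.12.0 0.0.0.255
!
crypto gdoi group GDOI-G1
 identity number 1
 server local
  ! Rekeys are signed with the RSA pair and sent unicast to each GM
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa GDOI-Server-Key
  rekey transport unicast
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  ! Loopback as KS address: fine now that no ISAKMP profile gets in the way
  address ipv4 7.7.7.7
!
!=================== GDOI-G1 (group member) ===================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! A GM only ever talks IKE to the key server, so scope the key to it
crypto isakmp key cisco address 7.7.7.7
!
! No transform set or IPsec profile here: the TEK policy (transform, ACL,
! lifetimes) is downloaded from the KS at registration.
crypto gdoi group GDOI-G1
 identity number 1
 server address ipv4 7.7.7.7
 client registration interface GigabitEthernet0/1
!
! No ISAKMP profile either: a profile matching the KS identity that is not
! bound to this map is what broke registration on this page.
crypto map G1 10 gdoi
 set group GDOI-G1
!
interface GigabitEthernet0/1
 crypto map G1
```

On the KS, `show crypto gdoi ks members` should list 10.1.13.8 once the GM registers; on the GM, `show crypto gdoi gm acl` shows the downloaded ACL and `show crypto gdoi` the active TEK, the same as the outputs above.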

For our needs so far we have not needed ISAKMP profiles, but that will change when we come to look at Easy VPN, which is up next.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
