Sunday, 3 February 2013

GETVPN - plain and simple


GETVPN is a way of configuring CPE routers that centralizes the management of the IPsec policies needed to protect the traffic exchanged between the LANs connected by those CPE routers. There is no longer any need to configure IPsec tunnels, ISAKMP policies and access lists for every pair of LANs. An even bigger gain is that a CPE router no longer builds an IPsec tunnel, static or dynamic, for every pair of LANs, but only one inbound IPsec tunnel and one outbound one. A CPE router no longer has to authenticate to the other one, or vice versa; both register with an "IPsec policy management server" called the Key Server (KS) and become Group Members (GM). Two CPE routers can communicate with each other if they are registered and belong to the same GDOI group; after registering successfully, they receive from the KS the IPsec policies and the access list that defines the interesting traffic. IP packets keep their original IP header; the CPE routers only add the ESP header (the most commonly used) and/or the AH header (less used, because of its interaction with any NAT policies). On all CPE routers these IPsec tunnels are identified identically (same SPI).

In what follows we work on the topology below, with three CPE routers that we configure as GMs in the same group and two KS routers, for redundancy.

Key Server Main configuration

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 600

crypto isakmp key 0 untest address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic

crypto ipsec transform-set GETVPN_ts_1 esp-3des esp-sha-hmac

crypto ipsec profile GETVPN_p_1
 set transform-set GETVPN_ts_1

access-list 100 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255

crypto gdoi group GETVPN_g_1
 identity address ipv4 1.1.1.1
 server local
  rekey lifetime seconds 1800
  rekey retransmit 30 number 4
  rekey authentication mypubkey rsa GETVPN_1
  rekey transport unicast
  registration interface FastEthernet0/0
  sa ipsec 1
   profile GETVPN_p_1
   match address ipv4 100
   replay time window-size 10
  address ipv4 10.0.0.0
  redundancy
   local priority 255
   peer address ipv4 10.255.255.255

Key Server Bkp configuration

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 600

crypto isakmp key untest address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic

crypto ipsec transform-set GETVPN_ts_1 esp-3des esp-sha-hmac

crypto ipsec profile GETVPN_p_1
 set transform-set GETVPN_ts_1

access-list 100 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255

crypto gdoi group GETVPN_g_1
 identity address ipv4 1.1.1.1
 server local
  rekey lifetime seconds 1800
  rekey retransmit 30 number 4
  rekey authentication mypubkey rsa GETVPN_1
  rekey transport unicast
  registration interface FastEthernet0/0
  sa ipsec 1
   profile GETVPN_p_1
   match address ipv4 100
   replay time window-size 10
  address ipv4 10.255.255.255
  redundancy
   local priority 1
   peer address ipv4 10.0.0.0
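The two cooperative Key Servers must agree on everything the GMs receive from them (group identity, traffic ACL, transform set, rekey parameters, replay window) and must each name the other as COOP peer; only the local priority should differ. The following Python script is an added example, not part of this post and not a Cisco tool, that parses two such configurations and reports every mismatch. KS_MAIN and KS_BKP are constructed from the configurations above, trimmed to the relevant lines, with the backup copy deliberately missing access-list 100 to show what the check catches.

```python
import re

# Constructed samples: the two Key Server configurations from the post, trimmed
# to the COOP-relevant lines. KS_BKP deliberately omits access-list 100.
KS_MAIN = """\
crypto ipsec transform-set GETVPN_ts_1 esp-3des esp-sha-hmac
crypto ipsec profile GETVPN_p_1
 set transform-set GETVPN_ts_1
access-list 100 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
crypto gdoi group GETVPN_g_1
 identity address ipv4 1.1.1.1
 server local
  rekey lifetime seconds 1800
  rekey authentication mypubkey rsa GETVPN_1
  sa ipsec 1
   profile GETVPN_p_1
   match address ipv4 100
   replay time window-size 10
  address ipv4 10.0.0.0
  redundancy
   local priority 255
   peer address ipv4 10.255.255.255
"""

KS_BKP = """\
crypto ipsec transform-set GETVPN_ts_1 esp-3des esp-sha-hmac
crypto ipsec profile GETVPN_p_1
 set transform-set GETVPN_ts_1
crypto gdoi group GETVPN_g_1
 identity address ipv4 1.1.1.1
 server local
  rekey lifetime seconds 1800
  rekey authentication mypubkey rsa GETVPN_1
  sa ipsec 1
   profile GETVPN_p_1
   match address ipv4 100
   replay time window-size 10
  address ipv4 10.255.255.255
  redundancy
   local priority 1
   peer address ipv4 10.0.0.0
"""

# One pattern per field, anchored at the start of the stripped line so that
# "identity address ipv4" or "peer address ipv4" is never taken for "address ipv4".
FIELDS = {
    "identity": r"identity address ipv4 (\S+)",
    "acl_ref": r"match address ipv4 (\d+)",
    "rekey_lifetime": r"rekey lifetime seconds (\d+)",
    "rekey_key": r"rekey authentication mypubkey rsa (\S+)",
    "local": r"address ipv4 (\S+)$",
    "priority": r"local priority (\d+)",
    "peer": r"peer address ipv4 (\S+)",
    "replay_window": r"replay time window-size (\d+)",
    "transform_ref": r"set transform-set (\S+)",
}


def parse_ks(config: str) -> dict:
    """Extract the COOP-relevant fields from one Key Server configuration."""
    ks = {"acl": {}, "transform": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) (.+)", line):
            ks["acl"].setdefault(m.group(1), []).append(m.group(2))
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            ks["transform"][m.group(1)] = m.group(2).split()
            continue
        for name, pattern in FIELDS.items():
            if m := re.match(pattern, line):
                ks[name] = m.group(1)
                break
    return ks


def check_coop_pair(main_cfg: str, bkp_cfg: str) -> list:
    """Return the inconsistencies between two cooperative Key Servers (empty = consistent)."""
    a, b = parse_ks(main_cfg), parse_ks(bkp_cfg)
    findings = []
    # Policy the GMs download must not depend on which KS they registered with.
    for field in ("identity", "rekey_lifetime", "rekey_key", "replay_window"):
        if a.get(field) != b.get(field):
            findings.append(f"{field} differs: {a.get(field)} vs {b.get(field)}")
    # The referenced traffic ACL and transform set must exist and match on both KS.
    for ref, table, label in (("acl_ref", "acl", "access-list"), ("transform_ref", "transform", "transform-set")):
        defined = True
        for name, ks in (("main", a), ("bkp", b)):
            if ks.get(ref) not in ks[table]:
                findings.append(f"{name}: {label} {ks.get(ref)} referenced but not defined")
                defined = False
        if defined and a[table][a[ref]] != b[table][b[ref]]:
            findings.append(f"{label} content differs between KS")
    # Distinct priorities keep the primary election deterministic.
    if a.get("priority") == b.get("priority"):
        findings.append("both KS have the same local priority")
    # Each KS must point at the other's local address as its COOP peer.
    if a.get("peer") != b.get("local") or b.get("peer") != a.get("local"):
        findings.append("peer addresses do not cross-reference the local addresses")
    return findings


if __name__ == "__main__":
    for finding in check_coop_pair(KS_MAIN, KS_BKP) or ["no inconsistencies"]:
        print(finding)
```

Run it on the two running configurations before enabling redundancy; the only finding on the constructed samples is the missing access-list on the backup, which is exactly the kind of drift that shows up later as GMs receiving different policy after a failover.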

Configuration of a Group Member

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 600

crypto isakmp key untest address 10.0.0.0 255.0.0.0

crypto gdoi group GETVPN_G_1
 identity address ipv4 1.1.1.1
 server address ipv4 10.0.0.0
 server address ipv4 10.255.255.255

crypto map MAP local-address Loopback0
crypto map MAP 1 gdoi
 set group GETVPN_G_1

interface Fa0/0
 description ### link 2 MPLS Netw ###
 crypto map MAP

Naturally, interfaces, routing protocols and so on are also configured on this router.


Checks on the Key Server Main router (see Local KS Role)


sh crypto gdoi ks
Total group members registered to this box: 3

Key Server Information For Group GETVPN_g_1:
Group Name : GETVPN_g_1
Group Identity : 1.1.1.1
Group Members : 3
IPSec SA Direction : Both
ACL Configured:
access-list 100
Redundancy : Configured
Local Address : 10.0.0.0
Local Priority : 255
Local KS Status : Alive
Local KS Role : Primary



Checks on the Key Server Bkp router (see Local KS Role)

sh crypto gdoi ks
Total group members registered to this box: 3

Key Server Information For Group GETVPN_g_1:
Group Name : GETVPN_g_1
Group Identity : 1.1.1.1
Group Members : 3
IPSec SA Direction : Both
ACL Configured:
access-list 100
Redundancy : Configured
Local Address : 10.255.255.255
Local Priority : 1
Local KS Status : Alive
Local KS Role : Secondary



Checks on the Group Member router

sh crypto gdoi
Group Information

Group Name : GETVPN_G_1
Group Identity : 1.1.1.1
Rekeys received : 0
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPN_G_1_temp_acl
Active Group Server : 10.0.0.0
Group Server list : 10.0.0.0
                               10.255.255.255



The following message appears in the logs of the Group Member router:


%GDOI-5-GM_REGS_COMPL: Registration to KS 10.0.0.0 complete for group GETVPN_G_1 using address 10.0.0.10


ICMP traffic between two hosts in different LANs, 172.16.10.2 and 172.16.10.2, is visible in the MPLS network (see the source and destination IP addresses)



and on the GM router (see the counters for encapsulated/decapsulated, verified packets, etc.)

show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: MAP, local addr 10.0.0.10

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
#pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.0.0.10, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3FDDBB86(1071496070)

inbound esp sas:
spi: 0x3FDDBB86(1071496070)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 55, flow_id: SW:55, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4564260/1449)
IV size: 8 bytes
replay detection support: Y replay window size: 10
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x3FDDBB86(1071496070)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 56, flow_id: SW:56, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4564260/1427)
IV size: 8 bytes
replay detection support: Y replay window size: 10
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
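Reading this output by eye is fine for three GMs; at scale it is better to audit it automatically. The following Python script is an added example, not part of this post and not a Cisco tool, that parses the text of show crypto ipsec sa and reports the conditions a defender cares about: SA status, the transform set actually in use, anti-replay and its window, a shared inbound/outbound SPI, and the error counters. SAMPLE_SA is constructed from the output above; the expected transform set and replay window are parameters you take from the KS policy.

```python
import re

# Constructed sample: the 'show crypto ipsec sa' output from the post, trimmed to
# the lines the audit reads.
SAMPLE_SA = """\
interface: FastEthernet0/0
Crypto map tag: MAP, local addr 10.0.0.10

local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
current_peer port 848
#pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
#pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
#send errors 0, #recv errors 0

current outbound spi: 0x3FDDBB86(1071496070)

inbound esp sas:
spi: 0x3FDDBB86(1071496070)
transform: esp-3des esp-sha-hmac ,
replay detection support: Y replay window size: 10
Status: ACTIVE

inbound ah sas:

outbound esp sas:
spi: 0x3FDDBB86(1071496070)
transform: esp-3des esp-sha-hmac ,
replay detection support: Y replay window size: 10
Status: ACTIVE

outbound ah sas:
"""


def parse_ipsec_sa(text: str) -> dict:
    """Pull the packet counters and the per-direction SA attributes out of the output."""
    sa = {"sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" sas:"):           # "inbound esp sas:", "outbound esp sas:", ...
            section = line[:-1]
            sa["sections"][section] = {}
        elif m := re.match(r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest: (\d+)", line):
            sa["encaps"], sa["encrypt"], sa["digest"] = map(int, m.groups())
        elif m := re.match(r"#pkts decaps: (\d+), #pkts decrypt: (\d+), #pkts verify: (\d+)", line):
            sa["decaps"], sa["decrypt"], sa["verify"] = map(int, m.groups())
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_err"], sa["recv_err"] = map(int, m.groups())
        elif section is not None:
            cur = sa["sections"][section]
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
                cur["spi"] = m.group(1)
            elif m := re.match(r"transform: (.+?)\s*,?\s*$", line):
                cur["transform"] = m.group(1).split()
            elif m := re.match(r"replay detection support: (\w) replay window size: (\d+)", line):
                cur["replay"], cur["window"] = m.group(1), int(m.group(2))
            elif m := re.match(r"Status: (\w+)", line):
                cur["status"] = m.group(1)
    return sa


def audit_gm_sa(text: str, expected_transform=("esp-3des", "esp-sha-hmac"), expected_window=10) -> list:
    """Return the findings for one GM; an empty list means the group SA looks healthy."""
    sa = parse_ipsec_sa(text)
    inb = sa["sections"].get("inbound esp sas", {})
    out = sa["sections"].get("outbound esp sas", {})
    findings = []
    for name, d in (("inbound", inb), ("outbound", out)):
        if d.get("status") != "ACTIVE":
            findings.append(f"{name} ESP SA is not ACTIVE")
        if d.get("transform") != list(expected_transform):
            findings.append(f"{name} ESP SA uses unexpected transform {d.get('transform')}")
        if d.get("replay") != "Y":
            findings.append(f"{name} ESP SA has anti-replay disabled")
        elif d.get("window") != expected_window:
            findings.append(f"{name} replay window is {d.get('window')}, expected {expected_window}")
    # The KS hands every GM the same group key, so a GM's inbound and outbound
    # SPI carry the same value; a mismatch means the GM is not on group policy.
    if inb.get("spi") != out.get("spi"):
        findings.append("inbound/outbound SPI differ")
    if sa.get("send_err", 0) or sa.get("recv_err", 0):
        findings.append(f"send/recv errors: {sa.get('send_err')}/{sa.get('recv_err')}")
    # On a healthy GM the three inbound counters match (310/310/310 in the post);
    # a gap is worth correlating with rekey events on the KS.
    if sa.get("decaps", 0) != sa.get("verify", 0):
        findings.append(f"decaps {sa.get('decaps')} vs verify {sa.get('verify')} counters disagree")
    return findings


if __name__ == "__main__":
    for finding in audit_gm_sa(SAMPLE_SA) or ["group SA healthy"]:
        print(finding)
```

Feed it the output collected from each GM after a change on the KS: a GM whose replay window or transform set differs from the rest is one that registered against stale policy.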

If the Key Server Main router becomes unavailable, the following log appears on Key Server Bkp

%GDOI-3-COOP_KS_UNREACH: Cooperative KS 10.0.0.0 Unreachable in group GETVPN_g_1
%GDOI-5-COOP_KS_TRANS_TO_PRI: KS 10.255.255.255 in group GETVPN_g_1 transitioned to Primary (Previous Primary = 10.0.0.0)
and on checking (see Local KS Role)

sh crypto gdoi ks
Total group members registered to this box: 3

Key Server Information For Group GETVPN_g_1:
Group Name : GETVPN_g_1
Group Identity : 1.1.1.1
Group Members : 3
IPSec SA Direction : Both
ACL Configured:
access-list 100
Redundancy : Configured
Local Address : 10.255.255.255
Local Priority : 1
Local KS Status : Alive
Local KS Role : Primary

When the Key Server Main router comes back into service, the following log appears on Key Server Bkp


%GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 10.0.0.0 in group GETVPN_g_1


and on checking (see Local KS Role)

sh crypto gdoi ks
Total group members registered to this box: 3

Key Server Information For Group GETVPN_g_1:
Group Name : GETVPN_g_1
Group Identity : 1.1.1.1
Group Members : 3
IPSec SA Direction : Both
ACL Configured:
access-list 100
Redundancy : Configured
Local Address : 10.255.255.255
Local Priority : 1
Local KS Status : Alive
Local KS Role : Secondary



Throughout all this, IPsec traffic between the Group Member routers is not disrupted.
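The four GDOI syslog messages shown in this post (GM registration, COOP peer unreachable, transition to Primary, reachability restored) are enough to follow KS redundancy state from a log collector. The following Python script is an added example, not part of this post and not a Cisco tool, that replays such lines into per-group state and emits an alert on every redundancy change; SAMPLE_LOGS is constructed from the messages quoted above, in the order the failover happened.

```python
import re

# Constructed sample: the GDOI messages quoted in the post, GM registration first,
# then the failover and recovery as seen on Key Server Bkp.
SAMPLE_LOGS = [
    "%GDOI-5-GM_REGS_COMPL: Registration to KS 10.0.0.0 complete for group GETVPN_G_1 using address 10.0.0.10",
    "%GDOI-3-COOP_KS_UNREACH: Cooperative KS 10.0.0.0 Unreachable in group GETVPN_g_1",
    "%GDOI-5-COOP_KS_TRANS_TO_PRI: KS 10.255.255.255 in group GETVPN_g_1 transitioned to Primary (Previous Primary = 10.0.0.0)",
    "%GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 10.0.0.0 in group GETVPN_g_1",
]

# Patterns are searched rather than matched, so a syslog timestamp and hostname
# in front of the %GDOI tag do not matter.
PATTERNS = {
    "GM_REGS_COMPL": re.compile(
        r"%GDOI-5-GM_REGS_COMPL: Registration to KS (\S+) complete for group (\S+) using address (\S+)"),
    "COOP_KS_UNREACH": re.compile(
        r"%GDOI-3-COOP_KS_UNREACH: Cooperative KS (\S+) Unreachable in group (\S+)"),
    "COOP_KS_TRANS_TO_PRI": re.compile(
        r"%GDOI-5-COOP_KS_TRANS_TO_PRI: KS (\S+) in group (\S+) transitioned to Primary \(Previous Primary = (\S+)\)"),
    "COOP_KS_REACH": re.compile(
        r"%GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS (\S+) in group (\S+)"),
}


def track_gdoi(lines):
    """Replay GDOI syslog lines into per-group state; return (state, alerts)."""
    groups = {}
    alerts = []

    def state(group):
        # Group names are local to each router (the post's GM says GETVPN_G_1, the KS
        # says GETVPN_g_1), so state is keyed on the name exactly as logged.
        return groups.setdefault(group, {"primary": None, "unreachable": set(), "registrations": {}})

    for line in lines:
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "GM_REGS_COMPL":
                ks, group, gm = m.groups()
                state(group)["registrations"][gm] = ks
            elif kind == "COOP_KS_UNREACH":
                ks, group = m.groups()
                state(group)["unreachable"].add(ks)
                alerts.append(f"{group}: COOP peer {ks} unreachable, redundancy degraded")
            elif kind == "COOP_KS_TRANS_TO_PRI":
                ks, group, prev = m.groups()
                state(group)["primary"] = ks
                alerts.append(f"{group}: primary KS changed from {prev} to {ks}")
            elif kind == "COOP_KS_REACH":
                ks, group = m.groups()
                state(group)["unreachable"].discard(ks)
                alerts.append(f"{group}: reachability to COOP peer {ks} restored")
            break
    return groups, alerts


def degraded_groups(groups) -> list:
    """Groups that still have an unreachable COOP peer after the replay."""
    return sorted(g for g, st in groups.items() if st["unreachable"])


if __name__ == "__main__":
    groups, alerts = track_gdoi(SAMPLE_LOGS)
    for alert in alerts:
        print(alert)
    print("still degraded:", degraded_groups(groups) or "none")
```

The point of keeping state rather than just matching strings is the last check: a COOP_KS_UNREACH with no later COOP_KS_REACH means the group is running on a single KS, and a GM that has to re-register while that lasts has nowhere else to go.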


Happy learning.
