Saturday, May 8, 2010

GETVPN With Multicast Rekeying

Hi All,
A post by fellow CCIE Security candidate TacAck made me do some research and revision on GETVPN rekeying. I'll highlight my findings in this post.
1. There are two rekey transport modes: unicast and multicast.
2. For multicast rekeying, the "rekey address" command references an access-list that is downloaded to the group members; the GMs use it to automatically join the rekey multicast group.
3. With rekey authentication, the RSA key pair named in the "rekey authentication mypubkey rsa" command must already exist on the KS.
4. A rekey is triggered by changing the SA access-list. Rekeys are retransmitted n times, once every p seconds; this is adjusted with the "rekey retransmit p number n" command.

Here is a sample config for the KS:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 192.168.123.1
crypto isakmp key CISCO address 192.168.123.2
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GET
 set transform-set TRANS
!
crypto gdoi group GET
 identity number 123
 server local
  rekey address ipv4 REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET
   match address ipv4 GET
   replay counter window-size 64
  address ipv4 192.168.32.3
!
ip access-list extended REKEY
 permit udp host 192.168.32.3 host 239.0.0.1
! access-list GET (the traffic to be protected, referenced by "match address ipv4 GET") is not shown here

5. If an ASA sits between the KS and the GMs, two things must be considered:
   a. Allowing the GDOI registration traffic, especially when the GMs are on the outside, since the GM initiates the registration. A hole must be punched for UDP destination port 848 towards the KS.
   b. Forwarding the multicast rekey traffic through the ASA. If the GMs are directly connected (a stub segment), the "igmp forward interface" command should be enough to forward the rekeys.
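To turn points 2, 3 and 5 (and the access-list problem raised in the comment below) into something you can check before pushing a config, here is an added example, not part of the original post or of Cisco's tooling: a small linter that parses an IOS key-server config and an ASA fragment. Both sample configs are constructed for this example; the KS one is the post's config with the GET access-list deliberately left out, so the linter reports exactly what the commenter noticed. The ASA access-list and interface names are assumptions.

```python
"""Added example: lint a GETVPN key-server config and an ASA fragment for the
pitfalls listed above. All sample configuration here is constructed."""
import ipaddress
import re

# Constructed KS config, based on the post's sample: the GET access-list
# referenced by "match address ipv4 GET" is deliberately absent.
KS_CONFIG = """\
crypto gdoi group GET
 identity number 123
 server local
  rekey address ipv4 REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET
   match address ipv4 GET
   replay counter window-size 64
  address ipv4 192.168.32.3
ip access-list extended REKEY
 permit udp host 192.168.32.3 host 239.0.0.1
"""

# Constructed ASA fragment: KS on the inside, GMs on the outside (names assumed).
ASA_CONFIG = """\
multicast-routing
access-list OUTSIDE_IN extended permit udp any host 192.168.32.3 eq 848
access-group OUTSIDE_IN in interface outside
interface GigabitEthernet0/1
 nameif outside
 igmp forward interface inside
"""


def parse_acls(config):
    """Map each IOS extended ACL name to the list of its ACE strings."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list (?:extended|ext) (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current and line.startswith(("permit", "deny")):
            acls[current].append(line)
        elif raw and not raw[0].isspace():
            current = None  # a new top-level command ends the ACL block
    return acls


def acl_references(config):
    """Yield (command, acl_name) for every GDOI command that names an ACL."""
    for raw in config.splitlines():
        m = re.match(r"(rekey address|match address) ipv4 (\S+)$", raw.strip())
        if m:
            yield m.group(1), m.group(2)


def check_rekey_acl(aces):
    """A multicast rekey ACL should read 'permit udp host <KS> host <group>'."""
    problems = []
    for ace in aces:
        p = ace.split()
        well_formed = (len(p) == 6 and p[:2] == ["permit", "udp"]
                       and p[2] == "host" and p[4] == "host")
        if not well_formed:
            problems.append(f"unexpected rekey ACE form: '{ace}'")
            continue
        group = ipaddress.ip_address(p[5])
        if not group.is_multicast:
            problems.append(f"rekey destination {group} is not a multicast group")
    return problems


def lint_ks(config):
    """Return the list of findings for a key-server config (empty if clean)."""
    acls = parse_acls(config)
    has_rekey_auth = re.search(r"^\s*rekey authentication ", config, re.M) is not None
    findings = []
    for cmd, name in acl_references(config):
        if name not in acls:
            findings.append(f"'{cmd} ipv4 {name}' references an undefined access-list")
        elif cmd == "rekey address":
            findings.extend(check_rekey_acl(acls[name]))
            if not has_rekey_auth:
                findings.append("rekey address set but no 'rekey authentication' configured")
    return findings


def lint_asa(config, ks_address):
    """Check point 5: a UDP/848 hole towards the KS and IGMP forwarding for rekeys."""
    findings = []
    hole = rf"^access-list \S+ extended permit udp .+ host {re.escape(ks_address)} eq 848$"
    if not re.search(hole, config, re.M):
        findings.append(f"no ACE permitting udp/848 registration to KS {ks_address}")
    if not re.search(r"^\s*igmp forward interface \S+$", config, re.M):
        findings.append("no 'igmp forward interface' for multicast rekey delivery")
    return findings


if __name__ == "__main__":
    for finding in lint_ks(KS_CONFIG) + lint_asa(ASA_CONFIG, "192.168.32.3"):
        print("FINDING:", finding)
```

Run as-is it prints one finding, the undefined GET access-list; append the missing `ip access-list extended GET` block to KS_CONFIG and it goes quiet. The rekey-ACL check is there because a non-multicast or non-UDP destination in the rekey ACL silently breaks multicast rekeying while still being accepted by the CLI.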

Nuff said, time to take a break :)
Cheers, Amplebrain

1 comment:

  1. Has it ever occurred to you that you made a mistake that confuses a lot of people???!!!

    Why are you referencing the GET access-list in the line "match address ipv4 GET" if it doesn't exist?