BRKSEC-3051
Agenda
BRKSEC-3051 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Other Related Sessions
CiscoLive 2013
GETVPN Solution Overview
Cisco Group Encrypted Transport - GETVPN
What Is GETVPN?
Cisco GETVPN delivers a revolutionary solution for tunnel-less, any-to-any and confidential branch communication:
Large-scale any-to-any encrypted communication
Native routing without tunnel overlay
Optimal for QoS and Multicast support - improves application performance
Transport agnostic - private LAN/WAN, FR/ATM, IP, MPLS
(Figure: Cisco GET VPN positioned as Any-to-Any Connectivity, Scalable, Real Time)
Tunnel-Less VPN - A New Security Model
Before: IPSec P2P Tunnels
Scalability an issue (N^2 problem)
Overlay routing
Any-to-any instant connectivity can't be done to scale
Limited QoS
Inefficient Multicast replication
After: Tunnel-Less VPN
Scalable architecture for any-to-any connectivity and encryption
No overlays - native routing
Any-to-any instant connectivity
Enhanced QoS
Efficient Multicast replication
VPN Technology Positioning
(Figure: Data Center Core with an IPSec aggregation router and Internet edge; EzVPN/FlexVPN spokes and DMVPN/FlexVPN spokes reach the core over the Internet; GETVPN GMs register with a pair of KSs)
VPN Technology Positioning (Cont.)
Encryption Style: EzVPN and DMVPN/FlexVPN use Peer-to-Peer Protection; GETVPN uses Group Protection
Introduction to GETVPN
Group Encrypted Transport (GETVPN)
Group Security Functions
Key Server: Validate Group Members; Manage Security Policy; Create Group Keys; Distribute Policy/Keys
Routing Members: Routing; Forwarding; Replication
Group Member (Encryption Devices, GM): Route Between Secure/Unsecure Regions; Multicast Participation
Group Security Elements
Group Policy
Key Encryption Key (KEK)
KS Cooperative Key Servers Protocol
RFC3547: Group Domain of Interpretation (GDOI)
(Figure: KS distributing policy and keys to the GMs)
Basic GETVPN Architecture
Step 1: Group Members (GM) register via GDOI with the Key Server (KS)
(Figure: GM1 to GM9 registering with the Key Server)
KS pushes out replacement IPSec keys before the current IPSec keys expire; this is called a Rekey
Header Preservation
IPSec Tunnel Mode vs. GETVPN
IP Packet: IP Header | IP Payload
In IPSec tunnel mode the outer IP header carries the tunnel endpoint addresses; GETVPN instead copies the original IP header into the outer header (header preservation), so the encrypted packet keeps its original source and destination and is routed natively.
GETVPN Data Path
Host1 -> GM1 -> (Encrypted) -> GM2 -> Host2
Rekey Methodology: Multicast Rekey
The KS sends the rekey once to the multicast group; the core replicates the packets to all GMs (GM3, GM4, ...)
Rekey Methodology: Unicast Rekey
The KS sends a separate rekey message to each GM (GM3, GM4, ...)
Requirement for Time-Based Anti-Replay
In a group SA many GMs transmit on the same SA, so a receiver cannot rely on a single monotonically increasing ESP sequence number; GETVPN therefore uses a KS-synchronized pseudotime for replay detection.
Time-Based Anti-Replay
(Figure: timeline T0, T10, T20 showing Packet1 and Packet2 arriving relative to the pseudotime window)
Cooperative Key Servers - HA
A single KS is a single point of failure
Two or more KSs, known as COOP KSs, manage a common set of keys and security policies for GETVPN group members
Group members can register to any one of the available KSs
(Figure: GM 1 to GM 4 on Subnets 1 to 4 across an IP Network, GDOI Registration to cooperative KSs such as Cooperative KS3)
Cooperative Key Servers (Cont.)
One KS is elected as the Primary KS
Cooperative KSs periodically exchange and synchronize the group database, policy and keys
The Primary KS is responsible for generating and distributing group keys
(Figure: Announcement Messages exchanged between the KSs; Rekey Messages sent by the Primary KS; Cooperative KS3 is Secondary)
GETVPN Deployment Configuration
COOP Server Exportable RSA Keys
KS Configuration
! Pre-shared Key
crypto keyring gdoi1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
! ISAKMP Policy
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
! IPSec Transform
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
! IPSec Profile
crypto ipsec profile gdoi1
 set security-association lifetime seconds 7200
 set transform-set 3DES-SHA
!
! Access-list used for defining the rekey (useful in multicast rekeys only)
access-list 150 permit ip any host 225.1.1.1
!
! Access-list defining the encryption policy
access-list 160 deny eigrp any any
access-list 160 deny pim any any
access-list 160 deny udp any any eq isakmp
access-list 160 deny udp any any eq 848
access-list 160 permit ip any any
KS Configuration (Cont.)
! GDOI Group ID
crypto gdoi group getvpn1
 identity number 101
 server local
  ! Rekey address mapping (only for multicast rekeys)
  !rekey address ipv4 150
  ! Rekey properties
  rekey lifetime seconds 14400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn1
  rekey transport unicast
  ! Encryption ACL
  sa ipsec 1
   profile gdoi1
   match address ipv4 160
  ! Source address for rekeys
  address ipv4 130.23.1.1
  ! COOP KS config
  redundancy
   local priority 10
   peer address ipv4 130.1.2.1
!
GM Configuration
! Pre-shared Key
crypto keyring gdoi
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
! ISAKMP Policy
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! GDOI Group and KS address
crypto gdoi group getvpn1
 identity number 101
 server address ipv4 130.23.1.1
!
! GDOI crypto map
crypto map getvpn10 gdoi
 set group getvpn1
!
! Crypto map on the interface (the map name must match the one defined above)
interface FastEthernet0/0
 crypto map getvpn10
GETVPN Platform Support
Scalability and Performance
Deployment Best Practices
IKE/IPSec:
Use specific pre-shared keys for all the GMs and KSs instead of using a default key
KS:
Always use COOP KSs
Set the huge buffer to 65535 and add 10 buffers to the permanent buffer list
Configure periodic DPDs between the COOP KSs
Enable GM authorization
Policy:
Aggregate the permit access-list entries to reduce the number of entries
Enable Time-Based Anti-Replay
Avoid re-encrypting traffic which is already encrypted (SSH, HTTPS)
Registration:
Distribute GM registration to multiple KSs by arranging the KS order in the configuration
Rekey Timers:
Set TEK lifetime to 7200 seconds
Set KEK lifetime to 86400 seconds
GETVPN Troubleshooting
"A problem well stated is a problem half solved" (Charles F. Kettering)
Troubleshooting GETVPN
Troubleshooting GETVPN High Level Flow
Troubleshooting Flow (figure):
Registration: IKE, Transport Issues, Policy Download
Rekey: Crypto policy/engine
COOP
Time Based Anti-Replay
Fragmentation / MTU Issues
GETVPN Control Plane
Understand the expected protocol flow and know how to check for them
Control Plane Troubleshooting Tools
GETVPN provides an enhanced set of show commands for functionality verification
IOS also provides a wide variety of syslog messages to verify proper GETVPN operation and to give early insight into potential problems
IPSec and GDOI related debugs can then be enabled for further troubleshooting
GDOI conditional debugs: 15.1(3)T
GDOI event trace: 15.1(3)T
show crypto gdoi (on KS)
Group Name               : GET
Group Identity           : 101
Group Members            : 3            (registered GMs)
IPSec SA Direction       : Both
Active Group Server      : Local
Redundancy               : Configured   (COOP configuration)
 Local Address           : 130.23.1.1
 Local Priority          : 10
 Local KS Status         : Alive
 Local KS Role           : Primary      (key server role)
Group Rekey Lifetime     : 1800 secs
Group Rekey
 Remaining Lifetime      : 88 secs      (KEK lifetime remaining)
Rekey Retransmit Period  : 10 secs
Rekey Retransmit Attempts: 3
Group Retransmit
 Remaining Lifetime      : 0 secs
IPSec SA Number          : 1
IPSec SA Rekey Lifetime  : 900 secs
Profile Name             : gdoi1
Replay method            : Count Based
Replay Window Size       : 64
SA Rekey
 Remaining Lifetime      : 446 secs     (TEK lifetime remaining)
ACL Configured           : access-list 160
Show crypto gdoi ks member (on KS)
KS#show crypto gdoi ks members
show crypto gdoi (on GM)
GROUP INFORMATION
 Group Name              : GET
 Group Identity          : 101
 Rekeys received         : 270
 IPSec SA Direction      : Both
 Active Group Server     : 134.50.0.1    (active KS)
 Group Server list       : 134.50.0.1
 GM Reregisters in       : 5187 secs
 Rekey Received(hh:mm:ss): 00:02:30      (when the last rekey was received)
 Rekeys received
  Cumulative             : 270
  After registration     : 270
 Rekey Acks sent         : 270
ACL Downloaded From KS 134.50.0.1:
 access-list deny eigrp any any
 access-list deny tcp any any port = 179
 access-list deny udp any port = 848 any port = 848
 access-list permit ip any any
KEK POLICY:
 Rekey Transport Type    : Unicast
 Lifetime (secs)         : 12295
 Encrypt Algorithm       : 3DES
 Key Size                : 192
 Sig Hash Algorithm      : HMAC_AUTH_SHA
 Sig Key Length (bits)   : 1024
TEK POLICY:
 FastEthernet0/0:
  IPSec SA:
   sa direction: outbound
   spi: 0x7C45C74A(2084947786)
   transform: esp-aes esp-sha-hmac
   sa timing: remaining key lifetime (sec): (5246)   (remaining IPSec SA lifetime)
   Anti-Replay(Time Based) : 2 sec interval
GETVPN Control Plane Verification
Syslog Messages - KS
Rekey:
GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group G1 from address 101.1.1.1 with seq # 1
COOP:
GDOI-3-COOP_KS_UNREACH: Cooperative KS 10.0.9.1 Unreachable in group G1
GDOI-5-COOP_KS_ELECTION: KS entering election mode in group G1 (Previous Primary = NONE)
GDOI-5-COOP_KS_TRANS_TO_PRI: KS 10.0.8.1 in group G1 transitioned to Primary (Previous Primary = NONE)
GETVPN Control Plane Verification
Syslog Messages - GM
Registration:
CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.11.2 for group G1 using address 10.1.13.2
GDOI-5-GM_REKEY_TRANS_2_UNI: Group G1 transitioned to Unicast Rekey
GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.11.2 complete for group G1 using address 10.1.13.2
Rekey:
GDOI-5-GM_RECV_REKEY: Received Rekey for group G1 from 10.1.11.2 to 10.1.13.2 with seq # 3
Control Plane Debugging Challenges
Challenge: Networks are getting bigger and faster; traditional debugs may not scale
Solution: Use IPSec and GDOI conditional debugs to minimize the debugging impact; use the minimal level of debugs required
Challenge: Problems can be unpredictable, with no identifiable trigger
Solution: Syslogs; GDOI Event Trace
GDOI Debug Level Granularity
KS1#
KS1# show crypto gdoi debug-condition
GDOI Conditional Filters:
Peer Address 10.1.20.2
Unmatched NOT set
Best practices when using the debug commands
GDOI Event Trace
GDOI Event Trace - Example
GM1#show monitor event-trace gdoi ?
  all           Show all the traces in current buffer
  back          Show trace from this far back in the past
  clock         Show trace from a specific clock time/date
  coop          GDOI COOP Event Traces
  from-boot     Show trace from this many seconds after booting
  infra         GDOI INFRA Event Traces
  latest        Show latest trace events since last display
  merged        Show entries in all event traces sorted by time
  registration  GDOI Registration event Traces
  rekey         GDOI Rekey event Traces
Troubleshooting Methodology
Two COOP KSs connected over MPLS/Private IP; note the differing replay configuration.
KS1 (Ser 1/0: 10.1.11.2):
crypto gdoi group G1
 identity number 3333
 server local
  rekey lifetime seconds 86400
  rekey authentication mypubkey rsa get
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   match address ipv4 ENCPOL
   replay counter window-size 64
  address ipv4 10.1.11.2
  redundancy
   local priority 10
   peer address ipv4 10.1.12.2
KS2 (Ser 1/0: 10.1.12.2):
crypto gdoi group G1
 identity number 3333
 server local
  rekey lifetime seconds 86400
  rekey authentication mypubkey rsa get
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   match address ipv4 ENCPOL
   replay time window-size 5
  address ipv4 10.1.12.2
  redundancy
   local priority 2
   peer address ipv4 10.1.11.2
GETVPN Control Plane Setup Steps
GETVPN Common Issues Control Plane
IKE Setup
Encryption Policy
Key RenewalRekey
IKE Setup Between KS and GM
The first step in GM registration is IKE setup
On successful negotiation of the IKE process, the GM proceeds with the GDOI group registration
The IKE SA established at the time of registration eventually times out, as it is no longer needed after registration (callout on the slide: the GDOI_IDLE entries expire after the IKE lifetime)
KS1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst          src          state       conn-id slot status
10.1.11.2    10.1.20.2    GDOI_IDLE   1013    0    ACTIVE
10.1.12.2    10.1.11.2    GDOI_IDLE   1004    0    ACTIVE
10.1.21.2    10.1.11.2    GDOI_REKEY  0       0    ACTIVE
GM1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst          src          state       conn-id slot status
10.1.11.2    10.1.20.2    GDOI_IDLE   1073    0    ACTIVE
10.1.20.2    10.1.11.2    GDOI_REKEY  1074    0    ACTIVE
IKE Setup - IKE Failure
Symptoms
(Figure: KS1, KS2 and the GMs connected over MPLS/Private IP)
Possible causes:
Network issues between the GM and KS
Pre-Shared Key Mismatch - Troubleshooting
Pre-Shared Key Mismatch - Solution
GETVPN Common Issues Control Plane
IKE Setup
Encryption Policy
Key RenewalRekey
GM Policy Download
KEK POLICY:
 Rekey Transport Type : Unicast
 Lifetime (secs)      : 2954
<snip>
TEK POLICY:
 Serial1/0:
  IPSec SA:
   sa direction: inbound
   spi: 0x2113F73B(554956603)
   transform: esp-3des esp-sha-hmac
   sa timing: remaining key lifetime (sec): (99)
   Anti-Replay(Time Based) : 5 sec interval
<snip>
KS Policy Issues
Routing Control Plane Traffic Failure
KS Policy Issues
Control Plane Traffic - Solution
If most of the CEs are running BGP with the PE routers,
(Figure: KS1 and KS2)
GETVPN Common Issues Control Plane
IKE Setup
Encryption Policy
GETVPN Rekeys
PRIMARY KS:
Following the Rekey Flow
KS -> Network (transport) -> GM; at each step ask:
Rekey received by IP?
Rekey processed by GDOI?
Rekey acknowledged?
Missing RSA Key
Symptoms
%GDOI-1-KS_NO_RSA_KEYS: RSA Key - get : Not found, Required for group G1
(Figure: GM1, GM2 waiting on rekeys)
Missing RSA Key on the KS
Troubleshooting Steps
The KS needs RSA keys to sign the rekey messages; check logs for clues and/or verify the RSA keys
Troubleshooting Steps (Cont.)
Solution
Multicast Rekey Issues
Multicast Rekeys Failing - Symptom
Multicast Rekey Failing
Troubleshooting
Check the KS to verify multicast rekey messages are being sent:
%GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for group G1 from address 10.1.11.2 to 226.1.1.1 with seq # 6
(Figure: KS1 and KS2 send rekeys through the multicast network to GM1 10.1.20.2 and GM2 10.1.21.2)
KS1#ping 226.1.1.1
Multicast Rekey Failing
Troubleshooting
Multicast Rekey Failing
Solution
WAN(config)#int s2/0
WAN(config-if)#ip pim sparse-dense-mode
WAN(config-if)#end
Unicast Rekey Failing
Transient Network Issues
Due to transient changes in the network, unicast rekey packets might not make it to the GM(s)
If a GM does not receive the rekey, it will have to re-register
Symptoms:
Unicast Rekey Failing
Troubleshooting and Solution
Verify whether the rekeys are not being sent, not being received or not being processed
KS: show crypto gdoi ks members
GM: show crypto gdoi gm rekey
Syslog is not conclusive; let's see what we can get with some debugs (callout: signature validation failed!)
GM1# debug crypto isakmp
Crypto ISAKMP debugging is on
GM1#
GM1# debug crypto gdoi
GDOI Generic Debug level: (Error, Terse)
*Apr 27 18:18:19.251: ISAKMP (0:1014): received packet from 10.1.12.2 dport 848 sport 848 Global (R) GDOI_REKEY
*Apr 27 18:18:19.251: GDOI:INFRA:(G1:0:1014:HW:0):Received Rekey Message!
*Apr 27 18:18:19.259: GDOI:INFRA:(G1:0:1014:HW:0):Signature Invalid! status = 13
*Apr 27 18:18:19.259: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of GDOI mode failed with peer at 10.1.12.2
*Apr 27 18:18:19.259: ISAKMP: Receive GDOI rekey: Processing Failed. IKMP error = 6
Rekey Fails Signature Validation
Solution
Problem: the secondary KS (KS2) has its own RSA key pair instead of the exported key pair from the primary KS (KS1)
Solution: generate an exportable RSA key pair on the primary KS
GETVPN Common Issues Control Plane
IKE Setup
Encryption Policy
Key RenewalRekey
Control Plane Replay Check Detection
Control plane messages can carry time-sensitive information and therefore require replay protection:
Rekey messages from KS to GM
COOP Announcement messages between KSs
Sequence number check to protect against replayed messages
Pseudotime check to protect against delayed messages, with TBAR enabled
Control plane replay check added in IOS versions 12.4(15)T10, 12.4(22)T3, 12.4(24)T2, 15.0(1)M, and later
Control Plane Replay Check
Code interoperability issue and solution
The KS does not support control plane replay detection and resets the rekey sequence # for the KEK rekey
The GM interprets that as a replayed rekey message
Solution is to upgrade the KS to an IOS version that also supports the control plane replay detection
(Figure: new behavior at the KEK rekey)
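The two control-plane checks described above and the sequence-number reset scenario, as an added example (editor's model, not Cisco code): a GM keeps the last accepted rekey sequence number per (group, KS) and, with TBAR on, compares the message pseudotime against its own within a window. The message layout, the 5 s window and the addresses are assumptions for illustration.

```python
"""Model of the GETVPN control-plane replay check (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RekeyMessage:
    group: str
    ks: str            # KS address the rekey came from
    seq: int           # rekey sequence number chosen by the KS
    pseudotime: float  # sender pseudotime in seconds (meaningful with TBAR only)


@dataclass
class GmReplayState:
    """Replay state a GM keeps for each (group, KS) it is registered to."""
    tbar_window: Optional[float] = None           # None = TBAR off (counter-based SA)
    last_seq: dict = field(default_factory=dict)  # (group, ks) -> last accepted seq

    def on_registration(self, group: str, ks: str) -> None:
        # A fresh registration starts a new rekey sequence, so forget the old one.
        self.last_seq.pop((group, ks), None)

    def check(self, msg: RekeyMessage, local_pseudotime: float) -> tuple:
        """Return (accepted, reason) for one received rekey."""
        key = (msg.group, msg.ks)
        last = self.last_seq.get(key)
        # Sequence-number check: a rekey must carry a higher seq than the last one.
        if last is not None and msg.seq <= last:
            return False, f"REPLAY_FAILED seq={msg.seq} last={last}"
        # Pseudotime check (TBAR): delayed or replayed copies fall outside the window.
        if self.tbar_window is not None:
            drift = abs(msg.pseudotime - local_pseudotime)
            if drift > self.tbar_window:
                return False, f"PSEUDO_TIME_LARGE drift={drift:.1f}s"
        self.last_seq[key] = msg.seq
        return True, "accepted"


def simulate_seq_reset_interop() -> list:
    """Replay the interoperability scenario from the slides: a KS without
    control-plane replay detection restarts the rekey seq at the KEK rekey,
    the upgraded GM rejects it as replayed, and recovers by re-registering.
    Returns the accept/reject decision for each received rekey, in order."""
    gm = GmReplayState(tbar_window=5.0)   # constructed: "replay time window-size 5"
    gm.on_registration("G1", "10.1.11.2")
    results = []
    # Normal TEK rekeys: seq climbing, pseudotime in step with the GM clock
    for seq, t in ((1, 100.0), (2, 1000.0), (3, 1900.0)):
        results.append(gm.check(RekeyMessage("G1", "10.1.11.2", seq, t), t + 0.5)[0])
    # Old KS behaviour: KEK rekey restarts the sequence at 1 -> looks replayed
    results.append(gm.check(RekeyMessage("G1", "10.1.11.2", 1, 2800.0), 2800.5)[0])
    # GM recovers by re-registering, after which seq 1 is acceptable again
    gm.on_registration("G1", "10.1.11.2")
    results.append(gm.check(RekeyMessage("G1", "10.1.11.2", 1, 2810.0), 2810.5)[0])
    # A genuinely delayed copy of an old rekey passes the seq check but fails TBAR
    results.append(gm.check(RekeyMessage("G1", "10.1.11.2", 9, 2000.0), 2900.0)[0])
    return results


if __name__ == "__main__":
    for i, ok in enumerate(simulate_seq_reset_interop(), 1):
        print(f"rekey {i}: {'accepted' if ok else 'dropped'}")
```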
Control Plane Replay Check IOS Upgrade procedure
GETVPN Common Issues Control Plane
IKE Setup
Encryption Policy
Key RenewalRekey
Control Plane Fragmentation Issues
COOP Announcement Packets
%SYS-2-GETBUF: Bad getbuffer, bytes= 18872 -Process= "Crypto IKMP", ipl= 0, pid= 183
Tune buffers to increase huge buffers and add buffers to the permanent list:
buffers huge permanent 10
buffers huge size 65535
Control Plane Fragmentation Issues (cont.)
COOP Announcement Packets
(Figure: an announcement split into IP fragments such as Frag2, Frag3) One dropped fragment -> entire ANN dropped
Troubleshooting GETVPN Data Plane
Generic IPSec Data Plane Troubleshooting
GETVPN Data Plane
IPSec tunnel mode just like classic IPSec, so most IPSec troubleshooting techniques still apply; however:
Symmetrical encryption policy requirement
Unique challenges with Header Preservation: PMTUD
Time Based Anti-Replay
Extra encapsulation overhead: fragmentation boundary condition calculation
Time Based Anti-Replay failure
Data Plane Troubleshooting Tools
Interface counters
Encryption/decryption counters
Netflow
IP Accounting
ACL
DSCP packet coloring
Embedded Packet Capture (EPC)
IPSec Data Plane Packet Flow Checkpoints
Traffic direction: Client -> GM1 (encrypting GM) -> Private WAN -> GM2 (decrypting GM) -> Server
Encrypting GM:
1. Ingress LAN interface: Input ACL; Ingress Netflow; Embedded Packet Capture
2. Crypto engine: show crypto ipsec sa; show crypto session detail
3. Egress WAN interface: Egress Netflow; Embedded Packet Capture; Output IP precedence accounting
Decrypting GM:
4. Ingress WAN interface: Input ACL; Ingress Netflow; Embedded Packet Capture; Input IP precedence accounting
5. Crypto engine: show crypto ipsec sa; show crypto session detail
6. Egress WAN interface: Egress Netflow; Embedded Packet Capture
Importance of a Controlled Test
Encrypting GM Data Plane Flow
Encrypting GM Data Plane Flow Cont.
Decrypting GM Data Plane Flow
Verify encrypted traffic arriving on the GM with Netflow (Pr column is hex: 0x32 = protocol 50 = ESP)
GM2#show ip cache flow
<snip>
SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr  SrcP  DstP  Pkts
Se1/0   192.168.13.2    Et0/0   192.168.14.2    32  EE5B  2BEF  170
GETVPN Common Issues Data Plane
Fragmentation/Path MTU
KS Policy Issues
Data Plane Traffic Failure
(Figure: GM1 with Ethernet 0/0: 192.168.20.0/24 and GM2 with Ethernet 0/0: 192.168.21.0/24, connected over MPLS/Private IP)
KS Access-list:
ip access-list extended ENCPOL
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
GETVPN Common Issues Data Plane
Fragmentation/Path MTU
Fragmentation Issues
PMTU Discovery
Large packets with the DF bit set may get black-holed in the GETVPN network
(Figure: GM1 sends a 1400B packet that becomes 1460B after encapsulation; a link with MTU 1000 on the path to GM2 returns ICMP type 3 code 4)
PMTUD and GETVPN
PMTUD and GETVPN
Solution
Implement ip tcp adjust-mss to reduce the TCP packet segment size
Clear the DF bit in the encapsulating header
(Figure: User Traffic entering the Encrypting GM)
GETVPN Common Issues Data Plane
Fragmentation/Path MTU
IPSec drop due to packet corruption
The IPSec integrity check makes IPSec packets a lot more sensitive to packet corruption in the network
Packet corruption symptoms:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=695 local=192.168.14.2 remote=192.168.13.2 spi=7C4E759F seqno=00000001
Appendix
* GM registration was distributed over two KSs to reduce the registration time
** GM registration was distributed over four KSs to reduce the registration time
GM Performance Attributes
(No Features)
Platform       Mode            PPS     Mbps   Max IMIX latency (ms)   Avg latency at 100 pps (ms)
871            Anti-Replay     3150    28     <10                     1.18
871            No Anti-Replay  3232    28     <5                      1.18
1841-onboard   Anti-Replay     3506    33     <20                     1.07
1841-onboard   No Anti-Replay  3766    35     <35                     1.07
1841-aim/ssl   Anti-Replay     8420    84     <10                     0.68
1841-aim/ssl   No Anti-Replay  8472    84     <20                     0.68
2821-onboard   Anti-Replay     17152   50     <5                      0.47
2821-onboard   No Anti-Replay  17046   50     <1                      0.47
2821-aim/ssl   Anti-Replay     26010   190    <5                      0.34
2821-aim/ssl   No Anti-Replay  25918   190    <5                      0.34
2851-onboard   Anti-Replay     17868   64     <5                      0.33
2851-onboard   No Anti-Replay  19175   65     <10                     0.33
2851-aim/ssl   Anti-Replay     27594   190    <1                      0.25
2851-aim/ssl   No Anti-Replay  27668   190    <1                      0.25
GM Performance Attributes
(No Features)
Platform        Mode            PPS        Mbps   Max IMIX latency (ms)   Avg latency at 100 pps (ms)
3825-onboard    Anti-Replay     35,505     283    <1                      0.64
3825-onboard    No Anti-Replay  35,500     283    <5                      0.64
3825-aim/ssl    Anti-Replay     44,170     199    <1                      0.66
3825-aim/ssl    No Anti-Replay  44,452     199    <5                      0.66
3845-onboard    Anti-Replay     46,028     284    <5                      0.76
3845-onboard    No Anti-Replay  46,028     283    <5                      0.76
3845-aim/ssl    Anti-Replay     54,020     200    <1                      0.81
3845-aim/ssl    No Anti-Replay  53,996     200    <1                      0.81
7200-g1vam2+    Anti-Replay     60,592     266    <5                      0.69
7200-g1vam2+    No Anti-Replay  66,952     266    <5                      0.69
7200-g2vam2+    Anti-Replay     121,952    283    <5                      0.17
7200-g2vam2+    No Anti-Replay  120,890    283    <1                      0.17
7200-g2/vsa     Anti-Replay                                               TBD
7200-g2/vsa     No Anti-Replay  160,000    980    TBD                     TBD
ASR1000/FP5G    Anti-Replay     440,000                                   TBD
ASR1000/FP5G    No Anti-Replay  470,000    1,890  TBD                     TBD
ASR1000/FP10G   Anti-Replay     976,000    4,200                          0.19
ASR1000/FP10G   No Anti-Replay  1,011,000  4,220  <0.270                  0.19
ASR1000/FP20G   Anti-Replay     2,655,000  TBD                            0.001
ASR1000/FP20G   No Anti-Replay  2,685,000  8,530  <0.015                  0.001
GM Performance Attributes
(No Features)
Frame Size                                     ASR 1004 (10Gig)  7200 VSA   3845 AIM-VPN/SSL-3  ISRG2 3945 Onboard Crypto  ISRG2 2951 Onboard Crypto  ISRG2 1941 Onboard Crypto
1400 Byte                                      4759 Mbps         925 Mbps   200 Mbps            820 Mbps                   268 Mbps                   154 Mbps
IMIX (90 Bytes 61%, 594 bytes 24%, 1418 15%)   2289 Mbps         780 Mbps   177 Mbps            261 Mbps                   160 Mbps                   64 Mbps
GETVPN Verification
Common KS Syslog Messages
Syslog Message: Explanation
COOP_CONFIG_MISMATCH: The configuration between the primary key server and secondary key server is mismatched.
COOP_KS_ELECTION: The local key server has entered the election process in a group.
COOP_KS_REACH: The reachability between the configured cooperative key servers is restored.
COOP_KS_TRANS_TO_PRI: The local key server transitioned to a primary role from being a secondary server in a group.
COOP_KS_UNAUTH: An unauthorized remote server tried to contact the local key server in a group. Could be considered a hostile event.
COOP_KS_UNREACH: The reachability between the configured cooperative key servers is lost. Could be considered a hostile event.
KS_GM_REVOKED: During rekey protocol, an unauthorized member tried to join a group. Could be considered a hostile event.
KS_SEND_MCAST_REKEY: Sending multicast rekey.
KS_SEND_UNICAST_REKEY: Sending unicast rekey.
KS_UNAUTHORIZED: During GDOI registration protocol, an unauthorized member tried to join a group. Could be considered a hostile event.
UNAUTHORIZED_IPADDR: The registration request was dropped because the requesting device was not authorized to join the group.
GETVPN Verification
Common GM Syslog Messages
Syslog Message: Explanation
GM_CLEAR_REGISTER: The clear crypto gdoi command has been executed by the local group member.
GM_CM_ATTACH: A crypto map has been attached for the local group member.
GM_CM_DETACH: A crypto map has been detached for the local group member.
GM_RE_REGISTER: IPSec SA created for one group may have expired or been cleared. Need to reregister to the key server.
GM_RECV_REKEY: Rekey received.
GM_REGS_COMPL: Registration complete.
GM_REKEY_TRANS_2_MULTI: Group member has transitioned from using a unicast rekey mechanism to using a multicast mechanism.
GM_REKEY_TRANS_2_UNI: Group member has transitioned from using a multicast rekey mechanism to using a unicast mechanism.
PSEUDO_TIME_LARGE: A group member has received a pseudotime with a value that is largely different from its own pseudotime.
REPLAY_FAILED: A group member or key server has failed an anti-replay check.
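A triage pass over the KS and GM syslog messages from the two tables above, as an added example (editor's code, not Cisco's): it parses IOS-style %FACILITY-SEVERITY-MNEMONIC lines, flags the mnemonics the tables mark as possible hostile events, and attaches the follow-up hints the slides give. The sample log lines are constructed from the message formats shown earlier; their addresses and the KS_UNAUTHORIZED wording are made up.

```python
"""Triage GETVPN syslog lines against the KS/GM message tables (added example)."""
import re
from collections import Counter

# %FACILITY-SEVERITY-MNEMONIC: text   (IOS syslog message format)
LOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GROUP_RE = re.compile(r"\bgroup (\S+)")

# Mnemonics the slide tables say "could be considered a hostile event"
HOSTILE = {"COOP_KS_UNAUTH", "COOP_KS_UNREACH", "KS_GM_REVOKED", "KS_UNAUTHORIZED"}
# Follow-up hints taken from the troubleshooting slides (editor's wording)
FOLLOW_UP = {
    "REPLAY_FAILED": "check control-plane replay support on KS/GM and TBAR pseudotime",
    "PSEUDO_TIME_LARGE": "check KS/GM pseudotime synchronisation",
    "KS_NO_RSA_KEYS": "generate an (exportable) RSA key pair on the primary KS",
    "GM_RE_REGISTER": "rekey was missed; verify rekey delivery end to end",
    "RECVD_PKT_MAC_ERR": "packet corruption in transit; capture at both GMs",
    "COOP_CONFIG_MISMATCH": "compare primary and secondary KS group configuration",
}


def parse_line(line: str):
    """Return a record for one syslog line, or None if it carries no %MNEMONIC."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["addresses"] = IPV4_RE.findall(rec["text"])
    g = GROUP_RE.search(rec["text"])
    rec["group"] = g.group(1) if g else None
    rec["hostile"] = rec["mnemonic"] in HOSTILE
    rec["follow_up"] = FOLLOW_UP.get(rec["mnemonic"])
    return rec


def triage(lines):
    """Summarise a log: counts per mnemonic, hostile-flagged records, the peer
    addresses named in those records, and follow-up actions."""
    records = [r for r in map(parse_line, lines) if r]
    hostile = [r for r in records if r["hostile"]]
    return {
        "counts": Counter(r["mnemonic"] for r in records),
        "hostile": hostile,
        "hostile_peers": sorted({a for r in hostile for a in r["addresses"]}),
        "follow_up": [(r["mnemonic"], r["follow_up"]) for r in records if r["follow_up"]],
    }


# Constructed sample log: formats from the slides, addresses made up
SAMPLE_LOG = [
    "*Apr 27 18:18:19.251: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group G1 from address 10.1.11.2 with seq # 7",
    "*Apr 27 18:20:02.101: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 10.1.12.2 Unreachable in group G1",
    "*Apr 27 18:20:02.110: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group G1 (Previous Primary = 10.1.12.2)",
    "*Apr 27 18:20:32.110: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 10.1.11.2 in group G1 transitioned to Primary (Previous Primary = 10.1.12.2)",
    "*Apr 27 18:21:44.000: %GDOI-1-KS_UNAUTHORIZED: Registration from 10.9.9.9 for group G1 rejected",
    "*Apr 27 18:22:10.500: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=695 local=192.168.14.2 remote=192.168.13.2 spi=7C4E759F seqno=00000001",
    "*Apr 27 18:22:11.000: some unrelated console output",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for mnemonic, n in sorted(report["counts"].items()):
        print(f"{n:3d}  {mnemonic}")
    for r in report["hostile"]:
        print("HOSTILE?", r["mnemonic"], "group", r["group"], r["addresses"])
    for mnemonic, action in report["follow_up"]:
        print("FOLLOW UP:", mnemonic, "->", action)
```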
Packet marking Techniques
ToS/Precedence/DSCP Reference Chart
ToS byte bits: 7 6 5 4 3 2 1 0 (bit 0 is the least significant bit); IP Precedence = bits 7-5, DSCP = bits 7-2
ToS Hex   ToS Decimal   IP Precedence            DSCP       Binary
E0        224           7 Network Control        56 CS7     11100000
C0        192           6 Internetwork Control   48 CS6     11000000
B8        184           5 Critical               46 EF      10111000
A0        160                                    40 CS5     10100000
88        136           4 Flash Override         34 AF41    10001000
80        128                                    32 CS4     10000000
68        104           3 Flash                  26 AF31    01101000
60        96                                     24 CS3     01100000
48        72            2 Immediate              18 AF21    01001000
40        64                                     16 CS2     01000000
20        32            1 Priority               8 CS1      00100000
00        0             0 Routine                0 Dflt     00000000
Packet marking - Examples
PBR
interface Ethernet1/0
ip policy route-map mark
!
access-list 150 permit ip host 172.16.1.2 host 172.16.254.2
!
route-map mark permit 10
match ip address 150
set ip precedence flash-override
Packet marking - Examples
Router Ping (ToS 128 = 0x80 = IP precedence 4, flash-override)
Router#ping ip
Target IP address: 172.16.254.2
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.254.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Packet marking - Monitoring
IP Precedence Accounting
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
ip accounting precedence input
Interface ACL
middle_router#sh access-list 144
Extended IP access list 144
10 permit ip any any precedence routine
20 permit ip any any precedence priority
30 permit ip any any precedence immediate
40 permit ip any any precedence flash
50 permit ip any any precedence flash-override (100 matches)
60 permit ip any any precedence critical
70 permit ip any any precedence internet (1 match)
80 permit ip any any precedence network
Using Packet Captures for Data Plane Issues
Packet captures can provide detailed packet information at the bits/bytes level
The new packet capture infrastructure introduced in 12.4(20)T makes this easy
to do
Ability to capture IPv4 and IPv6 packets in the CEF path
Configurable capture buffer and capture point parameters
Extensible output filtering and export capabilities
Support for various WAN encapsulation types
Using IOS Embedded Packet Captures
Key Configuration Steps
Create the capture buffer and capture point
Associate the capture point to the buffer
Start/stop the capture
Using IOS Embedded Packet Captures
Now that we have the packets captured, what's next?
Dump the packets on the router itself:
Router# show monitor capture buffer test-buffer dump
15:34:07.228 EST Mar 26 2009 : IPv4 LES CEF : Se2/0 None
Use EEM and EPC to catch Packet Corruption
(Figure: capture running between Peer1 and Peer2)
event manager applet detect_bad_packet
 event syslog pattern "RECVD_PKT_MAC_ERR"
 action 1.0 cli command "enable"
 action 2.0 cli command "monitor capture point stop test"
 action 3.0 syslog msg "Packet corruption detected and capture stopped!"
 action 4.0 snmp-trap intdata1 123456 strdata ""