Implementing a multi-homed and load-balanced VPN network with LISP and GET-VPN - GNS3 lab

This lab proposes a design for a scalable, multi-homed VPN network built over the Internet. A typical application is an organization with several distant sites that must be connected in a way that provides fail-over, load balancing, encryption and, not least, low cost. The building blocks are LISP (Locator/Identifier Separation Protocol) for multi-homing and site-to-site reachability, GET-VPN for encrypting the traffic that crosses the Internet between the sites, and GLBP with IP SLA for load balancing and fail-over inside the LANs. One big advantage is that no BGP is needed to achieve multi-homing in this scenario: the sites need nothing more than static default routes towards their providers.



First off, let's take a look at the two technologies that are probably the least familiar.

LISP (Locator/Identifier Separation Protocol) is a relatively new technology consisting of both a mapping system and an encapsulation protocol. The idea behind LISP is to separate the location and the identity of a host, which the traditional Internet architecture combines in a single IP address, into two address spaces: identifiers (EIDs) and locators (RLOCs). LISP was proposed as one way to slow the growth of the global BGP routing table, because only locator space has to be routed in the core.

An analogy can be made with MPLS L3 VPNs: the core forwards on an outer header and never needs to know the inner addressing. LISP has many advantages and applications, including active/active multi-homed sites without BGP, address family traversal (e.g. IPv6 over IPv4 or IPv4 over IPv6), mobility, network virtualization and encrypted VPNs using GET-VPN, which is what we'll cover in this post.

LISP routers have different roles (one router can combine several), including those used in this lab:
 - ITR (Ingress Tunnel Router) - CE device; receives packets from site-facing interfaces and encapsulates those destined to remote LISP sites
 - ETR (Egress Tunnel Router) - CE device; receives packets from core-facing interfaces and decapsulates them. Usually ITR and ETR are the same device, which is then called an xTR
 - MS/MR (Map Server, Map Resolver) - infrastructure devices that form the mapping system. The MS accepts Map-Register messages from ETRs (authenticated with a shared key) and records which RLOCs serve which EID prefixes; the MR accepts Map-Request messages from ITRs and forwards them towards the ETR that registered the prefix, which answers with a Map-Reply
 - PxTR (Proxy ETR/ITR) - infrastructure device that connects LISP sites with the "outer world", i.e. non-LISP sites. It advertises LISP EID space to non-LISP routers and encapsulates/decapsulates packets on their behalf

There are two kinds of addresses, one used on the core-facing side and one on the CE side:
 - RLOC (Routing Locator) - IP address of an ETR, routable in the core; it is what appears in the outer IP header exchanged between LISP routers, so it is all the transit network ever sees
 - EID (Endpoint ID) - IP address inside the LISP site, used in the source and destination fields of the innermost IP header; EID space does not need to be routable in the core
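To make the two address types concrete, here is an added Python example (written for this edit, not code from the original post or from Cisco) that builds a LISP data packet the way an ITR would and unwraps it the way an ETR would, following the header layout of RFC 6830: an outer IPv4 header addressed RLOC to RLOC, UDP to destination port 4341, an 8-byte LISP header, and then the untouched EID-addressed packet. The RLOCs are the lab's 11.0.0.2 (Site1) and 1.0.0.2 (HQa); the two hosts 10.0.1.10 and 10.0.10.10 and the ICMP payload are assumptions for the sample, not taken from the post.

```python
import socket
import struct

LISP_DATA_PORT = 4341       # UDP destination port of LISP data packets (RFC 6830)
LISP_OVERHEAD = 20 + 8 + 8  # outer IPv4 + UDP + LISP header added by the ITR, in bytes


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def lisp_encap(inner: bytes, src_rloc: str, dst_rloc: str,
               nonce: int = 0x123456, locator_status_bits: int = 0b11,
               src_port: int = 0xC000) -> bytes:
    """ITR side: wrap an EID-addressed IPv4 packet in outer IPv4/UDP/LISP headers.

    Flags byte: N (0x80) = nonce present, L (0x40) = locator-status-bits present.
    The LSBs advertise which of the *source* site's locators are up; 0b11 means
    both of Site1's RLOCs (11.0.0.2 and 22.0.0.2) are usable.
    """
    lisp_hdr = struct.pack("!B3s4s", 0xC0, nonce.to_bytes(3, "big"),
                           locator_status_bits.to_bytes(4, "big"))
    udp_len = 8 + len(lisp_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)  # UDP checksum 0 = absent
    return ipv4_header(src_rloc, dst_rloc, 17, udp_len) + udp_hdr + lisp_hdr + inner


def lisp_decap(pkt: bytes) -> dict:
    """ETR side: check the outer headers, strip them, return RLOCs, LISP fields, EIDs and inner packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("outer header is not IPv4/UDP")
    ihl = (pkt[0] & 0x0F) * 4
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dst_port != LISP_DATA_PORT:
        raise ValueError("UDP destination port %d is not LISP data" % dst_port)
    lisp = pkt[ihl + 8:ihl + 16]
    inner = pkt[ihl + 16:ihl + udp_len]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    flags = lisp[0]
    return {
        "src_rloc": socket.inet_ntoa(pkt[12:16]),
        "dst_rloc": socket.inet_ntoa(pkt[16:20]),
        "nonce": int.from_bytes(lisp[1:4], "big") if flags & 0x80 else None,
        "locator_status_bits": int.from_bytes(lisp[4:8], "big") if flags & 0x40 else None,
        "src_eid": socket.inet_ntoa(inner[12:16]),
        "dst_eid": socket.inet_ntoa(inner[16:20]),
        "inner": inner,
    }


def is_lisp_data(pkt: bytes) -> bool:
    """True if pkt parses as a LISP data packet carrying an IPv4 EID packet."""
    try:
        lisp_decap(pkt)
        return True
    except ValueError:
        return False


def max_inner_mtu(core_mtu: int) -> int:
    """Largest EID packet that fits one core-MTU frame after LISP encapsulation (before any ESP)."""
    return core_mtu - LISP_OVERHEAD


# Constructed sample: ICMP echo request from a Site1 host to an HQ host (hosts assumed, not in the post).
INNER = ipv4_header("10.0.1.10", "10.0.10.10", 1, 8) + b"\x08\x00\xf7\xff\x00\x00\x00\x00"
ENCAPSULATED = lisp_encap(INNER, "11.0.0.2", "1.0.0.2")   # Site1's first RLOC -> HQa's RLOC
DECAPSULATED = lisp_decap(ENCAPSULATED)

if __name__ == "__main__":
    print("core sees :", DECAPSULATED["src_rloc"], "->", DECAPSULATED["dst_rloc"], "UDP/4341")
    print("site sees :", DECAPSULATED["src_eid"], "->", DECAPSULATED["dst_eid"])
    print("overhead  :", len(ENCAPSULATED) - len(INNER), "bytes; max inner MTU at 1500:", max_inner_mtu(1500))
```

The 36 bytes the ITR adds are the reason the LISP0 interfaces in this lab carry a lowered ip mtu; when GET-VPN then encrypts the LISP packet, ESP adds its own overhead on top of that, so the inner MTU has to leave room for both.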

Cisco IOS (15.x) routers that support LISP include the 1941, 29xx, 7200 and even newer routers in the 800 series. In this lab I used 7200 routers with IOS 15.2(4), because this is the only router that has LISP support and runs on GNS3.

GET-VPN (Group Encrypted Transport VPN) is a tunnel-less VPN technology that secures network traffic while keeping any-to-any connectivity between sites. It uses GDOI (Group Domain of Interpretation, RFC 6407) for group key distribution and IPsec ESP for encryption; all group members share the same traffic encryption key (TEK), which is what makes the full mesh possible without pairwise tunnels.

The major advantages of GET-VPN are that it is highly scalable and eliminates the full mesh of point-to-point tunnels, that it is multicast-friendly, that it keeps latency low because sites talk to each other directly, and that it preserves the original source and destination IP addresses in the outer IP header instead of replacing them with tunnel endpoint addresses. That last property cuts both ways: the preserved addresses must be routable in the transport network and are visible to it, which is why GET-VPN is normally deployed over a private WAN. In this lab the packets handed to GET-VPN are already LISP-encapsulated, so the preserved headers carry only the RLOCs (public WAN addresses) and the EID addressing stays inside the encrypted payload.

Router roles:
 - KS (Key Server) - maintains the security policy (which traffic to encrypt and with which transform), authenticates Group Members at registration and distributes the group keys (KEK for rekeys, TEK for traffic); two Key Servers can run cooperatively for redundancy
 - GM (Group Member) - the router that registers with the KS, downloads the policy and keys, and does the actual encryption of the traffic within the group

GET-VPN is supported on a large number of routers, including the 1800 and 1900 series and higher, and also on some 800 series routers.

GET-VPN is usually deployed across an MPLS VPN; here it runs on top of LISP.

The lab consists of an HQ site with two load-balanced xTR routers (HQa and HQb), each with a single connection to the RLOC core network, and two branch sites whose xTR routers (Site1 and Site2) have dual RLOC connections. All xTR routers are also GET-VPN Group Members (GMs). In the HQ site, two more routers (HQy and HQz) act as LISP MS/MR and as GET-VPN KS.
HQa and HQb run GLBP on the LAN side to load-balance the clients' outbound traffic and to provide fail-over.

The core network models an Internet Service Provider: there is no dynamic routing between the sites and the provider. Routers SP1 and SP2 play this role. Each site receives one subnet per uplink and uses only static default routes.

PC 1, 2, 3 and 4 are actually 3640 routers with a PC icon, configured with just an interface IP address and a default route. Of course you can use something else, for example VPCS machines.

Site 1 uses router Site1 as its gateway. LISP is configured as an xTR, mapping the 10.0.1.0/24 EID subnet to two RLOC addresses, 11.0.0.2 and 22.0.0.2. Load balancing is achieved with the weight parameter, which gives each RLOC 50% of the traffic. Note that priority and weight are registered with the Map Server and returned to remote ITRs in Map-Replies, so they control how the other sites send traffic towards this site; the remote ITR does the per-flow balancing. The Map Server and Map Resolver are 1.0.0.3 and 2.0.0.3.

LISP caches the EID-to-locator mapping in the map-cache. If a locator goes down, an ITR that keeps using the cached entry will black-hole traffic until the entry expires. To keep reachability information consistent, the loc-reach-algorithm rloc-probing command is used: the ITR periodically sends Map-Request probes directly to each locator in its map-cache and marks locators that stop answering as unreachable, so traffic is steered to the remaining locators until the failed one answers again.

router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.1.0/24 11.0.0.2 priority 1 weight 50
 database-mapping 10.0.1.0/24 22.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr

GET-VPN is configured to use the Key Servers 1.0.0.3 and 2.0.0.3. The ISAKMP policy (AES-256, pre-shared key, DH group 16) only protects the registration with the KS; the data traffic is protected with the group TEK that the KS hands out. The crypto map is applied on interface LISP0, so everything LISP encapsulates is encrypted.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface Loopback0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4

GET-VPN needs an interface whose address is used to register with the KS (the client registration interface), and the KS in turn needs a route back to that address, because it sends unicast rekeys to it. Site1 and Site2 have two WAN connections and only one registration interface can be specified, so a loopback is used. But there is no routing between the sites and HQ, only Internet connections with default routes, so the loopbacks are not reachable from the Key Servers. The solution chosen is to build GRE tunnels from the Key Servers to the site routers and point static routes for the loopbacks at the tunnel subnets. Keepalives are configured on the tunnels so that a tunnel interface goes down when its far end is unreachable; that removes the connected tunnel subnet and with it the static route through it, which is what makes the fail-over work. Maybe there's a more "elegant" solution to this problem; if you have one, drop a comment ;-)

Here is the correspondence between the tunnel ends (site router on the left, Key Server on the right), followed by the tunnel config from Site1:

Site1  lo0 192.168.1.9/32                               HQy
  Tunnel0 192.168.1.1/30   src f0/0 (11.0.0.2)  <-->   Tunnel0 192.168.1.2/30   src f0/0 (1.0.0.3)
  Tunnel1 192.168.1.5/30   src f0/1 (22.0.0.2)  <-->   Tunnel1 192.168.1.6/30   src f0/0 (1.0.0.3)
Site2  lo0 192.168.2.9/32                               HQy
  Tunnel0 192.168.2.1/30   src f0/0 (12.0.0.2)  <-->   Tunnel2 192.168.2.2/30   src f0/0 (1.0.0.3)
  Tunnel1 192.168.2.5/30   src f0/1 (21.0.0.2)  <-->   Tunnel3 192.168.2.6/30   src f0/0 (1.0.0.3)
Site1  lo0 192.168.1.9/32                               HQz
  Tunnel2 192.168.11.1/30  src f0/0 (11.0.0.2)  <-->   Tunnel0 192.168.11.2/30  src f0/0 (2.0.0.3)
  Tunnel3 192.168.11.5/30  src f0/1 (22.0.0.2)  <-->   Tunnel1 192.168.11.6/30  src f0/0 (2.0.0.3)
Site2  lo0 192.168.2.9/32                               HQz
  Tunnel2 192.168.12.1/30  src f0/0 (12.0.0.2)  <-->   Tunnel2 192.168.12.2/30  src f0/0 (2.0.0.3)
  Tunnel3 192.168.12.5/30  src f0/1 (21.0.0.2)  <-->   Tunnel3 192.168.12.6/30  src f0/0 (2.0.0.3)

interface Loopback0
 ip address 192.168.1.9 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 1.0.0.3
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 1.0.0.3
!
interface Tunnel2
 ip address 192.168.11.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 2.0.0.3
!
interface Tunnel3
 ip address 192.168.11.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 2.0.0.3

Site2 has a similar configuration to Site1; I won't go into it, you can find the full configs at the bottom of the post.

The headquarters site connects to SP1 through HQa and to SP2 through HQb. Redundant Key Servers and MS/MR are also provided.

HQa is xTR and GM. The LISP configuration is similar to Site1's and also has two database-mapping entries, but here the two locators are the WAN addresses of HQa (1.0.0.2) and HQb (2.0.0.2). HQb registers exactly the same two mappings, so whichever router registers, the Map Server sees the same locator-set for 10.0.10.0/24 and remote sites can reach HQ through either router.

router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.10.0/24 1.0.0.2 priority 1 weight 50
 database-mapping 10.0.10.0/24 2.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr

GET-VPN is configured the same way, with the difference that FastEthernet0/0 is the registration interface, as the router has a single WAN connection.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface FastEthernet0/0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4
!

On the LAN side, GLBP provides load balancing and fail-over; the timers are tightened (hello 1 s, hold 3 s) for a quicker reaction. IP SLA with ICMP probes to the provider's address (1.0.0.1 on HQa, 2.0.0.1 on HQb) tracks the WAN connection, and the GLBP weighting turns the probe result into a forwarder hand-over: each router starts at weight 254; when the tracked probe fails the weight is decremented by 250 to 4, below the lower threshold of 10, so the router gives up its active virtual forwarder role and the other router takes over its virtual MAC. When the probe recovers the weight returns to 254, over the upper threshold of 250, and the router resumes forwarding after the preempt delay. HQb additionally runs with glbp 1 priority 200 so that it is the preferred active virtual gateway.

interface FastEthernet1/0
 ip address 10.0.10.1 255.255.255.0
 duplex full
 glbp 1 ip 10.0.10.254
 glbp 1 timers 1 3
 glbp 1 preempt
 glbp 1 weighting 254 lower 10 upper 250
 glbp 1 load-balancing weighted
 glbp 1 weighting track 10 decrement 250
 glbp 1 forwarder preempt delay minimum 3
!
ip sla 10
 icmp-echo 1.0.0.1
 threshold 800
 timeout 1000
 frequency 2
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10

HQy is a Key Server and MS/MR; HQz has the same configuration. For LISP, each site has to be declared with its EID prefix and the authentication key that the site's ETR uses in its Map-Register (the key cisco in ipv4 etr map-server ... key cisco). The Map Server only accepts a registration for a prefix from an ETR that proves knowledge of that key, which is what stops an arbitrary host from registering itself as the locator for somebody else's EID space:

router lisp
 site hq
  authentication-key cisco
  eid-prefix 10.0.10.0/24
  exit
 !
 site site1
  authentication-key cisco
  eid-prefix 10.0.1.0/24
  exit
 !
 site site2
  authentication-key cisco
  eid-prefix 10.0.2.0/24
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit

The GET-VPN configuration is a bit more complex here, as this is the Key Server. The local server is configured and the redundant KS is declared as a cooperative peer. You need to generate the RSA key pair used to sign rekey messages: crypto key generate rsa modulus 2048 label GETKEY. With cooperative Key Servers both KSs must hold the same RSA key pair, so generate it on one KS with the exportable keyword and import it on the other; otherwise GMs that registered with one KS will reject rekeys signed by the other. Two lab shortcuts to be aware of: crypto isakmp key FOO address 0.0.0.0 is a wildcard pre-shared key, meaning anything that knows FOO can register as a group member and receive the group keys (in production use per-peer keys or certificates, because GM authentication is the whole security boundary of a group), and the policy ACL permit ip any any is pushed to every GM. The latter is fine here because the crypto map sits on LISP0, so only LISP-encapsulated traffic is matched; if the crypto map were on the WAN interface, the ACL would need explicit deny entries for GDOI (UDP 848), IKE (UDP 500) and management traffic ahead of the permit.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP
 identity number 10001
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GETKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN
   replay time window-size 5
  address ipv4 1.0.0.3
  redundancy
   local priority 100
   peer address ipv4 2.0.0.3
!
ip access-list extended GETVPN
 permit ip any any

Remember the tunnels configured on Site1 and Site2? Here are their other ends on HQy, together with the static routes to the site loopbacks. Each loopback has two routes of equal cost, one per tunnel; a route disappears when its tunnel interface goes down:

interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 11.0.0.2
!
interface Tunnel1
 ip address 192.168.1.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 22.0.0.2
!
interface Tunnel2
 ip address 192.168.2.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 12.0.0.2
!
interface Tunnel3
 ip address 192.168.2.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 21.0.0.2
!
ip route 192.168.1.9 255.255.255.255 192.168.1.1
ip route 192.168.1.9 255.255.255.255 192.168.1.5
ip route 192.168.2.9 255.255.255.255 192.168.2.1
ip route 192.168.2.9 255.255.255.255 192.168.2.5

Useful troubleshooting commands:
  • show ip lisp map-cache - shows the EID-to-RLOC mappings the ITR has learned, including the up/down state of each locator from RLOC probing
  • show ip lisp database - shows the local EID prefixes and locators this xTR registers
  • clear ip lisp map-cache - clears the learned mappings
  • show crypto gdoi - shows GDOI information, group membership and registration status
  • show crypto gdoi ks members - on the Key Server, lists the registered GMs
  • show crypto gdoi ks coop - on the Key Server, shows the cooperative KS state (primary/secondary)
  • clear crypto gdoi - clears the GET-VPN registration and triggers a new one
  • show glbp brief / show track - on HQa and HQb, show which router is AVG/AVF and the state of the tracked IP SLA probe

Here are the full configs of the routers used in this lab, except the "PC" routers:

Site1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface Loopback0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface Loopback0
 ip address 192.168.1.9 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 1.0.0.3
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 1.0.0.3
!
interface Tunnel2
 ip address 192.168.11.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 2.0.0.3
!
interface Tunnel3
 ip address 192.168.11.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 2.0.0.3
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4
!
interface FastEthernet0/0
 ip address 11.0.0.2 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet0/1
 ip address 22.0.0.2 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet1/0
 ip address 10.0.1.1 255.255.255.0
 duplex full
!
router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.1.0/24 11.0.0.2 priority 1 weight 50
 database-mapping 10.0.1.0/24 22.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 11.0.0.1
ip route 0.0.0.0 0.0.0.0 22.0.0.1
ip route 1.0.0.0 255.255.255.0 11.0.0.1
ip route 2.0.0.0 255.255.255.0 22.0.0.1

Site2:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface Loopback0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface Loopback0
 ip address 192.168.2.9 255.255.255.255
!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 1.0.0.3
!
interface Tunnel1
 ip address 192.168.2.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 1.0.0.3
!
interface Tunnel2
 ip address 192.168.12.1 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 2.0.0.3
!
interface Tunnel3
 ip address 192.168.12.5 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/1
 tunnel destination 2.0.0.3
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4
!
interface FastEthernet0/0
 ip address 12.0.0.2 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet0/1
 ip address 21.0.0.2 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet1/0
 ip address 10.0.2.1 255.255.255.0
 duplex full
!
router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.2.0/24 12.0.0.2 priority 1 weight 50
 database-mapping 10.0.2.0/24 21.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 21.0.0.1
ip route 0.0.0.0 0.0.0.0 12.0.0.1
ip route 1.0.0.0 255.255.255.0 12.0.0.1
ip route 2.0.0.0 255.255.255.0 21.0.0.1

HQa:

track 10 ip sla 10
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface FastEthernet0/0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4
!
interface FastEthernet0/0
 ip address 1.0.0.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 10.0.10.1 255.255.255.0
 duplex full
 glbp 1 ip 10.0.10.254
 glbp 1 timers 1 3
 glbp 1 preempt
 glbp 1 weighting 254 lower 10 upper 250
 glbp 1 load-balancing weighted
 glbp 1 weighting track 10 decrement 250
 glbp 1 forwarder preempt delay minimum 3
!
router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.10.0/24 1.0.0.2 priority 1 weight 50
 database-mapping 10.0.10.0/24 2.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
!
ip sla 10
 icmp-echo 1.0.0.1
 threshold 800
 timeout 1000
 frequency 2
ip sla schedule 10 life forever start-time now

HQb:

track 10 ip sla 10
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 1.0.0.3      
crypto isakmp key FOO address 2.0.0.3      
!
crypto gdoi group V4GROUP
 identity number 10001
 server address ipv4 1.0.0.3
 server address ipv4 2.0.0.3
 client registration interface FastEthernet0/0
!
crypto map MAP-V4 10 gdoi
 set group V4GROUP
!
interface LISP0
 ip mtu 1456
 crypto map MAP-V4
!
interface FastEthernet0/0
 ip address 2.0.0.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 10.0.10.2 255.255.255.0
 duplex full
 glbp 1 ip 10.0.10.254
 glbp 1 timers 1 3
 glbp 1 priority 200
 glbp 1 preempt
 glbp 1 weighting 254 lower 10 upper 250
 glbp 1 load-balancing weighted
 glbp 1 weighting track 10 decrement 250
 glbp 1 forwarder preempt delay minimum 3
!
router lisp
 loc-reach-algorithm rloc-probing
 database-mapping 10.0.10.0/24 1.0.0.2 priority 1 weight 50
 database-mapping 10.0.10.0/24 2.0.0.2 priority 1 weight 50
 ipv4 itr map-resolver 1.0.0.3
 ipv4 itr map-resolver 2.0.0.3
 ipv4 itr
 ipv4 etr map-server 1.0.0.3 key cisco
 ipv4 etr map-server 2.0.0.3 key cisco
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 2.0.0.1
!
ip sla 10
 icmp-echo 2.0.0.1
 threshold 800
 timeout 1000
 frequency 2
ip sla schedule 10 life forever start-time now

HQy:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0      
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP
 identity number 10001
 server local
  rekey authentication mypubkey rsa GETKEY
  rekey retransmit 60 number 2
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN
   replay time window-size 5
  address ipv4 1.0.0.3
  redundancy
   local priority 100
   peer address ipv4 2.0.0.3
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 11.0.0.2
!
interface Tunnel1
 ip address 192.168.1.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 22.0.0.2
!
interface Tunnel2
 ip address 192.168.2.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 12.0.0.2
!
interface Tunnel3
 ip address 192.168.2.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 21.0.0.2
!
interface FastEthernet0/0
 ip address 1.0.0.3 255.255.255.0
 duplex full
!
router lisp
 site hq
  authentication-key cisco
  eid-prefix 10.0.10.0/24
  exit
 !
 site site1
  authentication-key cisco
  eid-prefix 10.0.1.0/24
  exit
 !
 site site2
  authentication-key cisco
  eid-prefix 10.0.2.0/24
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route 192.168.1.9 255.255.255.255 192.168.1.1
ip route 192.168.1.9 255.255.255.255 192.168.1.5
ip route 192.168.2.9 255.255.255.255 192.168.2.1
ip route 192.168.2.9 255.255.255.255 192.168.2.5
!
ip access-list extended GETVPN
 permit ip any any

HQz:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0      
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP
 identity number 10001
 server local
  rekey authentication mypubkey rsa GETKEY
  rekey retransmit 60 number 2
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN
   replay time window-size 5
  address ipv4 2.0.0.3
  redundancy
   local priority 100
   peer address ipv4 1.0.0.3
!
interface Tunnel0
 ip address 192.168.11.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 11.0.0.2
!
interface Tunnel1
 ip address 192.168.11.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 22.0.0.2
!
interface Tunnel2
 ip address 192.168.12.2 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 12.0.0.2
!
interface Tunnel3
 ip address 192.168.12.6 255.255.255.252
 keepalive 2 2
 tunnel source FastEthernet0/0
 tunnel destination 21.0.0.2
!
interface FastEthernet0/0
 ip address 2.0.0.3 255.255.255.0
 duplex full
!
router lisp
 site hq
  authentication-key cisco
  eid-prefix 10.0.10.0/24
  exit
 !
 site site1
  authentication-key cisco
  eid-prefix 10.0.1.0/24
  exit
 !
 site site2
  authentication-key cisco
  eid-prefix 10.0.2.0/24
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit
!
ip route 0.0.0.0 0.0.0.0 2.0.0.1
ip route 192.168.1.9 255.255.255.255 192.168.11.1
ip route 192.168.1.9 255.255.255.255 192.168.11.5
ip route 192.168.2.9 255.255.255.255 192.168.12.1
ip route 192.168.2.9 255.255.255.255 192.168.12.5
!
ip access-list extended GETVPN
 permit ip any any

SP1:

interface FastEthernet0/0
 ip address 11.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 1.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 12.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet3/0
 ip address 3.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

SP2:

interface FastEthernet0/0
 ip address 22.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 2.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 21.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet3/0
 ip address 3.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

Cisco ASA: clearing specific IPsec SA tunnel

Sometimes, when troubleshooting IPsec VPNs on a Cisco ASA, it is necessary to clear the current VPN. This can be done with clear crypto ipsec sa, which resets all active IPsec SA entries. That is pretty brutal in a production environment, as all traffic passing through all the tunnels is suspended until the SAs are re-established.

It is possible though to clear only a specific tunnel.

You can identify the SA with the following command (the local ident/remote ident combination should match the traffic you want to reset, and current_peer is the remote VPN endpoint):

ciscoasa# show crypto ipsec sa
interface: outside    
Crypto map tag: outside_map, seq num: 1, local addr: 10.99.0.1
...      
local ident (addr/mask/prot/port): (10.100.8.0/255.255.255.0/0/0)      
remote ident (addr/mask/prot/port): (10.200.8.0/255.255.0.0/0/0)      
current_peer: 172.16.10.1
...      
current outbound spi: 65D05DD4      
current inbound spi : 3B6C2C49
inbound esp sas:      spi: 0x3B6C2C49 (996944969)
...    
outbound esp sas:      spi: 0x65D05DD4 (1708154324)
...

Note the SPI of the inbound ESP SA (in our case 3B6C2C49) and the peer address. To clear just that SA, issue the command:

ciscoasa# clear crypto ipsec sa entry 172.16.10.1 esp 3B6C2C49
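As an added example (not from the original post), here is a small Python helper that does the identification step above mechanically: it parses show crypto ipsec sa output into one record per SA, picks the SA whose local/remote idents match the traffic you mean, and returns the exact clear command with that SA's peer and inbound SPI. The sample output embedded in it is constructed: the first SA is the one shown above, the second (peer 172.16.20.1, selectors 10.100.9.0/24 and 10.201.0.0/16, SPIs 7E8F9A0B and 0A1B2C3D) is made up so that the selector actually has to choose between two tunnels.

```python
import re
from typing import Dict, List, Optional


def parse_ipsec_sas(show_output: str) -> List[Dict[str, str]]:
    """Split 'show crypto ipsec sa' output into one record per SA.

    Each record carries the traffic selectors (local/remote ident), the peer and
    the current inbound/outbound SPIs, which is everything the clear command needs.
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            if current:
                records.append(current)
            current = {}
            m = re.match(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", line)
            if m:
                current.update(crypto_map=m.group(1), seq=m.group(2), local_addr=m.group(3))
        elif current is None:
            continue  # header lines before the first SA block
        elif line.startswith("local ident"):
            current["local_ident"] = re.search(r":\s*\(([^)]*)\)", line).group(1)
        elif line.startswith("remote ident"):
            current["remote_ident"] = re.search(r":\s*\(([^)]*)\)", line).group(1)
        elif line.startswith("current_peer:"):
            current["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("current outbound spi"):
            current["outbound_spi"] = line.split(":", 1)[1].strip()
        elif line.startswith("current inbound spi"):
            current["inbound_spi"] = line.split(":", 1)[1].strip()
    if current:
        records.append(current)
    return records


def clear_command(show_output: str, local_selector: str, remote_selector: str) -> Optional[str]:
    """Return the ASA command that clears only the SA whose idents start with the given selectors.

    Selectors are 'addr/mask' so that '10.100.8.0/255.255.255.0' cannot accidentally
    match '10.100.80.0/...'. Returns None when zero or more than one SA matches:
    clearing the wrong tunnel is exactly what this is meant to avoid.
    """
    matches = [r for r in parse_ipsec_sas(show_output)
               if r.get("local_ident", "").startswith(local_selector + "/")
               and r.get("remote_ident", "").startswith(remote_selector + "/")]
    if len(matches) != 1:
        return None
    sa = matches[0]
    return f"clear crypto ipsec sa entry {sa['peer']} esp {sa['inbound_spi']}"


# Constructed sample: the SA from the post plus a second, made-up tunnel to 172.16.20.1.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.99.0.1

      local ident (addr/mask/prot/port): (10.100.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.8.0/255.255.0.0/0/0)
      current_peer: 172.16.10.1

      current outbound spi: 65D05DD4
      current inbound spi : 3B6C2C49

    inbound esp sas:
      spi: 0x3B6C2C49 (996944969)
    outbound esp sas:
      spi: 0x65D05DD4 (1708154324)

    Crypto map tag: outside_map, seq num: 2, local addr: 10.99.0.1

      local ident (addr/mask/prot/port): (10.100.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.201.0.0/255.255.0.0/0/0)
      current_peer: 172.16.20.1

      current outbound spi: 7E8F9A0B
      current inbound spi : 0A1B2C3D

    inbound esp sas:
      spi: 0x0A1B2C3D (169552957)
    outbound esp sas:
      spi: 0x7E8F9A0B (2123340299)
"""

if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_OUTPUT):
        print(sa["local_ident"], "<->", sa["remote_ident"], "peer", sa["peer"], "in-SPI", sa["inbound_spi"])
    print(clear_command(SAMPLE_OUTPUT, "10.100.8.0/255.255.255.0", "10.200.8.0/255.255.0.0"))
```

Paste the real show output in place of SAMPLE_OUTPUT (or read it from a file) and copy the returned command to the ASA; if the helper returns None, the selectors did not identify exactly one SA and nothing should be cleared yet.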
