Kindly send me the contents of the following:

Today's Topics:
   1. GET VPN (Stuart Hare)
   2. Re: GET VPN (Tyson Scott)
   3. Re: GET VPN (Tyson Scott)

Winnie Kithinji
Security Engineer

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Friday, April 10, 2009 1:44 AM
To: [email protected]
Subject: CCIE_Security Digest, Vol 34, Issue 5

Send CCIE_Security mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        http://onlinestudylist.com/mailman/listinfo/ccie_security
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CCIE_Security digest..."

Today's Topics:
   1. GET VPN (Stuart Hare)
   2. Re: GET VPN (Tyson Scott)
   3. Re: GET VPN (Tyson Scott)

----------------------------------------------------------------------

Message: 1
Date: Thu, 9 Apr 2009 19:58:43 +0100
From: Stuart Hare <[email protected]>
Subject: [OSL | CCIE_Security] GET VPN
To: OSL Security <[email protected]>, Cisco certification <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

After doing some extensive reading on GET VPN this week and labbing it up today, I have a few questions I cannot find answers to in the documentation.

First off, does anyone know where you can find some documentation around the expected output from the show & debug commands on both the key server and group members? The only output I have found is for 'sh crypto gdoi' but nothing else, and to be honest that command alone is not much help :)

In terms of the key server / group member relationship, I'm aware that the Key Server's role is to provide registration to the group for new group members using GDOI, and also provide the necessary policies (ipsec, gm acl etc.) and keys to each group member, to enable secure communication.

What I am unable to confirm from the docs is whether these are the only Key Server roles, or whether it can actually participate in the VPN or not. From the drawings and example videos I have seen I expected that the Key Server was also a group member as such, and it too could communicate securely with the GMs. When I have labbed this up today using the configurations from the security configuration guide, it seems that it cannot?

I successfully have ipsec between the GMs, but when I try to access the networks behind the Key Server device, traffic is dropped (encrypt counter increments on the SA but no return traffic). And when I check the Key Server I have no ipsec SAs at all, even though the isakmp SAs are GDOI_IDLE.

My issue is I'm not sure, although I have implemented as per the guide, whether I actually have a working configuration?

Also, is it common practice in GET VPN not to encrypt the MPLS/Frame Relay subnets, to preserve the reachability across the cloud?

Cheers
Stu

--
Stuart Hare
[email protected]

------------------------------

Message: 2
Date: Thu, 9 Apr 2009 17:39:47 -0400
From: "Tyson Scott" <[email protected]>
Subject: Re: [OSL | CCIE_Security] GET VPN
To: "'Stuart Hare'" <[email protected]>
Cc: 'Cisco certification' <[email protected]>, [email protected]
Message-ID: <004501c9b95b$b5fb7d50$21f277...@com>
Content-Type: text/plain; charset="us-ascii"

Stuart,

You only encrypt traffic behind the Group Members. You would not encrypt the Private WAN traffic, whatever medium that may be, as that would not work.

Did you apply a crypto map to the interface on the Key Server? Based on the configuration guides you don't apply a crypto map, so it would not participate in the encryption. But I have not tested trying to make the Key Server a group member, so I am not sure if you can do it, as I have not yet tested it, but I know that is not the intended design based on the configuration guides and the SRND guide.

Our Bootcamp Lab 2 has a good example of GET VPN in it; I may be able to get you a copy of this material. Since I have been working on Identity Management stuff for the last two weeks I don't remember everything I had put in that lab, so I would need to look at GET VPN again if I haven't answered all your questions.

Some commands that you can use from the key server:

    show crypto gdoi ks members
    show crypto gdoi gm [options]
    etc.

All the information you will need will be under show crypto gdoi [options].

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

------------------------------

Message: 3
Date: Thu, 9 Apr 2009 17:50:22 -0400
From: "Tyson Scott" <[email protected]>
Subject: Re: [OSL | CCIE_Security] GET VPN
To: "'Stuart Hare'" <[email protected]>, "'OSL Security'" <[email protected]>, "'Cisco certification'" <[email protected]>
Message-ID: <004f01c9b95d$303e5be0$90bb13...@com>
Content-Type: text/plain; charset="us-ascii"

Be aware that GET VPN is made to run on a private network that requires encryption over the private leased lines, i.e. government entities, financial entities, etc. It really doesn't have a strong use in a public setting as it does not do source protection (meaning the originator of the packet is not hidden by the VPN gateway). The IP header remains intact; only the payload is encrypted. So you would be unable to use this on the Internet unless all your internal address space was also public address space, or if you have a NAT gateway prior to the GET VPN group member.

The documentation talks about using GET VPN for DMVPN but I don't really see a benefit there either. GET VPN is mostly a good benefit to organizations that need to maintain data security within their private network.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

------------------------------

End of CCIE_Security Digest, Vol 34, Issue 5
********************************************
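The behaviour Tyson describes in messages 2 and 3 (the key server pushes policy and keys but holds no IPsec SA itself, the WAN transport subnets are excluded from the policy, and the IP header is preserved so the original addresses stay visible on the wire) can be replayed in a small Python model. This is an added example, not code from the thread or from Cisco; the device names, the 10.0.0.0/8 and 192.168.0.0/16 addressing, the ACL tuple format and the HMAC-SHA256 counter-mode cipher standing in for ESP are all assumptions made for the example, and GDOI registration is reduced to a single call with the IKE authentication left out.

```python
# Constructed model of the GET VPN group-SA behaviour discussed in the thread.
# Names, addresses, ACL format and the toy cipher are assumptions for this
# example, not Cisco's implementation.
import hashlib
import hmac
import os
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str                 # header preservation: src/dst stay readable after encryption
    dst: str
    payload: bytes = b""
    esp: tuple = None        # (nonce, ciphertext, tag) once a GM has encrypted the payload


def _keystream(tek, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for ESP's AES, not a real ESP transform."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(tek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def group_encrypt(tek, payload):
    """Encrypt the payload under the group TEK; returns (nonce, ciphertext, tag)."""
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(payload, _keystream(tek, nonce, len(payload))))
    tag = hmac.new(tek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def group_decrypt(tek, esp):
    """Return the payload, or None if the tag does not verify under this TEK."""
    nonce, ciphertext, tag = esp
    expected = hmac.new(tek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(tek, nonce, len(ciphertext))))


class KeyServer:
    """Registers GMs and pushes the policy ACL plus the group TEK. Holds no IPsec SA itself."""

    def __init__(self, acl):
        self.acl = acl                     # [(action, src_net, dst_net)], first match wins
        self.tek = os.urandom(32)
        self.members = []

    def register(self, gm_name):           # GDOI registration; IKE authentication elided
        self.members.append(gm_name)
        return list(self.acl), self.tek


class GroupMember:
    """Encrypts egress traffic matching the pushed ACL and decrypts ingress ESP. An instance
    that never registers models any device without the group SA (the key server's own LAN,
    a transit router, an Internet host)."""

    def __init__(self, name):
        self.name, self.acl, self.tek = name, [], None
        self.counters = {"encrypt": 0, "decrypt": 0, "clear": 0, "drop": 0}

    def register(self, ks):
        self.acl, self.tek = ks.register(self.name)

    def _interesting(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for action, src_net, dst_net in self.acl:
            if src in ip_network(src_net) and dst in ip_network(dst_net):
                return action == "permit"
        return False                       # implicit deny: forward in the clear

    def egress(self, pkt):
        if self._interesting(pkt):
            pkt.esp, pkt.payload = group_encrypt(self.tek, pkt.payload), b""
            self.counters["encrypt"] += 1
        else:
            self.counters["clear"] += 1
        return pkt

    def ingress(self, pkt):
        if pkt.esp is None:
            self.counters["clear"] += 1
            return pkt.payload
        plaintext = group_decrypt(self.tek, pkt.esp) if self.tek else None
        if plaintext is None:
            self.counters["drop"] += 1     # no SA for this group: the packet is black-holed
            return None
        self.counters["decrypt"] += 1
        return plaintext


def run_lab():
    """Replay the situations from the thread on constructed addressing."""
    wan = "192.168.0.0/16"                 # MPLS / Frame Relay transport cloud (constructed)
    acl = [("deny", "0.0.0.0/0", wan), ("deny", wan, "0.0.0.0/0"),
           ("permit", "10.0.0.0/8", "10.0.0.0/8")]
    ks = KeyServer(acl)
    gm1, gm2, ks_lan = GroupMember("GM1"), GroupMember("GM2"), GroupMember("KS-LAN")
    gm1.register(ks)
    gm2.register(ks)                       # ks_lan never registers: no TEK, no IPsec SA
    results = {}
    # 1. Branch to branch: one group SA shared by every GM, no pairwise IKE between them.
    p = gm1.egress(Packet("10.1.0.5", "10.2.0.7", b"branch to branch"))
    results["gm_to_gm"] = gm2.ingress(p)
    results["header_on_the_wire"] = (p.src, p.dst)   # private addresses still visible
    # 2. Branch to the network behind the KS: policy matches, GM1 encrypts, nobody can decrypt.
    p = gm1.egress(Packet("10.1.0.5", "10.9.0.1", b"branch to KS site"))
    results["to_ks_site"] = ks_lan.ingress(p)
    # 3. Registration / transport traffic on WAN addresses is denied, so it stays in the clear.
    p = gm1.egress(Packet("192.168.1.1", "192.168.9.1", b"GDOI registration"))
    results["transport"] = ks_lan.ingress(p)
    # 4. Exclude the KS site from the policy and re-register: the traffic flows unencrypted.
    ks.acl.insert(0, ("deny", "10.0.0.0/8", "10.9.0.0/16"))
    gm1.register(ks)
    p = gm1.egress(Packet("10.1.0.5", "10.9.0.1", b"branch to KS site"))
    results["to_ks_site_excluded"] = ks_lan.ingress(p)
    return results, gm1.counters, gm2.counters, ks_lan.counters


if __name__ == "__main__":
    for name, value in run_lab()[0].items():
        print(f"{name:22} {value!r}")
```

Scenario 2 reproduces the symptom Stuart reports: GM1's encrypt counter increments, but the site behind the key server holds no SA, so the packet is dropped and no return traffic appears. Scenario 4 shows the consequence of Tyson's answer that the key server does not participate in encryption: its networks must not fall under a permit entry in the pushed policy, or every GM encrypts toward them into a black hole. The `header_on_the_wire` result is the header preservation Tyson raises in message 3: the private source and destination addresses are still what a transit network routes on, which is why GET VPN is confined to a private cloud unless a NAT gateway sits before the group member.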
