GET VPN Resiliency
The GET VPN Resiliency feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur.
Restrictions for GET VPN Resiliency
- All key servers (KSs) and group members (GMs) must be upgraded for Long SA Lifetime.
Information About GET VPN Resiliency
Long SA Lifetime
The long security association (SA) lifetime functionality extends the maximum lifetime of the key encryption key (KEK) and traffic encryption key (TEK) from 24 hours to 30 days. This functionality also lets you configure key servers (KSs) to continue to send periodic reminder rekeys to group members (GMs) that do not respond with an acknowledgment in the last scheduled rekey.
By using a long SA lifetime in combination with periodic reminder rekeys, a KS can effectively synchronize GMs if they miss a scheduled rekey before the keys roll over.
Note: For a lifetime longer than 24 hours, the encryption algorithm must be Advanced Encryption Standard-cipher block chaining (AES-CBC) or Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) with an AES key of 128 bits or stronger.
You can use the long SA lifetime functionality together with the GET VPN Suite B feature, which allows AES-GCM and Galois Message Authentication Code with AES (GMAC-AES) as the traffic encryption key (TEK) policy transforms for the group.
Migrating to Long SA Lifetime
When migrating to the long SA lifetime functionality (a lifetime of one day or longer), the following rules apply:
- When a long SA lifetime is configured on a crypto IPsec profile, GET VPN displays a warning not to use that IPsec profile for a non-Group Domain of Interpretation (GDOI) group.
- If group members are registered to a key server with a short SA lifetime and the key server changes the policy to a long SA lifetime, GET VPN checks the software version of all the GMs when the crypto gdoi ks rekey command is entered to initiate the policy change. If any GM registered with the KS does not support long SA lifetime, a message discourages the policy change until all GMs are upgraded.
- When long SA lifetime is enabled on a KS, the KS rejects registrations from GMs running older Cisco IOS releases that do not support the feature.
Clock Skew Mitigation
With longer security association (SA) lifetimes, a group member (GM) may go a long time without receiving updates from a key server, so its view of the key encryption key (KEK) lifetime, traffic encryption key (TEK) lifetime, and Time-Based Anti-Replay (TBAR) pseudotime can drift from the key server's (clock skew). The refresh rekey and the rollover to a new outbound IPsec SA help GMs mitigate this clock skew.
Refresh Rekey
If the traffic encryption key (TEK) lifetime is set for a duration greater than two days and Time-Based Anti-Replay (TBAR) is disabled, a key server sends a refresh rekey every 24 hours that updates the key encryption key (KEK) lifetime, TEK lifetime, and TBAR pseudotime on all group members (GMs). In simple terms, a refresh rekey is a retransmission of the current KEK policy, TEK policy, and TBAR pseudotime (if TBAR is enabled) to all GMs, regardless of whether a unicast acknowledgment (ACK) was received for the last rekey. If TBAR is enabled, the key server already sends a rekey every two hours to synchronize the pseudotime, so no additional refresh rekey is required.
Rollover to New Outbound IPsec SA
When a long SA lifetime (more than one day) is configured, a GM rolls over to the new outbound traffic encryption key (TEK) when the remaining lifetime of the old TEK reaches 1% of the old TEK's configured lifetime (with a lower limit of 30 seconds), rather than when 30 seconds of the old TEK's lifetime remain, as with a short SA lifetime. This tolerates a larger clock skew between group members (GMs) before traffic is discarded from a GM that rolls over to the new TEK late (after its peer GM has already deleted the old TEK). It therefore protects a GM that has been "offline" (disconnected from the KS) for a long time and has missed the refresh rekeys that would otherwise have corrected its clock skew.
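The following is an added example, not code from the Cisco documentation or from IOS XE. It models the refresh-rekey and TEK rollover timing rules stated above so that you can see, for a given TEK lifetime, how far apart two GM clocks may drift and how many refresh rekeys a disconnected GM misses. The thresholds (24-hour and 2-hour refresh intervals, the two-day and one-day cutoffs, the 1% rollover point with its 30-second floor) are the ones the text gives; the reading of the rollover point as a skew tolerance in tolerated_skew() is a simplification and is labelled as an assumption in the code.

```python
# Added example; this is not code from the Cisco documentation or from IOS XE.
# It models the refresh-rekey and TEK rollover timing rules described in the
# "Refresh Rekey" and "Rollover to New Outbound IPsec SA" sections.

DAY = 86_400
HOUR = 3_600


def refresh_rekey_interval(tek_lifetime_s: int, tbar_enabled: bool):
    """Seconds between refresh rekeys from the KS, or None if it sends none.

    TBAR enabled: the policy and pseudotime are resent every two hours.
    TBAR disabled: a refresh rekey goes out every 24 hours, but only when the
    configured TEK lifetime is longer than two days.
    """
    if tbar_enabled:
        return 2 * HOUR
    if tek_lifetime_s > 2 * DAY:
        return DAY
    return None


def rollover_threshold(tek_lifetime_s: int) -> int:
    """Remaining TEK lifetime, in seconds, at which a GM starts sending on the new TEK.

    Short SA lifetime (one day or less): fixed 30 seconds before expiry.
    Long SA lifetime (more than one day): 1% of the configured lifetime,
    never less than 30 seconds. Integer division keeps the result exact.
    """
    if tek_lifetime_s > DAY:
        return max(tek_lifetime_s // 100, 30)
    return 30


def tolerated_skew(tek_lifetime_s: int) -> int:
    """Approximate clock skew two GMs can have before traffic is dropped.

    Assumption (simplified model, not stated numerically in the document): a GM
    deletes the old TEK when its own clock reaches the TEK expiry, having rolled
    over rollover_threshold() seconds earlier. A peer whose clock lags by more
    than that threshold is still encrypting with the old TEK after the early GM
    has deleted it, so the threshold is the skew the pair can tolerate.
    """
    return rollover_threshold(tek_lifetime_s)


def missed_refresh_rekeys(tek_lifetime_s: int, tbar_enabled: bool, outage_s: int) -> int:
    """Number of refresh rekeys a GM misses while disconnected for outage_s seconds."""
    interval = refresh_rekey_interval(tek_lifetime_s, tbar_enabled)
    return 0 if interval is None else outage_s // interval


if __name__ == "__main__":
    for days in (1, 2, 15, 30):
        life = days * DAY
        print(f"TEK lifetime {days:2d}d: rollover at {rollover_threshold(life):6d}s remaining, "
              f"refresh every {refresh_rekey_interval(life, False)}s without TBAR, "
              f"skew tolerance ~{tolerated_skew(life)}s")
```

Running the module prints one line per lifetime; the jump from 30 seconds at one day to 12960 seconds (3.6 hours) at 15 days is the margin that the long SA lifetime feature buys a GM that rolls over late.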
Periodic Reminder Sync-Up Rekey
The periodic reminder sync-up rekey functionality lets the key server (KS) send periodic reminder rekeys to group members (GMs) that did not respond with an acknowledgment (ACK) to the last scheduled rekey. Combined with the long SA lifetime functionality, this lets a KS resynchronize GMs that missed a scheduled rekey before the keys roll over. In the KS group configuration, the periodic keyword is added to the rekey retransmit command when configuring the rekey retransmission.
Each periodic reminder rekey increments the rekey sequence number, as rekey retransmissions do. A GM is removed from the KS database after three scheduled rekeys (retransmissions do not count) that the GM does not acknowledge.
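The following is an added example, not code from the Cisco documentation or from IOS XE. It is a minimal model of the key server's acknowledgment accounting under the periodic reminder rule just described: every rekey, retransmission and reminder bumps the sequence number, reminders go only to GMs that have not acknowledged, and a GM is dropped after three scheduled rekeys in a row without an ACK. The class and method names are this example's own, and the choice to treat a periodic reminder exactly like a retransmission (neither counts toward removal) is an assumption.

```python
# Added example; not code from the Cisco documentation or from IOS XE.
# A minimal model of the KS acknowledgment accounting for scheduled rekeys,
# retransmissions and periodic reminder rekeys.


class KeyServerRekeyTracker:
    """Tracks, per GM, how many consecutive scheduled rekeys went unacknowledged.

    Rules modelled:
      * every scheduled rekey, retransmission and periodic reminder bumps the
        rekey sequence number;
      * reminders and retransmissions go only to GMs that have not ACKed the
        current scheduled rekey;
      * a GM is removed after MAX_UNACKED_SCHEDULED scheduled rekeys in a row
        without an ACK; retransmissions do not count toward that, and this model
        assumes periodic reminders do not count either.
    """

    MAX_UNACKED_SCHEDULED = 3

    def __init__(self, members):
        self.seq = 0                                  # current rekey sequence number
        self.unacked = {gm: 0 for gm in members}      # consecutive missed scheduled rekeys
        self.pending = set()                          # GMs that have not ACKed this cycle

    def end_cycle(self):
        """Close the current scheduled-rekey cycle: count misses, prune dead GMs."""
        removed = []
        for gm in sorted(self.pending):
            self.unacked[gm] += 1
            if self.unacked[gm] >= self.MAX_UNACKED_SCHEDULED:
                del self.unacked[gm]
                removed.append(gm)
        self.pending = set()
        return removed

    def scheduled_rekey(self):
        """Send a scheduled rekey to every registered GM; returns the new sequence number."""
        self.end_cycle()
        self.seq += 1
        self.pending = set(self.unacked)
        return self.seq

    def periodic_reminder(self):
        """Resend the current rekey to GMs still pending; returns their IDs."""
        self.seq += 1
        return sorted(self.pending)

    retransmit = periodic_reminder   # same on-the-wire effect in this model (assumption)

    def ack(self, gm):
        """Record a unicast ACK; the GM's miss counter restarts from zero."""
        if gm in self.pending:
            self.pending.discard(gm)
            self.unacked[gm] = 0

    def members(self):
        return sorted(self.unacked)


def simulate_silent_member(silent="10.0.1.2", healthy="10.0.3.1"):
    """Scenario with constructed GM IDs: one GM never ACKs.

    Returns (sequence number after three cycles, remaining GMs, removed GMs).
    """
    ks = KeyServerRekeyTracker([silent, healthy])
    for _ in range(3):
        ks.scheduled_rekey()
        ks.ack(healthy)
        ks.periodic_reminder()           # only the silent GM receives it
    removed = ks.end_cycle()             # third unacknowledged scheduled rekey: silent GM dropped
    return ks.seq, ks.members(), removed


if __name__ == "__main__":
    print(simulate_silent_member())      # (6, ['10.0.3.1'], ['10.0.1.2'])
```

The point the model makes visible is that a GM which finally answers a reminder is fully resynchronized (its miss counter resets), while the sequence number keeps climbing with every reminder; a GM that has been offline long enough to miss three scheduled rekeys must re-register rather than wait for another reminder.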
Pre-Positioned Rekey
When a long SA lifetime (more than one day) is configured, the pre-positioned rekey functionality lets the key server (KS) send a rekey earlier than the halfway point of the SA lifetime; with a short SA lifetime the normal rekey timing is used. When group members (GMs) receive this early rekey, they keep using the old TEK for outbound traffic until the rollover point, and only then switch to the new TEK. Together with the Long SA Lifetime feature, pre-positioned rekeys improve key rollover stability because the KS has enough time before rollover to recover from rekey errors by using periodic reminder rekeys and sync-up rekeys.
How to Configure GET VPN Resiliency
Ensuring That GMs Are Running Software Versions That Support Long SA Lifetime
You should use the Long SA Lifetime feature only after all devices in the GET VPN network are upgraded to GET VPN software versions that support this feature.
Perform this task on the key server (or primary key server) to ensure that all devices in the network support long SA lifetime.
SUMMARY STEPS
- enable
- show crypto gdoi feature long-sa-lifetime
- show crypto gdoi feature long-sa-lifetime | include No
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: show crypto gdoi feature long-sa-lifetime Example: Device# show crypto gdoi feature long-sa-lifetime | Lists, for each group, every KS and GM with its GET VPN software version and whether it supports long SA lifetime. Entered on a GM, the command reports only that GM.
Step 3: show crypto gdoi feature long-sa-lifetime \| include No Example: Device# show crypto gdoi feature long-sa-lifetime \| include No | Shows only the devices that do not support long SA lifetime. Upgrade every device listed here before enabling the feature.
Configuring Long SA Lifetime for TEK
To configure long SA lifetime for traffic encryption key (TEK), perform the following steps.
SUMMARY STEPS
- enable
- configure terminal
- crypto ipsec profile name
- set security-association lifetime days days
- end
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal Example: Device# configure terminal | Enters global configuration mode.
Step 3: crypto ipsec profile name Example: Device(config)# crypto ipsec profile gdoi-p | Enters IPsec profile configuration mode for the profile that the GDOI group uses for its TEK policy.
Step 4: set security-association lifetime days days Example: Device(ipsec-profile)# set security-association lifetime days 15 | Sets the TEK lifetime in days (up to 30). A lifetime of more than one day selects the long SA lifetime behavior, and GET VPN warns that the profile must not be used by a non-GDOI group.
Step 5: end Example: Device(ipsec-profile)# end | Exits IPsec profile configuration mode and returns to privileged EXEC mode.
Configuring Long SA Lifetime for KEK
To configure long SA lifetime for the key encryption key (KEK), perform the following steps.
SUMMARY STEPS
- enable
- configure terminal
- crypto gdoi group group-name
- identity number number
- server local
- rekey lifetime days days
- end
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal Example: Device# configure terminal | Enters global configuration mode.
Step 3: crypto gdoi group group-name Example: Device(config)# crypto gdoi group GET | Creates the GDOI group (or selects an existing one) and enters GDOI group configuration mode.
Step 4: identity number number Example: Device(config-gdoi-group)# identity number 3333 | Sets the identity number of the group. The same number must be configured on the KSs and GMs of the group.
Step 5: server local Example: Device(config-gdoi-group)# server local | Configures this device as a key server for the group and enters GDOI local server configuration mode.
Step 6: rekey lifetime days days Example: Device(gdoi-local-server)# rekey lifetime days 20 | Sets the KEK lifetime in days (up to 30).
Step 7: end Example: Device(gdoi-local-server)# end | Exits GDOI local server configuration mode and returns to privileged EXEC mode.
Configuring the Periodic Reminder Sync-Up Rekey
To configure the periodic reminder sync-up rekey, perform the following steps.
SUMMARY STEPS
- enable
- configure terminal
- crypto gdoi group group-name
- identity number number
- server local
- rekey retransmit number-of-seconds periodic
- end
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal Example: Device# configure terminal | Enters global configuration mode.
Step 3: crypto gdoi group group-name Example: Device(config)# crypto gdoi group group1 | Creates the GDOI group (or selects an existing one) and enters GDOI group configuration mode.
Step 4: identity number number Example: Device(config-gdoi-group)# identity number 3333 | Sets the identity number of the group. The same number must be configured on the KSs and GMs of the group.
Step 5: server local Example: Device(config-gdoi-group)# server local | Configures this device as a key server for the group and enters GDOI local server configuration mode.
Step 6: rekey retransmit number-of-seconds periodic Example: Device(gdoi-local-server)# rekey retransmit 10 periodic | Sets the interval, in seconds, between rekey retransmissions. The periodic keyword makes the KS keep sending reminder rekeys at that interval to GMs that did not acknowledge the last scheduled rekey.
Step 7: end Example: Device(gdoi-local-server)# end | Exits GDOI local server configuration mode and returns to privileged EXEC mode.
Verifying and Troubleshooting GET VPN Resiliency
Verifying and Troubleshooting GET VPN Resiliency on a Key Server
To view the configuration that is running on a key server (KS), use the show running-config command and the following commands.
SUMMARY STEPS
- enable
- show crypto gdoi
- show crypto gdoi ks rekey
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: show crypto gdoi Example: Device# show crypto gdoi | Displays the GDOI groups on the device with their KEK and TEK policies and the remaining lifetimes.
Step 3: show crypto gdoi ks rekey Example: Device# show crypto gdoi ks rekey | Displays the rekey information for each group this KS serves, including the rekey lifetime and the retransmission settings.
Verifying and Troubleshooting GET VPN Resiliency on a Group Member
To view the configuration that is running on a group member (GM), use the show running-config command and the following commands.
SUMMARY STEPS
- enable
- show crypto gdoi
- show crypto gdoi gm rekey
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted.
Step 2: show crypto gdoi Example: Device# show crypto gdoi | Displays the group the GM is registered to, the KS it registered with, and the KEK and TEK policies it received with their remaining lifetimes.
Step 3: show crypto gdoi gm rekey Example: Device# show crypto gdoi gm rekey | Displays the rekey counters on the GM, such as the rekeys received and the ACKs sent. The show crypto gdoi ks commands apply only to a key server and are not available on a GM.
Configuration Examples for GET VPN Resiliency
Example: Ensuring That GMs Are Running Software Versions That Support Long SA Lifetime
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support long SA lifetimes:
Device# show crypto gdoi feature long-sa-lifetime
Group Name: GETVPN
Key Server ID Version Feature Supported
10.0.5.2 1.0.4 Yes
10.0.6.2 1.0.4 Yes
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
Group Member ID Version Feature Supported
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
10.0.3.1 1.0.4 Yes
10.0.3.2 1.0.4 Yes
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support long SA lifetimes:
Device# show crypto gdoi feature long-sa-lifetime | include No
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
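The following is an added example, not code from the Cisco documentation or from IOS XE. It parses the output of show crypto gdoi feature long-sa-lifetime (the sample above, reproduced verbatim as the embedded input) and turns the "| include No" check into a pre-flight gate for the migration rules described earlier: the long SA policy change is allowed only when every KS and GM in the group reports Yes. Collecting the output from the KS (for example over SSH) is left to the caller; the record type, the regular expressions and the function names are this example's own.

```python
# Added example; not code from the Cisco documentation or from IOS XE. Parses
# "show crypto gdoi feature long-sa-lifetime" output taken from a KS and decides
# whether the long SA lifetime policy change is safe to initiate.
import re
from typing import List, NamedTuple


class GdoiDevice(NamedTuple):
    group: str
    role: str        # "KS" or "GM"
    ip: str
    version: str     # GET VPN software version reported by the device
    supported: bool


# Sample data: the KS output shown in the example above, reproduced verbatim.
SAMPLE_OUTPUT = """\
Group Name: GETVPN
Key Server ID Version Feature Supported
10.0.5.2 1.0.4 Yes
10.0.6.2 1.0.4 Yes
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
Group Member ID Version Feature Supported
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
10.0.3.1 1.0.4 Yes
10.0.3.2 1.0.4 Yes
"""

_ROLE_HEADER = re.compile(r"^(Key Server|Group Member) ID\s+Version\s+Feature Supported$")
_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(Yes|No)$")


def parse_feature_output(text: str) -> List[GdoiDevice]:
    """Parse one or more "Group Name:" sections into GdoiDevice records."""
    devices: List[GdoiDevice] = []
    group = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Group Name:"):
            group = line.split(":", 1)[1].strip()
            role = None                       # a new group resets the role context
            continue
        header = _ROLE_HEADER.match(line)
        if header:
            role = "KS" if header.group(1) == "Key Server" else "GM"
            continue
        row = _ROW.match(line)
        if row and group and role:
            devices.append(GdoiDevice(group, role, row.group(1), row.group(2),
                                      row.group(3) == "Yes"))
    return devices


def unsupported(devices: List[GdoiDevice]) -> List[GdoiDevice]:
    """Equivalent of "| include No": the devices that must be upgraded first."""
    return [d for d in devices if not d.supported]


def long_sa_migration_allowed(devices: List[GdoiDevice], group: str) -> bool:
    """Gate for the policy change: every KS and GM in the group must support the feature.

    An unknown or empty group is treated as not safe, so a parsing failure
    cannot silently approve the migration.
    """
    in_group = [d for d in devices if d.group == group]
    return bool(in_group) and all(d.supported for d in in_group)


def migration_report(text: str, group: str) -> str:
    """One-line verdict for operators, listing the blockers if there are any."""
    devices = [d for d in parse_feature_output(text) if d.group == group]
    if long_sa_migration_allowed(devices, group):
        return f"{group}: all {len(devices)} devices support long SA lifetime; safe to migrate"
    blockers = ", ".join(f"{d.role} {d.ip} ({d.version})" for d in unsupported(devices))
    return f"{group}: do NOT migrate; upgrade first: {blockers}"


if __name__ == "__main__":
    print(migration_report(SAMPLE_OUTPUT, "GETVPN"))
```

For the sample output the verdict names the two key servers and two group members still on 1.0.2 or 1.0.3, which is the same list the "| include No" filter produces; the gate also covers the case the documentation warns about, a KS that still accepts the policy change while a GM it has not heard from is running an older release.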
Example: Configuring Long SA Lifetime
Example: Configuring Long SA Lifetime for TEK
The following example shows how to configure the long SA lifetime for traffic encryption key (TEK):
Device> enable
Device# configure terminal
Device(config)# crypto ipsec profile gdoi-p
Device(ipsec-profile)# set security-association lifetime days 15
Device(ipsec-profile)# end
Example: Configuring Long SA Lifetime for KEK
The following example shows how to configure the long SA lifetime for key encryption key (KEK):
Device> enable
Device# configure terminal
Device(config)# crypto gdoi group GET
Device(config-gdoi-group)# identity number 3333
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# rekey lifetime days 20
Device(gdoi-local-server)# end
Example: Configuring the Periodic Reminder Sync-Up Rekey
The following example shows how to configure the periodic reminder sync-up rekey:
Device> enable
Device# configure terminal
Device(config)# crypto gdoi group group1
Device(config-gdoi-group)# identity number 3333
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# rekey retransmit 10 periodic
Device(gdoi-local-server)# end
Additional References for GET VPN Resiliency
Related Documents
Related Topic | Document Title
---|---
Cisco IOS security commands | 
Basic deployment guidelines for enabling GET VPN in an enterprise network | Cisco IOS GET VPN Solutions Deployment Guide
Designing and implementing a GET VPN network | Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide
Standards and RFCs
Standard/RFC | Title
---|---
RFC 2401 | Security Architecture for the Internet Protocol
RFC 6407 | The Group Domain of Interpretation
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
Feature Information for GET VPN Resiliency
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
GET VPN Resiliency |  | The following commands were introduced or modified: rekey lifetime, rekey retransmit, set security-association lifetime, show crypto gdoi.