SlideShare a Scribd company logo

LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN

J
JobSnijders

Job Snijders discusses the advantages of using Locator/Identifier Separation Protocol (LISP) for building large virtual private networks (VPNs), detailing its implementation and benefits over traditional methods like DMVPN. The document outlines the challenges faced, current configurations, and integration of various components, including map servers and key servers for secure tunnel management. Snijders concludes with the positive performance experience from pilot deployments and plans for broader implementation.

Technology
1 of 32
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Applied LISP LISP is good for you! Job Snijders job@instituut.net Protégé of InTouch N.V., The Netherlands
Who am I? Job Snijders • One of the chosen few: I got native v6 at home • Love bleeding edge stuff • Co-author LISP LCAF draft
What’s InTouch NV? • 16 years old (73 in internet years) • Managed Service provider • Nice & decent network through West-Europe • Sells technology independent products which we call “services” • Example: Large private networks for multinationals in multi-tenant way
What is LISP? • http://en.wikipedia.org/wiki/Locator/Identifie r_Separation_Protocol • Abstraction layer • Location independent prefixes • IPv4 over IPv4, IPv6 over IPv4, IPv4 over IPv6, IPv6 over IPv6
Problem statement Dear Santa, I’d like a manageable way of building large virtual private networks over the internet. your friend, Job
Our typical “Satellite” office • 2 (cheap) internet connections from 2 ISP’s • 1 (cheap) router • 1 RFC1918 prefix behind it • 5 to 10 people behind it that need access to corporate IT: Active Directory, Exchange, etc
Our typical “Satellite” office
Current approach Remember: We don’t own the last mile. We have to deliver over the top. • Build 2 GRE or DMVPN tunnels • Use plain IPSEC or GETVPN • OSPF for tunnel/link failover
DMVPN is horrible:
LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN
Quick overview • Replace DMVPN + OSPF with LISP • GETVPN stays because we need security • Components: – Map-Server (NX-OS) – Key-Server (IOS) – Proxy Router (IOS because we do GETVPN) – xTR (IOS)
Helicopter overview
Proxy Router (PxTR) bridge between LISP world and VRF • Public IP address (reachable for all xTR’s) • Talk BGP with VRF intouch-office • GRE Tunnel to MapServer for LISP+ALT – Talk BGP with MapServer • GRE Tunnel to Keyserver – because PxTR and xTR functionality don’t mix (this is an implementation limitation, not protocol)
PxTR Picture interface LISP0 ip policy route-map nexthop crypto map GETVPN_MAP end route-map nexthop permit 10 match ip address 10 set ip next-hop 172.16.0.1
PxTR Config ip lisp path-mtu-discovery min 1280 max 1500 ip lisp alt-vrf lisp ip lisp proxy-etr ip lisp proxy-itr 212.2.2.2 interface FastEthernet0/1.300 encapsulation dot1Q 300 ip address 172.16.0.20 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360 address-family ipv4 vrf lisp no synchronization redistribute connected redistribute static neighbor 10.0.1.1 remote-as 65100 neighbor 10.0.1.1 update-source Tunnel321 neighbor 10.0.1.1 activate neighbor 10.0.1.1 next-hop-self neighbor 10.0.1.1 soft-reconfiguration inbound exit-address-family
Pxtr# show ip route vrf lisp Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.0.1.0/30 is directly connected, Tunnel321 L 10.0.1.2/32 is directly connected, Tunnel321 172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks B 172.16.31.1/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.3/32 [20/0] via 10.0.1.1, 1d06h B 172.16.31.4/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.5/32 [20/0] via 10.0.1.1, 5d20h B 172.16.31.6/32 [20/0] via 10.0.1.1, 1d05h B 172.16.42.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.43.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.45.0/24 [20/0] via 10.0.1.1, 5d20h B 172.16.46.0/24 [20/0] via 10.0.1.1, 1d04h
MapServer • Similar to DNS Server • Public reachable IP address • Not a part of the GETVPN cloud • xTR’s register themselves at the MapServer • PxTR talks with MapServer to know who is where (over that GRE tunnel)
MapServer picture (think DNS!)
MapServer Config lisp site jobsnijders-thuis eid-prefix 172.16.31.3/32 eid-prefix 172.16.42.0/24 authentication-key 3 28923r98234ed6cace39629cdd637 description Job Snijders home lisp site kevin-home-xtr eid-prefix 172.16.31.6/32 eid-prefix 172.16.46.0/24 authentication-key 3 3fac3b00cfbfd17b3e9ec69b8c43efd description Kevin home lisp site keyserver eid-prefix 172.16.31.1/32 authentication-key 3 023489234eabce94ed6cace3dd637 description keyserver
KeyServer • Reachable for every xTR over the LISP cloud • Has 1 /32 EID • Tunnel to PxTR so PxTR can join in the GDOI without being an xTR
KeyServer Picture
KeyServer Config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp database-mapping 172.16.31.1/32 IPv4- interface FastEthernet0/0.95 priority 0 weight 100 ip lisp itr map-resolver 212.2.2.2 ip lisp itr ip lisp etr map-server 212.2.2.2 key k3ys3rv3r ip lisp etr accept-map-request-mapping ip lisp etr
KeyServer config #2 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 ! crypto isakmp policy 50 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth crypto isakmp keepalive 10 periodic ! ! crypto ipsec transform-set GETVPN_TS esp-3des esp-sha-hmac ! crypto ipsec profile GETVPN_PROFILE set transform-set GETVPN_TS ! crypto gdoi group GETVPN_GROUP identity number 666 server local rekey retransmit 10 number 2 rekey authentication mypubkey rsa public-intouch-office-ks-key rekey transport unicast sa ipsec 1 profile GETVPN_PROFILE match address ipv4 LAN replay time window-size 36 address ipv4 172.16.31.1 interface Loopback0 ip address 172.16.31.1 255.255.255.255 ! interface Tunnel10 description to PxTR ip address 10.0.2.1 255.255.255.252 tunnel source FastEthernet0/0.95 tunnel destination 212.26.197.2 ! interface LISP0 end ip access-list extended LAN deny udp any eq 848 any eq 848 deny udp any eq isakmp any eq isakmp deny ip 172.16.31.0 0.0.0.255 172.16.31.0 0.0.0.255 permit ip any any
xTR “the satellite office router” • 1 or 2 uplinks to the internet (just transport) • Push all packets from LAN to PxTR or other xTR’s • All “vpn” packets go with encrypted payload over the internets • “internet access” is done via Firewall in the VRF
xTR Picture xTR
xTR config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp path-mtu-discovery min 1280 max 1500 ip lisp use-petr 212.2.2.2 ip lisp database-mapping 172.16.31.5/32 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp database-mapping 172.16.45.0/24 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp itr map-resolver 212.3.3.3 ip lisp itr ip lisp etr map-server 212.3.3.3 key blablakeymap ip lisp etr accept-map-request-mapping ip lisp etr
xTR config #1 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth ! ! crypto gdoi group GETVPN_GROUP_GM identity number 666 server address ipv4 172.16.31.1 client registration interface Loopback0 crypto map GETVPN_MAP 10 gdoi set group GETVPN_GROUP_GM interface Loopback0 ip address 172.16.31.5 255.255.255.255 ! interface LISP0 crypto map GETVPN_MAP interface FastEthernet0/0 description LAN ip address 172.16.45.1 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360
A Sample traceroute: from satellite office to server behind the VRF job@DennyCrane:~$ traceroute 172.16.4.202 traceroute to 172.16.4.202 (172.16.4.202), 30 hops max, 60 byte packets 1 172.16.42.253 (172.16.42.253) 6.102 ms 7.229 ms 7.212 ms 2 172.16.0.20 (172.16.0.20) 18.650 ms 18.651 ms 18.622 ms 3 172.16.0.1 (172.16.0.1) 13.968 ms 13.993 ms 14.020 ms 4 172.16.4.202 (172.16.4.202) 13.931 ms 13.899 ms 13.897 ms job@DennyCrane:~$
Things to worry about • MTU (with 1500 internet you have 1390 payload) • Security – Mapserver registrations are unencrypted – RFC1918 ip addresses are visible when wiretapping – But GETVPN protects everything and ensures integrity (So I think LISP is actually doing pretty fine)
Our status At InTouch we have been running this for a while now with a select group of “special” customers (read: guinea pigs)
Near Future We have got that much faith that we will deploy this to real customers in the next 3 weeks
Conclusion LISP is good for you! Any questions? job@instituut.net

More Related Content

PPT
ospf routing protocol
Ameer Agel
 
PDF
BGP Multihoming Techniques
APNIC
 
PPTX
Routing information protocol
Saranya Parthasarathy
 
PDF
Eigrp
firey
 
PDF
BGP Unnumbered で遊んでみた
akira6592
 
PPTX
CCNA2 Verson6 Chapter6
Chaing Ravuth
 
PPT
Ospf
DeeN Mohammad
 
PDF
Open vSwitch Offload: Conntrack and the Upstream Kernel
Netronome
 
ospf routing protocol
Ameer Agel
 
BGP Multihoming Techniques
APNIC
 
Routing information protocol
Saranya Parthasarathy
 
Eigrp
firey
 
BGP Unnumbered で遊んでみた
akira6592
 
CCNA2 Verson6 Chapter6
Chaing Ravuth
 
Ospf
DeeN Mohammad
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
Netronome
 

What's hot (20)

PPTX
CCNP ROUTE V7 CH6
Chaing Ravuth
 
PDF
"SRv6の現状と展望" ENOG53@上越
Kentaro Ebisawa
 
PDF
Implementing cisco mpls
Matiullah Jamil
 
PDF
Les commandes CISCO (routeur)
EL AMRI El Hassan
 
PPTX
Border Gatway Protocol
Shashank Asthana
 
PPT
Mpls L3_vpn
Reza Farahani
 
PDF
01 introduction to mpls
Achmad Mardiansyah
 
PDF
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
PDF
Segment Routing Lab
Cisco Canada
 
PPTX
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
 
PPTX
Chapitre 6 - Protocoles TCP/IP, UDP/IP
Tarik Zakaria Benmerar
 
PDF
Segment Routing Technology Deep Dive and Advanced Use Cases
Cisco Canada
 
PDF
Juniper MPLS Tutorial by Soricelli
Febrian ‎
 
PPT
Technologie wdm
Salvator Fayssal
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 
PDF
Redondance de routeur (hsrp, vrrp, glbp)
EL AMRI El Hassan
 
PPTX
An introduction to MPLS networks and applications
Shawn Zandi
 
PPTX
IPv6 address
Pina Parmar
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
PPT
Juniper mpls best practice part 2
Febrian ‎
 
CCNP ROUTE V7 CH6
Chaing Ravuth
 
"SRv6の現状と展望" ENOG53@上越
Kentaro Ebisawa
 
Implementing cisco mpls
Matiullah Jamil
 
Les commandes CISCO (routeur)
EL AMRI El Hassan
 
Border Gatway Protocol
Shashank Asthana
 
Mpls L3_vpn
Reza Farahani
 
01 introduction to mpls
Achmad Mardiansyah
 
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
Segment Routing Lab
Cisco Canada
 
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
 
Chapitre 6 - Protocoles TCP/IP, UDP/IP
Tarik Zakaria Benmerar
 
Segment Routing Technology Deep Dive and Advanced Use Cases
Cisco Canada
 
Juniper MPLS Tutorial by Soricelli
Febrian ‎
 
Technologie wdm
Salvator Fayssal
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 
Redondance de routeur (hsrp, vrrp, glbp)
EL AMRI El Hassan
 
An introduction to MPLS networks and applications
Shawn Zandi
 
IPv6 address
Pina Parmar
 
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
Juniper mpls best practice part 2
Febrian ‎
 
Ad

Similar to LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN (20)

PDF
TechWiseTV Workshop: Software-Defined Access
Robb Boyd
 
PDF
Nxll18 vpn (s2 s gre & dmvpn)
Netwax Lab
 
PPT
Vpn(4)
Suraj Kumar
 
PDF
Nxll17 dynamic routing with asa
Netwax Lab
 
PPTX
[오픈소스컨설팅] Linux Network Troubleshooting
Open Source Consulting
 
PDF
How You Will Get Hacked Ten Years from Now
julievreeland
 
PDF
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Shixiong Shang
 
PDF
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Russia
 
PDF
Tech f42
SelectedPresentations
 
PPTX
How to convert your Linux box into Security Gateway - Part 1
n|u - The Open Security Community
 
PDF
IPv6 Fundamentals & Securities
Don Anto
 
PPTX
Support for Network-based User Mobility with LISP
Andrea Galvani
 
PDF
Configuring Ip Sec Between A Router And A Pix
angelitoh11
 
PDF
MPLS LAB Practice Vol.1.pdf
SupakornVisutthicho
 
PPTX
Ipv6
Yan Drugalya
 
PDF
FD.io - The Universal Dataplane
Open Networking Summit
 
PPT
dokumen.tips_linux-networking-commands.ppt
ThorOdinson55
 
PDF
IPSec VPN
NetProtocol Xpert
 
PDF
Run Your Own 6LoWPAN Based IoT Network
Samsung Open Source Group
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
TechWiseTV Workshop: Software-Defined Access
Robb Boyd
 
Nxll18 vpn (s2 s gre & dmvpn)
Netwax Lab
 
Vpn(4)
Suraj Kumar
 
Nxll17 dynamic routing with asa
Netwax Lab
 
[오픈소스컨설팅] Linux Network Troubleshooting
Open Source Consulting
 
How You Will Get Hacked Ten Years from Now
julievreeland
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Shixiong Shang
 
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Russia
 
Tech f42
SelectedPresentations
 
How to convert your Linux box into Security Gateway - Part 1
n|u - The Open Security Community
 
IPv6 Fundamentals & Securities
Don Anto
 
Support for Network-based User Mobility with LISP
Andrea Galvani
 
Configuring Ip Sec Between A Router And A Pix
angelitoh11
 
MPLS LAB Practice Vol.1.pdf
SupakornVisutthicho
 
Ipv6
Yan Drugalya
 
FD.io - The Universal Dataplane
Open Networking Summit
 
dokumen.tips_linux-networking-commands.ppt
ThorOdinson55
 
IPSec VPN
NetProtocol Xpert
 
Run Your Own 6LoWPAN Based IoT Network
Samsung Open Source Group
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
Ad

Recently uploaded (20)

PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Approach and Philosophy of On baking technology
30anthuong17
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 

LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN

  • 1. Applied LISP LISP is good for you! Job Snijders job@instituut.net Protégé of InTouch N.V., The Netherlands
  • 2. Who am I? Job Snijders • One of the chosen few: I got native v6 at home • Love bleeding edge stuff • Co-author LISP LCAF draft
  • 3. What’s InTouch NV? • 16 years old (73 in internet years) • Managed Service provider • Nice & decent network through West-Europe • Sells technology independent products which we call “services” • Example: Large private networks for multinationals in multi-tenant way
  • 4. What is LISP? • http://en.wikipedia.org/wiki/Locator/Identifie r_Separation_Protocol • Abstraction layer • Location independent prefixes • IPv4 over IPv4, IPv6 over IPv4, IPv4 over IPv6, IPv6 over IPv6
  • 5. Problem statement Dear Santa, I’d like a manageable way of building large virtual private networks over the internet. your friend, Job
  • 6. Our typical “Satellite” office • 2 (cheap) internet connections from 2 ISP’s • 1 (cheap) router • 1 RFC1918 prefix behind it • 5 to 10 people behind it that need access to corporate IT: Active Directory, Exchange, etc
  • 8. Current approach Remember: We don’t own the last mile. We have to deliver over the top. • Build 2 GRE or DMVPN tunnels • Use plain IPSEC or GETVPN • OSPF for tunnel/link failover
  • 11. Quick overview • Replace DMVPN + OSPF with LISP • GETVPN stays because we need security • Components: – Map-Server (NX-OS) – Key-Server (IOS) – Proxy Router (IOS because we do GETVPN) – xTR (IOS)
  • 13. Proxy Router (PxTR) bridge between LISP world and VRF • Public IP address (reachable for all xTR’s) • Talk BGP with VRF intouch-office • GRE Tunnel to MapServer for LISP+ALT – Talk BGP with MapServer • GRE Tunnel to Keyserver – because PxTR and xTR functionality don’t mix (this is an implementation limitation, not protocol)
  • 14. PxTR Picture interface LISP0 ip policy route-map nexthop crypto map GETVPN_MAP end route-map nexthop permit 10 match ip address 10 set ip next-hop 172.16.0.1
  • 15. PxTR Config ip lisp path-mtu-discovery min 1280 max 1500 ip lisp alt-vrf lisp ip lisp proxy-etr ip lisp proxy-itr 212.2.2.2 interface FastEthernet0/1.300 encapsulation dot1Q 300 ip address 172.16.0.20 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360 address-family ipv4 vrf lisp no synchronization redistribute connected redistribute static neighbor 10.0.1.1 remote-as 65100 neighbor 10.0.1.1 update-source Tunnel321 neighbor 10.0.1.1 activate neighbor 10.0.1.1 next-hop-self neighbor 10.0.1.1 soft-reconfiguration inbound exit-address-family
  • 16. Pxtr# show ip route vrf lisp Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.0.1.0/30 is directly connected, Tunnel321 L 10.0.1.2/32 is directly connected, Tunnel321 172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks B 172.16.31.1/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.3/32 [20/0] via 10.0.1.1, 1d06h B 172.16.31.4/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.5/32 [20/0] via 10.0.1.1, 5d20h B 172.16.31.6/32 [20/0] via 10.0.1.1, 1d05h B 172.16.42.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.43.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.45.0/24 [20/0] via 10.0.1.1, 5d20h B 172.16.46.0/24 [20/0] via 10.0.1.1, 1d04h
  • 17. MapServer • Similar to DNS Server • Public reachable IP address • Not a part of the GETVPN cloud • xTR’s register themselves at the MapServer • PxTR talks with MapServer to know who is where (over that GRE tunnel)
  • 19. MapServer Config lisp site jobsnijders-thuis eid-prefix 172.16.31.3/32 eid-prefix 172.16.42.0/24 authentication-key 3 28923r98234ed6cace39629cdd637 description Job Snijders home lisp site kevin-home-xtr eid-prefix 172.16.31.6/32 eid-prefix 172.16.46.0/24 authentication-key 3 3fac3b00cfbfd17b3e9ec69b8c43efd description Kevin home lisp site keyserver eid-prefix 172.16.31.1/32 authentication-key 3 023489234eabce94ed6cace3dd637 description keyserver
  • 20. KeyServer • Reachable for every xTR over the LISP cloud • Has 1 /32 EID • Tunnel to PxTR so PxTR can join in the GDOI without being an xTR
  • 22. KeyServer Config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp database-mapping 172.16.31.1/32 IPv4- interface FastEthernet0/0.95 priority 0 weight 100 ip lisp itr map-resolver 212.2.2.2 ip lisp itr ip lisp etr map-server 212.2.2.2 key k3ys3rv3r ip lisp etr accept-map-request-mapping ip lisp etr
  • 23. KeyServer config #2 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 ! crypto isakmp policy 50 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth crypto isakmp keepalive 10 periodic ! ! crypto ipsec transform-set GETVPN_TS esp-3des esp-sha-hmac ! crypto ipsec profile GETVPN_PROFILE set transform-set GETVPN_TS ! crypto gdoi group GETVPN_GROUP identity number 666 server local rekey retransmit 10 number 2 rekey authentication mypubkey rsa public-intouch-office-ks-key rekey transport unicast sa ipsec 1 profile GETVPN_PROFILE match address ipv4 LAN replay time window-size 36 address ipv4 172.16.31.1 interface Loopback0 ip address 172.16.31.1 255.255.255.255 ! interface Tunnel10 description to PxTR ip address 10.0.2.1 255.255.255.252 tunnel source FastEthernet0/0.95 tunnel destination 212.26.197.2 ! interface LISP0 end ip access-list extended LAN deny udp any eq 848 any eq 848 deny udp any eq isakmp any eq isakmp deny ip 172.16.31.0 0.0.0.255 172.16.31.0 0.0.0.255 permit ip any any
  • 24. xTR “the satellite office router” • 1 or 2 uplinks to the internet (just transport) • Push all packets from LAN to PxTR or other xTR’s • All “vpn” packets go with encrypted payload over the internets • “internet access” is done via Firewall in the VRF
  • 26. xTR config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp path-mtu-discovery min 1280 max 1500 ip lisp use-petr 212.2.2.2 ip lisp database-mapping 172.16.31.5/32 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp database-mapping 172.16.45.0/24 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp itr map-resolver 212.3.3.3 ip lisp itr ip lisp etr map-server 212.3.3.3 key blablakeymap ip lisp etr accept-map-request-mapping ip lisp etr
  • 27. xTR config #1 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth ! ! crypto gdoi group GETVPN_GROUP_GM identity number 666 server address ipv4 172.16.31.1 client registration interface Loopback0 crypto map GETVPN_MAP 10 gdoi set group GETVPN_GROUP_GM interface Loopback0 ip address 172.16.31.5 255.255.255.255 ! interface LISP0 crypto map GETVPN_MAP interface FastEthernet0/0 description LAN ip address 172.16.45.1 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360
  • 28. A Sample traceroute: from satellite office to server behind the VRF job@DennyCrane:~$ traceroute 172.16.4.202 traceroute to 172.16.4.202 (172.16.4.202), 30 hops max, 60 byte packets 1 172.16.42.253 (172.16.42.253) 6.102 ms 7.229 ms 7.212 ms 2 172.16.0.20 (172.16.0.20) 18.650 ms 18.651 ms 18.622 ms 3 172.16.0.1 (172.16.0.1) 13.968 ms 13.993 ms 14.020 ms 4 172.16.4.202 (172.16.4.202) 13.931 ms 13.899 ms 13.897 ms job@DennyCrane:~$
  • 29. Things to worry about • MTU (with 1500 internet you have 1390 payload) • Security – Mapserver registrations are unencrypted – RFC1918 ip addresses are visible when wiretapping – But GETVPN protects everything and ensures integrity (So I think LISP is actually doing pretty fine)
  • 30. Our status At InTouch we have been running this for a while now with a select group of “special” customers (read: guinea pigs)
  • 31. Near Future We have got that much faith that we will deploy this to real customers in the next 3 weeks
  • 32. Conclusion LISP is good for you! Any questions? job@instituut.net