Verizon Wireless Dynamic Mobile Network Routing LTE - Cisco Guide
Integrated Services Router (ISR G2) and Connected Grid Router
Mobile Router Configuration Guide - Group Encrypted Transport VPN – Primary Access 3G/4G
Revision 3.5
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Public Information. Page 1 of 16
Introduction
Group Encrypted Transport VPN (GETVPN) is a tunnel-less technology that provides end-to-end security for voice,
video, and data in a native mode for a full meshed network. Group Encrypted Transport VPN expands the standard
IP Security (IPsec) with the concept of trusted group members to provide secure any-to-any communication over a
variety of network infrastructures. The main benefits over existing VPN solutions include:
● Large-scale any-to-any encrypted communications
● Native routing without tunnel overlay
● Transport agnostic:
  ◦ Private WAN and LAN
  ◦ Frame Relay
  ◦ Multiprotocol Label Switching (MPLS)
  ◦ Third- and fourth-generation (3G and 4G) with Verizon Wireless Dynamic Mobile Network Routing (DMNR)
● Centralized management of policies and keys in the key server
The immediate and long-term benefits of implementing Group Encrypted Transport VPN include:
● Minimal configuration of crypto endpoints
  ◦ All devices, with the exception of key servers, share the same configuration; thus there is less chance of making mistakes. There is no peer configuration and there are no crypto access control lists (ACLs).
● Native routing
  ◦ No modifications are required to the existing routing protocol configuration.
● No tunnel overlay
  ◦ No additional complexity of generic routing encapsulation (GRE) tunnels and Next Hop Resolution Protocol (NHRP) as in the case of Dynamic Multipoint VPN (DMVPN). There are no secondary routing protocols over the tunnels.
● Group encryption
  ◦ Group Encrypted Transport VPN minimizes latency because encryption is not performed on a per-link basis; traffic is encrypted only at the source (ATM or branch office) and decrypted at the destination (headquarters or data center).
● RF usage conservation
  ◦ With Group Encrypted Transport VPN there are no frequent periodic keep-alives such as Dead Peer Detection (DPD) and Internet Key Exchange (IKE) messages.
  ◦ Group member (GM) re-registrations occur every 3600 seconds and the ISAKMP (Internet Security Association and Key Management Protocol) SA lifetime is 24 hours, so the encryption control plane consumes very little RF airtime.
● High availability
Notes
1. The lifetime of the ISAKMP sessions on the key server should be no less than 24 hours.
2. Advanced Encryption Standard (AES) mode is recommended for the Traffic Encryption Key and the Key Encryption Key.
3. Use multiple key servers with the co-operative protocol. There should be persistent multiple paths between co-op key servers.
4. If there are multiple key servers, RSA keys should be generated on one of the co-op key servers as exportable and should be imported on all other key servers.
5. The encryption policy should have explicit denies for traffic not requiring encryption, followed by global permit statements that are symmetric.
6. On the group member, specify the loopback address that is routed by NEMO as the source of rekey messages with the command crypto map crypto-name local-address Loopback XYZ.
7. For a key server, it is recommended to always use a loopback interface as the key server IP address for the Group Domain of Interpretation (GDOI) protocol.
8. Fail/open and fail/closed modes are both supported with DMNR.
9. Unicast rekey is the only rekey method supported.
10. The GDOI crypto map must be applied to the NEMO Tunnel interface using the template method as shown in Figure 1.
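The key server and group member fragments below are an added example written to tie the notes above to concrete IOS commands; they are not taken from this guide or from any Cisco or Verizon published configuration. They cover note 1 (24-hour ISAKMP lifetime), note 2 (AES for both the rekey/KEK and IPsec/TEK policies), note 3 (co-operative key servers), note 4 (exportable RSA rekey key), note 5 (explicit denies ahead of a symmetric permit), note 6 (rekey source bound to the NEMO-routed loopback), note 7 (key server addressed by loopback) and note 9 (unicast rekey). The group name GETVPN-GROUP, identity number 1234, ACL name GETVPN-POLICY, RSA key label GETVPN-REKEY, the loopback addresses 10.255.255.1 and 10.255.255.2, and the 10.0.0.0/8 enterprise range are placeholders; the IPsec SA lifetime and rekey timers are example values chosen to satisfy the notes, not values the guide prescribes. The final step of applying the group member's crypto map to the NEMO tunnel template (note 10) is not reproduced, since it depends on Figure 1.

```ios
! Constructed example: GETVPN key server for a NEMO/DMNR deployment.
! Names, addresses and timers are placeholders, not values from the guide.
!
! Note 1: ISAKMP lifetime of 24 hours (86400 s) on the key server
crypto isakmp policy 10
 encr aes
 authentication pre-share
 lifetime 86400
crypto isakmp key nemo address 0.0.0.0 0.0.0.0 no-xauth
!
! Note 2: AES for the TEK (the IPsec transform set pushed to every GM)
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GETVPN-TS
!
! Note 5: explicit denies for control traffic that must stay in the clear
! (GDOI on UDP 848, ISAKMP on UDP 500), then one permit whose source and
! destination are mirror images, so every GM applies the same rule to
! both directions of a flow.
ip access-list extended GETVPN-POLICY
 deny udp any eq 848 any eq 848
 deny udp any eq isakmp any eq isakmp
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Note 4: generate the rekey RSA key as exportable on one co-op key server
! (exec mode), then export it and import it on the other key servers:
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! Note 2: AES for the KEK (rekey) as well
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  ! Note 9: unicast is the only rekey transport supported with DMNR
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   replay counter window-size 64
  ! Note 7: the key server is addressed by its loopback
  address ipv4 10.255.255.1
  ! Note 3: co-operative key servers; keep more than one path between them
  redundancy
   local priority 100
   peer address ipv4 10.255.255.2
!
! ===== Group member (a separate router) =====
! Note 6: rekey traffic is sourced from the loopback that NEMO advertises.
! Note 10: applying GETVPN-MAP to the NEMO tunnel template follows Figure 1.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.255.255.1
 server address ipv4 10.255.255.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
crypto map GETVPN-MAP local-address Loopback0
```

The order inside GETVPN-POLICY matters: because the key server pushes this single ACL to every group member, a permit that is not its own mirror image would cause the two ends of a flow to treat its forward and return packets differently. Placing the GDOI and ISAKMP denies first keeps the registration and rekey exchanges themselves out of the encrypted policy, which is what allows a member to re-register after the tunnel is brought up.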
Assumptions and Guidelines
This document assumes the reader has followed the “Verizon Wireless Dynamic Mobile Network Routing - Mobile Router Configuration Guide for Primary Wireless Access” document and that DMNR is operating and verified before attempting the tasks outlined herein.
For implementation, please consult Cisco for proper customer-premises-equipment (CPE) hardware selection and scalability.
Hardware Platforms and Software Images
This document is written based on the following software versions and hardware. The following list is not the complete list of platforms supported. Consult Cisco for the required software image.
● Key server: 7206VXR: 12.4(22)T ADVIPSERVICESK9-M, 3945: 15.1(3)T1 Universal K9, 3845: 15.1(3)T1 ADVIPSERVICESK9-MZ
● MPLS/CE GM:
  ◦ 1900/2900/3900 with LTE eHWIC: IOS 15.3(3)M2 with security license
  ◦ C819G-4G-V: IOS 15.3(3)M2 (security license included)
  ◦ CGR2010 with LTE GRWIC: 15.3(1)T1 with security license
  ◦ 881G with EVDO: 15.1(1)T universalk9-MZ
  ◦ ASR 1002: 15.1(1)S2 ADVENTERPRISEk9, 2911: 15.1(2)T3 Universal K9
The Cisco 1941 Integrated Services Router is shown as the LTE/group member example. Many Cisco Integrated Services Routers (ISRs) that can run NEMO and Group Encrypted Transport VPN can be used, but Cisco IOS® Software Release 12.4(15)T and later Advanced IP, or Cisco IOS Software Release 15.1(3)T (exact) with the Data and Security licenses, is the minimum required with 3G.
For ISR 1900, 2900, 3900 with LTE eHWIC or C819G-4G-V, the minimum IOS Software release is 15.3(3)M2.
For CGR-2010, the minimum IOS release is 15.3(1)T1.
Figure 1. Architecture
1. Mobile IP is enabled on the group member.
2. The high-speed WAN interface card (HWIC) or modem registers to the Verizon Enterprise Home Agent (EHA) and obtains a /32 address.
3. Mobile IP registration to EHA is followed by dynamic NEMO GRE tunnel creation.
4. After registration and authentication to EHA, a dynamic mobile default route (M) is installed with administrative distance (AD) 3.
Implementation:
Group Member
C1941-NEMO-LTE#wr t
Building configuration...
!
! Last configuration change at 15:18:27 UTC Thu Aug 2 2012
version 15.2
service internal
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1941-NEMO-LTE
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-3.M2.bin
boot-end-marker
!
enable password cisco
!
ip dhcp excluded-address 10.21.65.129 10.21.65.136
!
ip dhcp pool mobile
network 10.21.65.128 255.255.255.128
default-router 10.21.65.129
option 150 ip 11.11.11.11
dns-server 4.2.2.2
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
license udi pid CISCO1941W-A/K9 sn FTX153901PZ
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
hw-module ism 0
!
controller Cellular 0/0
!
no ip ftp passive
ip ftp source-interface Vlan2
!
!### Define ISAKMP Policy and PSK ###
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key nemo address 0.0.0.0 0.0.0.0 no-xauth
!
!