Wednesday, May 26, 2010

7 wishes for 21

It's exactly 7 days to my 21st, and I am very excited. I am trying to make a wish list and I am finding it so hard (I'm just not used to making wishes :)
Anyway, here's my list - Just 7 items.

7. A smartphone: I'd like a device that would keep me away from my laptop. I spend approximately 16hrs with *her* per day.

6. A PhotoAlbum: Yes, I intend to keep one :-)

5. A book - I can never omit this. Learning is what keeps me alive :) I'd let you choose the kind of book :)

4. A transition ceremony: I personally consider 21 as the full transition to adulthood. I'd like to celebrate this transition in a special way :)

3. A sincere opportunity to give back: All my life, I have experienced divine and human help in all my endeavors. I believe in paying it forward, so I am looking for a *sincere* opportunity to give back in the little way I can.

2. A special gift in exactly 21 days from now :)

1. A gift from the maker: Something special from the one who started me on this journey and has kept me for the past 2 decades.

That's it :-)

Saturday, May 8, 2010

GETVPN With Multicast Rekeying

Hi All,
A post by fellow CCIE-Sec candidate TacAck made me do some research/revision on GETVPN rekey. I will highlight my findings in this post.
1. There are two rekey transport modes: unicast and multicast.
2. The "rekey address ipv4 <acl>" command references an access-list that is pushed to the group members (GMs) when they register; the GMs read the multicast group out of that ACL and automatically join it (multicast rekeying only).
3. With rekey authentication, an RSA key pair must be generated on the KS ("crypto key generate rsa label <name>") and the label must match the one referenced in "rekey authentication mypubkey rsa <name>". The KS signs each rekey with the private key; GMs receive the public key at registration and use it to verify rekeys.
4. A rekey is sent before the KEK/TEK lifetime expires and is also triggered by a change to the SA policy, such as editing the SA access-list. Each rekey is retransmitted n times, p seconds apart; this is adjusted with "rekey retransmit <p> number <n>".

Here is a sample config for the KS:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address
crypto isakmp key CISCO address
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GET
 set transform-set TRANS
!
crypto gdoi group GET
 identity number 123
 server local
  rekey address ipv4 REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET
   match address ipv4 GET
   replay counter window-size 64
  address ipv4
!
ip access-list extended REKEY
 permit udp host ho

5. If an ASA is placed between the KS and the GMs, two things must be considered.
1. Allowing the GDOI registration traffic. The GM initiates registration, so if the GMs sit on a lower-security interface than the KS, the inbound ACL on that interface must permit UDP with destination port 848 from the GMs to the KS. (If the GMs are on the higher-security side, the default outbound policy and the stateful return traffic already cover it.)
2. Forwarding the multicast rekeys. Multicast routing must be enabled on the ASA ("multicast-routing"). If the GMs are directly connected on a stub segment, "igmp forward interface <upstream-interface>" on the GM-facing interface is enough: the ASA relays the GMs' IGMP joins toward the KS side and forwards the rekey traffic to them.
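As an added example, not part of the original post, here is the matching group-member (GM) side together with an ASA sitting in the KS-GM path, with the GMs on the outside (lower-security) interface and the KS inside. Every address, interface name and ACL name is assumed; the group identity, key label and ACL names follow the KS config above, and the 3DES/MD5 suite is kept only to match it (choose stronger suites for a real deployment).

```cisco
! ---- Group member (GM) - added example, all addresses assumed ----
! The GM initiates registration to the KS on UDP/848, receives the KS
! public key, the KEK/TEK and the REKEY ACL, and joins the rekey group
! named in that ACL.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 10.0.0.1
!
crypto gdoi group GET
 identity number 123
 server address ipv4 10.0.0.1
!
crypto map GETMAP 10 gdoi
 set group GET
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 crypto map GETMAP
!
! ---- ASA between the GMs (outside) and the KS (inside) - assumed ----
! 1. Registration: the GMs initiate from the lower-security side, so the
!    inbound ACL on "outside" must permit UDP/848 to the KS.
! 2. Rekeys: the KS multicasts them to the group in REKEY; with the GMs
!    on a stub segment, the ASA relays their IGMP joins toward "inside".
multicast-routing
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 igmp forward interface inside
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
access-list OUTSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 host 10.0.0.1 eq 848
access-group OUTSIDE_IN in interface outside
```

To check the result: "show crypto gdoi ks members" on the KS should list the registered GM, "show crypto gdoi ks rekey" and "show crypto gdoi gm rekey" show the rekey transport and counters on each side, and "show igmp groups" on the ASA should show the rekey group learned on the outside interface once a GM has registered.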

Nuff said, time to take a break :)
Cheers, Amplebrain