PKI with GETVPN

Yiwei (Level 1)

Hello, 

I just took over a GETVPN topology:

[Figure: GETVPN.jpg (topology diagram)]

We use the KS as the CA server. GM5 is the CE in the HQ and has established BGP peering with every branch through the VPLS network.

I have a few concepts that need clarifying:

1. If the KS has an issue with its certificate from the CA, will all branches lose access to HQ, or can they still access HQ without data encryption?

2. If GM5 has an issue with its certificate from the CA, can the branches still establish BGP peering with HQ and access HQ?

3. We have KS2 in our DR site, but we only enable the CA server on KS1 in the HQ. If CA+KS crash, can all GMs register with KS2 and access HQ before the certificates expire?

 

Thanks!

5 Replies

1. If the KS has an issue with its certificate from the CA, will all branches lose access to HQ, or can they still access HQ without data encryption?

All branch offices will be able to access HQ until the next rekey is performed. If the problem still exists on the KS then the rekey will fail.

 

2. If GM5 has an issue with its certificate from the CA, can the branches still establish BGP peering with HQ and access HQ?

Again, until there is a rekey, BGP will remain established. Once there is a rekey and the certificate problem still exists on GM5, all branch offices will not be able to reach HQ.

 

3. We have KS2 in our DR site, but we only enable the CA server on KS1 in the HQ. If CA+KS crash, can all GMs register with KS2 and access HQ before the certificates expire?

As long as there is a valid certificate chain issued to KS2 and installed, and the coop configuration is up and running, the branch offices should be able to register with KS2.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

Thank you very much. I really appreciate it!

Thanks,
Yiwei

Hi @Marius Gunnerud,

 

What do you think about this topology?

The CE of the VPLS in the HQ is a GM as well.

That means we will have a GETVPN in front of the GETVPN, right?

When we want to open a new branch, the VPLS CE of the new branch cannot establish a tunnel because it doesn't have a certificate from the CA. But the CE of the VPLS in the HQ is a GM, so it has GETVPN to encrypt data between each VPLS CE. So we need to use an ACL to exclude the traffic from the new CE in order to let the new branch get the certificate first. Is that correct?

 

Many Thanks,

Yiwei

 

Let's say you are able to allocate a /16 subnet for the IPs of the GMs facing the VPLS network. For this discussion let's say 10.255.0.0/16. Then you could have a standing exclusion for the GMs to enroll with the CA. If you plan on doing this on a per-site basis when a new site is introduced, then you would need to wait for a rekey to happen so the GMs download the new ACL, or force a rekey, and this will cause a short outage.

 

But, yes, you will need to exclude traffic from the GMs to the CA for certificate enrollment.

 

Another option would be to stage the configuration at your location, where you can install the certificate yourself over a closed network, and then send the router to the site.

--
Please remember to select a correct answer and rate helpful posts
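The two points raised in this thread, the standing ACL exclusion so that a new GM can reach the CA before it holds a certificate, and the cooperative (coop) configuration that lets GMs register with KS2 when KS1 is down, as one added Cisco IOS key-server example. This is illustrative configuration written for this page, not the poster's config and not taken from Cisco documentation; the addresses (10.255.0.1 for KS1/CA, 10.255.0.2 for KS2, 10.255.0.0/16 for the GMs), the group name and identity number, the trustpoint, key-label and profile names, and SCEP enrollment over HTTP port 80 are all assumptions.

```cisco
! Added example, not from the thread. All addresses, names and numbers are assumed.
! KS1 (also the CA) = 10.255.0.1, KS2 = 10.255.0.2, GM VPLS-facing addresses in 10.255.0.0/16.
!
! Encryption policy that the KS pushes to every GM at registration and at each rekey.
! In a GETVPN KS ACL a "deny" entry means "send in the clear", not "drop". The two deny
! lines below keep SCEP enrollment (HTTP/80 assumed) between any GM and the CA out of the
! encrypted policy, so a new branch CE can enroll even though the HQ CE in front of it
! is already a GM and would otherwise expect ESP from it. Adding them later only takes
! effect on the GMs after the next rekey, as noted above.
ip access-list extended GETVPN-ENCRYPT
 deny   tcp 10.255.0.0 0.0.255.255 host 10.255.0.1 eq 80
 deny   tcp host 10.255.0.1 eq 80 10.255.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! GMs and KSs authenticate each other with certificates issued by the CA on KS1.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! The rekey RSA key (label assumed) must be generated exportable and imported on KS2 as
! well, otherwise GMs that fail over to KS2 will reject its rekeys.
!   crypto key generate rsa label GETVPN-REKEY modulus 2048 exportable
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  rekey lifetime seconds 86400
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT
   replay time window-size 5
  address ipv4 10.255.0.1
  ! Coop: KS1 is primary; KS2 (DR site) takes over if KS1 is unreachable. KS2 carries
  ! the mirror of this block with its own address and "peer address ipv4 10.255.0.1".
  redundancy
   local priority 100
   peer address ipv4 10.255.0.2
```

KS2 still needs its own valid certificate chain from the CA installed before KS1 fails, since the GMs authenticate KS2 with that chain when they register with it.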

Thank you so much!