Hi,
Does anyone know what would be the effect of not generating RSA keys on the KS?
*- I removed the crypto keys on the KS.*
lemon-isrtrial1-1668(config)#crypto key zeroize rsa gdoi-key
% Keys to be removed are named named 'gdoi-key'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
*- Reset GDOI on the GM, but nothing happens.*
lemon-isrtrial2-1668(config)#do clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded
policies.
% All Group Members are required to re-register.
Are you sure you want to proceed ? [yes/no]: yes
lemon-isrtrial2-1668(config)#do sho crypto gdoi
GROUP INFORMATION
Group Name : gdoi-group
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 192.168.16.1
Group Server list : 192.168.16.1
GM Reregisters in : 1177 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 192.168.16.1:
access-list permit ip 192.168.16.0 0.0.0.255 host 239.1.1.1
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 4849
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
GigabitEthernet0/0:
IPsec SA:
spi: 0xA975C10F(2843066639)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (1238)
Anti-Replay(Time Based) : 10 sec interval
lemon-isrtrial2-1668(config)#do sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.16.1 192.168.16.9 GDOI_IDLE 1023 ACTIVE
192.168.16.9 192.168.16.1 GDOI_REKEY 1024 ACTIVE
Thanks
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
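As an added example (not part of the post above and not a Cisco tool), a small Python checker that reads the GM's "show crypto gdoi" output quoted in the post and reports whether the GM has ever received a rekey and whether its re-registration timer fires before the downloaded TEK expires. The field patterns are assumed from the exact output format shown in the post.

```python
import re

# Sample input: the GM's "show crypto gdoi" output from the post above,
# trimmed to the lines this checker reads.
SAMPLE = """\
GROUP INFORMATION
Group Name : gdoi-group
Active Group Server : 192.168.16.1
GM Reregisters in : 1177 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
KEK POLICY:
Lifetime (secs) : 4849
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
sa timing:remaining key lifetime (sec): (1238)
"""

# Regexes assumed from the output layout in the post (case-sensitive on purpose:
# "Rekey Received" is the last-rekey timestamp, "Rekeys received" is a counter).
PATTERNS = {
    "reregister_in": r"GM Reregisters in\s*:\s*(\d+)",
    "last_rekey": r"Rekey Received\s*:\s*(\S+)",
    "rekeys_cumulative": r"Cumulative\s*:\s*(\d+)",
    "kek_lifetime": r"Lifetime \(secs\)\s*:\s*(\d+)",
    "sig_key_bits": r"Sig Key Length \(bits\)\s*:\s*(\d+)",
    "tek_remaining": r"remaining key lifetime \(sec\):\s*\((\d+)\)",
}

def parse_show_gdoi(text):
    """Extract rekey and lifetime fields from GM 'show crypto gdoi' output."""
    parsed = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m:
            value = m.group(1)
            parsed[key] = int(value) if value.isdigit() else value
    return parsed

def assess(p):
    """Return findings showing whether the GM is living on re-registration alone."""
    findings = []
    if p.get("rekeys_cumulative") == 0 and p.get("last_rekey") == "never":
        findings.append("no rekey ever received: GM depends on re-registration")
    if p.get("reregister_in", 0) >= p.get("tek_remaining", 0):
        findings.append("TEK may expire before re-registration: check the KS")
    else:
        findings.append("GM re-registers before TEK expiry")
    return findings

if __name__ == "__main__":
    for line in assess(parse_show_gdoi(SAMPLE)):
        print(line)
```

Paste the full GM output into SAMPLE (or read it from a file) to run the same check against another group member.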