Hi Tyson,

Thanks for the information. If there is a re-key failure, will the GM fail in ISAKMP (show crypto isakmp sa) and GDOI (show crypto gdoi)?
Thanks,
Dean

On Sun, Aug 2, 2009 at 9:49 AM, Tyson Scott <[email protected]> wrote:

> Dean,
>
> I am sorry I forgot to reply to your email yesterday.
>
> So the RSA key is not used to do initial setup. It is used during the
> re-key process based on the documentation. After you cleared the process,
> try setting the re-key interval to a really low denominator and wait for the
> re-key period. You should see a failure in the re-key event without the RSA
> key.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Dean Armada
> Sent: Saturday, August 01, 2009 7:43 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] GET VPN - RSA Keys
>
> Hi,
>
> Does anyone know what would be the effect of not generating RSA keys on the KS?
>
> - I removed the crypto keys on the KS.
>
> lemon-isrtrial1-1668(config)#crypto key zeroize rsa gdoi-key
> % Keys to be removed are named 'gdoi-key'.
> % All router certs issued using these keys will also be removed.
> Do you really want to remove these keys? [yes/no]: yes
>
> - Reset GDOI on the GM, but nothing happens.
>
> lemon-isrtrial2-1668(config)#do clear crypto gdoi
> % The Key Server and Group Member will destroy created and downloaded policies.
> % All Group Members are required to re-register.
>
> Are you sure you want to proceed ? [yes/no]: yes
>
> lemon-isrtrial2-1668(config)#do sho crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : gdoi-group
>     Group Identity           : 1
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : 192.168.16.1
>     Group Server list        : 192.168.16.1
>
>     GM Reregisters in        : 1177 secs
>     Rekey Received           : never
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>     Rekey Acks sent          : 0
>
> ACL Downloaded From KS 192.168.16.1:
>    access-list  permit ip 192.168.16.0 0.0.0.255 host 239.1.1.1
>
> KEK POLICY:
>     Rekey Transport Type     : Unicast
>     Lifetime (secs)          : 4849
>     Encrypt Algorithm        : AES
>     Key Size                 : 256
>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>     Sig Key Length (bits)    : 1024
>
> TEK POLICY for the current KS-Policy ACEs Downloaded:
>   GigabitEthernet0/0:
>     IPsec SA:
>         spi: 0xA975C10F(2843066639)
>         transform: esp-256-aes esp-sha-hmac
>         sa timing:remaining key lifetime (sec): (1238)
>         Anti-Replay(Time Based) : 10 sec interval
>
> lemon-isrtrial2-1668(config)#do sho cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 192.168.16.1    192.168.16.9    GDOI_IDLE         1023 ACTIVE
> 192.168.16.9    192.168.16.1    GDOI_REKEY        1024 ACTIVE
>
> Thanks
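As an added example (not from the thread, and not from Cisco's documentation), here is a minimal KS and GM configuration consistent with the show output above, with the rekey lifetime shortened as Tyson suggests so that a missing KS RSA key shows up within minutes instead of a day. The group name, identity, KS address, ACL contents, AES-256/SHA policy, 1024-bit signing key and the `gdoi-key` label come from the thread; the ISAKMP pre-shared key, transform-set, profile, ACL and crypto-map names and the GM interface assignment are assumptions.

```cisco
! ===== Key Server (lemon-isrtrial1-1668, 192.168.16.1) =====
! Generate (or regenerate, after "crypto key zeroize rsa gdoi-key") the
! signing key the KS uses for rekey messages. Registration does not need it;
! rekeys do, because each rekey is signed with this private key and the GMs
! verify it with the public key they downloaded at registration.
crypto key generate rsa general-keys label gdoi-key modulus 1024

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! ASSUMPTION: pre-shared key used for GM registration (protects the
! GDOI registration exchange, not the rekey).
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

! ASSUMPTION: transform-set / profile names
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TS

! ASSUMPTION: ACL name; contents match "ACL Downloaded From KS" above
ip access-list extended GDOI-ACL
 permit ip 192.168.16.0 0.0.0.255 host 239.1.1.1

crypto gdoi group gdoi-group
 identity number 1
 server local
  rekey algorithm aes 256
  ! Short KEK lifetime so a rekey is attempted soon after registration;
  ! raise this in production (default is 86400 seconds).
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  ! This line is what ties the rekey to the RSA key pair. If "gdoi-key"
  ! has been zeroized, GMs still register, but no valid rekey can be sent.
  rekey authentication mypubkey rsa gdoi-key
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GDOI-ACL
   replay time window-size 10
  address ipv4 192.168.16.1

! ===== Group Member (lemon-isrtrial2-1668, 192.168.16.9) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.16.1

crypto gdoi group gdoi-group
 identity number 1
 server address ipv4 192.168.16.1

! ASSUMPTION: crypto-map name; interface matches the TEK policy shown above
crypto map GDOI-MAP 10 gdoi
 set group gdoi-group

interface GigabitEthernet0/0
 crypto map GDOI-MAP
```

To run the check Tyson describes: on the KS, confirm the key exists with `show crypto key mypubkey rsa gdoi-key` and watch rekey activity with `show crypto gdoi ks rekey`; on the GM, `show crypto gdoi` should show `Rekeys received` incrementing once the KEK lifetime expires. Zeroize `gdoi-key` on the KS and repeat: the GM still registers (that exchange is authenticated by ISAKMP, here with the pre-shared key), but the rekey counters stay at zero, and the GM falls back to re-registering when its downloaded policy times out. Regenerating the key with the same label and clearing GDOI on the GM restores rekeys, since the new public key is pushed down at the next registration.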
