You should actually see a message appear on the monitor session I believe if
you have informational logging on.  I am not positive without testing it
myself.  But you should see a failure occur.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [email protected]

 

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

 

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.

 

From: Dean Armada [mailto:[email protected]] 
Sent: Saturday, August 01, 2009 10:29 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GET VPN - RSA Keys

 

Hi Tyson,

Thanks for the information. If there is a re-key failure, will the GM fail
in ISAKMP (show crypto isakmp sa) and GDOI (show crypto gdoi)?

Thanks,

Dean

On Sun, Aug 2, 2009 at 9:49 AM, Tyson Scott <[email protected]> wrote:

Dean,

 

I am sorry I forgot to reply to your email yesterday. 

 

So the RSA key is not used to do initial setup.   It is used during the
re-key process based on the documentation.  After you cleared the process
try setting the re-key interval to a really low denominator and wait for the
re-key period.  You should see a failure in the re-key event without the RSA
KEY.

 


From: [email protected]
[mailto:[email protected]] On Behalf Of Dean Armada
Sent: Saturday, August 01, 2009 7:43 PM
To: [email protected]
Subject: [OSL | CCIE_Security] GET VPN - RSA Keys

 

Hi,

Does anyone know what the effect would be of not generating RSA keys on the KS?

- I removed the crypto keys on the KS.

lemon-isrtrial1-1668(config)#crypto key zeroize rsa gdoi-key
% Keys to be removed are named named 'gdoi-key'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

 
- Reset GDOI on the GM, but nothing happens.
 
lemon-isrtrial2-1668(config)#do clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded
policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes

lemon-isrtrial2-1668(config)#do sho crypto gdoi
GROUP INFORMATION

    Group Name               : gdoi-group
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.16.1
    Group Server list        : 192.168.16.1
                              
    GM Reregisters in        : 1177 secs
    Rekey Received           : never


    Rekeys received         
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0

 ACL Downloaded From KS 192.168.16.1:
   access-list  permit ip 192.168.16.0 0.0.0.255 host 239.1.1.1

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 4849
    Encrypt Algorithm        : AES
    Key Size                 : 256    
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024   

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/0:
    IPsec SA:
        spi: 0xA975C10F(2843066639)
        transform: esp-256-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1238)
        Anti-Replay(Time Based) : 10 sec interval


lemon-isrtrial2-1668(config)#do sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.16.1    192.168.16.9    GDOI_IDLE         1023 ACTIVE
192.168.16.9    192.168.16.1    GDOI_REKEY        1024 ACTIVE

 

Thanks 
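A defender-side health check built from the GM output quoted above, as an added example (not code from the thread or from IPexpert): it parses the rekey-related fields of "show crypto gdoi" and flags the state Tyson describes, where the GM never receives the KS's RSA-signed rekey and only stays in the group by re-registering before its TEK expires. The field labels come from the output in the post; the sample text, thresholds and finding wording are my own.

```python
import re

# Constructed sample: same values as the GM output in the thread (trimmed); not from a live device.
SAMPLE = """\
    Group Name               : gdoi-group
    Rekeys received          : 0
    Active Group Server      : 192.168.16.1
    GM Reregisters in        : 1177 secs
    Rekey Received           : never
KEK POLICY:
    Sig Key Length (bits)    : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/0:
    IPsec SA:
        sa timing:remaining key lifetime (sec): (1238)
"""

def _field(text, label):
    """Value after 'label :' on its own line, or None when the line is absent."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def parse_show_crypto_gdoi(text):
    """Extract the rekey-related fields from a GM's 'show crypto gdoi'."""
    tek = re.search(r"remaining key lifetime \(sec\): \((\d+)\)", text)
    first_int = lambda s: int((s or "0").split()[0])  # "1177 secs" -> 1177
    return {
        "group": _field(text, "Group Name"),
        "ks": _field(text, "Active Group Server"),
        "rekeys_received": first_int(_field(text, "Rekeys received")),
        "last_rekey": _field(text, "Rekey Received"),
        "reregister_in": first_int(_field(text, "GM Reregisters in")),
        "sig_key_bits": first_int(_field(text, "Sig Key Length (bits)")),
        "tek_remaining": int(tek.group(1)) if tek else None,
    }

def assess_rekey_health(info):
    """Flag a GM that never receives the KS's signed rekey (the symptom in the thread)."""
    if info["rekeys_received"] or info["last_rekey"] != "never":
        return []                             # rekeys are arriving; nothing to flag
    findings = ["no rekey received from KS %s" % info["ks"]]
    if info["sig_key_bits"]:
        findings.append("rekeys are RSA-signed (%d-bit); check that the KS still "
                        "holds its rekey keypair" % info["sig_key_bits"])
    tek = info["tek_remaining"]
    if tek is not None and info["reregister_in"] < tek:
        findings.append("GM re-registers in %ds, before TEK expiry in %ds: "
                        "re-registration masks the missing rekey" % (info["reregister_in"], tek))
    return findings
```

Run it against a live "show crypto gdoi" capture by passing the captured text instead of SAMPLE; a GM that is rekeying normally returns no findings.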

 
