Hi Stu,
my session is over, unfortunately. R1/7/8 are all connected to Cat2, no VLANs, just using the default VLAN 1. I have to re-lab the configuration during the week. I'll post the outputs, thanks!

Regards
Simon

On 30.08.2009 at 21:40, Stuart Hare wrote:

Simon,

GETVPN has proved to be a rather sneaky VPN technology.
I have had it where all output looks ok but only had one way traffic flow for instance.

Make sure that there isn't a device in the transit path that may be dropping either ESP or NAT-T, depending on your setup. As the group member and the key servers register / exchange policies etc. using ISAKMP, it sometimes appears that everything is in place, but phase 2 between the peers may not be fully complete.

If you're still having trouble, post up some output:
sh cry gdoi
sh cry isa sa det
sh cry ipsec sa

Stu
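The two symptoms raised in this thread (counters that never move, and a one-way flow where only one side's counters move) can both be read off the `#pkts encaps` / `#pkts decaps` lines of `show crypto ipsec sa` taken before and after a test ping. The snippet below is an added example, not something posted in the thread: the counter lines are constructed sample data in the shape of that IOS output, and the classification labels are my own naming.

```python
import re

# Constructed excerpts in the shape of the counter lines printed by
# "show crypto ipsec sa" (sample data, not output captured from the lab).
BEFORE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# After a ping whose packets never matched the group policy: nothing moved.
AFTER_NO_HIT = BEFORE
# After a ping where we encrypt but nothing encrypted ever comes back.
AFTER_ONE_WAY = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Healthy case: both directions carried over the SA.
AFTER_OK = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(text):
    """Sum encaps/decaps across every SA listed in one show-output snapshot."""
    counters = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        counters[name] += int(value)
    return counters


def classify(before, after):
    """Compare two snapshots taken around a test ping and name the symptom."""
    b, a = parse_counters(before), parse_counters(after)
    d_enc = a["encaps"] - b["encaps"]
    d_dec = a["decaps"] - b["decaps"]
    if d_enc == 0 and d_dec == 0:
        # The ping never touched the SA: check the source address against the
        # policy ACL pushed by the key server and the crypto map placement.
        return "no-sa-hit"
    if d_enc > 0 and d_dec == 0:
        # We encrypt, the peer never answers inside the tunnel: look for ESP
        # (or NAT-T) being dropped in transit, or phase 2 incomplete on the peer.
        return "one-way-outbound"
    if d_enc == 0 and d_dec > 0:
        return "one-way-inbound"
    return "bidirectional"


if __name__ == "__main__":
    for label, snap in (("no hit", AFTER_NO_HIT), ("one way", AFTER_ONE_WAY), ("ok", AFTER_OK)):
        print(f"{label:8s} -> {classify(BEFORE, snap)}")
```

Take the "before" snapshot, send the ping sourced from the loopback, then take the "after" snapshot on both group members; a `one-way-outbound` on one side paired with `no-sa-hit` on the other points at the path between them rather than at the GDOI registration.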




2009/8/30 Simon Baumann <[email protected]>
Hi,
it's me again with a GET VPN topic ;) I configured a GET VPN with 3 routers, like this example: http://www.wr-mem.com/?p=307

Here are the configs:

######################################################################################################
key server (r1 of PG sec pod):
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.2
crypto isakmp key cisco address 192.168.0.3
!
!
crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_gdoi_profile
 set transform-set trans_gdoi
!
crypto gdoi group group_getvpn
 identity number 1111
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn_rekey
  rekey transport unicast
  sa ipsec 1
   profile ipsec_gdoi_profile
   match address ipv4 100
   replay counter window-size 64
  address ipv4 192.168.0.1
!

interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
######################################################################################################

client 1 (r7 of PG sec pod):
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
!
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
######################################################################################################

client 2 (r8 of PG sec pod):
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
!
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.3.3.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
######################################################################################################

The GET VPN is up. But I can't ping the other loopback interfaces when sourcing the ping from the local loopback. When I ping without a specific source interface, the traffic seems to go unencrypted to the other interface: the packet counters of the IPsec SAs don't increase.

Any hints what I have to check first? TIA!

Regards
Simon


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
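On a GDOI crypto map the group member has no local ACL; it protects exactly the source/destination pairs in the policy ACL downloaded from the key server, and anything else is forwarded in the clear. The script below is an added example, not code from the thread or from IOS: it parses the `access-list 100` lines from the key server configuration above and evaluates a source/destination pair the way IOS does (first match wins, implicit deny), which makes it quick to confirm whether a given ping is even supposed to hit the SA. The `any` and `host` forms are handled as a generalization beyond the six lines posted.

```python
import ipaddress
import re

# Policy ACL copied from the key server configuration posted in the thread.
POLICY_ACL = """
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")
MASK32 = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD' (IOS wildcard bits = don't care)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, MASK32
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Return a list of (permit, (src_net, src_wc), (dst_net, dst_wc)) in configured order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(3).split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        aces.append((m.group(2) == "permit", src, dst))
    return aces


def _wild_match(addr, net, wildcard):
    # A wildcard bit of 1 means "ignore this bit"; compare only the remaining bits.
    return ((addr & ~wildcard) & MASK32) == ((net & ~wildcard) & MASK32)


def policy_covers(aces, src_ip, dst_ip):
    """First-match evaluation with implicit deny, as IOS applies an extended ACL."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for permit, (snet, swc), (dnet, dwc) in aces:
        if _wild_match(s, snet, swc) and _wild_match(d, dnet, dwc):
            return permit
    return False


def describe_ping(aces, src_ip, dst_ip):
    if policy_covers(aces, src_ip, dst_ip):
        return f"{src_ip} -> {dst_ip}: covered by policy, expected over the GET VPN SA"
    return f"{src_ip} -> {dst_ip}: not in policy, forwarded in the clear"


if __name__ == "__main__":
    aces = parse_acl(POLICY_ACL)
    # Loopback-sourced ping between group members (r7 -> r8).
    print(describe_ping(aces, "10.1.1.1", "10.3.3.1"))
    # Ping without a source option leaves on the FastEthernet address instead.
    print(describe_ping(aces, "192.168.0.2", "10.3.3.1"))
    print(describe_ping(aces, "192.168.0.2", "192.168.0.3"))
```

Compare the result with `show crypto gdoi` on the group member, which lists the ACL it actually received from the key server; if the downloaded policy differs from what the script evaluates, registration or rekey is the place to look before anything in the data path.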


