Hi Simon,

I guess you were trying to ping the loopback of the key server.

The key server can't be part of IPsec. That's why it was not working. Only the 
members participate in IPsec, by downloading the IPsec SAs from the key server. 

Here are some results from the lab.

If you try to ping client 2 from the key server, you will get this error:
ping 10.3.3.1 source loopback 1

*Mar  1 00:08:56.811: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC 
packet.
        (ip) vrf/dest_addr= /10.3.3.1, src_addr= 10.0.0.1, prot= 1

From the key server:
R1#show crypto ipsec sa
No SAs found

From the clients:

R8#ping 10.1.1.1 source loopback 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/79/104 m

R7#show crypto ipsec sa | inc ident|encap|decap
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

Regards,
Mohammed Gazzaz
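
The R7 counters above show the pattern Stu warned about (traffic in one direction only). The script below is an added example, not part of this thread: it parses the filtered `show crypto ipsec sa | inc ident|encap|decap` output exactly as R7 printed it (copied into SAMPLE) and classifies each SA from its encaps/decaps counters, so a "tx-only" entry, where the GM encrypts towards a peer that never sends anything encrypted back, is flagged automatically instead of being read off by eye. The state names (`idle`, `two-way`, `tx-only`, `rx-only`) are my labels, not IOS terms.

```python
"""Flag one-way GET VPN SAs from 'show crypto ipsec sa | inc ident|encap|decap'.

Added example, not from the thread. It parses the filtered IOS output shown
above and classifies each SA by its encaps/decaps counters, so a tx-only entry
(packets encrypted, nothing ever decrypted from that peer) stands out.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines of interest in the filtered output (field names as IOS prints them).
IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
COUNT_RE = re.compile(r"^\s*#pkts (encaps|decaps): (\d+)")

# R7's output as posted in the thread (local = this GM's side of the identity).
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""


@dataclass
class SaEntry:
    local: str          # local ident as "addr/mask"
    remote: str         # remote ident as "addr/mask"
    encaps: int = 0     # packets this GM encrypted towards remote
    decaps: int = 0     # packets this GM decrypted from remote


def parse_sa_counters(text: str) -> list[SaEntry]:
    """Walk the filtered output; each 'local ident' line starts a new entry."""
    entries: list[SaEntry] = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.group(1), m.group(2), m.group(3)
            if side == "local":
                cur = SaEntry(local=f"{addr}/{mask}", remote="")
                entries.append(cur)
            elif cur is not None:
                cur.remote = f"{addr}/{mask}"
            continue
        m = COUNT_RE.match(line)
        if m and cur is not None:
            setattr(cur, m.group(1), int(m.group(2)))   # encaps or decaps
    return entries


def classify(entries: list[SaEntry]) -> dict[tuple[str, str], str]:
    """Map (local, remote) -> 'idle' | 'two-way' | 'tx-only' | 'rx-only'."""
    out: dict[tuple[str, str], str] = {}
    for e in entries:
        if e.encaps and e.decaps:
            state = "two-way"
        elif e.encaps:
            state = "tx-only"    # we encrypt, peer never answers encrypted
        elif e.decaps:
            state = "rx-only"    # peer encrypts to us, we never answer encrypted
        else:
            state = "idle"
        out[(e.local, e.remote)] = state
    return out


def one_way(entries: list[SaEntry]) -> list[tuple[str, str]]:
    """The pairs worth chasing first: traffic in one direction only."""
    return [k for k, v in classify(entries).items() if v in ("tx-only", "rx-only")]


if __name__ == "__main__":
    for (local, remote), state in classify(parse_sa_counters(SAMPLE)).items():
        print(f"{local:>22} -> {remote:<22} {state}")
```

On R7's output this reports 10.1.1.0 -> 10.0.0.0 as tx-only (the pings to the key server's loopback were encrypted, and nothing ever came back encrypted, which is what you expect when the far side has no SA) and 10.1.1.0 -> 10.3.3.0 as two-way; everything else is idle.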

From: [email protected]
To: [email protected]
Date: Sun, 30 Aug 2009 21:43:37 +0200
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] GET VPN configuration.

Hi Stu,

my session is over, unfortunately. R1/7/8 are all connected to Cat2, no 
VLANs, just using the default VLAN 1. I have to re-lab the configuration during 
the week. I'll post the outputs, thanks!

Regards
Simon
On 30.08.2009 at 21:40, Stuart Hare wrote:

Simon,

GETVPN has proved to be a rather sneaky VPN technology. I have had it where all 
output looks OK but only had one-way traffic flow, for instance. Make sure that 
there isn't a device in the transit path that may be dropping either ESP or NAT-T, 
depending on your setup. As the group members and the key servers register / 
exchange policies etc. using ISAKMP, it sometimes appears that everything is in 
place, but phase 2 between the peers may not be fully complete. If you're still 
having trouble, post up some output:

sh cry gdoi
sh cry isa sa det
sh cry ipsec sa

Stu

  2009/8/30 Simon Baumann <[email protected]>
  Hi, it's me again with a GET VPN topic ;) I configured a GET VPN with 3 
routers, like this example: http://www.wr-mem.com/?p=307 
 Here are the configs: 
 
######################################################################################################
 key server (r1 of PG sec pod):

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! one pre-shared key per group member (registration runs over ISAKMP)
crypto isakmp key cisco address 192.168.0.2
crypto isakmp key cisco address 192.168.0.3
!
crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_gdoi_profile
 set transform-set trans_gdoi
!
crypto gdoi group group_getvpn
 identity number 1111
 server local
  rekey retransmit 10 number 2
  ! rekeys are signed with the RSA key pair labelled getvpn_rekey (must already exist)
  rekey authentication mypubkey rsa getvpn_rekey
  rekey transport unicast
  sa ipsec 1
   profile ipsec_gdoi_profile
   ! ACL 100 is the policy pushed to every group member
   match address ipv4 100
   replay counter window-size 64
  address ipv4 192.168.0.1
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
######################################################################################################
 
 client 1 (r7 of PG sec pod):

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
! group member: registers with the key server and downloads the policy/SAs
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
######################################################################################################
 
 client 2 (r8 of PG sec pod):

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.3.3.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
######################################################################################################
 
 The GET VPN is up. But I can't ping the other loopback interfaces when 
sourcing the ping from the local loopback. When I ping without a 
specific source interface, the traffic seems to go unencrypted to the other 
interface: the packet counters of the IPsec SAs don't increase. 
 Any hints what I have to check first? TIA! 
 Regards Simon 
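
The two symptoms in Simon's post come down to whether a given source/destination pair is covered by the policy ACL that the key server pushes to the group members. The script below is an added example, not from the thread or from Cisco: it parses Simon's access-list 100 as posted (only the `permit ip SRC WILD DST WILD` form, which is all the post uses), checks that the policy is symmetric (every GM gets the same ACL, so an A->B entry needs a B->A entry or one side encrypts and the other does not), and classifies the three pings discussed in the thread. The state labels and the `sender_is_gm` flag are my own; the "key server is not a group member" case reproduces what Mohammed's reply shows.

```python
"""Which flows does the GET VPN policy ACL cover? Added example, not from the thread.

Parses the key server's 'access-list 100 permit ip ...' lines as posted,
checks the policy is symmetric and classifies the pings the thread discusses.
"""
from __future__ import annotations

import ipaddress
import re

# Simon's access-list 100 from the key server config above.
ACL_100 = """\
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Only the 'permit ip SRC WILD DST WILD' form is handled; that is all the post uses.
ACE_RE = re.compile(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")

Net = ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS wildcard (inverse mask) -> network. Non-contiguous wildcards raise ValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text: str) -> list[tuple[Net, Net]]:
    """Return the ACL as (src_net, dst_net) pairs, in order."""
    aces: list[tuple[Net, Net]] = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((wildcard_to_network(m.group(1), m.group(2)),
                         wildcard_to_network(m.group(3), m.group(4))))
    return aces


def matches_policy(aces: list[tuple[Net, Net]], src: str, dst: str) -> bool:
    """True if some ACE covers src -> dst, i.e. the GM must encrypt it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in aces)


def asymmetric_aces(aces: list[tuple[Net, Net]]) -> list[tuple[Net, Net]]:
    """ACEs whose mirror (dst -> src) is missing. Every GM applies the same ACL,
    so a one-sided entry means the reply direction goes out in the clear."""
    have = set(aces)
    return [(sn, dn) for sn, dn in aces if (dn, sn) not in have]


def classify_flow(aces: list[tuple[Net, Net]], src: str, dst: str,
                  sender_is_gm: bool) -> str:
    """What happens to one packet (labels are mine):
    - clear-no-policy     : no ACE matches; forwarded unencrypted, SA counters stay flat
    - encrypted           : ACE matches and the sender is a group member
    - clear-sender-not-gm : ACE matches but the sender holds no group SA (the key
                            server in this thread); it leaves in the clear and the
                            GM that receives it logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC
    """
    if not matches_policy(aces, src, dst):
        return "clear-no-policy"
    return "encrypted" if sender_is_gm else "clear-sender-not-gm"


if __name__ == "__main__":
    aces = parse_acl(ACL_100)
    print("asymmetric ACEs:", asymmetric_aces(aces))
    # (src, dst, sender is a group member?) for the three pings in the thread
    for src, dst, gm in [("10.1.1.1", "10.3.3.1", True),     # R7 lo1 -> R8 lo1
                         ("192.168.0.2", "10.3.3.1", True),  # R7 ping without 'source'
                         ("10.0.0.1", "10.3.3.1", False)]:   # key server lo1 -> R8 lo1
        print(f"{src:>12} -> {dst:<10} {classify_flow(aces, src, dst, gm)}")
```

Simon's ACL is symmetric, so that is not the problem. A ping from R7 without `source` leaves from 192.168.0.2, which no ACE covers, so it is forwarded in the clear and the SA counters do not move; a ping sourced from Loopback1 matches and is encrypted. The key server's own loopback is in the ACL, but the key server has no crypto map and no group SA, which is the case Mohammed's reply shows.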

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
 


