Hi Simon

With GETVPN, the internal IP address is retained in the ESP packet, unlike
other IPSec, where it is wrapped in a routable IP address. GETVPN is to be
used on private networks.

In your case, when you ping from one loopback address to the other loopback
address, all the devices in the path should have routes for both
loopback addresses.

Just disable the GETVPN group member and see if you are able to ping normally
without IPSec, to verify the connectivity.

You can't encrypt traffic to and from the Key server. The Key server will only
authenticate and push the IPSec SAs to the peers. Encryption is only for group
member to group member.

Please remove the following from the ACL.

access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255

With regards
Kings
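
As an added illustration (not part of either message), a small Python check of the two points above: it parses the key server's ACL from Simon's config below into wildcard-mask networks, flags every entry whose source or destination falls in the key server's own loopback subnet (Kings quotes the two lines sourced from it; the reverse-direction lines are flagged too, since traffic to the key server is not encrypted either), and tests whether a given source/destination pair would be selected for encryption. The key-server subnet 10.0.0.0/24 and the unspecified-source ping using the egress interface address 192.168.0.2 are assumptions taken from the quoted configs.

```python
import ipaddress
import re

# Sample input: the six ACEs from the key-server config quoted in Simon's mail.
ACL_TEXT = """
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Assumed: the key server's Loopback1 network (10.0.0.1 255.255.255.0 in the config).
KEY_SERVER_SUBNET = "10.0.0.0/24"

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.

    The wildcard is an inverse mask, so invert it bitwise. Non-contiguous
    wildcards (e.g. 0.0.255.0) cannot be expressed as a prefix and make
    IPv4Network raise ValueError, which is left to the caller.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text: str):
    """Return a list of (source_network, destination_network) per permit ACE."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _num, src, swc, dst, dwc = m.groups()
            entries.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return entries


def entries_touching(acl, subnet: str):
    """Indices (0-based) of ACEs whose source or destination overlaps subnet."""
    net = ipaddress.IPv4Network(subnet)
    return [i for i, (s, d) in enumerate(acl) if s.overlaps(net) or d.overlaps(net)]


def matches(acl, src_ip: str, dst_ip: str) -> bool:
    """True if a src->dst packet is selected by the ACL, i.e. would be encrypted."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acl)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("ACEs to remove (touch key server):", entries_touching(acl, KEY_SERVER_SUBNET))
    print("loopback to loopback encrypted:", matches(acl, "10.1.1.1", "10.3.3.1"))
    print("ping without source encrypted:", matches(acl, "192.168.0.2", "10.3.3.1"))
```

The last check shows why the SA counters stay flat when the ping has no source set: the packet leaves from 192.168.0.2, which no ACE covers, so it is forwarded in the clear.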




On Mon, Aug 31, 2009 at 12:38 AM, Simon Baumann <[email protected]> wrote:

> Hi, it's me again with a GET VPN topic ;) I configured a GET VPN with 3
> routers, like this example: http://www.wr-mem.com/?p=307
>
> Here are the configs:
>
>
> ######################################################################################################
> *key server (r1 of PG sec pod):*
>  crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 192.168.0.2
> crypto isakmp key cisco address 192.168.0.3
> !
> !
> crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
> !
> crypto ipsec profile ipsec_gdoi_profile
>  set transform-set trans_gdoi
> !
> crypto gdoi group group_getvpn
>  identity number 1111
>  server local
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa getvpn_rekey
>   rekey transport unicast
>   sa ipsec 1
>    profile ipsec_gdoi_profile
>    match address ipv4 100
>    replay counter window-size 64
>   address ipv4 192.168.0.1
> !
>
> interface Loopback1
>  ip address 10.0.0.1 255.255.255.0
> !
> interface FastEthernet0/1
>  ip address 192.168.0.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 1
>  network 10.0.0.0 0.0.0.255
>  network 192.168.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> no ip http server
> no ip http secure-server
> !
> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
> access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
> access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
> access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
> access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
>
> ######################################################################################################
>
> *client 1 (r7 of PG sec pod):*
>  !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 192.168.0.1
> !
> !
> crypto gdoi group group_getvpn
>  identity number 1111
>  server address ipv4 192.168.0.1
> !
> !
> crypto map map_getvpn 10 gdoi
>  set group group_getvpn
> !
> interface Loopback1
>  ip address 10.1.1.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 192.168.0.2 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map map_getvpn
> !
> router eigrp 1
>  network 10.1.1.0 0.0.0.255
>  network 192.168.0.0
>  no auto-summary
>
> ######################################################################################################
>
> *client 2 (r8 of PG sec pod):*
>  !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 192.168.0.1
> !
> !
> crypto gdoi group group_getvpn
>  identity number 1111
>  server address ipv4 192.168.0.1
> !
> !
> crypto map map_getvpn 10 gdoi
>  set group group_getvpn
> !
> interface Loopback1
>  ip address 10.3.3.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 192.168.0.3 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map map_getvpn
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial0/0/0
>  no ip address
>  shutdown
> !
> router eigrp 1
>  network 10.3.3.0 0.0.0.255
>  network 192.168.0.0
>  no auto-summary
> !
>
> ######################################################################################################
>
> The GET VPN is up. But I can't ping the other loopback interfaces when
> sourcing the ping from the local loopback as source. When I ping
> without a specific source interface, the traffic seems to go unencrypted to
> the other interface: the packet counters of the ipsec sa's don't increase.
>
> Any hints what I have to check first? TIA!
>
> Regards
> Simon
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>