Hi Kings,
I just re-LABed my setup - works :) Thanks.
Is there a way to include the key server into the VPN network?

Regards
Simon

On 31.08.2009 at 06:32, Kingsley Charles wrote:

Hi Simon

With GETVPN, the internal IP address is retained in the ESP packet, unlike other IPSec, where it is wrapped in a routable IP address. GETVPN is to be used on private networks.

In your case, when you ping from one loopback address to the other loopback address, all the devices in the path should have routes for both loopback addresses.

Just disable the GETVPN group member and see if you are able to ping normally without IPSec, to verify the connectivity.

You can't encrypt traffic to and from the key server. The key server will only authenticate and push the IPSec SAs to the peers. Encryption is only for group member to group member.

Please remove the following from the ACL.

access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255

With regards
Kings
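As an added example for this thread (not code posted by Kings or Simon, and not a Cisco tool), the script below parses the key server's policy ACL from the configs quoted further down and flags the entries that cover traffic to or from the key server's own loopback subnet, which is the check behind the advice to remove those lines. It also reports permit entries without a reverse-direction counterpart. It assumes the IOS extended syntax `access-list <n> permit ip <src> <wild> <dst> <wild>` (plus `host` and `any`); the sample ACL and the key-server loopback 10.0.0.1 are taken from Simon's config.

```python
"""Flag GETVPN policy-ACL entries that cover traffic to or from the key server.

Added example for this thread, not code from the posters. Assumes IOS extended
ACL syntax 'access-list <n> permit|deny ip <src> <wild> <dst> <wild>'.
"""
import ipaddress
import re

# Constructed sample: the six entries from the key server config in the thread.
SAMPLE_ACL = """
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""


def wildcard_to_network(addr, wild):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    The wildcard is converted by hand rather than handed to ipaddress as a
    hostmask, because a '0.0.0.0' mask would otherwise be read as a /0 netmask
    instead of a single host.
    """
    w = int(ipaddress.IPv4Address(wild))
    if (w + 1) & w:  # low bits not contiguous, e.g. 0.0.255.0
        raise ValueError(f"non-contiguous wildcard {wild}")
    prefixlen = 32 - w.bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _take_endpoint(tokens):
    """Consume one source or destination spec from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if head == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(head, tokens.pop(0))


def parse_acl(text):
    """Parse extended 'ip' ACL lines; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)", line)
        if not m:
            continue
        tokens = m.group(3).split()
        src = _take_endpoint(tokens)
        dst = _take_endpoint(tokens)
        entries.append({"line": line, "number": int(m.group(1)),
                        "action": m.group(2), "src": src, "dst": dst})
    return entries


def entries_touching(entries, ks_ip):
    """Permit entries whose source or destination covers the key server address."""
    ks = ipaddress.IPv4Address(ks_ip)
    return [e["line"] for e in entries
            if e["action"] == "permit" and (ks in e["src"] or ks in e["dst"])]


def missing_mirrors(entries):
    """Permit entries that have no entry for the reverse direction."""
    pairs = {(e["src"], e["dst"]) for e in entries if e["action"] == "permit"}
    return [e["line"] for e in entries
            if e["action"] == "permit" and (e["dst"], e["src"]) not in pairs]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for line in entries_touching(acl, "10.0.0.1"):  # key server loopback from the thread
        print("covers key-server traffic:", line)
    for line in missing_mirrors(acl):
        print("no mirror entry:", line)
```

Run against the sample, it lists the four entries with 10.0.0.0/24 on either side; the remaining two, 10.1.1.0/24 to and from 10.3.3.0/24, are the group-member-to-group-member flows that GETVPN actually protects.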




On Mon, Aug 31, 2009 at 12:38 AM, Simon Baumann <[email protected]> wrote:
Hi,
it's me again with a GET VPN topic ;) I configured a GET VPN with 3 routers, like this example: http://www.wr-mem.com/?p=307

Here are the configs:

######################################################################################################
key server (r1 of PG sec pod):
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.2
crypto isakmp key cisco address 192.168.0.3
!
!
crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_gdoi_profile
 set transform-set trans_gdoi
!
crypto gdoi group group_getvpn
 identity number 1111
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn_rekey
  rekey transport unicast
  sa ipsec 1
   profile ipsec_gdoi_profile
   match address ipv4 100
   replay counter window-size 64
  address ipv4 192.168.0.1
!

interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
######################################################################################################

client 1 (r7 of PG sec pod):
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
!
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
######################################################################################################

client 2 (r8 of PG sec pod):
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.0.1
!
!
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1
!
!
crypto map map_getvpn 10 gdoi
 set group group_getvpn
!
interface Loopback1
 ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 duplex auto
 speed auto
 crypto map map_getvpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.3.3.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
######################################################################################################

The GET VPN is up. But I can't ping the other loopback interfaces when sourcing the ping from the local loopback. When I ping without a specific source interface, the traffic seems to go unencrypted to the other interface: the packet counters of the IPsec SAs don't increase.

Any hints what I have to check first? TIA!

Regards
Simon


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com


