Hi Simon

As Stu said, the GETVPN key server doesn't come into the IPsec connection. The key server uses ISAKMP and GDOI to push the IPsec SAs to the group members. The group members use the SAs to encrypt the traffic.

With a site-to-site VPN, the peers need to create the SAs for encryption. In the case of GETVPN, the overload on the peers is removed, as the SAs are created by the key server and the group member gets them from the key server.

With regards
Kings

On Thu, Sep 3, 2009 at 3:56 AM, Stuart Hare <[email protected]> wrote:

> Simon
>
> The key server doesn't participate in the VPN itself; its job is to look
> after the group members, update policies etc.
>
> To my knowledge there is no way to allow this.
>
> Stu
>
> 2009/9/2 Simon Baumann <[email protected]>
>
>> Hi Kings,
>> I just re-labbed my setup - works :) Thanks.
>> Is there a way to include the key server into the VPN network?
>>
>> Regards
>> Simon
>>
>> On 31.08.2009 at 06:32 Kingsley Charles wrote:
>>
>> Hi Simon
>>
>> With GETVPN, the internal IP address is retained in the ESP packet, unlike
>> other IPsec where it is wrapped with a routable IP address. GETVPN is to be
>> used on private networks.
>>
>> In your case, when you ping from one loopback address to the other loopback
>> address, all the devices in the path should have routes for both
>> loopback addresses.
>>
>> Just disable the GETVPN group member and see if you are able to ping normally
>> without IPsec to verify the connectivity.
>>
>> You can't encrypt traffic to and from the key server. The key server will only
>> authenticate and push the IPsec SAs to the peer. Encryption is only for group
>> member to group member.
>>
>> Please remove the following from the ACL.
>>
>> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
>> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
>>
>> With regards
>> Kings
>>
>> On Mon, Aug 31, 2009 at 12:38 AM, Simon Baumann <[email protected]> wrote:
>>
>>> Hi, it's me again with a GET VPN topic ;) I configured a GET VPN with 3
>>> routers, like this example: http://www.wr-mem.com/?p=307
>>>
>>> Here are the configs:
>>>
>>> ######################################################################
>>> *key server (r1 of PG sec pod):*
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 192.168.0.2
>>> crypto isakmp key cisco address 192.168.0.3
>>> !
>>> crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
>>> !
>>> crypto ipsec profile ipsec_gdoi_profile
>>>  set transform-set trans_gdoi
>>> !
>>> ! GDOI group served locally; the SA policy is ACL 100, pushed to all members
>>> crypto gdoi group group_getvpn
>>>  identity number 1111
>>>  server local
>>>   rekey retransmit 10 number 2
>>>   rekey authentication mypubkey rsa getvpn_rekey
>>>   rekey transport unicast
>>>   sa ipsec 1
>>>    profile ipsec_gdoi_profile
>>>    match address ipv4 100
>>>    replay counter window-size 64
>>>   address ipv4 192.168.0.1
>>> !
>>> interface Loopback1
>>>  ip address 10.0.0.1 255.255.255.0
>>> !
>>> interface FastEthernet0/1
>>>  ip address 192.168.0.1 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>> !
>>> router eigrp 1
>>>  network 10.0.0.0 0.0.0.255
>>>  network 192.168.0.0
>>>  no auto-summary
>>> !
>>> ip forward-protocol nd
>>> no ip http server
>>> no ip http secure-server
>>> !
>>> ! encryption policy: the key server's own loopback (10.0.0.0/24) appears here
>>> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
>>> access-list 100 permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
>>> access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
>>> access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
>>> access-list 100 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
>>> access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
>>>
>>> ######################################################################
>>>
>>> *client 1 (r7 of PG sec pod):*
>>> !
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 192.168.0.1
>>> !
>>> ! group member registers with the key server at 192.168.0.1
>>> crypto gdoi group group_getvpn
>>>  identity number 1111
>>>  server address ipv4 192.168.0.1
>>> !
>>> ! GDOI crypto map applies the key-server-supplied policy on the WAN interface
>>> crypto map map_getvpn 10 gdoi
>>>  set group group_getvpn
>>> !
>>> interface Loopback1
>>>  ip address 10.1.1.1 255.255.255.0
>>> !
>>> interface FastEthernet0/0
>>>  ip address 192.168.0.2 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto map map_getvpn
>>> !
>>> router eigrp 1
>>>  network 10.1.1.0 0.0.0.255
>>>  network 192.168.0.0
>>>  no auto-summary
>>>
>>> ######################################################################
>>>
>>> *client 2 (r8 of PG sec pod):*
>>> !
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 192.168.0.1
>>> !
>>> crypto gdoi group group_getvpn
>>>  identity number 1111
>>>  server address ipv4 192.168.0.1
>>> !
>>> crypto map map_getvpn 10 gdoi
>>>  set group group_getvpn
>>> !
>>> interface Loopback1
>>>  ip address 10.3.3.1 255.255.255.0
>>> !
>>> interface FastEthernet0/0
>>>  ip address 192.168.0.3 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto map map_getvpn
>>> !
>>> interface FastEthernet0/1
>>>  no ip address
>>>  shutdown
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface Serial0/0/0
>>>  no ip address
>>>  shutdown
>>> !
>>> router eigrp 1
>>>  network 10.3.3.0 0.0.0.255
>>>  network 192.168.0.0
>>>  no auto-summary
>>> !
>>>
>>> ######################################################################
>>>
>>> The GET VPN is up. But I can't ping the other loopback interfaces when
>>> sourcing the ping from the local loopback. When I ping
>>> without a specific source interface, the traffic seems to go unencrypted
>>> to the other interface: the packet counters of the IPsec SAs don't increase.
>>>
>>> Any hints what I have to check first? TIA!
>>>
>>> Regards
>>> Simon
>>>
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>
>
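The corrected key-server policy for the lab above, as an added example that is not part of the thread or of any poster's configuration. It assumes the addresses from Simon's configs (key server 192.168.0.1 with Loopback1 10.0.0.1; group members 192.168.0.2 with Loopback1 10.1.1.1 and 192.168.0.3 with Loopback1 10.3.3.1). It goes one step beyond the two entries Kings named: since traffic to and from the key server cannot be encrypted and the same ACL is served to every group member, it also removes the two reverse-direction entries whose destination is the key server's 10.0.0.0/24. The show, clear and ping commands are standard IOS GETVPN commands of that release family.

```cisco
! Added example, not from the thread: clean up the GETVPN policy ACL on the
! key server (r1) so that it covers only group-member-to-group-member traffic.
!
! As posted, four of the six entries reference the key server's own loopback
! subnet 10.0.0.0/24. The key server never builds a data-plane SA, so no
! group member can ever use those entries; they only invite confusion.
ip access-list extended 100
 no permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
 no permit ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
 no permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 no permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! What remains: both directions between the two group-member loopbacks.
! Both directions are needed because every member receives this same ACL
! and matches its own outbound traffic against it.
!   access-list 100 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!   access-list 100 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Confirm the policy the key server now serves for group 1111
show crypto gdoi ks policy
!
! --- on each group member (r7 and r8) ---
! Re-register so the member downloads the new policy now rather than at the
! next rekey, then check the registration and the downloaded ACL.
clear crypto gdoi
show crypto gdoi
!
! Test with a source the policy actually covers. From r7:
ping 10.3.3.1 source Loopback1
! The encaps/decaps counters for the GDOI SA should increase.
show crypto ipsec sa
```

Why the source matters: a plain `ping 10.3.3.1` from r7 leaves FastEthernet0/0 with source 192.168.0.2, which no entry in ACL 100 matches, so the packet is forwarded in the clear and the SA counters stay flat, exactly what Simon saw with the un-sourced ping. Only traffic between the prefixes in the pushed ACL is encrypted; the 192.168.0.0/24 transport addresses are never inside the policy.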
