From memory I based my config on the following information and testing in my 
lab. To repeat myself again "I'm not 100% sure if this is the correct config, 
but I know that it worked for me.." ;-)

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html


Group Member Configuration for Multicast Rekey

The following configuration needs to be added to the GMs to receive multicast rekey. 
This can be used only if multicast routing is enabled on the rest of the network. 
The configuration below uses SSM for multicast. The configuration may need to be 
changed according to the existing multicast mechanism deployed in the network.
ip multicast-routing
! Enable SSM
ip igmp ssm-map enable
ip pim ssm range 1
! ACL used in ssm range command
access-list 1 permit 239.192.1.190 0.0.0.0
interface FastEthernet4
 ! Interface where crypto map is applied
 ip pim sparse-mode
 ! Join for each KS serving the group
 ip igmp join-group 239.192.1.190 source <IP-Addr-of-KS-1>
 ip igmp join-group 239.192.1.190 source <IP-Addr-of-KS-2>
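To put the three pieces this thread argues about side by side, here is an assembled end-to-end configuration for the topology Michael described (KS on the ASA inside, two GMs on the ASA outside). It is an added illustration written for this page, not the Cisco deployment guide's text and not any poster's lab config. Every address (10.1.1.1 for the KS), interface name, group identity, ACL and key label is an assumption; the group 239.192.1.190 and UDP/848 for GDOI are the only values taken from the thread and the protocol. The GM side uses ASM with the KS as RP rather than the SSM variant quoted above, so that the ASA only has to handle plain (*,G) joins; the two ASA variants correspond to the two options Kingsley names below (full PIM participation, or IGMP stub forwarding).

```cisco
!===== Key Server (IOS), assumed address 10.1.1.1 on the ASA inside =====
ip multicast-routing
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
!
! Any reachable RP works; using the KS itself keeps the example small
ip pim rp-address 10.1.1.1
!
! Rekey ACL: GDOI rekeys are UDP/848 from the KS to the multicast group
ip access-list extended GDOI-REKEY
 permit udp host 10.1.1.1 eq 848 host 239.192.1.190 eq 848
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! "rekey address ipv4" selects multicast rekey; replace it with
  ! "rekey transport unicast" to go back to the unicast rekey that
  ! worked through the ASA without any multicast configuration
  rekey address ipv4 GDOI-REKEY
  ! Short retransmit interval, as suggested below, so a missed rekey shows up quickly in debugs
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-TRAFFIC
  address ipv4 10.1.1.1

!===== ASA, option A: ASA takes part in PIM =====
multicast-routing
! Enabling multicast-routing turns PIM on for every interface; the ASA then
! builds (*,G)/(S,G) state toward the RP from the GMs' joins on outside
pim rp-address 10.1.1.1
! Only needed where the rekey has to enter a lower-security interface;
! with the KS on inside the rekey exits outside and this entry is not required
access-list OUTSIDE_IN extended permit udp host 10.1.1.1 host 239.192.1.190 eq 848
access-group OUTSIDE_IN in interface outside

!===== ASA, option B: stub multicast routing (IGMP proxy) instead of PIM =====
! multicast-routing
! interface GigabitEthernet0/1
!  nameif outside
!  no pim
!  ! relay the GMs' IGMP membership reports toward the KS on inside
!  igmp forward interface inside

!===== Each Group Member (IOS), on the ASA outside =====
ip multicast-routing
ip pim rp-address 10.1.1.1
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.1.1.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 ! interface where the GDOI crypto map is applied
 ip pim sparse-mode
 ! join as a host so the rekey is accepted and an IGMP report goes out toward the ASA
 ip igmp join-group 239.192.1.190
 crypto map GETVPN-MAP

!===== Verification (constructed checklist; commands exist on the respective platforms) =====
! KS : show crypto gdoi ks rekey        -> rekey transport and send counters
! ASA: show mroute 239.192.1.190         -> forwarding entry with the GM-facing OIL
! ASA: show igmp groups                  -> the GMs' joins seen on outside
! GM : show crypto gdoi                  -> "Rekeys received" should increase per rekey
! GM : debug crypto gdoi                 -> per-rekey detail while the retransmit timer is short
```

The way to read the result, following Badar's advice further down: registration is unicast from GM to KS and succeeds regardless of the ASA, so a GM that registers but never increments its received-rekey counter while the KS counter climbs is the signature of multicast being dropped in the middle.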

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: 09 March 2010 11:58
To: Bartlett Graham A
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

Hi Bartlett

Why do you need the following on GM:

ip igmp join-group multicast_address
ip multicast-routing

When the GMs downloads the rekey policy, it starts listening to the multicast 
address sent the KS though the ACL having the multicast address. There is no 
need to enable multicast routing and join-group.

Either the ASA should be configured as an SMR IGMP proxy, where it just forwards the 
IGMP, or make the ASA part of the multicast routing.

With regards
Kings

On Tue, Mar 9, 2010 at 4:48 PM, Bartlett Graham A 
<[email protected]> wrote:
From my notes with the KS on the inside of the ASA, from memory this worked 
and the rekey was performed using multicast. I'm not 100% sure if this is the 
correct config, but I know that it worked for me..

On the ASA

you need an ACL to allow multicast traffic in.
pim multicast-routing
pim rp-address address_of_KS

on KS

ip multicast-routing
ip pim sparse-mode
ip pim rp-address address_of_KS

on GM

ip igmp join-group multicast_address
ip multicast-routing

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael Davis
Sent: 09 March 2010 11:03
To: Badar Farooq

Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

Hi - Yes it took a while.  It has stopped working.  When I issued the "clear 
crypto isakmp" command it stopped working.  So now I can try to work out how to 
get the multicast through the ASA.

From: Badar Farooq [mailto:[email protected]]
Sent: Tuesday, March 09, 2010 9:56 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

Well, the registration would work fine. Reduce the rekey retransmit time to 
minimum and run debugs on the GMs to see if you are receiving rekeys once they 
are retransmitted. (Alternatively, you can change the ACL to force a rekey.) 
But remember, clearing GDOI on GMs or any change on GMs will cause 
re-registration, which will work fine. (It's unicast and in the opposite direction.)

With ASA in between multicast rekey should NOT work. But let's first make sure 
it's not working and then we can implement the workarounds later.

On Tue, Mar 9, 2010 at 1:49 PM, Michael Davis 
<[email protected]> wrote:
Hi Everyone - I configured a GETVPN using 3 1760's running 12.4 (15)T.  I put 
an ASA 5510 between the KS and the 2 GMs.  I set the keying as unicast which 
worked fine.  I changed the keying to multicast and it is still working??  
Shouldn't I have to do something on the ASA to pass multicast traffic for 
GETVPN?  I vaguely remember Tyson doing this in the bootcamp to make it work so 
I am a bit confused.
Can anyone please clarify what we need to do if a GETVPN using multicast keys 
traverses an ASA or another router?
Thanks
Michael

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com<http://www.ipexpert.com/>

"This e-mail is intended for the recipient only. If you are not the
intended recipient you must not use, disclose, distribute, copy, print,
or rely upon this e-mail. If an addressing or transmission error has
misdirected this e-mail, please notify the author by replying to this e-mail."

"Recipients should note that all e-mail traffic on MOD systems is
subject to monitoring and auditing."

