Hi guys,

Sorry for the wordy question, I've done my best to compress it :)

When I change my interesting traffic ACL on R2, it says it's sending rekey:

R2(config)#ip access-l ex 122
R2(config-ext-nacl)#40 permit ip host 44.44.44.44 host 55.55.55.55
R2(config-ext-nacl)#^Z
R2#
Nov  7 23:53:18.540: %SYS-5-CONFIG_I: Configured from console by console
Nov  7 23:53:18.644: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for group GETVPN1 from address 2.2.2.2 to 239.0.1.2  with seq # 1
R2#

But if I run a debug ip packet at R5 and R6, I never see the rekey arrive.

My R2 config matches the solution guide.

The solution guide didn't involve any multicast configuration (RP mapping,
PIM), so I tried adding basic multicast configuration to see if that would
help, but alas no luck.

On R2 I do see the following:

R2#sho ip access-l 101
Extended IP access list 101
    10 permit ip any host 239.0.1.2 (125 matches)
R2#deb ip pack 101
IP packet debugging is on for access list 101
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-l ex 122
R2(config-ext-nacl)#50 permit ip host 66.66.66.66 host 77.77.77.77
R2(config-ext-nacl)#^Z
R2#
Nov  7 23:56:38.792: %SYS-5-CONFIG_I: Configured from console by console
Nov  7 23:56:38.892: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 6168, sending broad/multicast
Nov  7 23:56:38.896: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.904: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.908: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.912: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.912: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 216, sending last fragment
Nov  7 23:56:38.912: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for group GETVPN1 from address 2.2.2.2 to 239.0.1.2  with seq # 1
R2#
Nov  7 23:56:38.924: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.928: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 216, unroutable
R2#


So I think this means that R2 is only sending the rekey out Lo0, which is
useless. If I change the GDOI server IP address to a physical interface IP
address, e.g. S1/1.5, then rekey works for R5, which is connected to S1/1.5,
but not R6.

Here is the full R2 config:
!
interface Loopback0
 ip address 2.2.2.2 255.0.0.0
!
crypto gdoi group GETVPN1
 identity address ipv4 2.2.2.2
 server local
  rekey algorithm aes 192
  rekey address ipv4 121
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R2.ipexpert.com
  sa ipsec 1
   profile ISAPROF1
   match address ipv4 122
   replay counter window-size 64
  address ipv4 2.2.2.2
!
access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
access-list 122 permit ip 9.0.0.0 0.255.255.255 host 192.1.6.16
access-list 122 permit ip host 192.1.6.16 9.0.0.0 0.255.255.255
!

Anyone seen something similar? I'm thinking perhaps this is a bug with
12.4(15)T14...

Cheers, Jerome
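As an added example (not part of Jerome's post, and not a Cisco tool), here is a small Python parser for the `debug ip packet` and GDOI syslog lines shown above. It is run over a constructed copy of that output, with the wrapped lines joined as they appear on a console. The point it makes explicit is the one the raw debug only implies: every fragment emitted toward the rekey group address is later logged as `unroutable`, sourced from the loopback, so the key server never found a forwarding path for the rekey. The regexes assume the IOS 12.4 `IP: s=... d=... len ..., <action>` format exactly as printed above; group address and interface names are taken from the post.

```python
"""Parse Cisco IOS `debug ip packet` / GDOI syslog output and report whether a
GET VPN multicast rekey actually left the key server (added example; not Cisco
code). Assumes the 12.4-style line format seen in the post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the post's output after the rekey was
# triggered; addresses, interface names and lengths are the post's.
SAMPLE_LOG = """\
Nov  7 23:56:38.892: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 6168, sending broad/multicast
Nov  7 23:56:38.896: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.904: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.908: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.912: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 1508, sending fragment
Nov  7 23:56:38.912: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len 216, sending last fragment
Nov  7 23:56:38.912: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for group GETVPN1 from address 2.2.2.2 to 239.0.1.2  with seq # 1
Nov  7 23:56:38.924: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.928: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1508, unroutable
Nov  7 23:56:38.932: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 216, unroutable
"""

# "IP: s=<src> (<if>), d=<dst> (<if>), len <n>, <action>"; the interface
# parts are optional because the unroutable lines carry only the source one.
IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+)(?: \((?P<src_if>[^)]+)\))?, "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dst_if>[^)]+)\))?, len (?P<len>\d+), (?P<action>.+)$"
)
REKEY_RE = re.compile(
    r"%GDOI-5-KS_SEND_MCAST_REKEY: .*group (?P<group>\S+) "
    r"from address (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)


@dataclass
class PacketEvent:
    src: str
    src_if: Optional[str]
    dst: str
    dst_if: Optional[str]
    length: int
    action: str


def parse_events(log: str) -> List[PacketEvent]:
    """Extract one PacketEvent per `IP:` debug line; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = IP_RE.search(line)
        if m:
            events.append(PacketEvent(m["src"], m["src_if"], m["dst"], m["dst_if"],
                                      int(m["len"]), m["action"]))
    return events


def parse_rekeys(log: str) -> List[Dict[str, str]]:
    """Extract group / source / destination from KS_SEND_MCAST_REKEY syslogs."""
    return [m.groupdict() for m in (REKEY_RE.search(l) for l in log.splitlines()) if m]


def rekey_verdict(log: str, group_addr: str) -> Dict[str, object]:
    """Match the fragments sent toward group_addr against those dropped as
    unroutable. The 'sending broad/multicast' line is the whole datagram before
    fragmentation, so it is not counted as a fragment on the wire."""
    ev = [e for e in parse_events(log) if e.dst == group_addr]
    sent = [e for e in ev if e.action.startswith("sending") and "fragment" in e.action]
    dropped = [e for e in ev if e.action == "unroutable"]
    all_dropped = len(sent) > 0 and sorted(e.length for e in sent) == sorted(e.length for e in dropped)
    return {
        "fragments_sent": len(sent),
        "fragments_unroutable": len(dropped),
        "all_dropped": all_dropped,
        # interface the dropped packets were sourced from (Loopback0 in the post)
        "source_ifs": sorted({e.src_if for e in dropped if e.src_if}),
    }


if __name__ == "__main__":
    for rk in parse_rekeys(SAMPLE_LOG):
        print(f"rekey for {rk['group']}: {rk['src']} -> {rk['dst']}")
    print(rekey_verdict(SAMPLE_LOG, "239.0.1.2"))
```

The verdict dictionary is what you would compare before and after a configuration change: if `all_dropped` flips to `False` and `fragments_unroutable` goes to zero while `fragments_sent` stays at five, the rekey has a forwarding path; if only the interface in `source_ifs` changes, the packets are still being dropped on the key server itself.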
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com