Re: [OSL | CCIE_Security] Lab 15 task 4.4 / GETVPN

Jerome Dolphin Tue, 09 Nov 2010 01:24:03 -0800

Hi all, the problem is not multicast config, I have configured RP mapping,
mcast routing and PIM where needed. I can see the *,G for the rekey mcast
address on the KS, the KS is also the RP, and I can see the GMs in the KS/RP
OIL.


R2#show ip mroute 239.0.1.2 | sec 239.0.1.2
(*, 239.0.1.2), 00:35:07/00:02:28, RP 2.2.2.2, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial1/1.5, Forward/Sparse, 00:00:50/00:02:09
    Serial1/1.6, Forward/Sparse, 00:33:41/00:02:28
R2#
R2#show ip pim rp map
PIM Group-to-RP Mappings

Group(s): 224.0.0.0/4, Static
    RP: 2.2.2.2 (?)
R2#


!It seems that in my setup the rekey ACL defines what interface the rekey
mcast is sent out of. Perhaps this is a 12.4(15)T14 issue, or perhaps this
is deliberate IOS behaviour:

R2#show run | i crypto gdoi group|match address|rekey address
ipv4|access-list (101|121|122)
crypto gdoi group GETVPN1
  rekey address ipv4 121
   match address ipv4 122
access-list 101 permit ip any host 239.0.1.2
access-list 121 permit udp host 192.1.25.2 eq 848 host 239.0.1.2 eq 848
access-list 122 permit ip 9.0.0.0 0.255.255.255 host 192.1.6.16
access-list 122 permit ip host 192.1.6.16 9.0.0.0 0.255.255.255
R2#


!trigger rekey by changing crypto ACL
!rekey is sent out physical interface with ip address 192.1.25.5
!R5 recieves the rekey but R6 does not.

R2#debug ip packet 101
IP packet debugging is on for access list 101
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-l ex 122
R2(config-ext-nacl)#40 permit ip host 111.111.111.111 host 222.222.222.222
R2(config-ext-nacl)#end
R2#
*Mar  1 00:10:22.771: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:10:22.863: IP: s=192.1.25.2 (local), d=239.0.1.2 (Serial1/1.5),
len 1256, sending broad/multicast
R2#
*Mar  1 00:10:22.871: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey
for group GETVPN1 from address 192.1.25.2 to 239.0.1.2  with seq # 1
*Mar  1 00:10:23.055: IP: s=192.1.25.5 (Serial1/1.5), d=239.0.1.2, len 28,
rcvd 0
R2#


!change rekey ACL to source rekeys from loopback0, and rekeys are only sent
out loopback 0
!debugs on GMs confirm no GMs recieve the rekey

R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-l ex 121
R2(config-ext-nacl)#no 10
R2(config-ext-nacl)#10 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
R2(config-ext-nacl)#ip access-l ex 122
R2(config-ext-nacl)#no 40
R2(config-ext-nacl)#end
R2#
*Mar  1 00:15:01.916: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:15:02.008: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len
1272, sending broad/multicast
*Mar  1 00:15:02.016: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey
for group GETVPN1 from address 2.2.2.2 to 239.0.1.2  with seq # 1
R2#
*Mar  1 00:15:02.024: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1272,
unroutable
R2#


!change rekey ACL to a source address of any, and the rekey is sent out ALL
interfaces
!debugs on GMs confirm all GMs recieve the rekey mcast packets, but do not
treat them as rekeys

R2(config)#ip access-l ex 121
R2(config-ext-nacl)#no 10
R2(config-ext-nacl)#10 permit udp any eq 848 host 239.0.1.2 eq 848
R2(config-ext-nacl)#ip access-l ex 122
R2(config-ext-nacl)#40 permit ip host 111.111.111.111 host 222.222.222.222
R2(config-ext-nacl)#^Z
R2#
*Mar  1 00:19:24.091: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:19:24.175: IP: s=192.1.12.2 (local), d=239.0.1.2
(FastEthernet0/1), len 1256, sending broad/multicast
*Mar  1 00:19:24.183: IP: s=192.1.24.2 (local), d=239.0.1.2 (Serial1/1.4),
len 1256, sending broad/multicast
*Mar  1 00:19:24.187: IP: s=192.1.25.2 (local), d=239.0.1.2 (Serial1/1.5),
len 1256, sending broad/multicast
*Mar  1 00:19:24.191: IP: s=192.1.26.2 (local), d=239.0.1.2 (Serial1/1.6),
len 1256, sending broad/multicast
*Mar  1 00:19:24.199: IP: s=2.2.2.2 (local), d=239.0.1.2 (Loopback0), len
1256, sending broad/multicast
*Mar  1 00:19:24.203: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey
for group GETVPN1 from address 0.0.0.0 to 239.0.1.2  with seq # 1
*Mar  1 00:19:24.215: IP: s=2.2.2.2 (Loopback0), d=239.0.1.2, len 1256,
unroutable
R2#

Unfortunately, when the source address is defined as 'any' in the rekey ACL,
the GMs receive the mcast rekey, but they don't accept it as valid, I guess
because they're actually looking for a source of 0.0.0.0:

R5#show crypto gdoi gm rekey
Group GETVPN1 (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0

Rekey (KEK) SA information :
          dst             src             conn-id  my-cookie  his-cookie
New     : 239.0.1.2       0.0.0.0           1015   57BD8510   764B72D0
Current : ---             ---               ---    ---        ---
Previous: ---             ---               ---    ---        ---

R5#


So that's it, I never want to look at a GETVPN problem again :)

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Re: [OSL | CCIE_Security] Lab 15 task 4.4 / GETVPN

Reply via email to