Great, this mail thread is an eye opener.

Still we have one problem left. Is your GM receiving the rekeys? Issue "sh
crypto gdoi" on your GM and see if the rekey counters increase.

The rekeys might reach the GM but are not accepted because the source address
in the "sh crypto gdoi gm rekey" output and the actual address in the rekey
are different.

This is what Tacack was also mentioning.

You will see the counters always at zero. Though you see the loopback IP
address in log messages on the KS, when the rekey is sent out it changes to
the physical interface IP address.

router3#sh crypto gdoi gm rekey
Group king (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0

Rekey (KEK) SA information :
          dst             src             conn-id  my-cookie  his-cookie
New     : 239.1.2.3       4.4.4.4           5462   7D989438   2A16D52E
Current : ---             ---               ---    ---        ---
Previous: ---             ---               ---    ---        ---

router3#sh crypto gdoi
GROUP INFORMATION

    Group Name               : king
    Group Identity           : 7
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 10.20.30.43
    Group Server list        : 10.20.30.43

    GM Reregisters in        : 132 secs
    Rekey Received(hh:mm:ss) : 00:18:03


    Rekeys received
         Cumulative          : 0
         After registration  : 0

With regards
Kings

On Wed, Nov 10, 2010 at 1:40 PM, Jerome Dolphin <[email protected]> wrote:

> Aaargh, that was it, I did not enable pim on the loopback. This is working
> now. Many thanks Tyson. Full device config in case anyone else is
> interested:
>
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> memory-size iomem 5
> clock timezone EST -5
> clock summer-time EDT recurring
> ip cef
> !
> !
> !
> !
> no ip domain lookup
> ip domain name ipexpert.com
> ip multicast-routing
> !
> multilink bundle-name authenticated
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> archive
>  log config
>   hidekeys
> !
>
> !
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 5
> crypto isakmp key ipexpert address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set TSET1 esp-aes 256 esp-sha-hmac
> !
> crypto ipsec profile ISAPROF1
>  set transform-set TSET1
> !
> crypto gdoi group GETVPN1
>  identity number 123
>
>  server local
>   rekey algorithm aes 192
>   rekey address ipv4 121
>   rekey lifetime seconds 600
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa R2.ipexpert.com
>   sa ipsec 1
>    profile ISAPROF1
>    match address ipv4 122
>    replay counter window-size 64
> !
> !
> !
> ip tcp synwait-time 5
> !
> !
> !
> !
> interface Loopback0
>  ip address 2.2.2.2 255.0.0.0
>  ip pim sparse-mode
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/1
>  ip address 192.1.12.2 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Serial1/0
>  no ip address
>  shutdown
>  no fair-queue
>  serial restart-delay 0
> !
> interface Serial1/1
>  no ip address
>  encapsulation frame-relay
>  serial restart-delay 0
>  no frame-relay inverse-arp
> !
> interface Serial1/1.4 point-to-point
>  ip address 192.1.24.2 255.255.255.0
>  snmp trap link-status
>  frame-relay interface-dlci 204
> !
> interface Serial1/1.5 point-to-point
>  ip address 192.1.25.2 255.255.255.0
>  ip pim sparse-mode
>  snmp trap link-status
>  frame-relay interface-dlci 205
> !
> interface Serial1/1.6 point-to-point
>  ip address 192.1.26.2 255.255.255.0
>  ip pim sparse-mode
>  snmp trap link-status
>  frame-relay interface-dlci 206
> !
> interface Serial1/2
>  no ip address
>  shutdown
>  serial restart-delay 0
> !
> interface Serial1/3
>  no ip address
>  shutdown
>  serial restart-delay 0
> !
> router ospf 1
>  router-id 2.2.2.2
>  log-adjacency-changes
>  network 2.2.2.2 0.0.0.0 area 0
>  network 172.16.12.0 0.0.0.255 area 0
>  network 192.1.12.0 0.0.0.255 area 0
>  network 192.1.24.0 0.0.0.255 area 0
>  network 192.1.25.0 0.0.0.255 area 0
>  network 192.1.26.0 0.0.0.255 area 0
> !
> router bgp 245
>  no synchronization
>  bgp router-id 2.2.2.2
>  bgp log-neighbor-changes
>  neighbor 4.4.4.4 remote-as 245
>  neighbor 4.4.4.4 update-source Loopback0
>  neighbor 4.4.4.4 route-reflector-client
>  neighbor 5.5.5.5 remote-as 245
>  neighbor 5.5.5.5 update-source Loopback0
>  neighbor 5.5.5.5 route-reflector-client
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 195.1.1.0 255.255.255.0 192.1.12.10
> !
> !
> no ip http server
> no ip http secure-server
> ip pim rp-address 2.2.2.2
>
> !
> access-list 101 permit ip any host 239.0.1.2
> access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
>
> access-list 122 permit ip 9.0.0.0 0.255.255.255 host 192.1.6.16
> access-list 122 permit ip host 192.1.6.16 9.0.0.0 0.255.255.255
> no cdp log mismatch duplex
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
>  stopbits 1
> line aux 0
> line vty 0 4
>  login
> !
> ntp authentication-key 1 md5 060506324F41 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179495
> ntp source Loopback0
> ntp server 192.1.12.8 key 1
> !
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
