More observations with multicast rekey

   - If both address ipv4 and rekey address are configured, the address ipv4
   takes precedence for the source address of the rekey.
   - If only rekey address is configured, the source address in the rekey ACL
   is used.
   - If neither address ipv4 nor rekey address is configured, the source
   address is 0.0.0.0.
   - There is a source address in the rekey packet itself. Don't confuse it
   with the source address of the IP packet.
   - The address ipv4 and the rekey ACL source address decide the source of
   the rekey packet.
   - The IP packet uses the IP address of the outgoing physical interface as
   its source address.


With unicast rekey, the GM accepts the rekey even if there is a mismatch
between the rekey source address and the IP packet source address.

With multicast rekey, the GM accepts the rekeys only if the rekey source
address and the IP packet source address match. As per my investigation, you
need to configure the address ipv4 or the source address in the rekey with the
outgoing physical IP address to make the GM accept rekeys.

Please let me know if I am missing something or wrong.


With regards
Kings

On Wed, Nov 10, 2010 at 4:08 PM, Kingsley Charles <
[email protected]> wrote:

> Great, this mail thread is an eye opener.
>
> Still we have one problem left. Is your GM receiving the rekeys? Issue "sh
> crypto gdoi" on your GM and see, if there is an increase for the rekey
> counters?
>
> The rekeys might reach the GM but are not accepted because the source
> address in the "sh crypto gdoi gm rekey" and the actual address in the rekey
> are different.
>
> This is what Tacack was also mentioning.
>
> You will see the counters always zero. Though you see the loopback IP
> address in log messages on the KS, when sent out it changes to the
> physical interface IP address.
>
> router3#sh crypto gdoi gm rekey
> Group king (Multicast)
>
>     Number of Rekeys received (cumulative)       : 0
>     Number of Rekeys received after registration : 0
>
> Rekey (KEK) SA information :
>           dst             src             conn-id  my-cookie  his-cookie
> New     : 239.1.2.3       4.4.4.4           5462   7D989438   2A16D52E
> Current : ---             ---               ---    ---        ---
> Previous: ---             ---               ---    ---        ---
>
> router3#sh crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : king
>     Group Identity           : 7
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : 10.20.30.43
>     Group Server list        : 10.20.30.43
>
>     GM Reregisters in        : 132 secs
>     Rekey Received(hh:mm:ss) : 00:18:03
>
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
> With regards
> Kings
>
>
> On Wed, Nov 10, 2010 at 1:40 PM, Jerome Dolphin <[email protected]> wrote:
>
>> Aaargh, that was it, I did not enable pim on the loopback. This is working
>> now. Many thanks Tyson. Full device config in case anyone else is
>> interested:
>>
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname R2
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> memory-size iomem 5
>> clock timezone EST -5
>> clock summer-time EDT recurring
>> ip cef
>> !
>> !
>> !
>> !
>> no ip domain lookup
>> ip domain name ipexpert.com
>> ip multicast-routing
>> !
>> multilink bundle-name authenticated
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> archive
>>  log config
>>   hidekeys
>> !
>>
>> !
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 5
>> crypto isakmp key ipexpert address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set TSET1 esp-aes 256 esp-sha-hmac
>> !
>> crypto ipsec profile ISAPROF1
>>  set transform-set TSET1
>> !
>> crypto gdoi group GETVPN1
>>  identity number 123
>>
>>  server local
>>   rekey algorithm aes 192
>>   rekey address ipv4 121
>>   rekey lifetime seconds 600
>>   rekey retransmit 10 number 2
>>   rekey authentication mypubkey rsa R2.ipexpert.com
>>   sa ipsec 1
>>    profile ISAPROF1
>>    match address ipv4 122
>>    replay counter window-size 64
>> !
>> !
>> !
>> ip tcp synwait-time 5
>> !
>> !
>> !
>> !
>> interface Loopback0
>>  ip address 2.2.2.2 255.0.0.0
>>  ip pim sparse-mode
>> !
>> interface FastEthernet0/0
>>  no ip address
>>  shutdown
>>  speed 100
>>  full-duplex
>> !
>> interface FastEthernet0/1
>>  ip address 192.1.12.2 255.255.255.0
>>  speed 100
>>  full-duplex
>> !
>> interface Serial1/0
>>  no ip address
>>  shutdown
>>  no fair-queue
>>  serial restart-delay 0
>> !
>> interface Serial1/1
>>  no ip address
>>  encapsulation frame-relay
>>  serial restart-delay 0
>>  no frame-relay inverse-arp
>> !
>> interface Serial1/1.4 point-to-point
>>  ip address 192.1.24.2 255.255.255.0
>>  snmp trap link-status
>>  frame-relay interface-dlci 204
>> !
>> interface Serial1/1.5 point-to-point
>>  ip address 192.1.25.2 255.255.255.0
>>  ip pim sparse-mode
>>  snmp trap link-status
>>  frame-relay interface-dlci 205
>> !
>> interface Serial1/1.6 point-to-point
>>  ip address 192.1.26.2 255.255.255.0
>>  ip pim sparse-mode
>>  snmp trap link-status
>>  frame-relay interface-dlci 206
>> !
>> interface Serial1/2
>>  no ip address
>>  shutdown
>>  serial restart-delay 0
>> !
>> interface Serial1/3
>>  no ip address
>>  shutdown
>>  serial restart-delay 0
>> !
>> router ospf 1
>>  router-id 2.2.2.2
>>  log-adjacency-changes
>>  network 2.2.2.2 0.0.0.0 area 0
>>  network 172.16.12.0 0.0.0.255 area 0
>>  network 192.1.12.0 0.0.0.255 area 0
>>  network 192.1.24.0 0.0.0.255 area 0
>>  network 192.1.25.0 0.0.0.255 area 0
>>  network 192.1.26.0 0.0.0.255 area 0
>> !
>> router bgp 245
>>  no synchronization
>>  bgp router-id 2.2.2.2
>>  bgp log-neighbor-changes
>>  neighbor 4.4.4.4 remote-as 245
>>  neighbor 4.4.4.4 update-source Loopback0
>>  neighbor 4.4.4.4 route-reflector-client
>>  neighbor 5.5.5.5 remote-as 245
>>  neighbor 5.5.5.5 update-source Loopback0
>>  neighbor 5.5.5.5 route-reflector-client
>>  no auto-summary
>> !
>> ip forward-protocol nd
>> ip route 195.1.1.0 255.255.255.0 192.1.12.10
>> !
>> !
>> no ip http server
>> no ip http secure-server
>> ip pim rp-address 2.2.2.2
>>
>> !
>> access-list 101 permit ip any host 239.0.1.2
>> access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
>>
>> access-list 122 permit ip 9.0.0.0 0.255.255.255 host 192.1.6.16
>> access-list 122 permit ip host 192.1.6.16 9.0.0.0 0.255.255.255
>> no cdp log mismatch duplex
>> !
>> !
>> !
>> !
>> !
>> !
>> control-plane
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> line con 0
>>  exec-timeout 0 0
>>  privilege level 15
>>  logging synchronous
>>  stopbits 1
>> line aux 0
>> line vty 0 4
>>  login
>> !
>> ntp authentication-key 1 md5 060506324F41 7
>> ntp authenticate
>> ntp trusted-key 1
>> ntp clock-period 17179495
>> ntp source Loopback0
>> ntp server 192.1.12.8 key 1
>> !
>>
>>
>
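The source-address precedence and the multicast acceptance rule that Kings lists at the top of this thread can be written down as a small model, which makes it easy to see why the GM rekey counters stay at zero when the rekey ACL is sourced from a loopback. The following Python is an added illustration written for this page, not Cisco code or IOS output; it encodes the behaviour as Kings describes it (address ipv4 beats the rekey ACL source, which beats 0.0.0.0; the IP header is sourced from the egress physical interface; multicast GMs require the two to match, unicast GMs do not). The ACL line is taken from the R2 config posted above, while the choice of Serial1/1.5 (192.1.25.2) as the egress interface is a constructed assumption for the scenario.

```python
"""Model of GETVPN rekey source-address selection and GM acceptance.

Added example for this thread; it is not Cisco code and does not talk to a
router. It encodes the rules stated in the thread so that a misconfiguration
(rekey ACL sourced from a loopback, multicast transport) can be diagnosed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "0.0.0.0"

# Matches the shape of the rekey ACL used in the thread:
#   access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
ACL_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+udp\s+host\s+(\S+)\s+eq\s+848"
    r"\s+host\s+(\S+)\s+eq\s+848\s*$"
)


def parse_rekey_acl(line: str) -> Optional[Tuple[str, str]]:
    """Return (source_host, group_address) from a GDOI rekey ACL line.

    Only the single-host UDP/848 form seen in the thread is recognised;
    anything else yields None rather than a guess.
    """
    m = ACL_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


@dataclass
class KeyServerRekeyConfig:
    """Key-server settings that decide the two source addresses (constructed)."""
    transport: str                       # "multicast" or "unicast"
    egress_if_addr: str                  # IP of the physical interface the rekey leaves on
    address_ipv4: Optional[str] = None   # 'address ipv4 <addr>' under 'server local', if set
    acl_source: Optional[str] = None     # source host of the 'rekey address ipv4 <acl>' ACL


def rekey_payload_source(cfg: KeyServerRekeyConfig) -> str:
    """Source address carried inside the rekey message itself.

    Precedence per the thread: address ipv4 > rekey ACL source > 0.0.0.0.
    """
    if cfg.address_ipv4:
        return cfg.address_ipv4
    if cfg.acl_source:
        return cfg.acl_source
    return ANY


def ip_header_source(cfg: KeyServerRekeyConfig) -> str:
    """The IP packet carrying the rekey is sourced from the egress interface."""
    return cfg.egress_if_addr


def gm_accepts_rekey(cfg: KeyServerRekeyConfig) -> bool:
    """Unicast GMs tolerate a mismatch; multicast GMs require an exact match."""
    if cfg.transport == "unicast":
        return True
    return rekey_payload_source(cfg) == ip_header_source(cfg)


def diagnose(cfg: KeyServerRekeyConfig) -> str:
    """Human-readable verdict plus the fix the thread arrives at."""
    payload, header = rekey_payload_source(cfg), ip_header_source(cfg)
    if gm_accepts_rekey(cfg):
        return f"accepted (rekey payload src {payload}, IP src {header})"
    return (f"dropped: rekey payload src {payload} != IP src {header}; "
            f"set 'address ipv4 {header}' or use {header} as the ACL source")


if __name__ == "__main__":
    # ACL line from the posted R2 config; egress interface is an assumption.
    acl_src, group = parse_rekey_acl(
        "access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848")
    egress = "192.1.25.2"  # Serial1/1.5 in the posted config (assumed egress)

    broken = KeyServerRekeyConfig("multicast", egress, acl_source=acl_src)
    fixed = KeyServerRekeyConfig("multicast", egress, address_ipv4=egress,
                                 acl_source=acl_src)
    print(f"group {group}, loopback-sourced ACL: {diagnose(broken)}")
    print(f"group {group}, address ipv4 = egress: {diagnose(fixed)}")
```

Running it prints the mismatch verdict for the loopback-sourced ACL and an accepted verdict once address ipv4 names the egress interface, which is the fix the thread converges on; the same model shows a unicast configuration accepting despite the mismatch.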
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
