*The multicast rekey will work with rekey as source address.*

*Explanation*

*KS with multicast rekey with physical interface as source address*

The router sends multicast packets out of all interfaces. When you have a
physical interface as the source address for rekey and the GMs are
connected to the physical interface network, then you need not configure *"ip
pim"* or *"multicasting-routing"*. The GMs get multicast packets, and the
source of the IP packet and the source address in the rekey will obviously
match. Hence the GMs accept the rekey packet happily.

*KS with multicast rekey with loopback interface as source address*


The router sends the multicast packet out of all interfaces including the
loopback interface. Since this is a loopback interface, it is not able to
route the packet like the other physical interfaces. So I enable ip pim
sparse-mode on all the concerned interfaces (KS's loopback, outgoing
interface and GM's interface). Also the pim rp-address is configured on the
KS/GM and the address is the loopback interface IP address. So the packet is
now routable: it is sent to the rp and then the GMs get the multicast
from the rp. Since the packets are from the loopback interface, the source address of
the multicast packet and the rekey match. Hence rekeys are accepted by the GM.

Tacack, this should clarify your question of having loopback interface as
source.

Conclusion - When you have loopback interface as source then pim and
multicasting routing should be used.





With regards
Kings
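As an added illustration of the conditions this message arrives at (not code from any poster in the thread), the following Python script parses a Cisco IOS running-config in the style of the one posted further down and checks the multicast-rekey prerequisites: the rekey ACL source must be an address owned by a local interface, and when that interface is a loopback, `ip multicast-routing`, `ip pim sparse-mode` on the loopback and an `ip pim rp-address` must be present. The `SAMPLE_CONFIG`, the `BROKEN_CONFIG` that reproduces the "no PIM on the loopback" mistake, and the function names are all constructed here; the GM acceptance rule in `gm_accepts_rekey` is the behaviour observed in the thread, not a vendor specification.

```python
"""Constructed example for this thread (not code from any of the posters):
parse a Cisco IOS config and check the GETVPN multicast-rekey prerequisites
the thread arrives at. SAMPLE_CONFIG and BROKEN_CONFIG are constructed."""
import re

# Constructed config, modelled on the posted one: KS rekey sourced from Loopback0.
SAMPLE_CONFIG = """\
ip multicast-routing
!
crypto gdoi group GETVPN1
 identity number 123
 server local
  rekey algorithm aes 192
  rekey address ipv4 121
!
interface Loopback0
 ip address 2.2.2.2 255.0.0.0
 ip pim sparse-mode
!
interface Serial1/1.5 point-to-point
 ip address 192.1.25.2 255.255.255.0
 ip pim sparse-mode
!
ip pim rp-address 2.2.2.2
!
access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
"""

# Same config with the mistake described in the thread: no PIM on the loopback.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "interface Loopback0\n ip address 2.2.2.2 255.0.0.0\n ip pim sparse-mode\n",
    "interface Loopback0\n ip address 2.2.2.2 255.0.0.0\n")


def parse_interfaces(config):
    """Return {interface name: {"ip": address or None, "pim": bool}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "pim": False}
        elif current is not None and not line.startswith(" "):
            current = None          # '!' or a new top-level command ends the stanza
        elif current is not None:
            m = re.match(r"^\s+ip address (\S+) \S+", line)
            if m:
                interfaces[current]["ip"] = m.group(1)
            elif re.match(r"^\s+ip pim (sparse|dense|sparse-dense)-mode", line):
                interfaces[current]["pim"] = True
    return interfaces


def rekey_source(config):
    """Return (acl number, source host) from 'rekey address ipv4 <acl>' and that ACL."""
    m = re.search(r"^\s+rekey address ipv4 (\d+)", config, re.M)
    if not m:
        return None, None
    acl = m.group(1)
    m = re.search(rf"^access-list {acl} permit udp host (\S+) ", config, re.M)
    return acl, (m.group(1) if m else None)


def check_multicast_rekey(config):
    """List the problems found; an empty list means the thread's conditions are met."""
    acl, src = rekey_source(config)
    if acl is None:
        return ["no 'rekey address ipv4 <acl>' under 'server local'"]
    if src is None:
        return [f"access-list {acl} has no 'permit udp host <source> ...' entry"]
    interfaces = parse_interfaces(config)
    owner = next((n for n, d in interfaces.items() if d["ip"] == src), None)
    if owner is None:
        return [f"rekey source {src} is not the address of any local interface"]
    if not owner.lower().startswith("loopback"):
        return []       # physical-interface source: GMs on that segment need no PIM
    problems = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "ip multicast-routing" not in lines:
        problems.append("loopback rekey source but 'ip multicast-routing' is missing")
    if not interfaces[owner]["pim"]:
        problems.append(f"{owner} holds the rekey source but has no 'ip pim sparse-mode'")
    if not re.search(r"^ip pim rp-address \S+", config, re.M):
        problems.append("loopback rekey source but no 'ip pim rp-address' configured")
    return problems


def gm_accepts_rekey(mode, packet_src, rekey_src):
    """Acceptance rule reported in the thread: a unicast-rekey GM tolerates a mismatch
    between the IP header source and the source carried inside the rekey; a
    multicast-rekey GM requires them to match."""
    return mode == "unicast" or packet_src == rekey_src


if __name__ == "__main__":
    print("working config :", check_multicast_rekey(SAMPLE_CONFIG))
    print("broken config  :", check_multicast_rekey(BROKEN_CONFIG))
```

Run it against a saved `show running-config` to get the same three findings the thread worked out by hand; the checker deliberately stops after the first structural problem (no rekey ACL, no ACL source, source not local) because the PIM checks are meaningless until the rekey source is known.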


On Wed, Nov 10, 2010 at 4:38 PM, Kingsley Charles <
[email protected]> wrote:

> More observations with multicast rekey
>
>
>    - If both address ipv4 and rekey address configured, the address ipv4
>    takes precedence for the source address of the rekey
>    - If only rekey address, source address in rekey acl is used.
>    - If both address ipv4 and rekey is not configured, source address is
>    0.0.0.0.
>    - There is a source address in the rekey packet itself. Don't confuse
>    it with source address of the packet.
>    - The address ipv4 and rekey acl source address decides the source of
>    the rekey packet.
>    - The IP packet uses the source address of the outgoing physical
>    interface IP address.
>
>
> With unicast rekey, the GM accepts rekey even if there is a mismatch between
> the rekey source address and IP packet source address.
>
> With multicast rekey, the GM accepts the rekeys only if the rekey source
> address and IP packet source address match. As per my investigation, you
> need to configure the address ipv4 or source address in the rekey with the
> outgoing physical IP address to make the GM accept rekeys.
>
> Please let me know, if I am missing something or wrong.
>
>
> With regards
> Kings
>
>
> On Wed, Nov 10, 2010 at 4:08 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> Great, this mail thread is an eye opener.
>>
>> Still we have one problem left. Is your GM receiving the rekeys? Issue "sh
>> crypto gdoi" on your GM and see, if there is an increase for the rekey
>> counters?
>>
>> The rekeys might reach the GM but are not accepted because the source
>> address in the "sh crypto gdoi gm rekey" and the actual address in the rekey is
>> different.
>>
>> This is what Tacack was also mentioning.
>>
>> You will see the counters always zero. Though you see the IP address of
>> loopback address in log messages on the KS, when sent out it changes to
>> physical interface IP address.
>>
>> router3#sh crypto gdoi gm rekey
>> Group king (Multicast)
>>
>>     Number of Rekeys received (cumulative)       : 0
>>     Number of Rekeys received after registration : 0
>>
>> Rekey (KEK) SA information :
>>           dst             src             conn-id  my-cookie  his-cookie
>> New     : 239.1.2.3       4.4.4.4           5462   7D989438   2A16D52E
>> Current : ---             ---               ---    ---        ---
>> Previous: ---             ---               ---    ---        ---
>>
>> router3#sh crypto gdoi
>> GROUP INFORMATION
>>
>>     Group Name               : king
>>     Group Identity           : 7
>>     Rekeys received          : 0
>>     IPSec SA Direction       : Both
>>     Active Group Server      : 10.20.30.43
>>     Group Server list        : 10.20.30.43
>>
>>     GM Reregisters in        : 132 secs
>>     Rekey Received(hh:mm:ss) : 00:18:03
>>
>>
>>     Rekeys received
>>          Cumulative          : 0
>>          After registration  : 0
>>
>> With regards
>> Kings
>>
>>
>> On Wed, Nov 10, 2010 at 1:40 PM, Jerome Dolphin <[email protected]> wrote:
>>
>>> Aaargh, that was it, I did not enable pim on the loopback. This is
>>> working now. Many thanks Tyson. Full device config in case anyone else is
>>> interested:
>>>
>>> !
>>> version 12.4
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> no service password-encryption
>>> !
>>> hostname R2
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> !
>>> no aaa new-model
>>> memory-size iomem 5
>>> clock timezone EST -5
>>> clock summer-time EDT recurring
>>> ip cef
>>> !
>>> !
>>> !
>>> !
>>> no ip domain lookup
>>> ip domain name ipexpert.com
>>> ip multicast-routing
>>> !
>>> multilink bundle-name authenticated
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> archive
>>>  log config
>>>   hidekeys
>>> !
>>>
>>> !
>>> crypto isakmp policy 10
>>>  encr aes
>>>  authentication pre-share
>>>  group 5
>>> crypto isakmp key ipexpert address 0.0.0.0 0.0.0.0
>>> !
>>> !
>>> crypto ipsec transform-set TSET1 esp-aes 256 esp-sha-hmac
>>> !
>>> crypto ipsec profile ISAPROF1
>>>  set transform-set TSET1
>>> !
>>> crypto gdoi group GETVPN1
>>>  identity number 123
>>>
>>>  server local
>>>   rekey algorithm aes 192
>>>   rekey address ipv4 121
>>>   rekey lifetime seconds 600
>>>   rekey retransmit 10 number 2
>>>   rekey authentication mypubkey rsa R2.ipexpert.com
>>>   sa ipsec 1
>>>    profile ISAPROF1
>>>    match address ipv4 122
>>>    replay counter window-size 64
>>> !
>>> !
>>> !
>>> ip tcp synwait-time 5
>>> !
>>> !
>>> !
>>> !
>>> interface Loopback0
>>>  ip address 2.2.2.2 255.0.0.0
>>>  ip pim sparse-mode
>>> !
>>> interface FastEthernet0/0
>>>  no ip address
>>>  shutdown
>>>  speed 100
>>>  full-duplex
>>> !
>>> interface FastEthernet0/1
>>>  ip address 192.1.12.2 255.255.255.0
>>>  speed 100
>>>  full-duplex
>>> !
>>> interface Serial1/0
>>>  no ip address
>>>  shutdown
>>>  no fair-queue
>>>  serial restart-delay 0
>>> !
>>> interface Serial1/1
>>>  no ip address
>>>  encapsulation frame-relay
>>>  serial restart-delay 0
>>>  no frame-relay inverse-arp
>>> !
>>> interface Serial1/1.4 point-to-point
>>>  ip address 192.1.24.2 255.255.255.0
>>>  snmp trap link-status
>>>  frame-relay interface-dlci 204
>>> !
>>> interface Serial1/1.5 point-to-point
>>>  ip address 192.1.25.2 255.255.255.0
>>>  ip pim sparse-mode
>>>  snmp trap link-status
>>>  frame-relay interface-dlci 205
>>> !
>>> interface Serial1/1.6 point-to-point
>>>  ip address 192.1.26.2 255.255.255.0
>>>  ip pim sparse-mode
>>>  snmp trap link-status
>>>  frame-relay interface-dlci 206
>>> !
>>> interface Serial1/2
>>>  no ip address
>>>  shutdown
>>>  serial restart-delay 0
>>> !
>>> interface Serial1/3
>>>  no ip address
>>>  shutdown
>>>  serial restart-delay 0
>>> !
>>> router ospf 1
>>>  router-id 2.2.2.2
>>>  log-adjacency-changes
>>>  network 2.2.2.2 0.0.0.0 area 0
>>>  network 172.16.12.0 0.0.0.255 area 0
>>>  network 192.1.12.0 0.0.0.255 area 0
>>>  network 192.1.24.0 0.0.0.255 area 0
>>>  network 192.1.25.0 0.0.0.255 area 0
>>>  network 192.1.26.0 0.0.0.255 area 0
>>> !
>>> router bgp 245
>>>  no synchronization
>>>  bgp router-id 2.2.2.2
>>>  bgp log-neighbor-changes
>>>  neighbor 4.4.4.4 remote-as 245
>>>  neighbor 4.4.4.4 update-source Loopback0
>>>  neighbor 4.4.4.4 route-reflector-client
>>>  neighbor 5.5.5.5 remote-as 245
>>>  neighbor 5.5.5.5 update-source Loopback0
>>>  neighbor 5.5.5.5 route-reflector-client
>>>  no auto-summary
>>> !
>>> ip forward-protocol nd
>>> ip route 195.1.1.0 255.255.255.0 192.1.12.10
>>> !
>>> !
>>> no ip http server
>>> no ip http secure-server
>>> ip pim rp-address 2.2.2.2
>>>
>>> !
>>> access-list 101 permit ip any host 239.0.1.2
>>> access-list 121 permit udp host 2.2.2.2 eq 848 host 239.0.1.2 eq 848
>>>
>>> access-list 122 permit ip 9.0.0.0 0.255.255.255 host 192.1.6.16
>>> access-list 122 permit ip host 192.1.6.16 9.0.0.0 0.255.255.255
>>> no cdp log mismatch duplex
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> control-plane
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> line con 0
>>>  exec-timeout 0 0
>>>  privilege level 15
>>>  logging synchronous
>>>  stopbits 1
>>> line aux 0
>>> line vty 0 4
>>>  login
>>> !
>>> ntp authentication-key 1 md5 060506324F41 7
>>> ntp authenticate
>>> ntp trusted-key 1
>>> ntp clock-period 17179495
>>> ntp source Loopback0
>>> ntp server 192.1.12.8 key 1
>>> !
>>>
>>>
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com