Rekey has never actually happened. You can see that on the group members in
the output below:
Rekeys received
Cumulative : 0
After registration : 0
Registration doesn't occur with Multicast. Registration is always a unicast
function.
The ASA and R5 would need to be running multicast for it to work. The GMs, as
they are endpoints, can join as hosts without multicast routing, but it is
recommended that you configure them with MR.
The following should be corrected:

R5
ip access-list ext MULTICAST-REKEY
 permit udp host 10.5.5.5 host 239.1.1.1 eq 848
!
interface Loopback0
 ip pim sparse-mode

R7
ip multicast-routing
ip pim rp-address 10.5.5.5
!
interface Fa0/1.24
 ip pim sparse-mode

ASA
multicast-routing
int E0/0
 pim
int E0/1
 pim
pim rp-address 10.5.5.5
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130
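Added example (my own, not code from either message in this thread): a small Python check that reads the counters Tyson points at, the "Rekeys received" block and the KEK "Rekey Transport Type" from a GM's "show crypto gdoi", and flags a group that is up only because unicast registration succeeded while multicast rekey has never arrived. It also checks the KS rekey ACL against the corrected form given above (KS host as source, UDP 848 to a multicast group). The sample show output and ACL text are constructed inline from the values posted in the thread; the field names are assumed to appear exactly as in that output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, not copied verbatim from the thread: an abbreviated
# "show crypto gdoi" from a group member carrying the values R4 reported.
GM_SHOW_OUTPUT = """\
GROUP INFORMATION
    Group Name               : GETVPN
    Group Identity           : 1
    Rekeys received          : 0
    Active Group Server      : 10.5.5.5
    GM Reregisters in        : 3500 secs
    Rekey Received(hh:mm:ss) : 00:44:08
    Rekeys received
        Cumulative           : 0
        After registration   : 0
KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 86400
"""

# Constructed samples of the KS rekey ACL: the form in the question and the
# form suggested in the reply.
KS_REKEY_ACL_BEFORE = """\
ip access-list extended MULTICAST-REKEY
 permit udp any host 239.1.1.1 eq 848
 permit ip any host 239.1.1.1
"""
KS_REKEY_ACL_AFTER = """\
ip access-list extended MULTICAST-REKEY
 permit udp host 10.5.5.5 host 239.1.1.1 eq 848
"""

GDOI_PORT = "848"  # GDOI registration and rekey use UDP 848

# One extended-ACL permit entry: proto, source, destination, optional "eq port".
ACE_RE = re.compile(
    r"^\s*permit\s+(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class GmRekeyState:
    transport: str           # "Multicast" or "Unicast", from the KEK policy
    cumulative: int          # rekeys received since the GM booted
    after_registration: int  # rekeys received since the last registration
    since_rekey_secs: int    # the Rekey Received(hh:mm:ss) timer, in seconds
    reregister_in_secs: int  # seconds until the GM re-registers with the KS


def _field(text: str, pattern: str) -> str:
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_gm_rekey_state(text: str) -> GmRekeyState:
    """Pull the rekey counters out of a GM's 'show crypto gdoi' output."""
    hh, mm, ss = _field(text, r"^\s*Rekey Received\(hh:mm:ss\)\s*:\s*(\d+:\d+:\d+)").split(":")
    return GmRekeyState(
        transport=_field(text, r"^\s*Rekey Transport Type\s*:\s*(\S+)"),
        cumulative=int(_field(text, r"^\s*Cumulative\s*:\s*(\d+)")),
        after_registration=int(_field(text, r"^\s*After registration\s*:\s*(\d+)")),
        since_rekey_secs=int(hh) * 3600 + int(mm) * 60 + int(ss),
        reregister_in_secs=int(_field(text, r"^\s*GM Reregisters in\s*:\s*(\d+)\s*secs")),
    )


def diagnose_gm(state: GmRekeyState) -> list:
    """Findings for a GM whose group is up but whose rekey counters never move."""
    findings = []
    if state.cumulative == 0:
        findings.append(
            f"no rekey ever received (Rekey Received timer at {state.since_rekey_secs}s); "
            "the group is up only because registration is unicast"
        )
        if state.transport == "Multicast":
            findings.append(
                "rekey transport is multicast: check PIM / multicast routing on "
                "every hop between the KS and this GM, and the KS rekey ACL"
            )
    return findings


def check_rekey_acl(acl_text: str, ks_address: str, group_address: str) -> list:
    """Check that the KS rekey ACL permits only UDP 848 from the KS host to the group."""
    findings = []
    if not ipaddress.ip_address(group_address).is_multicast:
        findings.append(f"{group_address} is not a multicast group address")
    entries = [m for m in map(ACE_RE.match, acl_text.splitlines()) if m]
    if not entries:
        return findings + ["no permit entries found in the rekey ACL"]
    for m in entries:
        ace = " ".join(m.group(0).split())
        src = " ".join(m.group("src").split())
        if " ".join(m.group("dst").split()) != f"host {group_address}":
            findings.append(f"'{ace}' does not target the rekey group {group_address}")
        if m.group("proto") != "udp" or m.group("port") != GDOI_PORT:
            findings.append(f"'{ace}' is not limited to UDP {GDOI_PORT} (GDOI)")
        elif src != f"host {ks_address}":
            findings.append(f"'{ace}' should name the KS host {ks_address} as source, not '{src}'")
    return findings


if __name__ == "__main__":
    for finding in diagnose_gm(parse_gm_rekey_state(GM_SHOW_OUTPUT)):
        print("GM:", finding)
    for label, acl in (("before", KS_REKEY_ACL_BEFORE), ("after", KS_REKEY_ACL_AFTER)):
        print(f"KS ACL ({label}):", check_rekey_acl(acl, "10.5.5.5", "239.1.1.1") or ["ok"])
```

Run it against the pasted outputs from each GM and from the KS: a GM showing Cumulative 0 with transport Multicast is the symptom described above, and the ACL check reports the two things the corrected R5 ACL changes (KS host instead of any as source, and no second permit ip entry).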
From: [email protected]
[mailto:[email protected]] On Behalf Of Mark Senteza
Sent: Thursday, November 18, 2010 2:19 PM
To: [email protected]
Subject: [OSL | CCIE_Security] GETVPN with Multicast Rekey
Hey all,
I'm trying to really understand Multicast Rekeying with GET VPN, but it
seems I just keep coming up with more questions than I can answer. I need
some help on a couple of issues. I'll copy a couple of related configs and
attach my logical lab layout as soon as I offload what's on my mind.
1. Are you required to run multicast on all GET VPN participating routers
in order to properly configure Multicast rekey, or only on the KS? The
reason I ask is that one of my GMs (R7) isn't running any multicast-related
configuration, yet it still came up good and encrypts the required traffic
to GM router R4, which I configured with multicast.
2. In my scenario, I have an ASA in between the GMs and the KS, running in
single mode. Prior to changing to multicast rekey, I had unicast rekeying
set up on the KS, and I opened up UDP 848 to the KS on the ASA. I removed
these lines and instead changed it to UDP 848 to the multicast host
(239.1.1.1). I don't get any hits on my ACL, but the group comes up and
rekeying seems to work fine. I don't understand what I'm doing wrong. Or if
it is right, I still don't get it. I want to avoid shot-in-the-dark
configurations that I don't really understand. Can I get some clarification
on the right config required on the ASA when multicast keying is deployed?
Onto the related configs:
**********
ROUTER R5 - KS
ip domain-name cisco.com
crypto key generate rsa general mod 1024 label GETVPN
ip access-list extended MULTICAST-REKEY
 permit udp any host 239.1.1.1 eq 848
 permit ip any host 239.1.1.1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.4.4.4
crypto isakmp key cisco address 10.7.7.7
crypto ipsec transform-set GETVPN esp-3des esp-md5-hmac
crypto ipsec profile GETVPN
 set transform-set GETVPN
crypto gdoi group GETVPN
 identity number 1
 server local
  rekey address ipv4 MULTICAST-REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN
  sa ipsec 1
   profile GETVPN
   match address ipv4 GETVPN
   replay counter window-size 64
ip multicast-routing
ip pim rp-address 10.5.5.5
crypto map VPN local-address Loopback0
crypto map VPN 10 gdoi
 set group GETVPN
interface GigabitEthernet0/1.2
 ip address 10.2.2.5 255.255.255.0
 ip pim sparse-mode
 crypto map VPN
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
R5#show crypto gdoi
GROUP INFORMATION
Group Name : GETVPN (Multicast)
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85870 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : GETVPN
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3071 secs
ACL Configured : access-list GETVPN
Group Server list : Local
**********
ROUTER R4 - GM - with multicast-related configuration turned on
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.5.5.5
crypto gdoi group GETVPN
 identity number 1
 server address ipv4 10.5.5.5
ip multicast-routing          <- Is this required at all on the GM?
ip pim rp-address 10.5.5.5    <- Is this required at all on the GM?
crypto map VPN local-address Loopback0
crypto map VPN 10 gdoi
 set group GETVPN
interface FastEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.1.24.4 255.255.255.0
 ip pim sparse-mode
 crypto map VPN
R4#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state           conn-id slot status
239.1.1.1       0.0.0.0         GDOI_REKEY         1006    0 ACTIVE
10.5.5.5        10.4.4.4        GDOI_IDLE          1005    0 ACTIVE
R4#show crypto gdoi
GROUP INFORMATION
Group Name : GETVPN
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 10.5.5.5
Group Server list : 10.5.5.5
GM Reregisters in : 3500 secs
Rekey Received(hh:mm:ss) : 00:44:08
Rekeys received
Cumulative : 0
After registration : 0
ACL Downloaded From KS 10.5.5.5:
access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
KEK POLICY:
Rekey Transport Type : Multicast
Lifetime (secs) : 86400
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/1.24:
IPsec SA:
sa direction:inbound
spi: 0x8874B13C(2289348924)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (3560)
Anti-Replay : Disabled
**********
ROUTER R7 - GM - WITHOUT multicast-related configuration turned on
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.5.5.5
crypto gdoi group GETVPN
 identity number 1
 server address ipv4 10.5.5.5
crypto map VPN local-address Loopback0
crypto map VPN 10 gdoi
 set group GETVPN
interface Loopback0
 ip address 10.7.7.7 255.255.255.0
interface FastEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.1.24.7 255.255.255.0
 crypto map VPN
interface FastEthernet0/1.7
 encapsulation dot1Q 7
 ip address 192.1.7.7 255.255.255.0
R7#show crypto gdoi
GROUP INFORMATION
Group Name : GETVPN
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 10.5.5.5
Group Server list : 10.5.5.5
GM Reregisters in : 3205 secs
Rekey Received(hh:mm:ss) : 00:47:46
Rekeys received
Cumulative : 0
After registration : 0
ACL Downloaded From KS 10.5.5.5:
access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255