Tyson's config should fix your problem.

For your first question, you need multicast configuration on all
participating GETVPN routers if the KS and GM are not directly connected or
you are using a loopback interface as the source address for rekeys on the
KS.


With regards
Kings

On Fri, Nov 19, 2010 at 2:29 AM, Tyson Scott <[email protected]> wrote:

> Rekey has never actually happened.  You can see that on the group members
> in the output below
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
> Registration doesn't occur with Multicast.  Registration is always a
> unicast function.
>
>
>
> The ASA and R5 would need to be running multicast for it to work.  The GMs,
> as they are endpoints, can join as hosts without multicast routing, but it is
> recommended that you configure them with MR.
>
>
>
> The following should be corrected
>
> R5
>
> ip access-list ext MULTICAST-REKEY
>  permit udp host 10.5.5.5 host 239.1.1.1 eq 848
> !
> interface Loopback0
>  ip pim sparse-mode
>
> R7
>
> ip multicast-routing
> ip pim rp-address 10.5.5.5
> !
> interface Fa0/1.24
>  ip pim sparse-mode
>
> ASA
>
> multicast-routing
> int E0/0
>  pim
> int E0/1
>  pim
> pim rp-address 10.5.5.5
>
>
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mark Senteza
> Sent: Thursday, November 18, 2010 2:19 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] GETVPN with Multicast Rekey
>
>
>
> Hey all,
>
> I'm trying to really understand Multicast Rekeying with GET VPN, but it
> seems I just keep coming up with more questions than I can answer. I need
> some help on a couple of issues. I'll copy a couple of related configs and
> attach my logical lab layout as soon as I offload what's on my mind.
>
> 1. Are you required to run multicast on all GET VPN participating routers
> in order to properly configure multicast rekey, or only on the KS? The reason
> I ask is that one of my GMs (R7) isn't running any multicast-related
> configuration, yet it still came up fine and encrypts the required traffic to
> GM router R4, which I configured with multicast.
>
> 2. In my scenario, I have an ASA between the GMs and the KS, running in
> single mode. Before changing to multicast rekey, I had unicast
> rekeying set up on the KS, and I opened up UDP 848 to the KS on the ASA. I
> removed these lines and instead changed to UDP 848 to the multicast host
> (239.1.1.1). I don't get any hits on my ACL, but the group comes up and
> rekeying seems to work fine. I don't understand what I'm doing wrong, or, if
> it is right, I still don't get it. I want to avoid shot-in-the-dark
> configurations that I don't really understand. Can I get some clarification
> on the right config required on the ASA when multicast keying is deployed?
>
> Onto the related configs:
>
> **********
>
> ROUTER R5 - KS
>
> ip domain-name cisco.com
> crypto key generate rsa general mod 1024 label GETVPN
>
> ip access-list extended MULTICAST-REKEY
>  permit udp any host 239.1.1.1 eq 848
>  permit ip any host 239.1.1.1
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto isakmp key cisco address 10.4.4.4
> crypto isakmp key cisco address 10.7.7.7
>
> crypto ipsec transform-set GETVPN esp-3des esp-md5-hmac
>
> crypto ipsec profile GETVPN
>  set transform-set GETVPN
>
> crypto gdoi group GETVPN
>  identity number 1
>  server local
>   rekey address ipv4 MULTICAST-REKEY
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN
>   sa ipsec 1
>    profile GETVPN
>    match address ipv4 GETVPN
>    replay counter window-size 64
>
> ip multicast-routing
> ip pim rp-address 10.5.5.5
>
> crypto map VPN local-address Loopback0
> crypto map VPN 10 gdoi
>  set group GETVPN
>
> interface GigabitEthernet0/1.2
>  ip address 10.2.2.5 255.255.255.0
>  ip pim sparse-mode
>  crypto map VPN
>
> interface Loopback0
>  ip address 10.5.5.5 255.255.255.0
>
>
> R5#show crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : GETVPN (Multicast)
>     Group Identity           : 1
>     Group Members            : 2
>     IPSec SA Direction       : Both
>     Active Group Server      : Local
>     Group Rekey Lifetime     : 86400 secs
>     Group Rekey
>         Remaining Lifetime   : 85870 secs
>     Rekey Retransmit Period  : 10 secs
>     Rekey Retransmit Attempts: 2
>     Group Retransmit
>         Remaining Lifetime   : 0 secs
>
>       IPSec SA Number        : 1
>       IPSec SA Rekey Lifetime: 3600 secs
>       Profile Name           : GETVPN
>       Replay method          : Count Based
>       Replay Window Size     : 64
>       SA Rekey
>          Remaining Lifetime  : 3071 secs
>       ACL Configured         : access-list GETVPN
>
>     Group Server list        : Local
>
>
> **********
>
> ROUTER R4 - GM - with multicast-related configuration turned on
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto isakmp key cisco address 10.5.5.5
>
> crypto gdoi group GETVPN
>  identity number 1
>  server address ipv4 10.5.5.5
>
> ip multicast-routing          <- Is this required at all on the GM?
> ip pim rp-address 10.5.5.5    <- Is this required at all on the GM?
>
> crypto map VPN local-address Loopback0
> crypto map VPN 10 gdoi
>  set group GETVPN
>
> interface FastEthernet0/1.24
>  encapsulation dot1Q 24
>  ip address 192.1.24.4 255.255.255.0
>  ip pim sparse-mode
>  crypto map VPN
>
>
> R4#show crypto isa sa
>
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 239.1.1.1       0.0.0.0         GDOI_REKEY        1006    0 ACTIVE
> 10.5.5.5        10.4.4.4        GDOI_IDLE         1005    0 ACTIVE
>
> R4#show crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : GETVPN
>     Group Identity           : 1
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : 10.5.5.5
>     Group Server list        : 10.5.5.5
>
>     GM Reregisters in        : 3500 secs
>     Rekey Received(hh:mm:ss) : 00:44:08
>
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
>  ACL Downloaded From KS 10.5.5.5:
>    access-list  permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>    access-list  permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>
> KEK POLICY:
>     Rekey Transport Type     : Multicast
>     Lifetime (secs)          : 86400
>     Encrypt Algorithm        : 3DES
>     Key Size                 : 192
>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>     Sig Key Length (bits)    : 1024
>
> TEK POLICY:
>   FastEthernet0/1.24:
>     IPsec SA:
>         sa direction:inbound
>         spi: 0x8874B13C(2289348924)
>         transform: esp-3des esp-md5-hmac
>         sa timing:remaining key lifetime (sec): (3560)
>         Anti-Replay :  Disabled
>
>
> **********
>
> ROUTER R7 - GM - WITHOUT multicast-related configuration turned on
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto isakmp key cisco address 10.5.5.5
>
> crypto gdoi group GETVPN
>  identity number 1
>  server address ipv4 10.5.5.5
>
> crypto map VPN local-address Loopback0
> crypto map VPN 10 gdoi
>  set group GETVPN
>
> interface Loopback0
>  ip address 10.7.7.7 255.255.255.0
>
> interface FastEthernet0/1.24
>  encapsulation dot1Q 24
>  ip address 192.1.24.7 255.255.255.0
>  crypto map VPN
>
> interface FastEthernet0/1.7
>  encapsulation dot1Q 7
>  ip address 192.1.7.7 255.255.255.0
>
>
> R7#show crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : GETVPN
>     Group Identity           : 1
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : 10.5.5.5
>     Group Server list        : 10.5.5.5
>
>     GM Reregisters in        : 3205 secs
>     Rekey Received(hh:mm:ss) : 00:47:46
>
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
>  ACL Downloaded From KS 10.5.5.5:
>    access-list  permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>    access-list  permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
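As an added example that is not part of the thread (not code from Tyson, Kings or Mark), the following script turns two points made above into a repeatable check: the "Rekeys received / Cumulative : 0" observation on the GMs, and the multicast items the reply lists for R7 (ip multicast-routing, an RP address, and PIM sparse-mode on the interface carrying the GDOI crypto map). It parses a GM's `show crypto gdoi` output and its running config with simple regex and stanza splitting (the field labels are the ones shown in the quoted output; the sample inputs are constructed from the R7 and R4 text above, abbreviated). One assumption is labelled in the code: when the KEK POLICY section is absent from the pasted output, the group is treated as multicast rekey, which is what the KS in this thread uses.

```python
"""GETVPN multicast-rekey readiness check for a group member (GM).

Added example for this thread, not code from any of the posters. It parses
a GM's 'show crypto gdoi' output and running config and reports (a) the
"rekey never received" state visible in the quoted output and (b) the
multicast items the reply above lists for R7. Sample inputs are constructed
from the R7 and R4 text quoted in the thread (abbreviated).
"""
import re

# Constructed sample: R7's 'show crypto gdoi' lines as quoted above.
R7_SHOW = """\
    Rekeys received          : 0
    Active Group Server      : 10.5.5.5

    GM Reregisters in        : 3205 secs
    Rekey Received(hh:mm:ss) : 00:47:46

    Rekeys received
         Cumulative          : 0
         After registration  : 0
"""

# Constructed sample: R7's config as quoted above (no multicast at all).
R7_CONFIG = """\
crypto gdoi group GETVPN
 identity number 1
 server address ipv4 10.5.5.5
crypto map VPN local-address Loopback0
crypto map VPN 10 gdoi
 set group GETVPN
interface Loopback0
 ip address 10.7.7.7 255.255.255.0
interface FastEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.1.24.7 255.255.255.0
 crypto map VPN
interface FastEthernet0/1.7
 ip address 192.1.7.7 255.255.255.0
"""

# Constructed sample: the multicast-relevant part of R4's config as quoted.
R4_CONFIG = """\
ip multicast-routing
ip pim rp-address 10.5.5.5
crypto map VPN 10 gdoi
 set group GETVPN
interface FastEthernet0/1.24
 ip address 192.1.24.4 255.255.255.0
 ip pim sparse-mode
 crypto map VPN
"""

def _field(text, label):
    """Value after 'label : ' in show output, or None if the line is absent."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_show(text):
    """Pull the rekey counters and transport type out of 'show crypto gdoi'."""
    return {
        "transport": _field(text, "Rekey Transport Type"),  # None if KEK block absent
        "cumulative": int(_field(text, "Cumulative") or 0),
        "after_registration": int(_field(text, "After registration") or 0),
        "reregisters_in": int(_field(text, "GM Reregisters in") or 0),
    }

def parse_config(text):
    """Split IOS config into top-level lines and per-interface sub-lines."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # sub-command of the current stanza
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            top.append(line)
    return top, interfaces

def multicast_gaps(config_text):
    """Multicast config the reply above says a GM needs, that this one lacks."""
    top, interfaces = parse_config(config_text)
    gaps = []
    if not any(l.startswith("ip multicast-routing") for l in top):
        gaps.append("ip multicast-routing")
    if not any(l.startswith("ip pim rp-address ") for l in top):
        gaps.append("ip pim rp-address <RP>")
    # The rekey is received on whichever interface carries the GDOI crypto map.
    for name, lines in interfaces.items():
        has_map = any(l.startswith("crypto map ") for l in lines)
        if has_map and "ip pim sparse-mode" not in lines:
            gaps.append(f"ip pim sparse-mode on {name}")
    return gaps

def audit_gm(show_text, config_text):
    """Findings for one GM; multicast gaps only matter for multicast rekey."""
    state = parse_show(show_text)
    findings = []
    if state["cumulative"] == 0:
        findings.append("no rekey ever received; GM will fall back to "
                        f"re-registration in {state['reregisters_in']} secs")
    # Assumption: if the KEK POLICY section was not pasted, treat the group as
    # multicast rekey, which is what the KS in this thread uses.
    if state["transport"] in (None, "Multicast"):
        findings += [f"missing: {g}" for g in multicast_gaps(config_text)]
    return findings

if __name__ == "__main__":
    for finding in audit_gm(R7_SHOW, R7_CONFIG):
        print(finding)
```

Run against the R7 samples it reports the never-received rekey plus the three missing multicast items; against R4's config only the rekey finding remains, which matches the thread: R4 has the multicast configuration but, like R7, has still not received a rekey.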