Tyson's config did fix my problem.
I'm now seeing this on the GMs:
GM Reregisters in : 2967 secs
Rekey Received(hh:mm:ss) : 00:01:52
Rekeys received
Cumulative : 1
After registration : 1
One other question, my rekeying is now working using multicast, but on the
ASA I saw these logs in the buffer:
Nov 24 2010 20:22:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4
to outside:224.0.0.1
Nov 24 2010 20:23:26: %ASA-7-710006: IGMP request discarded from 10.2.2.5 to
inside:224.0.0.1
Nov 24 2010 20:23:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4
to outside:224.0.0.1
Should I open up IGMP in my "OUTSIDE" ACL on the outside interface? I don't
have an ACL on the inside interface.
I've got a much better understanding of multicast rekey now. Thanks, all.
Mark
On Thu, Nov 18, 2010 at 11:43 PM, Kingsley Charles <
[email protected]> wrote:
> Tyson's config should fix your problem.
>
> For your first question, you need multicast configuration on all
> participating GETVPN routers if the KS and GM are not directly connected or
> you are using a loopback interface as the source address for rekeys on the
> KS.
>
>
> With regards
> Kings
>
> On Fri, Nov 19, 2010 at 2:29 AM, Tyson Scott <[email protected]> wrote:
>
>> Rekey has never actually happened. You can see that on the group members
>> in the output below:
>>
>> Rekeys received
>> Cumulative : 0
>> After registration : 0
>>
>> Registration doesn't occur with Multicast. Registration is always a
>> unicast function.
>>
>> The ASA and R5 would need to be running multicast for it to work. The
>> GMs, as they are endpoints, can join as hosts without multicast routing, but
>> it is recommended that you configure them with MR.
>>
>> The following should be corrected:
>>
>> R5
>>
>> ip access-list ext MULTICAST-REKEY
>> permit udp host 10.5.5.5 host 239.1.1.1 eq 848
>> !
>> interface Loopback0
>> ip pim sparse-mode
>>
>> R7
>>
>> ip multicast-routing
>> ip pim rp-address 10.5.5.5
>> !
>> interface Fa0/1.24
>> ip pim sparse-mode
>>
>> ASA
>>
>> multicast-routing
>> int E0/0
>> pim
>> int E0/1
>> pim
>> pim rp-address 10.5.5.5
>>
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Mark Senteza
>> Sent: Thursday, November 18, 2010 2:19 PM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] GETVPN with Multicast Rekey
>>
>> Hey all,
>>
>> I'm trying to really understand Multicast Rekeying with GET VPN, but it
>> seems I just keep coming up with more questions than I can answer. I need
>> some help on a couple of issues. I'll copy a couple of related configs and
>> attach my logical lab layout as soon as I offload what's on my mind.
>>
>> 1. Are you required to run multicast on all GET VPN participating routers
>> in order to properly configure Multicast rekey, or only on the KS? The reason I
>> ask is that one of my GMs (R7) isn't running any multicast-related
>> configuration, yet still came up fine and encrypts the required traffic to GM
>> router R4, which I configured with multicast.
>>
>> 2. In my scenario, I have an ASA in between the GMs and the KS, running in
>> single mode. Prior to changing to multicast rekey, I had unicast
>> rekeying set up on the KS, and I opened up UDP 848 to the KS on the ASA. I
>> removed these lines and instead changed to UDP 848 to the multicast host
>> (239.1.1.1). I don't get any hits on my ACL, but the group comes up and
>> rekeying seems to work fine. I don't understand what I'm doing wrong. Or if
>> it is right, I still don't get it. I want to avoid shot-in-the-dark
>> configurations that I don't really understand. Can I get some clarification
>> on the right config required on the ASA when multicast rekeying is deployed?
>>
>> Onto the related configs:
>>
>> **********
>>
>> *ROUTER R5 - KS*
>>
>> ip domain-name cisco.com
>> crypto key generate rsa general mod 1024 label GETVPN
>>
>> ip access-list extended MULTICAST-REKEY
>> permit udp any host 239.1.1.1 eq 848
>> permit ip any host 239.1.1.1
>>
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>>
>> crypto isakmp key cisco address 10.4.4.4
>> crypto isakmp key cisco address 10.7.7.7
>>
>> crypto ipsec transform-set GETVPN esp-3des esp-md5-hmac
>>
>> crypto ipsec profile GETVPN
>> set transform-set GETVPN
>>
>> crypto gdoi group GETVPN
>> identity number 1
>> server local
>> rekey address ipv4 MULTICAST-REKEY
>> rekey retransmit 10 number 2
>> rekey authentication mypubkey rsa GETVPN
>> sa ipsec 1
>> profile GETVPN
>> match address ipv4 GETVPN
>> replay counter window-size 64
>>
>> ip multicast-routing
>> ip pim rp-address 10.5.5.5
>>
>> crypto map VPN local-address Loopback0
>> crypto map VPN 10 gdoi
>> set group GETVPN
>>
>> interface GigabitEthernet0/1.2
>> ip address 10.2.2.5 255.255.255.0
>> ip pim sparse-mode
>> crypto map VPN
>>
>> interface Loopback0
>> ip address 10.5.5.5 255.255.255.0
>>
>>
>> R5#show crypto gdoi
>> GROUP INFORMATION
>>
>> Group Name : GETVPN (Multicast)
>> Group Identity : 1
>> Group Members : 2
>> IPSec SA Direction : Both
>> Active Group Server : Local
>> Group Rekey Lifetime : 86400 secs
>> Group Rekey
>> Remaining Lifetime : 85870 secs
>> Rekey Retransmit Period : 10 secs
>> Rekey Retransmit Attempts: 2
>> Group Retransmit
>> Remaining Lifetime : 0 secs
>>
>> IPSec SA Number : 1
>> IPSec SA Rekey Lifetime: 3600 secs
>> Profile Name : GETVPN
>> Replay method : Count Based
>> Replay Window Size : 64
>> SA Rekey
>> Remaining Lifetime : 3071 secs
>> ACL Configured : access-list GETVPN
>>
>> Group Server list : Local
>>
>>
>> **********
>>
>> *ROUTER R4 - GM* - *with multicast-related configuration turned on*
>>
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>>
>> crypto isakmp key cisco address 10.5.5.5
>>
>> crypto gdoi group GETVPN
>> identity number 1
>> server address ipv4 10.5.5.5
>>
>> ip multicast-routing <- Is this required at all on the GM?
>> ip pim rp-address 10.5.5.5 <- Is this required at all on the GM?
>>
>> crypto map VPN local-address Loopback0
>> crypto map VPN 10 gdoi
>> set group GETVPN
>>
>> interface FastEthernet0/1.24
>> encapsulation dot1Q 24
>> ip address 192.1.24.4 255.255.255.0
>> ip pim sparse-mode
>> crypto map VPN
>>
>>
>> R4#show crypto isa sa
>>
>> IPv4 Crypto ISAKMP SA
>> dst src state conn-id slot status
>> 239.1.1.1 0.0.0.0 GDOI_REKEY 1006 0 ACTIVE
>> 10.5.5.5 10.4.4.4 GDOI_IDLE 1005 0 ACTIVE
>>
>> R4#show crypto gdoi
>> GROUP INFORMATION
>>
>> Group Name : GETVPN
>> Group Identity : 1
>> Rekeys received : 0
>> IPSec SA Direction : Both
>> Active Group Server : 10.5.5.5
>> Group Server list : 10.5.5.5
>>
>> GM Reregisters in : 3500 secs
>> Rekey Received(hh:mm:ss) : 00:44:08
>>
>>
>> Rekeys received
>> Cumulative : 0
>> After registration : 0
>>
>> ACL Downloaded From KS 10.5.5.5:
>> access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>> access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>>
>> KEK POLICY:
>> Rekey Transport Type : Multicast
>> Lifetime (secs) : 86400
>> Encrypt Algorithm : 3DES
>> Key Size : 192
>> Sig Hash Algorithm : HMAC_AUTH_SHA
>> Sig Key Length (bits) : 1024
>>
>> TEK POLICY:
>> FastEthernet0/1.24:
>> IPsec SA:
>> sa direction:inbound
>> spi: 0x8874B13C(2289348924)
>> transform: esp-3des esp-md5-hmac
>> sa timing:remaining key lifetime (sec): (3560)
>> Anti-Replay : Disabled
>>
>>
>> **********
>>
>> *ROUTER R7 - GM* - *WITHOUT multicast-related configuration turned on*
>>
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>>
>> crypto isakmp key cisco address 10.5.5.5
>>
>> crypto gdoi group GETVPN
>> identity number 1
>> server address ipv4 10.5.5.5
>>
>> crypto map VPN local-address Loopback0
>> crypto map VPN 10 gdoi
>> set group GETVPN
>>
>> interface Loopback0
>> ip address 10.7.7.7 255.255.255.0
>>
>> interface FastEthernet0/1.24
>> encapsulation dot1Q 24
>> ip address 192.1.24.7 255.255.255.0
>> crypto map VPN
>>
>> interface FastEthernet0/1.7
>> encapsulation dot1Q 7
>> ip address 192.1.7.7 255.255.255.0
>>
>>
>> R7#show crypto gdoi
>> GROUP INFORMATION
>>
>> Group Name : GETVPN
>> Group Identity : 1
>> Rekeys received : 0
>> IPSec SA Direction : Both
>> Active Group Server : 10.5.5.5
>> Group Server list : 10.5.5.5
>>
>> GM Reregisters in : 3205 secs
>> Rekey Received(hh:mm:ss) : 00:47:46
>>
>>
>> Rekeys received
>> Cumulative : 0
>> After registration : 0
>>
>> ACL Downloaded From KS 10.5.5.5:
>> access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>> access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
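Two symptoms come up in this thread: Tyson's point that a "Cumulative : 0 / After registration : 0" counter on a GM means a rekey has never actually arrived, and Mark's %ASA-7-710006 "IGMP request discarded" messages on the firewall sitting between the GMs and the KS. The script below is an added example, not code from the thread or from any of the posters; it parses both kinds of output so the check can be run over captured text rather than read by eye. The ASA log lines and the two GM counter samples are embedded as constructed input copied from the thread (the wrapped syslog lines rejoined onto single lines); the one non-IGMP syslog line is constructed to show that unrelated messages are ignored. The function and variable names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three %ASA-7-710006 lines quoted in the thread,
# plus one unrelated connection-built line (constructed) to show the filter
# ignores messages that are not IGMP discards.
ASA_LOG = """\
Nov 24 2010 20:22:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4 to outside:224.0.0.1
Nov 24 2010 20:23:26: %ASA-7-710006: IGMP request discarded from 10.2.2.5 to inside:224.0.0.1
Nov 24 2010 20:23:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4 to outside:224.0.0.1
Nov 24 2010 20:24:03: %ASA-6-302015: Built outbound UDP connection 12 for outside:192.1.24.4/848 (192.1.24.4/848) to inside:10.5.5.5/848 (10.5.5.5/848)
"""

# Constructed samples of the rekey counters from `show crypto gdoi` on a GM:
# the working case from Mark's follow-up and the broken case from his first post.
GM_WORKING = """\
GM Reregisters in : 2967 secs
Rekey Received(hh:mm:ss) : 00:01:52
Rekeys received
Cumulative : 1
After registration : 1
"""
GM_BROKEN = """\
GM Reregisters in : 3500 secs
Rekey Received(hh:mm:ss) : 00:44:08
Rekeys received
Cumulative : 0
After registration : 0
"""

# Matches the 710006 discard line; 224.0.0.1 is the all-systems group that
# IGMP queries are addressed to, so these are the neighbours' membership queries.
IGMP_DISCARD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-7-710006: "
    r"IGMP request discarded from (?P<src>[\d.]+) to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)$"
)


@dataclass(frozen=True)
class IgmpDiscard:
    ts: str
    src: str
    ifc: str
    dst: str


def parse_igmp_discards(log_text):
    """Return every IGMP discard in an ASA log buffer, in the order logged."""
    found = []
    for line in log_text.splitlines():
        m = IGMP_DISCARD_RE.match(line.strip())
        if m:
            found.append(IgmpDiscard(**m.groupdict()))
    return found


def discards_by_interface(discards):
    """Count discards per (interface, source): which neighbour is dropped on which side."""
    counts = {}
    for d in discards:
        key = (d.ifc, d.src)
        counts[key] = counts.get(key, 0) + 1
    return counts


def rekey_counters(show_output):
    """Extract (cumulative, after_registration) from a GM's `show crypto gdoi`; None if absent."""
    cumulative = after_reg = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Cumulative"):
            cumulative = int(line.split(":", 1)[1])
        elif line.startswith("After registration"):
            after_reg = int(line.split(":", 1)[1])
    return cumulative, after_reg


def rekey_is_working(show_output):
    """A rekey has genuinely arrived only if the GM counted one after its registration."""
    cumulative, after_reg = rekey_counters(show_output)
    return cumulative is not None and after_reg is not None and after_reg > 0


def diagnose(log_text, show_output):
    """Tie the two symptoms together: no rekeys on the GM plus IGMP discards on the
    ASA points at the firewall not participating in multicast, as the thread concluded."""
    discards = discards_by_interface(parse_igmp_discards(log_text))
    if rekey_is_working(show_output):
        return "ok"
    if discards:
        return "rekey missing; ASA discarding IGMP on " + ", ".join(sorted({i for i, _ in discards}))
    return "rekey missing; no IGMP discards seen"


if __name__ == "__main__":
    for name, out in (("before fix", GM_BROKEN), ("after fix", GM_WORKING)):
        print(name + ":", diagnose(ASA_LOG, out))
```

The per-interface counts make it obvious whether the discards come from the GM side (outside, 192.1.24.4) or the KS side (inside, 10.2.2.5), which is the first thing to check against Tyson's ASA changes (multicast-routing and pim on both interfaces) before reaching for the ACL. Note that 710006 is a level-7 message, so it only shows up with buffered logging at debugging level.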