224.0.0.1 is the all-systems multicast address. They are host membership queries for the multicast.

Though not an issue here, I am wondering why it is being discarded when you have multicast-routing enabled on the ASA.

With regards
Kings

On Thu, Nov 25, 2010 at 1:15 AM, Mark Senteza <[email protected]> wrote:
> Tyson's config did fix my problem.
>
> I'm now seeing this on the GMs:
>
>     GM Reregisters in        : 2967 secs
>     Rekey Received(hh:mm:ss) : 00:01:52
>
>     Rekeys received
>         Cumulative           : 1
>         After registration   : 1
>
> One other question, my rekeying is now working using multicast, but on the
> ASA I saw these logs in the buffer:
>
> Nov 24 2010 20:22:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4 to outside:224.0.0.1
> Nov 24 2010 20:23:26: %ASA-7-710006: IGMP request discarded from 10.2.2.5 to inside:224.0.0.1
> Nov 24 2010 20:23:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4 to outside:224.0.0.1
>
> Should I open up IGMP in my "OUTSIDE" ACL on the outside interface? I don't
> have an ACL on the inside interface.
>
> I've got a much better understanding of multicast rekey now. Thanks all
>
> Mark
>
> On Thu, Nov 18, 2010 at 11:43 PM, Kingsley Charles <[email protected]> wrote:
>
>> Tyson's config should fix your problem.
>>
>> For your first question, you need multicast configuration on all
>> participating GETVPN routers if the KS and GM are not directly connected or
>> you are using a loopback interface as the source address for rekeys on the
>> KS.
>>
>> With regards
>> Kings
>>
>> On Fri, Nov 19, 2010 at 2:29 AM, Tyson Scott <[email protected]> wrote:
>>
>>> Rekey has never actually happened. You can see that on the group members
>>> in the output below
>>>
>>>     Rekeys received
>>>         Cumulative           : 0
>>>         After registration   : 0
>>>
>>> Registration doesn't occur with Multicast. Registration is always a
>>> unicast function.
>>>
>>> The ASA and R5 would need to be running multicast for it to work. The
>>> GMs, as they are endpoints, can join as hosts without multicast routing, but
>>> it is recommended that you configure them with MR.
>>>
>>> The following should be corrected:
>>>
>>> R5
>>>
>>> ip access-list ext MULTICAST-REKEY
>>>  permit udp host 10.5.5.5 host 239.1.1.1 eq 848
>>> !
>>> interface Loopback0
>>>  ip pim sparse-mode
>>>
>>> R7
>>>
>>> ip multicast-routing
>>> ip pim rp-address 10.5.5.5
>>> !
>>> interface Fa0/1.24
>>>  ip pim sparse-mode
>>>
>>> ASA
>>>
>>> multicast-routing
>>> int E0/0
>>>  pim
>>> int E0/1
>>>  pim
>>> pim rp-address 10.5.5.5
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444, ext. 208
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>> training locations throughout the United States, Europe, South Asia and
>>> Australia. Be sure to visit our online communities at
>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Mark Senteza
>>> Sent: Thursday, November 18, 2010 2:19 PM
>>> To: [email protected]
>>> Subject: [OSL | CCIE_Security] GETVPN with Multicast Rekey
>>>
>>> Hey all,
>>>
>>> I'm trying to really understand Multicast Rekeying with GET VPN, but it
>>> seems I just keep coming up with more questions than I can answer. I need
>>> some help on a couple of issues. I'll copy a couple of related configs and
>>> attach my logical lab layout as soon as I offload what's on my mind.
>>>
>>> 1. Are you required to run multicast on all GET VPN participating
>>> routers in order to properly configure Multicast rekey, or only on the KS?
>>> Reason I ask is because one of my GMs (R7) isn't running any
>>> multicast-related configuration, yet still came up good and encrypts
>>> required traffic to GM router R4, which I configured with multicast.
>>>
>>> 2. In my scenario, I have an ASA in between the GMs and the KS, running
>>> in single mode. Previously to changing to multicast rekey, I had unicast
>>> rekeying set up on the KS, and I opened up UDP 848 to the KS on the ASA. I
>>> removed these lines and instead changed to UDP 848 to the multicast host
>>> (239.1.1.1). I don't get any hits on my ACL but the group comes up and
>>> rekeying seems to work fine. I don't understand what I'm doing wrong. Or if
>>> it is right, I still don't get it. I want to avoid shot-in-the-dark
>>> configurations that I don't really understand. Can I get some clarification
>>> on the right config required on the ASA when multicast keying is deployed?
>>>
>>> Onto the related configs:
>>>
>>> **********
>>>
>>> ROUTER R5 - KS
>>>
>>> ip domain-name cisco.com
>>> crypto key generate rsa general mod 1024 label GETVPN
>>>
>>> ip access-list extended MULTICAST-REKEY
>>>  permit udp any host 239.1.1.1 eq 848
>>>  permit ip any host 239.1.1.1
>>>
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key cisco address 10.4.4.4
>>> crypto isakmp key cisco address 10.7.7.7
>>>
>>> crypto ipsec transform-set GETVPN esp-3des esp-md5-hmac
>>>
>>> crypto ipsec profile GETVPN
>>>  set transform-set GETVPN
>>>
>>> crypto gdoi group GETVPN
>>>  identity number 1
>>>  server local
>>>   rekey address ipv4 MULTICAST-REKEY
>>>   rekey retransmit 10 number 2
>>>   rekey authentication mypubkey rsa GETVPN
>>>   sa ipsec 1
>>>    profile GETVPN
>>>    match address ipv4 GETVPN
>>>    replay counter window-size 64
>>>
>>> ip multicast-routing
>>> ip pim rp-address 10.5.5.5
>>>
>>> crypto map VPN local-address Loopback0
>>> crypto map VPN 10 gdoi
>>>  set group GETVPN
>>>
>>> interface GigabitEthernet0/1.2
>>>  ip address 10.2.2.5 255.255.255.0
>>>  ip pim sparse-mode
>>>  crypto map VPN
>>>
>>> interface Loopback0
>>>  ip address 10.5.5.5 255.255.255.0
>>>
>>> R5#show crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GETVPN (Multicast)
>>>     Group Identity           : 1
>>>     Group Members            : 2
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : Local
>>>     Group Rekey Lifetime     : 86400 secs
>>>     Group Rekey
>>>         Remaining Lifetime   : 85870 secs
>>>     Rekey Retransmit Period  : 10 secs
>>>     Rekey Retransmit Attempts: 2
>>>     Group Retransmit
>>>         Remaining Lifetime   : 0 secs
>>>
>>>       IPSec SA Number        : 1
>>>       IPSec SA Rekey Lifetime: 3600 secs
>>>       Profile Name           : GETVPN
>>>       Replay method          : Count Based
>>>       Replay Window Size     : 64
>>>       SA Rekey
>>>         Remaining Lifetime   : 3071 secs
>>>       ACL Configured         : access-list GETVPN
>>>
>>>      Group Server list       : Local
>>>
>>> **********
>>>
>>> ROUTER R4 - GM - with multicast-related configuration turned on
>>>
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key cisco address 10.5.5.5
>>>
>>> crypto gdoi group GETVPN
>>>  identity number 1
>>>  server address ipv4 10.5.5.5
>>>
>>> ip multicast-routing         <- Is this required at all on the GM?
>>> ip pim rp-address 10.5.5.5   <- Is this required at all on the GM?
>>>
>>> crypto map VPN local-address Loopback0
>>> crypto map VPN 10 gdoi
>>>  set group GETVPN
>>>
>>> interface FastEthernet0/1.24
>>>  encapsulation dot1Q 24
>>>  ip address 192.1.24.4 255.255.255.0
>>>  ip pim sparse-mode
>>>  crypto map VPN
>>>
>>> R4#show crypto isa sa
>>>
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id slot status
>>> 239.1.1.1       0.0.0.0         GDOI_REKEY        1006    0 ACTIVE
>>> 10.5.5.5        10.4.4.4        GDOI_IDLE         1005    0 ACTIVE
>>>
>>> R4#show crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GETVPN
>>>     Group Identity           : 1
>>>     Rekeys received          : 0
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : 10.5.5.5
>>>     Group Server list        : 10.5.5.5
>>>
>>>     GM Reregisters in        : 3500 secs
>>>     Rekey Received(hh:mm:ss) : 00:44:08
>>>
>>>     Rekeys received
>>>         Cumulative           : 0
>>>         After registration   : 0
>>>
>>> ACL Downloaded From KS 10.5.5.5:
>>>     access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>>>     access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>>>
>>> KEK POLICY:
>>>     Rekey Transport Type     : Multicast
>>>     Lifetime (secs)          : 86400
>>>     Encrypt Algorithm        : 3DES
>>>     Key Size                 : 192
>>>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>>>     Sig Key Length (bits)    : 1024
>>>
>>> TEK POLICY:
>>>   FastEthernet0/1.24:
>>>     IPsec SA:
>>>         sa direction:inbound
>>>         spi: 0x8874B13C(2289348924)
>>>         transform: esp-3des esp-md5-hmac
>>>         sa timing:remaining key lifetime (sec): (3560)
>>>         Anti-Replay : Disabled
>>>
>>> **********
>>>
>>> ROUTER R7 - GM - WITHOUT multicast-related configuration turned on
>>>
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key cisco address 10.5.5.5
>>>
>>> crypto gdoi group GETVPN
>>>  identity number 1
>>>  server address ipv4 10.5.5.5
>>>
>>> crypto map VPN local-address Loopback0
>>> crypto map VPN 10 gdoi
>>>  set group GETVPN
>>>
>>> interface Loopback0
>>>  ip address 10.7.7.7 255.255.255.0
>>>
>>> interface FastEthernet0/1.24
>>>  encapsulation dot1Q 24
>>>  ip address 192.1.24.7 255.255.255.0
>>>  crypto map VPN
>>>
>>> interface FastEthernet0/1.7
>>>  encapsulation dot1Q 7
>>>  ip address 192.1.7.7 255.255.255.0
>>>
>>> R7#show crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GETVPN
>>>     Group Identity           : 1
>>>     Rekeys received          : 0
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : 10.5.5.5
>>>     Group Server list        : 10.5.5.5
>>>
>>>     GM Reregisters in        : 3205 secs
>>>     Rekey Received(hh:mm:ss) : 00:47:46
>>>
>>>     Rekeys received
>>>         Cumulative           : 0
>>>         After registration   : 0
>>>
>>> ACL Downloaded From KS 10.5.5.5:
>>>     access-list permit ip 192.1.7.0 0.0.0.255 192.1.49.0 0.0.0.255
>>>     access-list permit ip 192.1.49.0 0.0.0.255 192.1.7.0 0.0.0.255
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
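As an added example (not code from anyone in the thread): a small health check over the two outputs the thread reasons about, a GM's "show crypto gdoi" and the ASA's %ASA-7-710006 IGMP-discard syslog lines. It applies Tyson's diagnostic (Multicast transport with a cumulative rekey count of 0 means the GM registered over unicast but never received a rekey) and tags discards aimed at 224.0.0.1 as the all-systems IGMP queries Kings describes. The sample text is constructed from the values quoted above.

```python
# Added example, not from the thread. Sample text below is constructed from
# the GM and ASA output quoted in the thread; field labels follow that output.
import re

GM_OUTPUT = """\
Group Name               : GETVPN
GM Reregisters in        : 3500 secs
Rekey Received(hh:mm:ss) : 00:44:08
Rekeys received
    Cumulative            : 0
    After registration    : 0
    Rekey Transport Type  : Multicast
"""

ASA_LOG = """\
Nov 24 2010 20:22:51: %ASA-7-710006: IGMP request discarded from 192.1.24.4 to outside:224.0.0.1
Nov 24 2010 20:23:26: %ASA-7-710006: IGMP request discarded from 10.2.2.5 to inside:224.0.0.1
"""

def parse_gm(text):
    """Pull the rekey-relevant fields out of a GM's 'show crypto gdoi'."""
    def grab(label, conv=str):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(\S+)", text, re.M)
        return conv(m.group(1)) if m else None
    h, mi, s = (int(x) for x in grab("Rekey Received(hh:mm:ss)").split(":"))
    return {"group": grab("Group Name"),
            "transport": grab("Rekey Transport Type"),
            "reregister_secs": grab("GM Reregisters in", int),
            "rekeys_total": grab("Cumulative", int),
            "rekeys_since_reg": grab("After registration", int),
            "secs_since_rekey": h * 3600 + mi * 60 + s}

def rekey_verdict(gm):
    """Registration is always unicast, so a GM with Multicast transport and a
    cumulative rekey count of 0 has registered but never received a rekey."""
    if gm["transport"] == "Multicast" and gm["rekeys_total"] == 0:
        return "registered, but no multicast rekey ever received"
    return "multicast rekey working"

ASA_IGMP = re.compile(r"^(?P<ts>\w{3} \d+ \d{4} [\d:]{8}): %ASA-7-710006: "
                      r"IGMP request discarded from (?P<src>[\d.]+) "
                      r"to (?P<ifc>\w+):(?P<dst>[\d.]+)$")

def parse_asa_igmp_discards(text):
    """One (src, interface, dst, is_all_systems) tuple per discard line;
    224.0.0.1 is the all-systems group that IGMP general queries go to."""
    return [(m["src"], m["ifc"], m["dst"], m["dst"] == "224.0.0.1")
            for m in map(ASA_IGMP.match, text.splitlines()) if m]
```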
