Please find below the related config.
Apologies for raising it again; however, I've tried everything suggested in
previous posts.
Thanks, regards
R5
|
(e0/0)
|
|
(l1 1.1.1.1)R1(fa0/0 10.10.10.1)--------(e0/0 .2)R2(e0/1 .2)-------(e1)Pix(e0)----R4(e0/1)---(F0/0)R3(l1 2.2.2.2)
*R1*
R1#sh run | sec crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto ipsec profile IPSEC_PRO
 set transform-set TSET
crypto gdoi group GET_GRP
 identity number 1234
 server local
  rekey address ipv4 MULTI_GRP
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETKEY
  sa ipsec 1
   profile IPSEC_PRO
   match address ipv4 GET_TRAFFIC
   replay counter window-size 64
ip multicast-routing
ip pim rp-address 1.1.1.1
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
R1#sh crypto gdoi ks members
Group Member Information :

Number of rekeys sent for group GET_GRP : 8

 Group Member ID    : 2.2.2.2
  Group ID          : 1234
  Group Name        : GET_GRP
  Key Server ID     : 0.0.0.0

 Group Member ID    : 5.5.5.5
  Group ID          : 1234
  Group Name        : GET_GRP
  Key Server ID     : 0.0.0.0
R1#sh crypto gdoi ks rekey
Group GET_GRP (Multicast)
  Number of Rekeys sent               : 8
  Number of Rekeys retransmitted      : 4
  KEK rekey lifetime (sec)            : 86400
    Remaining lifetime (sec)          : 86325
  Retransmit period                   : 10
  Number of retransmissions           : 2
  IPSec SA 1 lifetime (sec)           : 3600
    Remaining lifetime (sec)          : 3526
  Number of registrations after rekey : 0
  Multicast destination address       : 239.0.0.5
R1#sh run | sec ip access
ip access-list extended GET_TRAFFIC
 permit ip host 2.2.2.2 host 3.3.3.3
 permit ip host 2.2.2.2 host 5.5.5.5
 permit ip host 2.2.2.2 host 6.6.6.6
ip access-list extended MULTI_GRP
 permit udp host 1.1.1.1 eq 848 host 239.0.0.5 eq 848
R1#
*pix*
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 igmp access-group MULTI
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
 igmp access-group MULTI
!
access-list MULTI standard permit host 239.0.0.5
access-list OUTSIDE_IN extended permit ip any any log debugging
access-list OUTSIDE_IN extended permit pim any any
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface inside
pix1# sh run multicast-routing
multicast-routing
pix1# sh run pim
pim rp-address 1.1.1.1
pix1# sh pim neighbor
Neighbor Address  Interface  Uptime    Expires   DR pri  Bidir
30.30.30.2        outside    00:36:04  00:01:28  1 (DR)
20.20.20.2        inside     00:36:04  00:01:28  1 (DR)
*R3*
R3#sh run | sec crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto gdoi group GET_GRP
 identity number 1234
 server address ipv4 1.1.1.1
crypto map GET_MAP local-address Loopback1
crypto map GET_MAP 10 gdoi
 set group GET_GRP
 crypto map GET_MAP
!
ip multicast-routing
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.0.0.5
!
interface FastEthernet0/0
 ip address 40.40.40.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 crypto map GET_MAP
ip pim rp-address 1.1.1.1
R3#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GET_GRP
    Group Identity           : 1234
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1
    GM Reregisters in        : 1486 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 1.1.1.1:
   access-list permit ip host 2.2.2.2 host 3.3.3.3

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 86126
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x8213D0D6(2182336726)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1637)
        Anti-Replay(Time Based) : 64 sec interval
*R5*
R5#sh run | sec crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto gdoi group GET_GRP
 identity number 1234
 server address ipv4 1.1.1.1
crypto map GET_MAP local-address Loopback1
crypto map GET_MAP 10 gdoi
 set group GET_GRP
 crypto map GET_MAP
interface Loopback1
 ip address 5.5.5.5 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip address 50.50.50.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 crypto map GET_MAP
ip pim rp-address 1.1.1.1
ip multicast-routing
R5#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GET_GRP
    Group Identity           : 1234
    Rekeys received          : 2
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1
    GM Reregisters in        : 1775 secs
    Rekey Received(hh:mm:ss) : 00:27:41

    Rekeys received
         Cumulative          : 2
         After registration  : 2

 ACL Downloaded From KS 1.1.1.1:
   access-list permit ip host 2.2.2.2 host 3.3.3.3
   access-list permit ip host 2.2.2.2 host 5.5.5.5
   access-list permit ip host 2.2.2.2 host 6.6.6.6

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024
On Sat, Jan 1, 2011 at 2:10 PM, Kingsley Charles <[email protected]
> wrote:
> Can you post the configs of the KS, the ASA and the GM on the outside?
>
>
>
> With regards
> Kings
>
> On Sat, Jan 1, 2011 at 2:52 AM, manish ludhani <[email protected]
> > wrote:
>
>> Hi all,
>>
>> I am stuck at GETVPN multicast rekey through ASA, which seems to be a common catch. I
>> have looked at all the previous posts but am still not
>> able to make it work.
>>
>> I am using the ASA in routed mode and the KS is inside the firewall. I receive the
>> rekeys on the GMs which are inside the firewall but not on the outside GMs.
>> I have enabled the routing on the ASA inside and outside interfaces and defined the RP.
>> I tried to enable mpacket debug and noticed I was not receiving any
>> multicast traffic.
>> Packet tracer from the inside source KS to the multicast address fails (Early
>> security checks failed).
>>
>> I will be grateful if anyone can please give me any clue.
>>
>>
>> Regards
>> Manish
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
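An added check, not code from the thread: a small Python script that parses the `show crypto gdoi ks rekey` output and the access-lists from the KS (R1) together with the `show crypto gdoi` output from each GM, and flags any GM that has received no multicast rekey while the KS has already sent some, or whose downloaded policy ACL no longer matches what the KS currently serves. It also confirms that the KS rekey ACL permits GDOI (UDP 848) to the multicast group the KS reports. The sample outputs are constructed from trimmed copies of the outputs posted above; the function and variable names are the example's own. On these samples it reports R3 (0 rekeys received, one-entry ACL) and nothing for R5 (2 rekeys received, three-entry ACL), which is the inside-versus-outside split the poster describes. It does not grade the crypto settings themselves; the wildcard pre-shared key `cisco` and the 3DES/MD5 policy in the posted configs are lab settings, not something to carry into production.

```python
"""GETVPN rekey health check (added example; samples constructed from the thread)."""

import re

# Constructed samples, trimmed from the outputs posted above (R1 = KS, R3/R5 = GMs).
KS_REKEY = """\
Group GET_GRP (Multicast)
Number of Rekeys sent : 8
Number of Rekeys retransmitted : 4
Multicast destination address : 239.0.0.5
"""

KS_ACLS = """\
ip access-list extended GET_TRAFFIC
 permit ip host 2.2.2.2 host 3.3.3.3
 permit ip host 2.2.2.2 host 5.5.5.5
 permit ip host 2.2.2.2 host 6.6.6.6
ip access-list extended MULTI_GRP
 permit udp host 1.1.1.1 eq 848 host 239.0.0.5 eq 848
"""

GM_OUTPUTS = {
    "R3": """\
Group Name : GET_GRP
Rekeys received : 0
Active Group Server : 1.1.1.1
ACL Downloaded From KS 1.1.1.1:
 access-list permit ip host 2.2.2.2 host 3.3.3.3
""",
    "R5": """\
Group Name : GET_GRP
Rekeys received : 2
Active Group Server : 1.1.1.1
ACL Downloaded From KS 1.1.1.1:
 access-list permit ip host 2.2.2.2 host 3.3.3.3
 access-list permit ip host 2.2.2.2 host 5.5.5.5
 access-list permit ip host 2.2.2.2 host 6.6.6.6
""",
}


def _field(text, label):
    """Value after 'label :' on its own line, or None if the label is absent."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def parse_ks_rekey(text):
    """Counters from `show crypto gdoi ks rekey` on the key server."""
    return {
        "rekeys_sent": int(_field(text, "Number of Rekeys sent")),
        "mcast_group": _field(text, "Multicast destination address"),
    }


def parse_ks_acls(text):
    """Map each named IOS access-list to its ordered list of ACEs."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.strip():
            acls[current].append(line.strip())
    return acls


def parse_gm(text):
    """State from `show crypto gdoi` on a group member."""
    return {
        "group": _field(text, "Group Name"),
        "ks": _field(text, "Active Group Server"),
        "rekeys_received": int(_field(text, "Rekeys received")),
        "acl": re.findall(r"^\s*access-list\s+(permit .+?)\s*$", text, re.M),
    }


def check_rekey_health(ks_rekey, ks_acls, gm_outputs,
                       policy_acl="GET_TRAFFIC", rekey_acl="MULTI_GRP"):
    """Return (device, finding) pairs; an empty list means every GM is current."""
    ks, acls, findings = parse_ks_rekey(ks_rekey), parse_ks_acls(ks_acls), []

    # The rekey ACL on the KS must permit GDOI (UDP 848) to the group it reports.
    want = f"host {ks['mcast_group']} eq 848"
    if not any(a.startswith("permit udp") and want in a for a in acls.get(rekey_acl, [])):
        findings.append(("KS", f"{rekey_acl} does not permit UDP 848 to {ks['mcast_group']}"))

    served = acls.get(policy_acl, [])
    for name, text in gm_outputs.items():
        gm = parse_gm(text)
        if ks["rekeys_sent"] > 0 and gm["rekeys_received"] == 0:
            findings.append((name, f"0 rekeys received while KS sent {ks['rekeys_sent']}: "
                                   f"multicast {ks['mcast_group']} is not reaching this GM"))
        if gm["acl"] != served:
            findings.append((name, f"stale policy: holds {len(gm['acl'])} ACE(s), "
                                   f"KS {policy_acl} has {len(served)}"))
    return findings


if __name__ == "__main__":
    for device, finding in check_rekey_health(KS_REKEY, KS_ACLS, GM_OUTPUTS):
        print(f"{device}: {finding}")
```

Feed it the raw `show` output captured from each box; a GM that registered before the KS policy was extended and has missed every multicast rekey since shows up exactly as R3 does here, with a shorter ACL and a zero rekey counter.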