Hey all,

Thanks for the feedback on previous show crypto outputs. I have been
configuring GETVPN and studying the show crypto outputs and as usual it's
thrown up a couple of things that I need to ask.

The basic layout of my GETVPN network is:

R1 (KS)
-----------------inside--ASA--outside-----------------------------R3---------------------------R2

R2 and R3 are the GETVPN Group Members.

Config on the KS is as follows:

ip access-list ext GETVPN-TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

crypto key generate rsa general-key modulus 1024 label GETVPN export

crypto isakmp policy 23
 auth pre
 encr 3des
 hash md5

crypto isakmp key CISCO address 0.0.0.0

crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac

crypto ipsec profile GETVPN-IPSECPROF
 set transform-set 3DESMD5

crypto gdoi group GETVPN123
 identity number 123
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 123
   profile GETVPN-IPSECPROF
   match address ipv4 GETVPN-TRAFFIC
   replay counter window-size 64
  address ipv4 1.1.1.1

crypto map GDOI local-address Loopback0
crypto map GDOI 10 gdoi
 set group GETVPN123

interface FastEthernet0/0.10
 ip address 10.100.10.1 255.255.255.0
 crypto map GDOI

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

Show crypto output from Router R2

CCIELAB-ROUTER-R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src                state                       conn-id slot status
1.1.1.1         2.2.2.2         GDOI_IDLE            1011      0     ACTIVE
2.2.2.2         1.1.1.1         GDOI_REKEY        1014      0     ACTIVE
2.2.2.2         1.1.1.1         GDOI_REKEY        1013      0     ACTIVE


CCIELAB-ROUTER-R2#show crypto gdoi
GROUP INFORMATION

    Group Name               : GETVPN123
    Group Identity             : 123
    Rekeys received         : 8
    IPSec SA Direction     : Both
    Active Group Server    : 1.1.1.1
    Group Server list        : 1.1.1.1

    GM Reregisters in        : 3385 secs
    Rekey Received(hh:mm:ss) : 00:02:29


    Rekeys received
         Cumulative          : 8
         After registration  : 2
         Rekey Acks sent : 8

 ACL Downloaded From KS 1.1.1.1:
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type      : Unicast
    Lifetime (secs)                 : 300
    Encrypt Algorithm            : 3DES
    Key Size                         : 192
    *Sig Hash Algorithm       : HMAC_AUTH_SHA*
    Sig Key Length (bits)       : 1024

TEK POLICY:
  FastEthernet0/0.23:
    IPsec SA:
        sa direction:inbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1441)
        Anti-Replay :  Disabled

    IPsec SA:
        sa direction:outbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1441)
        Anti-Replay :  Disabled


In the above "show crypto gdoi" output from the group member, why is it that
under the KEK POLICY, the Sig Hash Algorithm is showing "HMAC_AUTH_SHA"? I
don't have SHA configured anywhere. In my ISAKMP and IPsec policies I
configured MD5. Has the SHA got anything to do with the crypto key I
generated with the label "GETVPN", or has it got something to do with the
"crypto gdoi group" configuration? Or both?

I also see a reference to SHA when I run "show crypto engine connection
active" on both the GM and KS. I don't have any other ISAKMP policies
configured on either router, so I'm confused about where the SHA is coming
from.

CCIELAB-ROUTER-R2#show crypto engin conn active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1011  IKE     MD5+3DES                  0        0 2.2.2.2
 1015  IKE     SHA+3DES                  0        0
 1016  IKE     SHA+3DES                  0        0
 2027  IPsec   3DES+MD5                  0        5 192.168.0.0
 2028  IPsec   3DES+MD5                  5        0 192.168.0.0
 2029  IPsec   3DES+MD5                  0        0 0.0.0.0
 2030  IPsec   3DES+MD5                  0        0 0.0.0.0
 2031  IPsec   3DES+MD5                  0        0 192.168.0.0
 2032  IPsec   3DES+MD5                  0        0 192.168.0.0
 2033  IPsec   3DES+MD5                  0        0 192.168.0.0
 2034  IPsec   3DES+MD5                  0        0 192.168.0.0
 2035  IPsec   3DES+MD5                  0        0 0.0.0.0
 2036  IPsec   3DES+MD5                  0        0 0.0.0.0
 2037  IPsec   3DES+MD5                  0        0 192.168.0.0
 2038  IPsec   3DES+MD5                  0        0 192.168.0.0
 2055  IPsec   3DES+MD5                  0        0 192.168.0.0
 2056  IPsec   3DES+MD5                  0        0 192.168.0.0


CCIELAB-ROUTER-R1#show crypto engin conn active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1010  IKE     MD5+3DES                  0        0 1.1.1.1
 1011  IKE     MD5+3DES                  0        0 1.1.1.1
 1015  IKE     SHA+3DES                  0        0


And "show crypto ipsec sa" from the GM router R2
local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.23
     current outbound spi: 0xC14AA712(3242895122)

     inbound esp sas:
      spi: 0xC14AA712(3242895122)
        transform: *esp-3des esp-md5-hmac* ,
        in use settings ={Tunnel, }
        *conn id: 2027*, flow_id: NETGX:27, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (176)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x5100880C(1358989324)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2033, flow_id: NETGX:33, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (1811)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x895F95E(144046430)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2055, flow_id: NETGX:55, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (2184)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0xC14AA712(3242895122)
        transform: *esp-3des esp-md5-hmac* ,
        in use settings ={Tunnel, }
        *conn id: 2028*, flow_id: NETGX:28, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (176)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x5100880C(1358989324)
        transform:* esp-3des esp-md5-hmac *,
        in use settings ={Tunnel, }
        *conn id: 2034*, flow_id: NETGX:34, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (1811)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x895F95E(144046430)
        transform: *esp-3des esp-md5-hmac *,
        in use settings ={Tunnel, }
        *conn id: 2056*, flow_id: NETGX:56, crypto map: GDOI
        sa timing: remaining key lifetime (sec): (2184)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE


Appreciate any ideas on this.

Thanks

Mark
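Added example (not part of Mark's post or of any Cisco tooling): the KEK policy's "Sig Hash Algorithm" is the hash used with the RSA key that signs rekey messages, which the key server sets on its own (on IOS key servers with "rekey sig-hash algorithm" under "server local"), separately from the ISAKMP policy hash, so the GM output is worth auditing against the KS config rather than against the ISAKMP policy alone. The script below parses the KEK and TEK sections of "show crypto gdoi" as quoted above and reports where the downloaded policy diverges from what the KS config in the post appears to set. The sample text and the KS_CONFIG dict are constructed by hand from the post; the field names are assumptions from this one IOS release's output and may need adjusting for other versions.

```python
import re
# Constructed sample: KEK/TEK part of the GM "show crypto gdoi" output in the post,
# retyped without the emphasis asterisks (sample input, not live router output).
SHOW_GDOI = """\
KEK POLICY:
    Lifetime (secs)           : 300
    Encrypt Algorithm         : 3DES
    Sig Hash Algorithm        : HMAC_AUTH_SHA
    Sig Key Length (bits)     : 1024
TEK POLICY:
  FastEthernet0/0.23:
    IPsec SA:
        sa direction:inbound
        transform: esp-3des esp-md5-hmac
        Anti-Replay :  Disabled
"""
# What the KS config in the post sets (hand-built dict, an assumption of this example).
KS_CONFIG = {"isakmp_hash": "md5", "transform": "esp-3des esp-md5-hmac", "replay_window": 64}

def parse_kek_policy(text):
    """Return the KEK POLICY fields as a dict, e.g. {'Sig Hash Algorithm': 'HMAC_AUTH_SHA'}."""
    block = text.split("KEK POLICY:", 1)[1].split("TEK POLICY:", 1)[0]
    fields = {}
    for line in block.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields

def parse_tek_sas(text):
    """Return one dict (direction, transform, anti_replay) per IPsec SA under TEK POLICY."""
    chunks = text.split("TEK POLICY:", 1)[1].split("IPsec SA:")[1:]
    return [{"direction": re.search(r"sa direction:\s*(\w+)", c).group(1),
             "transform": re.search(r"transform:\s*(.+)", c).group(1).strip(),
             "anti_replay": re.search(r"Anti-Replay\s*:\s*(\w+)", c).group(1)} for c in chunks]

def audit(text, ks=KS_CONFIG):
    """Cross-check the policy the GM downloaded against the KS config; return finding strings."""
    findings = []
    sig_hash = parse_kek_policy(text).get("Sig Hash Algorithm", "")
    if ks["isakmp_hash"] not in sig_hash.lower():   # rekey signature hash is its own KS setting
        findings.append(f"KEK rekey signature hash {sig_hash} is not the ISAKMP hash {ks['isakmp_hash']}")
    for sa in parse_tek_sas(text):
        if sa["transform"] != ks["transform"]:
            findings.append(f"{sa['direction']} TEK transform {sa['transform']} differs from KS profile")
        if sa["anti_replay"].lower() == "disabled" and ks["replay_window"]:
            findings.append(f"{sa['direction']} TEK anti-replay disabled despite window-size {ks['replay_window']}")
    return findings
```

Run against the quoted output it reports two items: the rekey signature hash that is not MD5, and the TEK showing Anti-Replay Disabled although the KS SA policy configures "replay counter window-size 64".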