- If both address ipv4 and rekey address are configured, the address ipv4 takes precedence for the source address of the rekey.
- If only rekey address is configured, the source address in the rekey ACL is used.
- If neither address ipv4 nor rekey is configured, the source address is 0.0.0.0.
- There is a source address in the rekey packet itself. Don't confuse it with the source address of the packet.
- The address ipv4 and the rekey ACL source address decide the source of the rekey packet.
- The IP packet uses the source address of the outgoing physical interface IP address.

With unicast rekey, the GM accepts the rekey even if there is a mismatch between the rekey source address and the IP packet source address. With multicast rekey, the GM accepts rekeys only if the rekey source address and the IP packet source address match.

As per my investigation, you need to configure the address ipv4 or the source address in the rekey with the outgoing physical IP address to make the GM accept rekeys.

On Thu, Mar 22, 2012 at 9:01 AM, Mike Rojas <[email protected]> wrote:

> Hi,
>
> The GetVPN is able to connect without the IP address of the server
> specified.... That was the trick, now the tricky part is that for
> redundancy (if they asked you) you need to configure the IP address of the
> server in order for the cluster to be up and then you remove it.
>
> The output should appear with 0.0.0.0 0.0.0.0....
>
> Mike
>
> ------------------------------
> Date: Thu, 22 Mar 2012 01:36:39 +0300
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] GDOI Multicast Key Server ID
>
> Hello,
>
> I am configuring GET VPN using multicast.
>
> If in the exam they ask me to match the output and the key server ID in
> the show crypto gdoi ks members is 0.0.0.0,
>
> how should my configuration look?
>
> Now when I do show crypto gdoi ks members the output is showing key Server
> ID : 22.22.22.22 (what shall I do to make it appear 0.0.0.0)
>
> crypto gdoi group GET
>  identity number 1
>  server local
>   rekey address ipv4 105 ( for multicast )
>   rekey retransmit 10 num 2
>   rekey authentication mypubkey rsa CISCO
>   address ipv4 22.22.22.22 ( My KS IP address )
>   sa ipsec 1
>    profile ipsec.prof
>    match address ipv4 106 ( for interesting traffic )
>    replay counter window size 64
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
