Argh...
Multicast routing has been my weakest point. Never understood the subtleties in 
various PIM modes ;)
Enabled it on both devices, still no luck.

From GM:

R2#sh cry gdoi group GETVPN-GR
    Group Name               : GETVPN-GR
    Group Identity           : 126
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1
                               5.5.5.5
                               
    GM Reregisters in        : 3298 secs
    Rekey Received           : never


    Rekeys received          
         Cumulative          : 0
         After registration  : 0



-----Original Message-----
From: Warrick Mitchell [mailto:[email protected]] 
Sent: Monday, August 06, 2012 7:38 PM
To: Eugene Pefti
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel

Hi Eugene,

You need to enable multicast on both devices "ip multicast-routing"
and then on the tunnel you will need "ip pim sparse-mode"

Cheers,
Warrick

On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti <[email protected]> wrote:
> Guys,
>
> I'm trying to recreate the scenario I ran into in Lab 17 my own way and
> stumbled upon multicast rekeying.
>
> This is the rudimentary diagram:
>
>   R1 (192.168.3.1 - KS) ----------- ASA context --------- R2 (192.168.5.2 - GM)
>   (loopback 1.1.1.1)                                      (loopback 2.2.2.2)
>
> R1 sends key via multicasts:
>
> ip access-list extended REKEY-ACL
>  permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
>
> I created a GRE tunnel between R1 and R2 to overcome the multicontext ASA
> limitation.
>
> R1:
>
> interface Tunnel126
>  ip address 10.10.10.1 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 192.168.5.2
>
> R2:
>
> interface Tunnel126
>  ip address 10.10.10.2 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 192.168.3.1
>
> Tunnel is up but how can I tell R1 to use this tunnel to send
> multicast rekeys?
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, 
> please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out 
> www.PlatinumPlacement.com
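
Added example, not part of the thread: a small Python check that parses the `show crypto gdoi group` output pasted from the GM at the top and flags a group member that is registered with a key server but has received no rekey. The function names and the "label / key" naming for the indented counters are assumptions of this example.

```python
# Output as pasted from the GM (R2) in the thread; blank lines trimmed.
SAMPLE = """R2#sh cry gdoi group GETVPN-GR
    Group Name               : GETVPN-GR
    Group Identity           : 126
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1
                               5.5.5.5
    GM Reregisters in        : 3298 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0
"""

def parse_gdoi_group(text):
    """'key : value' lines; a bare IP continues the previous value; a bare label opens a subsection."""
    fields, last_key, section, sec_indent = {}, None, None, 0
    for line in text.splitlines():
        body = line.strip()
        indent = len(line) - len(line.lstrip())
        if not body or "#" in body.split(":")[0]:
            continue  # blank line or CLI prompt line
        if ":" in body:
            key, value = (p.strip() for p in body.split(":", 1))
            if section and indent > sec_indent:
                key = f"{section} / {key}"  # counter nested under a bare label
            else:
                section = None
            fields[key], last_key = value, key
        elif last_key and body.replace(".", "").isdigit():
            fields[last_key] += " " + body  # e.g. second server in the list
        else:
            section, sec_indent = body, indent
    return fields

def rekey_findings(fields):
    """Report a GM that is registered with a KS but has never received a rekey."""
    # Zero is also expected right after registration, before the KS sends its first rekey.
    ks = fields.get("Active Group Server")
    count = int(fields.get("Rekeys received / Cumulative", "0"))
    never = fields.get("Rekey Received", "").lower() == "never"
    if ks and (count == 0 or never):
        return [f"registered to KS {ks}, rekeys received: {count}, last rekey: "
                f"{fields.get('Rekey Received', '?')}"]
    return []
```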