Hi Eugene,

Can you post your "crypto gdoi group" config from R1? Is it set to rekey via unicast or multicast?

Cheers,
Warrick

On Tue, Aug 7, 2012 at 11:21 AM, Eugene Pefti <[email protected]> wrote:
> Argh...
> Multicast routing has been my weakest point. Never understood the subtleties
> in various pim modes ;)
> Enabled it on both devices, still no luck.
>
> From GM:
>
> R2#sh cry gdoi group GETVPN-GR
> Group Name : GETVPN-GR
> Group Identity : 126
> Rekeys received : 0
> IPSec SA Direction : Both
> Active Group Server : 1.1.1.1
> Group Server list : 1.1.1.1
> 5.5.5.5
>
> GM Reregisters in : 3298 secs
> Rekey Received : never
>
> Rekeys received
> Cumulative : 0
> After registration : 0
>
> -----Original Message-----
> From: Warrick Mitchell [mailto:[email protected]]
> Sent: Monday, August 06, 2012 7:38 PM
> To: Eugene Pefti
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>
> Hi Eugene,
>
> You need to enable multicast on both devices "ip multicast-routing"
> and then on the tunnel you will need "ip pim sparse-mode"
>
> Cheers,
> Warrick
>
> On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti <[email protected]> wrote:
>> Guys,
>>
>> I'm trying to recreate the scenario I ran into Lab 17 my own way and
>> stumbled upon multicast rekeying.
>>
>> This is the rudimentary diagram:
>>
>> R1 (192.168.3.1 - KS) -----------ASA context ---------R2 (192.168.5.2 - GM)
>> (loopback 1.1.1.1)                                    (loopback 2.2.2.2)
>>
>> R1 sends key via multicasts:
>>
>> ip access-list extended REKEY-ACL
>>  permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
>>
>> I created GRE tunnel between R1 and R2 to overcome multicontext ASA
>> limitation.
>>
>> R1:
>> interface Tunnel126
>>  ip address 10.10.10.1 255.255.255.0
>>  tunnel source FastEthernet0/0
>>  tunnel destination 192.168.5.2
>>
>> R2:
>> interface Tunnel126
>>  ip address 10.10.10.2 255.255.255.0
>>  tunnel source FastEthernet0/0
>>  tunnel destination 192.168.3.1
>>
>> Tunnel is up but how can I tell R1 to use this tunnel to send
>> multicast rekeys ?
>>
>> Eugene
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training,
>> please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
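For readers following the thread, here is a worked IOS configuration that puts Warrick's advice (ip multicast-routing on both routers, ip pim sparse-mode on the tunnel) together with the pieces the thread does not show but that a multicast rekey over a GRE tunnel depends on: a PIM RP so that sparse-mode joins have somewhere to go, an IGMP join on the GM for the rekey group, and an RPF path for the KS source address that points at the tunnel rather than at the ASA. This is an added example, not configuration posted by Eugene or Warrick; the RP placement on R1's loopback, the ip mroute on R2, and the key label, IPsec profile and traffic ACL names (GETVPN-KEYS, GETVPN-PROF, GETVPN-TRAFFIC) are assumptions, and the addresses, group name and identity number are those from the thread.

```ios
! ===== R1 - Key Server (assumed example config, not from the thread) =====
ip multicast-routing
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel126
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.5.2
!
! Static RP on the KS loopback (assumption). Sparse mode needs an RP;
! without one the GM's join for 239.1.1.254 is never sent and the
! GM keeps showing "Rekey Received : never".
ip pim rp-address 1.1.1.1
!
ip access-list extended REKEY-ACL
 permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
!
crypto gdoi group GETVPN-GR
 identity number 126
 server local
  ! Multicast rekey: source/destination taken from REKEY-ACL.
  ! Swap this for "rekey transport unicast" to answer Warrick's
  ! question the other way and avoid multicast entirely.
  rekey address ipv4 REKEY-ACL
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEYS
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-TRAFFIC
  address ipv4 1.1.1.1
!
! ===== R2 - Group Member (assumed example config, not from the thread) =====
ip multicast-routing
!
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 ! The GM does not join the rekey group on its own; pull the
 ! rekey traffic down the tunnel with an explicit IGMP join.
 ip igmp join-group 239.1.1.254
 tunnel source FastEthernet0/0
 tunnel destination 192.168.3.1
!
ip pim rp-address 1.1.1.1
!
! RPF: rekeys are sourced from 1.1.1.1. If R2's unicast route to
! 1.1.1.1 points through the ASA, the multicast packets arriving on
! Tunnel126 fail the RPF check and are dropped. A static mroute fixes
! RPF only and leaves the unicast registration path unchanged.
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
!
! ===== Verification (run on the named router) =====
! R1#show ip pim neighbor             -> R2's tunnel address listed
! R2#show ip mroute 239.1.1.254       -> (*, G) with Tunnel126 in the OIL
! R1#show crypto gdoi ks rekey        -> rekeys sent, multicast transport
! R2#show crypto gdoi gm rekey        -> rekeys received > 0 after the
!                                        next KS rekey interval
```

Two things to check when the GM counter stays at zero: confirm with show ip pim neighbor that the tunnel actually forms a PIM adjacency (the tunnel being "up" only proves GRE, not PIM), and confirm with show ip rpf 1.1.1.1 on R2 that the RPF interface for the KS address is Tunnel126.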
