Now I'm totally confused, sorry for confusing you guys ;)
Do I have to add an mroute on the GM or not?
On KS R1, the GDOI-relevant sections:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip pim sparse-mode
interface Tunnel126
ip address 10.10.10.1 255.255.255.0
ip pim sparse-mode
tunnel source FastEthernet0/0
tunnel destination 192.168.5.2
ip multicast-routing
ip pim rp-address 1.1.1.1
crypto gdoi group GDOI-GROUP
identity number 126
server local
rekey address ipv4 REKEY-ACL
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEYS
sa ipsec 1
profile IPSEC-PROF
match address ipv4 GETVPN-ENCR-TRAFF
replay counter window-size 64
address ipv4 1.1.1.1
redundancy
local priority 255
peer address ipv4 5.5.5.5
ip access-list extended GETVPN-ENCR-TRAFF
permit ip host 2.2.2.2 host 6.6.6.6
permit ip host 6.6.6.6 host 2.2.2.2
ip access-list extended REKEY-ACL
permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
GM R2:
crypto gdoi group GETVPN-GR
identity number 126
server address ipv4 1.1.1.1
server address ipv4 5.5.5.5
interface Loopback0
ip address 2.2.2.2 255.255.255.0
ip pim sparse-mode
interface Tunnel126
ip address 10.10.10.2 255.255.255.0
ip pim sparse-mode
tunnel source FastEthernet0/0
tunnel destination 192.168.3.1
ip multicast-routing
ip pim rp-address 1.1.1.1
What I don't understand is what this 224.0.1.40 multicast address is that I see
on both the KS and the GM:
R1#sh ip pim rp
Group: 239.0.0.1, RP: 1.1.1.1, next RP-reachable in 00:01:27
Group: 224.0.1.40, RP: 1.1.1.1, next RP-reachable in 00:00:29
R2#sh ip pim rp
Group: 224.0.1.40, RP: 1.1.1.1, uptime 00:26:29, expires never
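As an added example (not Eugene's config or the list's answer), the static mroute Mike describes, applied to GM R2 with the addresses from this thread; it assumes R2's unicast route to 1.1.1.1 otherwise points out FastEthernet0/0 through the ASA context, and that R2 joins the rekey group 239.0.0.1 towards the RP through the tunnel after registering.

```ios
! GM R2 (added example, not taken from the thread)
! Multicast RPF: a rekey sourced from 1.1.1.1 that arrives on Tunnel126 is only
! accepted if the RPF lookup for 1.1.1.1 also resolves to Tunnel126. The unicast
! route to 1.1.1.1 (via FastEthernet0/0, through the ASA context) would otherwise
! win the RPF check, so a static mroute overrides it for multicast only. The same
! entry also steers the (*,G) join for RP 1.1.1.1 up the tunnel towards KS R1.
ip multicast-routing
ip pim rp-address 1.1.1.1
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
!
interface Tunnel126
 ip pim sparse-mode
!
! KS R1 needs no mroute: 1.1.1.1 is its own loopback (directly connected, RPF
! passes) and R2's PIM join arriving on Tunnel126 adds that interface to the
! outgoing list for 239.0.0.1.
!
! Verification (exec mode):
!   show ip rpf 1.1.1.1              - RPF interface must be Tunnel126
!   show ip mroute 239.0.0.1         - incoming interface Tunnel126 for the group
!   show crypto gdoi group GETVPN-GR - "Rekeys received" should increment after
!                                      the next rekey from the KS
```

224.0.1.40 is the Cisco Auto-RP discovery group (cisco-rp-discovery), which PIM-enabled IOS routers join on their own; seeing it in `show ip pim rp` on both routers is normal and unrelated to the GDOI rekey group.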
From: Mike Rojas [mailto:[email protected]]
Sent: Monday, August 06, 2012 8:47 PM
To: Eugene Pefti; [email protected]
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
If I am not mistaken,
On the Router 1 (inside router, if I'm not too Costa Rican at 9:44 PM), you
need to point the RP-address to the loopback and then, on router 2, create a
static mroute towards that tunnel interface...
Try it out, if not, it will be a long long Night for me...
Mike.
> From: [email protected]
> To: [email protected]
> Date: Tue, 7 Aug 2012 03:21:28 +0000
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>
> Argh...
> Multicast routing has been my weakest point. Never understood the subtleties
> in various pim modes ;)
> Enabled it on both devices, still no luck.
>
> From GM:
>
> R2#sh cry gdoi group GETVPN-GR
> Group Name : GETVPN-GR
> Group Identity : 126
> Rekeys received : 0
> IPSec SA Direction : Both
> Active Group Server : 1.1.1.1
> Group Server list : 1.1.1.1
> 5.5.5.5
>
> GM Reregisters in : 3298 secs
> Rekey Received : never
>
>
> Rekeys received
> Cumulative : 0
> After registration : 0
>
>
>
> -----Original Message-----
> From: Warrick Mitchell [mailto:[email protected]]
> Sent: Monday, August 06, 2012 7:38 PM
> To: Eugene Pefti
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>
> Hi Eugene,
>
> You need to enable multicast on both devices "ip multicast-routing"
> and then on the tunnel you will need "ip pim sparse-mode"
>
> Cheers,
> Warrick
>
> On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti
> <[email protected]> wrote:
> > Guys,
> >
> > I'm trying to recreate the scenario I ran into in Lab 17 my own way and
> > stumbled upon multicast rekeying.
> >
> > This is the rudimentary diagram:
> >
> > R1 (192.168.3.1 - KS) ----------- ASA context --------- R2 (192.168.5.2 - GM)
> > (loopback 1.1.1.1)                                       (loopback 2.2.2.2)
> >
> > R1 sends the key via multicast:
> >
> > ip access-list extended REKEY-ACL
> > permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
> >
> > I created a GRE tunnel between R1 and R2 to overcome the multi-context ASA
> > limitation.
> >
> > R1:
> > interface Tunnel126
> > ip address 10.10.10.1 255.255.255.0
> > tunnel source FastEthernet0/0
> > tunnel destination 192.168.5.2
> >
> > R2:
> > interface Tunnel126
> > ip address 10.10.10.2 255.255.255.0
> > tunnel source FastEthernet0/0
> > tunnel destination 192.168.3.1
> >
> > The tunnel is up, but how can I tell R1 to use this tunnel to send
> > multicast rekeys?
> >
> > Eugene
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training,
> > please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com