Hi Eugene, I'm pretty sure the issue here is you're not advertising 239.0.0.1 outside of the R1 router.
There are two ways you can do it:

conf t
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!

This goes along with how you have configured it currently. Or you could do it with:

access-list 1 permit 239.0.0.1
ip pim send-rp-announce Lo0 scope 16 group-list 1
ip pim send-rp-discovery Lo0 scope 16 interval 30
!

Then on R2 you can do "show ip mroute 239.0.0.1" and you should see it's learnt by the tunnel.

Cheers,
Warrick

On Tue, Aug 7, 2012 at 3:01 PM, Mike Rojas <[email protected]> wrote:
> Eugene,
>
> I'm on it right now.... 1:00 AM....
>
> Mike...
>
> ________________________________
> From: [email protected]
> To: [email protected]; [email protected]
> CC: [email protected]
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
> Date: Tue, 7 Aug 2012 06:23:40 +0000
>
> Now, I'm totally confused, sorry for confusing you guys ;)
>
> Do I have to or not have to add mroute on GM?
>
> On KS R1 GDOI relevant sections:
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.0
>  ip pim sparse-mode
> interface Tunnel126
>  ip address 10.10.10.1 255.255.255.0
>  ip pim sparse-mode
>  tunnel source FastEthernet0/0
>  tunnel destination 192.168.5.2
>
> ip multicast-routing
> ip pim rp-address 1.1.1.1
>
> crypto gdoi group GDOI-GROUP
>  identity number 126
>  server local
>   rekey address ipv4 REKEY-ACL
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN-KEYS
>   sa ipsec 1
>    profile IPSEC-PROF
>    match address ipv4 GETVPN-ENCR-TRAFF
>    replay counter window-size 64
>   address ipv4 1.1.1.1
>   redundancy
>    local priority 255
>    peer address ipv4 5.5.5.5
>
> ip access-list extended GETVPN-ENCR-TRAFF
>  permit ip host 2.2.2.2 host 6.6.6.6
>  permit ip host 6.6.6.6 host 2.2.2.2
> ip access-list extended REKEY-ACL
>  permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
>
> GM R2
>
> crypto gdoi group GETVPN-GR
>  identity number 126
>  server address ipv4 1.1.1.1
>  server address ipv4 5.5.5.5
> interface Loopback0
>  ip address 2.2.2.2 255.255.255.0
>  ip pim sparse-mode
> interface Tunnel126
>  ip address 10.10.10.2 255.255.255.0
>  ip pim sparse-mode
>  tunnel source FastEthernet0/0
>  tunnel destination 192.168.3.1
>
> ip multicast-routing
> ip pim rp-address 1.1.1.1
>
> What I don't understand is what this 224.0.1.40 multicast address is that I see both on KS and GM:
>
> R1#sh ip pim rp
> Group: 239.0.0.1, RP: 1.1.1.1, next RP-reachable in 00:01:27
> Group: 224.0.1.40, RP: 1.1.1.1, next RP-reachable in 00:00:29
>
> R2#sh ip pim rp
> Group: 224.0.1.40, RP: 1.1.1.1, uptime 00:26:29, expires never
>
> From: Mike Rojas [mailto:[email protected]]
> Sent: Monday, August 06, 2012 8:47 PM
> To: Eugene Pefti; [email protected]
> Cc: [email protected]
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>
> If I am not mistaken,
>
> On the Router 1 (inside router, if I'm not too Costa Rican at 9:44 PM), you need to point the RP-address to the loopback and then on router 2, create a static mroute towards that tunnel interface...
>
> Try it out; if not, it will be a long long night for me...
>
> Mike.
>
>> From: [email protected]
>> To: [email protected]
>> Date: Tue, 7 Aug 2012 03:21:28 +0000
>> CC: [email protected]
>> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>>
>> Argh...
>> Multicast routing has been my weakest point. Never understood the subtleties in various pim modes ;)
>> Enabled it on both devices, still no luck.
>>
>> From GM:
>>
>> R2#sh cry gdoi group GETVPN-GR
>> Group Name               : GETVPN-GR
>> Group Identity           : 126
>> Rekeys received          : 0
>> IPSec SA Direction       : Both
>> Active Group Server      : 1.1.1.1
>> Group Server list        : 1.1.1.1
>>                            5.5.5.5
>>
>> GM Reregisters in        : 3298 secs
>> Rekey Received           : never
>>
>> Rekeys received
>> Cumulative               : 0
>> After registration       : 0
>>
>> -----Original Message-----
>> From: Warrick Mitchell [mailto:[email protected]]
>> Sent: Monday, August 06, 2012 7:38 PM
>> To: Eugene Pefti
>> Cc: CCIE Security Maillist
>> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>>
>> Hi Eugene,
>>
>> You need to enable multicast on both devices ("ip multicast-routing") and then on the tunnel you will need "ip pim sparse-mode".
>>
>> Cheers,
>> Warrick
>>
>> On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti <[email protected]> wrote:
>> > Guys,
>> >
>> > I'm trying to recreate the scenario I ran into in Lab 17 my own way and stumbled upon multicast rekeying.
>> >
>> > This is the rudimentary diagram:
>> >
>> > R1 (192.168.3.1 - KS) -----------ASA context---------R2 (192.168.5.2 - GM)
>> > (loopback 1.1.1.1)                                   (loopback 2.2.2.2)
>> >
>> > R1 sends key via multicasts:
>> >
>> > ip access-list extended REKEY-ACL
>> >  permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
>> >
>> > I created a GRE tunnel between R1 and R2 to overcome the multi-context ASA limitation.
>> >
>> > R1:
>> > interface Tunnel126
>> >  ip address 10.10.10.1 255.255.255.0
>> >  tunnel source FastEthernet0/0
>> >  tunnel destination 192.168.5.2
>> >
>> > R2:
>> > interface Tunnel126
>> >  ip address 10.10.10.2 255.255.255.0
>> >  tunnel source FastEthernet0/0
>> >  tunnel destination 192.168.3.1
>> >
>> > Tunnel is up, but how can I tell R1 to use this tunnel to send multicast rekeys?
>> >
>> > Eugene
>> >
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training,
>> > please visit www.ipexpert.com
>> >
>> > Are you a CCNP or CCIE and looking for a job? Check out
>> > www.PlatinumPlacement.com
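The thread turns on a handful of config conditions: multicast routing enabled on both routers, `ip pim sparse-mode` on the tunnel, and an RP mapping that actually covers the group named in the REKEY-ACL (a static `ip pim rp-address` scoped with a standard ACL only covers the groups that ACL permits). The following is an added example, not code from anyone in the thread: a small Python checker that parses IOS-style config text and reports which of those conditions are missing. The sample configs are constructed from the R1/R2 snippets posted above plus the ACL-scoped static RP suggested in the reply; the function names are this example's own. Note that the checker deliberately ignores 224.0.1.40, which is the Auto-RP discovery group that every PIM-enabled IOS router joins on its own, so its presence in "show ip pim rp" on both KS and GM is expected.

```python
# Added example: consistency check for a GETVPN multicast-rekey setup over GRE.
# Parses IOS-style config text (sample configs below are constructed from the
# thread's snippets) and reports the conditions the thread turns on.
import ipaddress
import re


def parse_config(cfg):
    """Split IOS config into top-level lines and their indented child lines.

    Deeper nesting (e.g. under 'crypto gdoi group') is flattened onto the
    nearest top-level header; that is enough for the checks below.
    """
    top, blocks, current = [], {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def rekey_group(top, blocks):
    """Destination group of the ACL named by 'rekey address ipv4 <ACL>' (KS only)."""
    for hdr, body in blocks.items():
        if not hdr.startswith("crypto gdoi group"):
            continue
        for line in body:
            m = re.match(r"rekey address ipv4 (\S+)", line)
            if m:
                for entry in blocks.get(f"ip access-list extended {m.group(1)}", []):
                    e = re.match(r"permit udp host \S+ eq \d+ host (\S+) eq \d+", entry)
                    if e:
                        return e.group(1)
    return None


def std_acl_permits(top, acl, addr):
    """Evaluate a numbered standard ACL: first match wins, implicit deny at the end."""
    target = int(ipaddress.IPv4Address(addr))
    for line in top:
        m = re.match(rf"access-list {acl} (permit|deny) (\S+)(?: (\S+))?$", line)
        if not m:
            continue
        action, a, w = m.groups()
        if a == "any":
            hit = True
        else:
            if a == "host":               # 'host x.x.x.x' form
                a, w = w, "0.0.0.0"
            wild = int(ipaddress.IPv4Address(w or "0.0.0.0"))
            mask = ~wild & 0xFFFFFFFF     # wildcard bits are don't-care bits
            hit = (target & mask) == (int(ipaddress.IPv4Address(a)) & mask)
        if hit:
            return action == "permit"
    return False


def rp_for_group(top, group):
    """Static RP whose mapping covers the group: an unscoped 'ip pim rp-address'
    covers every group, an ACL-scoped one only the groups its ACL permits."""
    for line in top:
        m = re.match(r"ip pim rp-address (\S+)(?: (\d+))?$", line)
        if m:
            rp, acl = m.groups()
            if acl is None or std_acl_permits(top, acl, group):
                return rp
    return None


def check_router(cfg, group=None):
    """Return (findings, group). Pass the KS's rekey group when checking a GM,
    because the GM config carries no rekey ACL of its own."""
    top, blocks = parse_config(cfg)
    group = group or rekey_group(top, blocks)
    if group is None:
        return ["no rekey group found (no 'rekey address ipv4' ACL with a permit entry)"], None
    findings = []
    if not ipaddress.IPv4Address(group).is_multicast:
        findings.append(f"rekey destination {group} is not a multicast group")
    if "ip multicast-routing" not in top:
        findings.append("ip multicast-routing missing")
    for hdr, body in blocks.items():
        if hdr.startswith("interface Tunnel") and "ip pim sparse-mode" not in body:
            findings.append(f"{hdr}: ip pim sparse-mode missing")
    if rp_for_group(top, group) is None:
        findings.append(f"no RP mapping covers {group}")
    return findings, group


# Constructed sample configs, modelled on the thread (not verbatim device output).
R1_KS = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip pim sparse-mode
interface Tunnel126
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.5.2
ip multicast-routing
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
crypto gdoi group GDOI-GROUP
 identity number 126
 server local
  rekey address ipv4 REKEY-ACL
  address ipv4 1.1.1.1
ip access-list extended REKEY-ACL
 permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
"""

R2_GM = """\
crypto gdoi group GETVPN-GR
 identity number 126
 server address ipv4 1.1.1.1
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.3.1
ip multicast-routing
ip pim rp-address 1.1.1.1
"""

# The GM's tunnel as in the first post: GRE is up, but nothing multicast on it.
R2_GM_BARE = """\
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.3.1
"""

if __name__ == "__main__":
    ks_findings, group = check_router(R1_KS)
    print("R1:", ks_findings or "ok", "| rekey group:", group)
    for name, cfg in (("R2", R2_GM), ("R2 (bare tunnel)", R2_GM_BARE)):
        findings, _ = check_router(cfg, group)
        print(f"{name}:", findings or "ok")
```

Running it against the constructed configs reports R1 and the fully configured R2 as clean, and lists three findings for the bare-tunnel R2. Changing the KS's REKEY-ACL destination back to 239.1.1.254 (the group from the first post) while `access-list 10` still permits only 239.0.0.1 produces "no RP mapping covers 239.1.1.254", which is the scoping mismatch worth catching before debugging `show ip mroute` on the GM.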
