Hi Eugene,

I'm pretty sure the issue here is you're not advertising 239.0.0.1
outside of the R1 router.

There are two ways you can do it:

conf t
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!

This goes along with how you have configured it currently.

Or you could do it with:

access-list 1 permit 239.0.0.1
ip pim send-rp-announce Lo0 scope 16 group-list 1
ip pim send-rp-discovery Lo0 scope 16 interval 30
!

Then on R2 you can do "show ip mroute 239.0.0.1" and you should see
it's learnt by the tunnel.

Cheers,
Warrick
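Added example, not from the thread or Eugene's lab: it puts the thread's suggestions together on both ends of the GRE tunnel (static RP scoped to the rekey group, PIM sparse mode on the tunnel, and the static mroute Mike mentioned so R2's RPF check toward the KS succeeds over the tunnel). Addresses and interface names are taken from the thread; the show commands at the end are assumed verification steps.

```ios
! R1 (KS) -- added example assembled from the thread, not the original lab config
ip multicast-routing
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip pim sparse-mode
!
interface Tunnel126
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.5.2
!
! Static RP limited to the rekey group (Warrick's first option)
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!
! ---------------------------------------------------------------
! R2 (GM)
ip multicast-routing
!
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.3.1
!
! Same static RP mapping on the GM
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!
! RPF: force the path back to the RP/KS over the GRE tunnel (Mike's static mroute).
! If the unicast route to 1.1.1.1 points at the ASA, PIM joins would leave via
! FastEthernet0/0 and rekeys arriving over the tunnel would fail the RPF check.
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
!
! Verification (assumed steps). 224.0.1.40 is the Cisco Auto-RP discovery group,
! which PIM-enabled IOS routers join by default, so seeing it is expected.
!   R2# show ip rpf 1.1.1.1        -> RPF interface should be Tunnel126
!   R2# show ip mroute 239.0.0.1   -> (*, 239.0.0.1) with Tunnel126 as incoming interface
!   R2# show crypto gdoi group GETVPN-GR | include Rekey
```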
On Tue, Aug 7, 2012 at 3:01 PM, Mike Rojas <[email protected]> wrote:
> Eugene,
>
> I'm on it right now.... 1:00 AM....
>
> Mike...
>
> ________________________________
> From: [email protected]
> To: [email protected]; [email protected]
> CC: [email protected]
>
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
> Date: Tue, 7 Aug 2012 06:23:40 +0000
>
>
> Now, I’m totally confused, sorry for confusing you guys ;)
>
> Do I have to or not have to add mroute on GM ?
>
>
>
> On KS R1 GDOI relevant sections:
>
> interface Loopback0
>    ip address 1.1.1.1 255.255.255.0
>    ip pim sparse-mode
> interface Tunnel126
>    ip address 10.10.10.1 255.255.255.0
>    ip pim sparse-mode
>    tunnel source FastEthernet0/0
>    tunnel destination 192.168.5.2
>
> ip multicast-routing
> ip pim rp-address 1.1.1.1
>
> crypto gdoi group GDOI-GROUP
> identity number 126
> server local
>   rekey address ipv4 REKEY-ACL
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN-KEYS
>   sa ipsec 1
>    profile IPSEC-PROF
>    match address ipv4 GETVPN-ENCR-TRAFF
>    replay counter window-size 64
>   address ipv4 1.1.1.1
>   redundancy
>      local priority 255
>      peer address ipv4 5.5.5.5
>
> ip access-list extended GETVPN-ENCR-TRAFF
>   permit ip host 2.2.2.2 host 6.6.6.6
>   permit ip host 6.6.6.6 host 2.2.2.2
> ip access-list extended REKEY-ACL
>   permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
>
> GM R2
>
> crypto gdoi group GETVPN-GR
>    identity number 126
>    server address ipv4 1.1.1.1
>    server address ipv4 5.5.5.5
> interface Loopback0
>    ip address 2.2.2.2 255.255.255.0
>    ip pim sparse-mode
> interface Tunnel126
>    ip address 10.10.10.2 255.255.255.0
>    ip pim sparse-mode
>    tunnel source FastEthernet0/0
>    tunnel destination 192.168.3.1
>
> ip multicast-routing
> ip pim rp-address 1.1.1.1
>
> What I don’t understand is what this 224.0.1.40 multicast address is that I see
> both on KS and GM
>
> R1#sh ip pim rp
> Group: 239.0.0.1, RP: 1.1.1.1, next RP-reachable in 00:01:27
> Group: 224.0.1.40, RP: 1.1.1.1, next RP-reachable in 00:00:29
>
> R2#sh ip pim rp
> Group: 224.0.1.40, RP: 1.1.1.1, uptime 00:26:29, expires never
>
>
>
>
>
>
>
> From: Mike Rojas [mailto:[email protected]]
> Sent: Monday, August 06, 2012 8:47 PM
> To: Eugene Pefti; [email protected]
> Cc: [email protected]
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
>
>
>
> If I am not mistaken,
>
> On the Router 1 (inside router if I'm not too Costa Rican at 9:44 PM), you
> need to point the RP-address to the loopback and then on router 2, create a
> static Mroute towards that tunnel interface...
>
> Try it out, if not, it will be a long long Night for me...
>
> Mike.
>
>> From: [email protected]
>> To: [email protected]
>> Date: Tue, 7 Aug 2012 03:21:28 +0000
>> CC: [email protected]
>> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE
>> tunnel
>>
>> Argh...
>> Multicast routing has been my weakest point. Never understood the
>> subtleties in various pim modes ;)
>> Enabled it on both devices, still no luck.
>>
>> From GM:
>>
>> R2#sh cry gdoi group GETVPN-GR
>> Group Name : GETVPN-GR
>> Group Identity : 126
>> Rekeys received : 0
>> IPSec SA Direction : Both
>> Active Group Server : 1.1.1.1
>> Group Server list : 1.1.1.1
>> 5.5.5.5
>>
>> GM Reregisters in : 3298 secs
>> Rekey Received : never
>>
>>
>> Rekeys received
>> Cumulative : 0
>> After registration : 0
>>
>>
>>
>> -----Original Message-----
>> From: Warrick Mitchell [mailto:[email protected]]
>> Sent: Monday, August 06, 2012 7:38 PM
>> To: Eugene Pefti
>> Cc: CCIE Security Maillist
>> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE
>> tunnel
>>
>> Hi Eugene,
>>
>> You need to enable multicast on both devices "ip multicast-routing"
>> and then on the tunnel you will need "ip pim sparse-mode"
>>
>> Cheers,
>> Warrick
>>
>> On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti <[email protected]>
>> wrote:
>> > Guys,
>> >
>> > I'm trying to recreate the scenario I ran into Lab 17 my own way and
>> > stumbled upon multicast rekeying.
>> >
>> >
>> >
>> > This is the rudimentary diagram:
>> >
>> > R1 (192.168.3.1 - KS) -----------ASA context ---------R2
>> > (192.168.5.2 - GM)
>> >
>> > (loopback 1.1.1.1)
>> > (loopback 2.2.2.2)
>> >
>> > R1 sends key via multicasts:
>> >
>> > ip access-list extended REKEY-ACL
>> > permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
>> >
>> > I created GRE tunnel between R1 and R2 to overcome multicontext ASA
>> > limitation.
>> >
>> > R1:
>> > interface Tunnel126
>> > ip address 10.10.10.1 255.255.255.0
>> > tunnel source FastEthernet0/0
>> > tunnel destination 192.168.5.2
>> >
>> > R2:
>> > interface Tunnel126
>> > ip address 10.10.10.2 255.255.255.0
>> > tunnel source FastEthernet0/0
>> > tunnel destination 192.168.3.1
>> >
>> > Tunnel is up but how can I tell R1 to use this tunnel to send
>> > multicast rekeys ?
>> >
>> > Eugene
>> >
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training,
>> > please visit www.ipexpert.com
>> >
>> > Are you a CCNP or CCIE and looking for a job? Check out
>> > www.PlatinumPlacement.com