Hello, 

Mainly, a static RP is used, so no need to advertise... 

This has to be some kind of GNS sorcery; I can pass mcast traffic across the 
GRE: 

R4#ping 239.0.0.1
Reply to request 0 from 100.100.100.2, 156 ms

However, it seems to be mainly ignoring it (when it comes to my multicast 
group)... I took captures; the packet goes out of the ASA, however "debug 
ip packet" never actually processes it...

As per the first question, it doesn't need to know where to send it; it will 
send it over every available interface (even if not running PIM): 

*Mar  1 02:39:10.123: IP: s=192.10.1.4 (local), d=239.0.0.1 (FastEthernet0/0), len 632, sending broad/multicast
*Mar  1 02:39:10.127: IP: s=100.10.10.1 (local), d=239.0.0.1 (Loopback1), len 632, sending broad/multicast
*Mar  1 02:39:10.127: IP: s=100.100.100.1 (local), d=239.0.0.1 (Tunnel1), len 632, sending broad/multicast
*Mar  1 02:39:10.131: %GDOI-5-KS_SEND_MCAST_REKEY: Sending Multicast Rekey for group GET from address 192.10.1.4 to 239.0.0.1  with seq # 1

Here is a working config from Piotr that I found on an old OSL... 

http://onlinestudylist.com/archives/ccie_security/2012-February/029155.html

I'll rack it up tomorrow at work.

Mike 



> Date: Tue, 7 Aug 2012 15:26:48 +0800
> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
> 
> Hi Eugene,
> 
> I'm pretty sure the issue here is you're not advertising 239.0.0.1
> outside of the R1 router.
> 
> There are two ways you can do it:
> 
> conf t
> access-list 10 permit 239.0.0.1
> ip pim rp-address 1.1.1.1 10
> !
> 
> This goes along with how you have configured it currently.
> 
> Or you could do it with:
> 
> access-list 1 permit 239.0.0.1
> ip pim send-rp-announce Lo0 scope 16 group-list 1
> ip pim send-rp-discovery Lo0 scope 16 interval 30
> !
> 
> Then on R2 you can do "show ip mroute 239.0.0.1" and you should see
> it's learnt via the tunnel.
> 
> Cheers,
> Warrick
> On Tue, Aug 7, 2012 at 3:01 PM, Mike Rojas <[email protected]> wrote:
> > Eugene,
> >
> > I'm on it right now... 1:00 AM...
> >
> > Mike...
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]; [email protected]
> > CC: [email protected]
> >
> > Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
> > Date: Tue, 7 Aug 2012 06:23:40 +0000
> >
> >
> > Now I'm totally confused, sorry for confusing you guys ;)
> >
> > Do I or do I not have to add an mroute on the GM?
> >
> >
> >
> > On KS R1, GDOI-relevant sections:
> >
> > interface Loopback0
> >  ip address 1.1.1.1 255.255.255.0
> >  ip pim sparse-mode
> > interface Tunnel126
> >  ip address 10.10.10.1 255.255.255.0
> >  ip pim sparse-mode
> >  tunnel source FastEthernet0/0
> >  tunnel destination 192.168.5.2
> >
> > ip multicast-routing
> > ip pim rp-address 1.1.1.1
> >
> > crypto gdoi group GDOI-GROUP
> >  identity number 126
> >  server local
> >   rekey address ipv4 REKEY-ACL
> >   rekey retransmit 10 number 2
> >   rekey authentication mypubkey rsa GETVPN-KEYS
> >   sa ipsec 1
> >    profile IPSEC-PROF
> >    match address ipv4 GETVPN-ENCR-TRAFF
> >    replay counter window-size 64
> >   address ipv4 1.1.1.1
> >   redundancy
> >    local priority 255
> >    peer address ipv4 5.5.5.5
> >
> > ip access-list extended GETVPN-ENCR-TRAFF
> >  permit ip host 2.2.2.2 host 6.6.6.6
> >  permit ip host 6.6.6.6 host 2.2.2.2
> > ip access-list extended REKEY-ACL
> >  permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
> >
> > GM R2:
> >
> > crypto gdoi group GETVPN-GR
> >  identity number 126
> >  server address ipv4 1.1.1.1
> >  server address ipv4 5.5.5.5
> >
> > interface Loopback0
> >  ip address 2.2.2.2 255.255.255.0
> >  ip pim sparse-mode
> > interface Tunnel126
> >  ip address 10.10.10.2 255.255.255.0
> >  ip pim sparse-mode
> >  tunnel source FastEthernet0/0
> >  tunnel destination 192.168.3.1
> >
> > ip multicast-routing
> > ip pim rp-address 1.1.1.1
> >
> > What I don't understand is what this 224.0.1.40 multicast address is that I
> > see on both the KS and the GM:
> >
> > R1#sh ip pim rp
> > Group: 239.0.0.1, RP: 1.1.1.1, next RP-reachable in 00:01:27
> > Group: 224.0.1.40, RP: 1.1.1.1, next RP-reachable in 00:00:29
> >
> > R2#sh ip pim rp
> > Group: 224.0.1.40, RP: 1.1.1.1, uptime 00:26:29, expires never
> >
> > From: Mike Rojas [mailto:[email protected]]
> > Sent: Monday, August 06, 2012 8:47 PM
> > To: Eugene Pefti; [email protected]
> > Cc: [email protected]
> > Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
> >
> >
> >
> > If I am not mistaken,
> >
> > On Router 1 (the inside router, if I'm not too Costa Rican at 9:44 PM), you
> > need to point the RP address to the loopback and then, on Router 2, create a
> > static mroute towards that tunnel interface...
> >
> > Try it out; if not, it will be a long, long night for me...
> >
> > Mike.
> >
> >> From: [email protected]
> >> To: [email protected]
> >> Date: Tue, 7 Aug 2012 03:21:28 +0000
> >> CC: [email protected]
> >> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE
> >> tunnel
> >>
> >> Argh...
> >> Multicast routing has been my weakest point. Never understood the
> >> subtleties in various pim modes ;)
> >> Enabled it on both devices, still no luck.
> >>
> >> From the GM:
> >>
> >> R2#sh cry gdoi group GETVPN-GR
> >> Group Name            : GETVPN-GR
> >> Group Identity        : 126
> >> Rekeys received       : 0
> >> IPSec SA Direction    : Both
> >> Active Group Server   : 1.1.1.1
> >> Group Server list     : 1.1.1.1
> >>                         5.5.5.5
> >> GM Reregisters in     : 3298 secs
> >> Rekey Received        : never
> >>
> >> Rekeys received
> >>   Cumulative          : 0
> >>   After registration  : 0
> >>
> >> -----Original Message-----
> >> From: Warrick Mitchell [mailto:[email protected]]
> >> Sent: Monday, August 06, 2012 7:38 PM
> >> To: Eugene Pefti
> >> Cc: CCIE Security Maillist
> >> Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE
> >> tunnel
> >>
> >> Hi Eugene,
> >>
> >> You need to enable multicast on both devices ("ip multicast-routing"),
> >> and then on the tunnel you will need "ip pim sparse-mode".
> >>
> >> Cheers,
> >> Warrick
> >>
> >> On Tue, Aug 7, 2012 at 10:05 AM, Eugene Pefti <[email protected]>
> >> wrote:
> >> > Guys,
> >> >
> >> > I'm trying to recreate the scenario I ran into Lab 17 my own way and
> >> > stumbled upon multicast rekeying.
> >> >
> >> >
> >> >
> >> > This is the rudimentary diagram:
> >> >
> >> > R1 (192.168.3.1 - KS) ----------- ASA context ----------- R2 (192.168.5.2 - GM)
> >> > (loopback 1.1.1.1)                                        (loopback 2.2.2.2)
> >> >
> >> > R1 sends keys via multicast:
> >> >
> >> > ip access-list extended REKEY-ACL
> >> >  permit udp host 1.1.1.1 eq 848 host 239.1.1.254 eq 848
> >> >
> >> > I created a GRE tunnel between R1 and R2 to overcome the multi-context ASA
> >> > limitation.
> >> >
> >> > R1:
> >> > interface Tunnel126
> >> >  ip address 10.10.10.1 255.255.255.0
> >> >  tunnel source FastEthernet0/0
> >> >  tunnel destination 192.168.5.2
> >> >
> >> > R2:
> >> > interface Tunnel126
> >> >  ip address 10.10.10.2 255.255.255.0
> >> >  tunnel source FastEthernet0/0
> >> >  tunnel destination 192.168.3.1
> >> >
> >> > The tunnel is up, but how can I tell R1 to use this tunnel to send
> >> > multicast rekeys?
> >> >
> >> >
> >> >
> >> > Eugene
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
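Added example, not from any of the posters above: the multicast-over-GRE plumbing this thread converges on, collected into one KS-side and one GM-side fragment with the checks to run before blaming GDOI. Interface names, addresses, ACL names and the GDOI group are taken from Eugene's configs; the group-scoped static RP is Warrick's first suggestion and the static mroute is Mike's. The mroute rests on an assumption the thread does not state outright: that R2's unicast route to 1.1.1.1 goes through the ASA context (FastEthernet0/0) rather than through the tunnel, as the diagram implies. The thread never confirms what fixed Eugene's lab, so treat this as the configuration to verify against, not as a recorded fix.

```ios
! ===== KS (R1) =====
ip multicast-routing
!
! Static RP, scoped to the rekey group only (Warrick's first option).
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip pim sparse-mode
!
! PIM runs on the tunnel, not on FastEthernet0/0: the multi-context ASA
! between R1 and R2 is exactly what the GRE tunnel exists to bypass.
interface Tunnel126
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.5.2
!
! Rekeys are sourced from 1.1.1.1 (the KS "address ipv4"), so every GM must
! RPF-resolve 1.1.1.1 to the interface the rekey actually arrives on.
ip access-list extended REKEY-ACL
 permit udp host 1.1.1.1 eq 848 host 239.0.0.1 eq 848
!
! ===== GM (R2) =====
ip multicast-routing
!
access-list 10 permit 239.0.0.1
ip pim rp-address 1.1.1.1 10
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ip pim sparse-mode
!
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 tunnel source FastEthernet0/0
 tunnel destination 192.168.3.1
!
! ASSUMPTION (not shown in the thread): R2's unicast route to 1.1.1.1 points
! out FastEthernet0/0, through the ASA. A rekey arriving on Tunnel126 would
! then fail the RPF check and be dropped silently. A static mroute (default
! distance 0) is consulted for RPF ahead of the unicast table; because the RP
! and the rekey source are the same address, one entry covers both the (*,G)
! join toward the RP and the (S,G) RPF check on the rekey itself.
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
!
! ===== Checks, in the order to run them =====
! GM:   show ip rpf 1.1.1.1              -> RPF interface must be Tunnel126
! GM:   show ip igmp groups              -> 239.0.0.1 must be listed; the GM joins
!                                           the rekey group itself when it registers
! GM:   show ip mroute 239.0.0.1         -> (*, 239.0.0.1), Incoming interface: Tunnel126
! KS:   show ip mroute 239.0.0.1         -> Tunnel126 in the Outgoing interface list
! KS:   show ip pim rp mapping           -> 239.0.0.1 mapped to 1.1.1.1 (static)
! Both: show ip pim neighbor             -> the tunnel peer must appear
! GM:   show crypto gdoi group GETVPN-GR -> "Rekeys received" must increment after the
!                                           KS logs %GDOI-5-KS_SEND_MCAST_REKEY
```

Two caveats the thread raises without answering. The 224.0.1.40 entries Eugene sees are unrelated to GETVPN: IOS joins that group (Auto-RP discovery) on a PIM-enabled interface as soon as PIM is turned on, so it shows up with or without a static RP. And Eugene's first post rekeys to 239.1.1.254 while the later configs use 239.0.0.1; whichever group is in REKEY-ACL has to be the one in access-list 10 on both routers, or the scoped static RP simply will not cover it. Because the KS signs its rekeys (rekey authentication mypubkey rsa GETVPN-KEYS), extending the multicast path across the tunnel does not let another host on that path forge a rekey; the path only has to deliver the packet.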
