Ok,
I wish it were so simple. No way, not even as it was said here: enable PIM
sparse mode on both KS and GM tunnel and loopback interfaces.
This is my config that finally started working. Again, it's a bit different
from the scenario in Lab 17, where there's a central router and we don't have
DMVPN as an overlay.
This is just to explore all possible combinations and applications of
multicast-based rekeying with GETVPN.
Topology:
R1 (192.168.3.1 - KS) ----------- ASA context --------- R2 (192.168.5.2 - GM)
   (loopback 1.1.1.1)                                      (loopback 2.2.2.2)
GRE tunnels on R1 and R2 are sourced from loopbacks:
R1:
interface Tunnel126
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 tunnel source Loopback0
 tunnel destination 2.2.2.2
R2:
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.0.0.1
 tunnel source Loopback0
 tunnel destination 1.1.1.1
Notice that I added "ip igmp join-group 239.0.0.1" under the GM tunnel interface.
This is apparently the only part that was missing.
Then I added a static mroute on the GM to 1.1.1.1 via Tunnel126, and the error
messages are gone.
R2(config)#do sh run | inc mroute
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
I still wish someone would explain to me why "show ip igmp group" shows this
unknown multicast address 224.0.1.40 and why the group address 239.0.0.1 is in
the stopped status.
R2(config)#do sh ip igmp group
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires   Last Reporter   Group Accounted
239.0.0.1        Tunnel126    00:22:34  stopped   10.10.10.2
239.0.0.1        Serial0/0/0  01:05:32  stopped   192.168.23.2
224.0.1.40       Loopback0    01:05:43  00:02:05  2.2.2.2
I'm getting rekeys on R2 now:
R2(config)#do sh cry gdoi group GETVPN-GR
Group Name               : GETVPN-GR
Group Identity           : 126
Rekeys received          : 1
IPSec SA Direction       : Both
Active Group Server      : 1.1.1.1
Group Server list        : 1.1.1.1
                           5.5.5.5
GM Reregisters in        : 0 secs
Rekey Received(hh:mm:ss) : 00:04:53
Rekeys received
    Cumulative           : 1
    After registration   : 1
Eugene
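To turn the checklist from this thread into something repeatable, here is an added example (not part of the original mail, not Cisco tooling) that reads a GM running-config and reports which of the pieces Eugene ended up needing are missing: PIM sparse mode on the tunnel and its source loopback, the IGMP join for the rekey group on the tunnel, and the static mroute that lets RPF for the KS address succeed through the tunnel. The sample config is constructed from the R2 config above; the KS address 1.1.1.1 and group 239.0.0.1 are taken from the thread.

```python
import re

# Constructed sample GM running-config, modelled on R2 in the thread (KS 1.1.1.1
# reached via Tunnel126, rekey group 239.0.0.1); not captured from a real device.
GM_CONFIG = """\
interface Loopback0
 ip pim sparse-mode
!
interface Tunnel126
 ip address 10.10.10.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.0.0.1
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
ip mroute 1.1.1.1 255.255.255.255 Tunnel126
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def check_rekey_path(config, ks, group):
    """List what would stop multicast rekeys from KS 'ks' reaching this GM."""
    problems, ifaces = [], parse_interfaces(config)
    tun = next((n for n, ls in ifaces.items()
                if n.startswith("Tunnel") and f"tunnel destination {ks}" in ls), None)
    if tun is None:
        return [f"no GRE tunnel with destination {ks}"]
    # PIM must run on the tunnel and on the loopback it is sourced from.
    src = next((l.split()[-1] for l in ifaces[tun] if l.startswith("tunnel source")), None)
    for name in (tun, src):
        if "ip pim sparse-mode" not in ifaces.get(name, []):
            problems.append(f"{name}: missing 'ip pim sparse-mode'")
    # The GM joins the rekey group on the tunnel itself (the piece the thread found missing).
    if f"ip igmp join-group {group}" not in ifaces[tun]:
        problems.append(f"{tun}: missing 'ip igmp join-group {group}'")
    # RPF: the KS address has to point back through the tunnel in the mroute table.
    if not re.search(rf"^ip mroute {re.escape(ks)} 255\.255\.255\.255 {tun}$", config, re.M):
        problems.append(f"missing 'ip mroute {ks} 255.255.255.255 {tun}' (RPF fails)")
    return problems
```

Running `check_rekey_path(GM_CONFIG, "1.1.1.1", "239.0.0.1")` on the sample returns an empty list; drop the join-group or mroute line and the corresponding problem is reported.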
From: Marta Sokolowska [mailto:[email protected]]
Sent: Tuesday, August 07, 2012 11:54 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey through GRE tunnel
2012/8/7 Eugene Pefti <[email protected]>
[...]
Ok, I removed this route and the error message is gone, and then silence.
I don't see any joins on the GM and no mroutes.
R2(config)#do sh ip igmp group
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires   Last Reporter   Group Accounted
239.1.1.254      Serial0/0/0  16:06:00  stopped   192.168.23.2
239.0.0.1        Serial0/0/0  13:34:58  stopped   192.168.23.6
224.0.1.40       Tunnel126    14:31:13  stopped   10.10.10.2
R2(config)#do sh ip mroute
(*, 224.0.1.40), 14:38:18/stopped, RP 1.1.1.1, flags: SJPCL
  Incoming interface: Null, RPF nbr 0.0.0.0, Mroute
  Outgoing interface list: Null
Eugene, can you post the configuration of the physical interfaces also? I mean
those Serial0/0/0 interfaces. Did you also turn on "ip pim sparse-mode" on the
physical interfaces? I'm asking because you only need this command on the
tunnel and loopback interfaces.
Marta Sokolowska.