Quote: "So it all depends on the rekey life time and IPSec lifetime"
Is it "AND" or "OR", Kings, in your quoted statement?
I set IPSec lifetime on KS to the minimum - 120 sec and have GM reregister
every 120 seconds accordingly even though I'm not receiving any rekeys because
they are sent via multicast and GM doesn't have any multicast configuration yet.
What is not clear to me is why we have four sets of IPSec SAs with different
lifetimes (see highlighted below)
Output from GM:
R3#sh cry gdoi group GETVPN-GR
Group Name               : GETVPN-GR
Group Identity           : 1
Rekeys received          : 0
IPSec SA Direction       : Both
Active Group Server      : 192.168.12.2
Group Server list        : 192.168.12.2
GM Reregisters in        : 46 secs
Rekey Received           : never
Rekeys received
    Cumulative           : 0
    After registration   : 0
ACL Downloaded From KS 192.168.12.2:
    access-list permit ip host 3.3.3.3 host 4.4.4.4
    access-list permit ip host 4.4.4.4 host 3.3.3.3
KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 85797
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 768
TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x1E2D46BE(506283710)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (14)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0xFBD45414(4224996372)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (44)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0xCB9C005A(3415998554)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (74)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0x213A686E(557475950)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (104)
        Anti-Replay : Disabled
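A small parser for the GM-side "show crypto gdoi" output quoted above, added here as an illustration and not part of the thread or of any Cisco tooling. It assumes the field layout shown in that output, uses a constructed, re-indented copy of it as sample input, and reports the spacing between TEK expiries plus whether any TEK outlives the next re-registration, which is the check one would want when tuning the IPSec lifetime as low as 120 seconds.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the relevant parts of the output quoted above,
# indented the way IOS prints them (values unchanged).
SAMPLE_OUTPUT = """\
Active Group Server      : 192.168.12.2
Group Server list        : 192.168.12.2
GM Reregisters in        : 46 secs
KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 85797
TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x1E2D46BE(506283710)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (14)
    IPsec SA:
        spi: 0xFBD45414(4224996372)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (44)
    IPsec SA:
        spi: 0xCB9C005A(3415998554)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (74)
    IPsec SA:
        spi: 0x213A686E(557475950)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (104)
"""

@dataclass
class TekSa:
    spi: int
    transform: str
    remaining: int            # seconds of key lifetime left on this TEK

@dataclass
class GdoiState:
    active_ks: Optional[str] = None
    reregister_in: Optional[int] = None   # seconds until the GM re-registers
    kek_lifetime: Optional[int] = None
    teks: List[TekSa] = field(default_factory=list)

_ACTIVE = re.compile(r"Active Group Server\s*:\s*(\S+)")
_REREG = re.compile(r"GM Reregisters in\s*:\s*(\d+)")
_KEK_LIFE = re.compile(r"Lifetime \(secs\)\s*:\s*(\d+)")
_SPI = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
_REMAIN = re.compile(r"remaining key lifetime \(sec\):\s*\((\d+)\)")

def parse_gdoi(text: str) -> GdoiState:
    """Parse GM-side 'show crypto gdoi' output into a GdoiState."""
    st = GdoiState()
    cur: Optional[TekSa] = None
    in_kek = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("KEK POLICY"):
            in_kek = True
        elif line.startswith("TEK POLICY"):
            in_kek = False
        if m := _ACTIVE.search(line):
            st.active_ks = m.group(1)
        elif m := _REREG.search(line):
            st.reregister_in = int(m.group(1))
        elif in_kek and (m := _KEK_LIFE.search(line)):
            st.kek_lifetime = int(m.group(1))
        elif line.startswith("IPsec SA:"):        # start of a new TEK block
            cur = TekSa(spi=0, transform="", remaining=0)
            st.teks.append(cur)
        elif cur is not None:
            if m := _SPI.search(line):
                cur.spi = int(m.group(1), 16)
            elif line.startswith("transform:"):
                cur.transform = line.split(":", 1)[1].strip()
            elif m := _REMAIN.search(line):
                cur.remaining = int(m.group(1))
    return st

def tek_spacing(st: GdoiState) -> List[int]:
    """Gaps in seconds between consecutive TEK expiries, soonest first.
    A constant gap means the TEKs were installed at a fixed interval."""
    rem = sorted(t.remaining for t in st.teks)
    return [b - a for a, b in zip(rem, rem[1:])]

def teks_expiring_before_reregistration(st: GdoiState) -> List[TekSa]:
    """TEKs that will expire before the GM next contacts the KS."""
    if st.reregister_in is None:
        return []
    return [t for t in st.teks if t.remaining < st.reregister_in]

def has_tek_coverage(st: GdoiState) -> bool:
    """True if at least one TEK outlives the next registration, so the GM
    never runs out of keys before it can download a fresh one."""
    if st.reregister_in is None or not st.teks:
        return False
    return max(t.remaining for t in st.teks) > st.reregister_in

if __name__ == "__main__":
    s = parse_gdoi(SAMPLE_OUTPUT)
    print(f"Active KS {s.active_ks}, re-registers in {s.reregister_in}s, KEK lifetime {s.kek_lifetime}s")
    for t in s.teks:
        print(f"  spi 0x{t.spi:08X} {t.transform:<22} remaining {t.remaining:>4}s")
    print("expiry spacing:", tek_spacing(s))
    print("expire before re-registration:", [f"0x{t.spi:08X}" for t in teks_expiring_before_reregistration(s)])
    print("coverage ok:", has_tek_coverage(s))
```

Run against the quoted output, the four TEKs are found 30 seconds apart, two of them expire before the next registration in 46 seconds, and the longest-lived TEK still covers the gap, so traffic keeps a valid key across the re-registration. The same script can be pointed at a saved "show crypto gdoi" capture from any GM to spot a lifetime/re-registration combination that leaves no TEK alive.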
From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Sunday, September 02, 2012 11:01 PM
To: Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers
The GM members can only detect the failures of KS during registration and
re-registrations when the KS has not sent the rekey. So it all depends on the
rekey life time and IPSec lifetime.
With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
On Mon, Sep 3, 2012 at 1:47 AM, Jason Madsen
<[email protected]> wrote:
Hi group,
Is there a way to tweak some sort of timers so that Group Members can detect
that the primary KS failed and update the Server Active list with COOP KS
without setting the Rekey value to something really frequent? Not sure that
it really matters, but I've found that when I fail the Primary KS, the GMs
don't update their Group Server List and Active Server address for a long time
unless I manually clear GDOI. However, after a little while I do see that the
GMs build ISAKMP SAs with the secondary KS instead of the Primary, but the
Server Active and Server List still won't update (see this info via "show
crypto gdoi" on GMs).
Key Servers:
1.1.1.1 (primary)
5.5.5.5 (secondary)
After failing 1.1.1.1, I continue to see it listed as the Active Server on all
Group Members in "show crypto gdoi" output unless I clear GDOI, then 5.5.5.5
finally becomes Active in the list.
I'm guessing that without clearing GDOI, the Active address info won't update
until the next Rekey period? If so, is there a way to make the Active address
update faster?
Thanks,
Jason
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com