Hm...
Quite an interesting explanation on differences in timers, Jason. I didn't 
think about it this way ;)
Perhaps it makes sense.
As for the number of IPSec SA I have only one GM. Just set it up to verify your 
theory. My traffic encryption ACL looks like this (it is supposed to encrypt 
traffic between GM loopbacks).

ip access-list extended R4-R3-LOOP
 permit ip host 3.3.3.3 host 4.4.4.4
 permit ip host 4.4.4.4 host 3.3.3.3



From: Jason Madsen [mailto:[email protected]]
Sent: Monday, September 03, 2012 10:40 PM
To: Eugene Pefti
Cc: Kingsley Charles; [email protected]
Subject: Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers

Hi Eugene,

I'll let Kings address the question to him, but here's a question and my .02:

Do you have 3 GMs total?  You have 4 IPsec SAs listed below...if your local GM 
has 1 in each direction with each other GM that would give us 4.   Weird thing 
is I thought SPIs were supposed to have the same value for inbound and outbound 
SAs on GMs in GetVPN, and your values all look different.  This is something 
I've read somewhere once upon a time, and don't think I ever verified it though.

As for the differences in timers, I believe that's by design in GDOI.  I 
believe the rekey algorithm is purposefully set a little "loose" to help 
prevent the KS from being bombarded by all (potentially hundreds or thousands) 
of GMs at once.

Jason



On Mon, Sep 3, 2012 at 11:24 PM, Eugene Pefti 
<[email protected]> wrote:
Quote: "So it all depends on the rekey life time and IPSec lifetime"

Is it "AND" or "OR", Kings, in your quoted statement?

I set IPSec lifetime on KS to the minimum - 120 sec and have GM reregister 
every 120 seconds accordingly even though I'm not receiving any rekeys because 
they are sent via multicast and GM doesn't have any multicast configuration yet.
What's not clear to me is why we have four sets of IPsec SAs with different 
lifetimes (see highlighted below).

Output from GM:

R3#sh cry gdoi group GETVPN-GR
    Group Name               : GETVPN-GR
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.12.2
    Group Server list        : 192.168.12.2

    GM Reregisters in        : 46 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 192.168.12.2:
   access-list  permit ip host 3.3.3.3 host 4.4.4.4
   access-list  permit ip host 4.4.4.4 host 3.3.3.3

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 85797
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 768

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x1E2D46BE(506283710)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (14)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0xFBD45414(4224996372)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (44)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0xCB9C005A(3415998554)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (74)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0x213A686E(557475950)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (104)
        Anti-Replay : Disabled
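The four TEK entries above are easier to reason about when pulled out of the show output programmatically. The following is an added example, not code from the thread or from Cisco: a small Python parser for the "TEK POLICY" section of `show crypto gdoi` as it appears above, which extracts each SA's SPI, transform, remaining lifetime and anti-replay state, then reports the spacing between the remaining lifetimes (the 30-second stagger visible in the output) and flags SAs with anti-replay disabled. The sample text is copied from the output posted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the TEK POLICY section of the GM's "show crypto gdoi" output
# quoted in this thread (copied, not constructed).
SAMPLE_OUTPUT = """\
TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x1E2D46BE(506283710)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (14)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0xFBD45414(4224996372)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (44)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0xCB9C005A(3415998554)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (74)
        Anti-Replay : Disabled

    IPsec SA:
        spi: 0x213A686E(557475950)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (104)
        Anti-Replay : Disabled
"""


@dataclass
class TekSa:
    """One IPsec SA installed from the KS TEK policy (hypothetical helper type)."""
    interface: Optional[str]
    spi: int
    transform: str
    remaining_sec: int
    anti_replay: str


# Line patterns matching the IOS output layout shown above.
IFACE_RE = re.compile(r"^ {2}(\S+):\s*$")          # "  FastEthernet0/0:"
SA_START_RE = re.compile(r"^\s*IPsec SA:\s*$")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*$")
LIFETIME_RE = re.compile(r"remaining key lifetime \(sec\):\s*\((\d+)\)")
REPLAY_RE = re.compile(r"Anti-Replay\s*:\s*(\S+)")


def parse_tek_sas(text: str) -> List[TekSa]:
    """Parse every 'IPsec SA:' block under the TEK POLICY section."""
    sas: List[TekSa] = []
    iface: Optional[str] = None
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if SA_START_RE.match(line):
            cur = {"interface": iface}
            continue
        if cur is None:
            continue
        if (m := SPI_RE.search(line)):
            cur["spi"] = int(m.group(1), 16)
        elif (m := TRANSFORM_RE.search(line)):
            cur["transform"] = m.group(1)
        elif (m := LIFETIME_RE.search(line)):
            cur["remaining_sec"] = int(m.group(1))
        elif (m := REPLAY_RE.search(line)):
            cur["anti_replay"] = m.group(1)
            # Anti-Replay is the last field of a block in this output format.
            sas.append(TekSa(**cur))
            cur = None
    return sas


def lifetime_stagger(sas: List[TekSa]) -> List[int]:
    """Gaps (seconds) between consecutive remaining lifetimes, smallest first."""
    times = sorted(sa.remaining_sec for sa in sas)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def review(sas: List[TekSa]) -> List[str]:
    """Defender-side checks: flag SAs without anti-replay and summarise SPIs."""
    notes = []
    for sa in sas:
        if sa.anti_replay.lower() != "enabled":
            notes.append(f"spi 0x{sa.spi:08X}: anti-replay {sa.anti_replay}")
    notes.append(f"{len({sa.spi for sa in sas})} distinct SPIs across {len(sas)} SAs")
    return notes


if __name__ == "__main__":
    parsed = parse_tek_sas(SAMPLE_OUTPUT)
    for sa in parsed:
        print(f"{sa.interface} spi=0x{sa.spi:08X} {sa.transform} "
              f"remaining={sa.remaining_sec}s anti-replay={sa.anti_replay}")
    print("stagger between lifetimes:", lifetime_stagger(parsed))
    for note in review(parsed):
        print("-", note)
```

Run against the posted output it reports four SAs on FastEthernet0/0 whose remaining lifetimes are spaced exactly 30 seconds apart, all with anti-replay disabled; the same parser can be run over the output of several GMs to compare SPIs, which is the check Jason's question about matching inbound and outbound SPIs calls for.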

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Sunday, September 02, 2012 11:01 PM
To: Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers

The GM members can only detect the failures of KS during registration and 
re-registrations when the KS has not sent the rekey. So it all depends on the 
rekey life time and IPSec lifetime.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
On Mon, Sep 3, 2012 at 1:47 AM, Jason Madsen 
<[email protected]> wrote:
Hi group,

Is there a way to tweak some sort of timers so that Group Members can detect 
that the primary KS failed and update the Server Active list with COOP KS 
without setting the Rekey value to something really frequent?   Not sure that 
it really matters, but I've found that when I fail the Primary KS, the GMs 
don't update their Group Server List and Active Server address for a long time 
unless I manually clear GDOI.   However, after a little while I do see that the 
GMs build ISAKMP SAs with the secondary KS instead of the Primary, but the 
Server Active and Server List still won't update (see this info via "show 
crypto gdoi" on GMs).

Key Servers:

1.1.1.1 (primary)
5.5.5.5 (secondary)

After failing 1.1.1.1, I continue to see it listed as the Active Server on all 
Group Members in "show crypto gdoi" output unless I clear GDOI, then 5.5.5.5 
finally becomes Active in the list.

I'm guessing that without clearing GDOI, the Active address info won't update 
until the next Rekey period?   If so, is there a way to make the Active address 
update faster?

Thanks,
Jason

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

