not sure if it's true...something else I read once somewhere and I don't
think I've tested it. Doesn't seem to be though based on your previous
output.

wow, that's pretty cool that your GM build IPSec SAs with itself!

Jason

On Mon, Sep 3, 2012 at 11:44 PM, Eugene Pefti <[email protected]> wrote:

>  Hm…
>
> Quite an interesting explanation on differences in timers, Jason. I didn’t
> think about it this way ;)
>
> Perhaps it makes sense.
>
> As for the number of IPSec SAs I have only one GM. Just set it up to verify
> your theory. My traffic encryption ACL looks like this (it is supposed to
> encrypt traffic between GM loopbacks).
>
> ip access-list extended R4-R3-LOOP
>  permit ip host 3.3.3.3 host 4.4.4.4
>  permit ip host 4.4.4.4 host 3.3.3.3
>
>
> *From:* Jason Madsen [mailto:[email protected]]
> *Sent:* Monday, September 03, 2012 10:40 PM
> *To:* Eugene Pefti
> *Cc:* Kingsley Charles; [email protected]
>
> *Subject:* Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS
> Registration Timers
>
>
> Hi Eugene,
>
> I'll let Kings address the question to him, but here's a question and my
> .02:
>
> Do you have 3 GMs total?  You have 4 IPsec SAs listed below...if your
> local GM has 1 in each direction with each other GM that would give us 4.
> Weird thing is I thought SPIs were supposed to have the same value for
> inbound and outbound SAs on GMs in GetVPN, and your values all look
> different.  This is something I've read somewhere once upon a time, and
> don't think I ever verified it though.
>
> As for the differences in timers, I believe that's by design in GDOI.  I
> believe the rekey algorithm is purposefully set a little "loose" to help
> prevent the KS from being bombarded by all (potentially hundreds or
> thousands) of GMs at once.
>
> Jason
>
>
> On Mon, Sep 3, 2012 at 11:24 PM, Eugene Pefti <[email protected]>
> wrote:
>
> Quote: “So it all depends on the rekey life time and IPSec lifetime”
>
> Is it “AND” or “OR”, Kings, in your quoted statement?
>
> I set IPSec lifetime on KS to the minimum – 120 sec and have GM reregister
> every 120 seconds accordingly even though I’m not receiving any rekeys
> because they are sent via multicast and GM doesn’t have any multicast
> configuration yet.
>
> What is not clear to me is why we have four sets of IPSec SA with different
> lifetimes (see highlighted below)
>
> Output from GM:
>
>
> R3#sh cry gdoi group GETVPN-GR
>     Group Name               : GETVPN-GR
>     Group Identity           : 1
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : 192.168.12.2
>     Group Server list        : 192.168.12.2
>
>     GM Reregisters in        : 46 secs
>     Rekey Received           : never
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
>  ACL Downloaded From KS 192.168.12.2:
>    access-list  permit ip host 3.3.3.3 host 4.4.4.4
>    access-list  permit ip host 4.4.4.4 host 3.3.3.3
>
> KEK POLICY:
>     Rekey Transport Type     : Multicast
>     Lifetime (secs)          : 85797
>     Encrypt Algorithm        : 3DES
>     Key Size                 : 192
>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>     Sig Key Length (bits)    : 768
>
> TEK POLICY for the current KS-Policy ACEs Downloaded:
>   FastEthernet0/0:
>     IPsec SA:
>         spi: 0x1E2D46BE(506283710)
>         transform: esp-aes esp-sha-hmac
>         sa timing:remaining key lifetime (sec): (14)
>         Anti-Replay : Disabled
>
>     IPsec SA:
>         spi: 0xFBD45414(4224996372)
>         transform: esp-aes esp-sha-hmac
>         sa timing:remaining key lifetime (sec): (44)
>         Anti-Replay : Disabled
>
>     IPsec SA:
>         spi: 0xCB9C005A(3415998554)
>         transform: esp-aes esp-sha-hmac
>         sa timing:remaining key lifetime (sec): (74)
>         Anti-Replay : Disabled
>
>     IPsec SA:
>         spi: 0x213A686E(557475950)
>         transform: esp-aes esp-sha-hmac
>         sa timing:remaining key lifetime (sec): (104)
>         Anti-Replay : Disabled
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Sunday, September 02, 2012 11:01 PM
> *To:* Jason Madsen
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS
> Registration Timers
>
>
> The GM members can only detect the failures of KS during registration and
> re-registrations when the KS has not sent the rekey. So it all depends on
> the rekey life time and IPSec lifetime.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Mon, Sep 3, 2012 at 1:47 AM, Jason Madsen <[email protected]>
> wrote:
>
> Hi group,
>
> Is there a way to tweak some sort of timers so that Group Members can
> detect that the primary KS failed and update the Server Active list with
> COOP KS without setting the Rekey value to something really frequent?   Not
> sure that it really matters, but I've found that when I fail the Primary
> KS, the GMs don't update their Group Server List and Active Server address
> for a long time unless I manually clear GDOI.   However, after a little
> while I do see that the GMs build ISAKMP SAs with the secondary KS instead
> of the Primary, but the Server Active and Server List still won't update
> (see this info via "show crypto gdoi" on GMs).
>
> Key Servers:
>
> 1.1.1.1 (primary)
> 5.5.5.5 (secondary)
>
> After failing 1.1.1.1, I continue to see it listed as the Active Server on
> all Group Members in "show crypto gdoi" output unless I clear GDOI, then
> 5.5.5.5 finally becomes Active in the list.
>
> I'm guessing that without clearing GDOI, the Active address info won't
> update until the next Rekey period?   If so, is there a way to make the
> Active address update faster?
>
> Thanks,
> Jason
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>
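Added example, not code from anyone in the thread: a small Python parser for the "show crypto gdoi group" output Eugene quoted, followed by the sort of checks the thread is reasoning through by eye. It assumes the IOS output layout shown above (field labels, the "IPsec SA:" block structure and the "remaining key lifetime (sec): (N)" wording); the SAMPLE_OUTPUT is constructed to mirror the quoted output, and any different IOS release may print the fields differently.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "show crypto gdoi group" output quoted in
# the thread (same SPIs, remaining lifetimes and timers); it is not a capture
# from the poster's routers.
SAMPLE_OUTPUT = """\
R3#sh cry gdoi group GETVPN-GR
    Group Name               : GETVPN-GR
    Rekeys received          : 0
    Active Group Server      : 192.168.12.2
    GM Reregisters in        : 46 secs
KEK POLICY:
    Rekey Transport Type     : Multicast
TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x1E2D46BE(506283710)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (14)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0xFBD45414(4224996372)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (44)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0xCB9C005A(3415998554)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (74)
        Anti-Replay : Disabled
    IPsec SA:
        spi: 0x213A686E(557475950)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (104)
        Anti-Replay : Disabled
"""

@dataclass
class TekSa:
    spi: int = 0            # SPI as an integer
    transform: str = ""     # e.g. "esp-aes esp-sha-hmac"
    remaining: int = 0      # remaining key lifetime in seconds
    anti_replay: str = ""   # "Enabled" / "Disabled" as the router prints it

# Regexes for the field layout assumed from the quoted output.
REREG_RE = re.compile(r"GM Reregisters in\s*:\s*(\d+)\s*secs")
REKEYS_RE = re.compile(r"Rekeys received\s*:\s*(\d+)")
TRANSPORT_RE = re.compile(r"Rekey Transport Type\s*:\s*(\w+)")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*$")
LIFETIME_RE = re.compile(r"remaining key lifetime \(sec\):\s*\((\d+)\)")
REPLAY_RE = re.compile(r"^\s*Anti-Replay\s*:\s*(\w+)")

def parse_gdoi(text: str) -> dict:
    """Pull the timer fields and every TEK IPsec SA out of the show output."""
    info = {"reregister_in": None, "rekeys_received": None,
            "rekey_transport": None, "sas": []}
    cur = None  # fields of the "IPsec SA:" block currently being read
    for line in text.splitlines():
        if (m := REREG_RE.search(line)):
            info["reregister_in"] = int(m.group(1))
        elif (m := REKEYS_RE.search(line)) and info["rekeys_received"] is None:
            info["rekeys_received"] = int(m.group(1))
        elif (m := TRANSPORT_RE.search(line)):
            info["rekey_transport"] = m.group(1)
        elif line.strip() == "IPsec SA:":
            cur = {}
            info["sas"].append(cur)
        elif cur is not None:
            if (m := SPI_RE.match(line)):
                cur["spi"] = int(m.group(1), 16)
            elif (m := TRANSFORM_RE.match(line)):
                cur["transform"] = m.group(1)
            elif (m := LIFETIME_RE.search(line)):
                cur["remaining"] = int(m.group(1))
            elif (m := REPLAY_RE.match(line)):
                cur["anti_replay"] = m.group(1)
    info["sas"] = [TekSa(**sa) for sa in info["sas"]]
    return info

def assess(text: str) -> dict:
    """Summarise SA timing the way the thread reasons about it: how the SAs are
    staggered, which expire before the next re-registration, and whether the
    GM is living on registration alone because no rekey has ever arrived."""
    info = parse_gdoi(text)
    sas = info["sas"]
    rereg = info["reregister_in"] if info["reregister_in"] is not None else 0
    lifetimes = sorted(sa.remaining for sa in sas)
    # Gaps between consecutive remaining lifetimes show the install cadence.
    spacing = [later - earlier for earlier, later in zip(lifetimes, lifetimes[1:])]
    findings = []
    if info["rekeys_received"] == 0:
        findings.append(f"no rekey ever received over {info['rekey_transport']} "
                        "transport; re-registration is the only refresh path")
    if not any(sa.remaining >= rereg for sa in sas):
        findings.append("every TEK SA expires before the next re-registration")
    no_replay = sum(1 for sa in sas if sa.anti_replay == "Disabled")
    if no_replay:
        findings.append(f"anti-replay disabled on {no_replay} of {len(sas)} TEK SAs")
    return {
        "reregister_in": rereg,
        "sa_count": len(sas),
        "distinct_spis": len({sa.spi for sa in sas}),
        "remaining_lifetimes": lifetimes,
        "install_spacing": spacing,
        "expire_before_reregister": [f"0x{sa.spi:08X}" for sa in sas
                                     if sa.remaining < rereg],
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE_OUTPUT).items():
        print(f"{key:26}: {value}")
```

On the sample the four SAs come out 30 seconds apart, two of them (14 s and 44 s remaining) lapse before the GM's next re-registration in 46 s while the other two outlive it, all four SPIs are distinct, and the script flags that no rekey has ever been received and that anti-replay is disabled on every TEK SA. The same parse run against a GM after the primary KS is failed would show whether the re-registration countdown or the Active Group Server field moves at all, which is the question the thread started with.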