If the rekeys are not received then GMs re-register before the IPsec SA expires, hence it's "AND".
With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Tue, Sep 4, 2012 at 10:54 AM, Eugene Pefti <[email protected]> wrote:

> Quote: "So it all depends on the rekey life time and IPSec lifetime"
>
> Is it "AND" or "OR", Kings, in your quoted statement?
>
> I set IPSec lifetime on KS to the minimum – 120 sec and have GM reregister
> every 120 seconds accordingly even though I'm not receiving any rekeys
> because they are sent via multicast and GM doesn't have any multicast
> configuration yet.
>
> What is not clear to me is why we have four sets of IPSec SA with different
> lifetime (see highlighted below)
>
> Output from GM:
>
> R3#sh cry gdoi group GETVPN-GR
> Group Name : GETVPN-GR
> Group Identity : 1
> Rekeys received : 0
> IPSec SA Direction : Both
> Active Group Server : 192.168.12.2
> Group Server list : 192.168.12.2
>
> GM Reregisters in : 46 secs
> Rekey Received : never
>
> Rekeys received
> Cumulative : 0
> After registration : 0
>
> ACL Downloaded From KS 192.168.12.2:
> access-list permit ip host 3.3.3.3 host 4.4.4.4
> access-list permit ip host 4.4.4.4 host 3.3.3.3
>
> KEK POLICY:
> Rekey Transport Type : Multicast
> Lifetime (secs) : 85797
> Encrypt Algorithm : 3DES
> Key Size : 192
> Sig Hash Algorithm : HMAC_AUTH_SHA
> Sig Key Length (bits) : 768
>
> TEK POLICY for the current KS-Policy ACEs Downloaded:
> FastEthernet0/0:
> IPsec SA:
> spi: 0x1E2D46BE(506283710)
> transform: esp-aes esp-sha-hmac
> sa timing:remaining key lifetime (sec): (14)
> Anti-Replay : Disabled
>
> IPsec SA:
> spi: 0xFBD45414(4224996372)
> transform: esp-aes esp-sha-hmac
> sa timing:remaining key lifetime (sec): (44)
> Anti-Replay : Disabled
>
> IPsec SA:
> spi: 0xCB9C005A(3415998554)
> transform: esp-aes esp-sha-hmac
> sa timing:remaining key lifetime (sec): (74)
> Anti-Replay : Disabled
>
> IPsec SA:
> spi: 0x213A686E(557475950)
> transform: esp-aes esp-sha-hmac
> sa timing:remaining key lifetime (sec): (104)
> Anti-Replay : Disabled
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Sunday, September 02, 2012 11:01 PM
> To: Jason Madsen
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers
>
> The GM members can only detect the failures of KS during registration and
> re-registrations when the KS has not sent the rekey. So it all depends on
> the rekey life time and IPSec lifetime.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Mon, Sep 3, 2012 at 1:47 AM, Jason Madsen <[email protected]> wrote:
>
> > Hi group,
> >
> > Is there a way to tweak some sort of timers so that Group Members can
> > detect that the primary KS failed and update the Server Active list with
> > COOP KS without setting the Rekey value to something really frequent? Not
> > sure that it really matters, but I've found that when I fail the Primary
> > KS, the GMs don't update their Group Server List and Active Server address
> > for a long time unless I manually clear GDOI. However, after a little
> > while I do see that the GMs build ISAKMP SAs with the secondary KS instead
> > of the Primary, but the Server Active and Server List still won't update
> > (see this info via "show crypto gdoi" on GMs).
> >
> > Key Servers:
> >
> > 1.1.1.1 (primary)
> > 5.5.5.5 (secondary)
> >
> > After failing 1.1.1.1, I continue to see it listed as the Active Server on
> > all Group Members in "show crypto gdoi" output unless I clear GDOI, then
> > 5.5.5.5 finally becomes Active in the list.
> >
> > I'm guessing that without clearing GDOI, the Active address info won't
> > update until the next Rekey period? If so, is there a way to make the
> > Active address update faster?
> >
> > Thanks,
> > Jason
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
>
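As an added example (not code from anyone on this thread): a small Python parser for the `show crypto gdoi group` output Eugene quoted, with a GM health check that encodes Kings's "AND" answer, namely that traffic only stalls if every TEK SA expires before the GM re-registers. The sample text is constructed from the values in the thread, and the field labels are assumed to appear exactly as in that quoted output.

```python
import re

# Constructed sample in the shape of the "show crypto gdoi group" output quoted
# in the thread, abridged to the lines the parser uses (not a real capture).
SAMPLE = """\
Group Name : GETVPN-GR
Rekeys received : 0
Active Group Server : 192.168.12.2
GM Reregisters in : 46 secs
Rekey Transport Type : Multicast
spi: 0x1E2D46BE(506283710)
sa timing:remaining key lifetime (sec): (14)
spi: 0xFBD45414(4224996372)
sa timing:remaining key lifetime (sec): (44)
spi: 0xCB9C005A(3415998554)
sa timing:remaining key lifetime (sec): (74)
spi: 0x213A686E(557475950)
sa timing:remaining key lifetime (sec): (104)
"""

def parse_gdoi(text):
    """Extract the fields a GM health check needs from 'show crypto gdoi' text."""
    def field(label, default=None):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else default
    # Pair each TEK SA's SPI with its remaining lifetime (other lines may sit between).
    sas = re.findall(r"^\s*spi:\s*(0x[0-9A-Fa-f]+).*?"
                     r"^\s*sa timing:remaining key lifetime \(sec\): \((\d+)\)",
                     text, re.M | re.S)
    return {
        "group": field("Group Name"),
        "active_ks": field("Active Group Server"),
        "rekeys_received": int(field("Rekeys received", "0")),
        "rekey_transport": field("Rekey Transport Type"),
        "reregister_in": int(re.match(r"\d+", field("GM Reregisters in", "0")).group()),
        "tek_sas": [(spi, int(life)) for spi, life in sas],
    }

def gm_findings(info):
    """Return findings worth alerting on; an empty list means the GM looks healthy."""
    findings = []
    if info["rekey_transport"] == "Multicast" and info["rekeys_received"] == 0:
        findings.append("no multicast rekey ever received: GM survives on re-registration only")
    lifetimes = sorted(life for _, life in info["tek_sas"])
    if len(lifetimes) > 1:
        findings.append(f"{len(lifetimes)} TEK SAs installed, remaining lifetimes {lifetimes}")
    # Kings's "AND": traffic only stalls if every TEK SA expires before the GM re-registers.
    if lifetimes and lifetimes[-1] <= info["reregister_in"]:
        findings.append("all TEK SAs expire before the next re-registration; traffic will stall")
    return findings
```

Run `gm_findings(parse_gdoi(SAMPLE))` against the sample: it reports the missing multicast rekeys and the four staggered SAs, but not a stall, because the SA with 104 s left outlives the 46 s re-registration timer.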
