02-09-2017 08:16 PM - edited 03-05-2019 08:00 AM
I have 2 sites connected over MPLS.
R1 is the CE router (Network: 10.0.0.0/8)
R2 is the PE router in SITE-1 (Using network: 192.168.0.0/16 and 172.16.0.0/16)
R7 is the PE router in SITE-2 (Using network: 192.168.0.0/16 and 172.16.0.0/16)
R9 is the CE router in SITE-2 (Using network: 10.0.0.0/8)
Key Server and Certificate Server are using network 172.16.0.0/16
I enabled GETVPN on R7 only.
I configured an access-list on the Key Server (KS) to:
1) Not to encrypt BGP between the PEs (R2 and R7)
2) Not to encrypt OSPF traffic between the PEs (R2 and R7)
3) Not to encrypt LDP traffic between the PEs (R2 and R7)
Since I enabled GETVPN on only SITE-2, I should not be able to ping between the CE routers.
- The problem is that I am able to ping between the CEs.
- The only time that I am unable to ping between the CEs is when I modify the ACL on the Key Server to encrypt (BGP or OSPF or LDP).
- Observation: GETVPN is encrypting the BGP, OSPF, and the LDP (on the 192.168.0.0/16 and 172.16.0.0/16) but not traffic on the (10.0.0.0/8)
Please let me know what I am doing wrong here. I will send config and show output upon request.
R7#sh crypto gdoi
GROUP INFORMATION
Group Name : LEVEL3-VPLS-GROUP
Group Identity : 1234
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 19
IPSec SA Direction : Both
Group Server list : 172.16.50.12
Group member : 192.168.200.7 vrf: None
Version : 1.0.4
Registration status : Registered
Registered with : 172.16.50.12
Re-registers in : 140 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 172.16.50.12
Last rekey seq num : 0
Unicast rekey received: 19
Rekey ACKs sent : 19
Rekey Rcvd(hh:mm:ss) : 00:00:46
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 19
After latest register : 19
Rekey Acks sents : 19
ACL Downloaded From KS 172.16.50.12:
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
access-list deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list permit ip any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 252
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 512
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet1/2:
IPsec SA:
spi: 0xA36FCACE(2742012622)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (780)
Anti-Replay(Time Based) : 5 sec interval
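As an added illustration (not from the thread or from any Cisco tool), the Python below evaluates the ACL downloaded from the KS above against a few constructed flows, using GETVPN policy semantics: first match wins, deny means forward in clear, permit means protect with the group TEK. It shows that, per the policy alone, the PE control-plane traffic is exempt while CE-to-CE 10.0.0.0/8 traffic should be encrypted, so the cleartext pings are not explained by the ACL itself. The host addresses in the sample flows are assumptions.

```python
from ipaddress import IPv4Address
# KS policy ACEs exactly as listed in the "sh crypto gdoi" output above.
KS_ACL = """\
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
access-list deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
access-list deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list permit ip any any
"""

def _addr_spec(tokens):
    # Consume 'any', 'host A' or 'A WILDCARD'; wildcard 1-bits are "don't care".
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    care = 0xFFFFFFFF ^ int(IPv4Address(tokens[1]))
    return (int(IPv4Address(tokens[0])) & care, care), tokens[2:]

def parse_acl(text):
    # Each line: access-list <action> ip <src spec> <dst spec>
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = _addr_spec(tokens[3:])
        aces.append((tokens[1], src, _addr_spec(rest)[0]))
    return aces

def classify(aces, src, dst):
    # First match wins; GETVPN 'deny' = clear, 'permit' = encrypt, no match = clear.
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, (sv, sc), (dv, dc) in aces:
        if (s & sc) == sv and (d & dc) == dv:
            return "encrypt" if action == "permit" else "clear"
    return "clear"

# Constructed sample flows for the thread's topology (host addresses illustrative).
FLOWS = {
    "BGP PE-PE": ("192.168.200.7", "192.168.200.2"),
    "OSPF hello": ("192.168.200.7", "224.0.0.5"),
    "LDP hello": ("192.168.200.7", "224.0.0.2"),
    "KS to cert server": ("172.16.50.12", "172.16.50.20"),
    "CE to CE": ("10.1.1.1", "10.2.2.2"),
}

def policy_report(acl_text=KS_ACL, flows=FLOWS):
    aces = parse_acl(acl_text)
    return {name: classify(aces, s, d) for name, (s, d) in flows.items()}
```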
02-13-2017 07:19 AM
I only see the issue when I add GETVPN on top of MPLS (I am not sure whether this is a GNS limitation).
I have a similar setup as yours - It works.
02-15-2017 07:40 AM
The issue was with GNS - It runs on VIRL
02-15-2017 07:45 AM
Hello,
good to know, thanks for the info !
06-06-2019 12:55 PM
I'm running Cisco CML and I'm not able to run GETVPN over MPLS either, but if I have routers connected to a switch GETVPN works fine. I'm trying to configure this w/o our ISP having to configure anything on their side; that's why we're using unicast vs multicast keys. I'm deploying this in production next week, so I'll see if it's CML causing the issue or my configuration.
06-06-2019 02:18 PM
Hello,
post the configuration you have...
06-07-2019 08:44 AM - edited 11-01-2019 09:02 AM
When I attach the crypto map to the GM's MPLS interface it does not receive the key from the KS, but if I apply the crypto map to the loopback interface the keys are received. From a host PC (a switch) at the GM I'm able to ping the KS and other branches, but I don't see encrypts or decrypts on the GM. Below are my configs MPLS-PE1, KS1, MPLS-PE5, GM1, MPLS-PE6, GM2: