Cisco GETVPN over MPLS Issue

mediaos718
Level 1

I have 2 sites connected over MPLS.

R1 is the CE router (Network: 10.0.0.0/8)

R2 is the PE router in SITE-1 (Using network: 192.168.0.0/16 and 172.16.0.0/16)

R7 is the PE router in SITE-2 (Using network: 192.168.0.0/16 and 172.16.0.0/16)

R9 is the CE router in SITE-2 (Using network: 10.0.0.0/8)

Key Server and Certificate Server are using network 172.16.0.0/16

I enabled GETVPN on R7 only.

I configured an access-list on the Key Server (KS) to:

1) Not to encrypt BGP between the PEs (R2 and R7)

2) Not to encrypt OSPF traffic between the PEs (R2 and R7)

3) Not to Encrypt LDP traffic between the PEs (R2 and R7)

Since I enabled GETVPN on only SITE-2, I should not be able to ping between the CE routers.

- The problem is that I am able to ping between the CEs.

- The only time that I am unable to ping between the CEs is when I modify the ACL on the Key Server to encrypt (BGP or OSPF or LDP).

- Observation: GETVPN is encrypting the BGP, OSPF, and the LDP (on the 192.168.0.0/16 and 172.16.0.0/16) but not traffic on the (10.0.0.0/8)

Please let me know what I am doing wrong here. I will send config and show output upon request.

R7#sh crypto gdoi

GROUP INFORMATION

    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 19
    IPSec SA Direction       : Both
     Group Server list       : 172.16.50.12

    Group member             : 192.168.200.7    vrf: None
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 172.16.50.12
       Re-registers in       : 140 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 172.16.50.12
       Last rekey seq num    : 0
       Unicast rekey received: 19
       Rekey ACKs sent       : 19
       Rekey Rcvd(hh:mm:ss)  : 00:00:46
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 19
       After latest register : 19
       Rekey Acks sents      : 19

ACL Downloaded From KS 172.16.50.12:
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
   access-list   deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
   access-list   deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   access-list   permit ip any any

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 252
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 512

TEK POLICY for the current KS-Policy ACEs Downloaded:
  Ethernet1/2:
    IPsec SA:
        spi: 0xA36FCACE(2742012622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (780)
        Anti-Replay(Time Based) : 5 sec interval
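The ACL downloaded from the KS is the whole of the encryption policy the GM enforces: a permit ACE means "encrypt", a deny ACE means "send in the clear", and anything not listed is also sent in the clear. The following Python evaluator is an added example, not code from the original post or from Cisco; it applies Cisco wildcard-mask matching to the exact ACEs shown above and classifies a handful of constructed flows. The KS address 172.16.50.12 and GM address 192.168.200.7 come from the post; the peer PE address 192.168.200.2 and the CE host addresses 10.1.1.1 / 10.2.2.2 are assumed. The `encap` field on each sample packet is an assumption used to model the `Crypto Path: ipv4` line: only traffic presented to the GM as plain IPv4 is run through the ACL at all.

```python
import ipaddress
from dataclasses import dataclass

# The GDOI ACL downloaded from KS 172.16.50.12, copied from the show output above.
KS_ACL_TEXT = """\
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip any any
"""


@dataclass
class Ace:
    action: str      # "permit" -> encrypt, "deny" -> forward in the clear
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens):
    # Cisco ACL address syntax: "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled here")
    src, src_wild, rest = _parse_match(rest)
    dst, dst_wild, _ = _parse_match(rest)
    return Ace(action, src, src_wild, dst, dst_wild)


def parse_acl(text: str):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def _matches(addr: int, ace_addr: int, wild: int) -> bool:
    # Wildcard semantics: a set bit in the wildcard is "don't care".
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)


def classify(acl, src: str, dst: str) -> str:
    """First-match evaluation; unlisted traffic is not encrypted (implicit deny)."""
    s, d = _addr(src), _addr(dst)
    for ace in acl:
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def gm_treatment(acl, packet: dict) -> str:
    # Assumption: with Crypto Path ipv4, the GM only evaluates packets it sees as
    # plain IPv4; label-switched transit traffic on a PE core interface is not.
    if packet["encap"] != "ipv4":
        return "not evaluated"
    return classify(acl, packet["src"], packet["dst"])


KS_ACL = parse_acl(KS_ACL_TEXT)

# Constructed sample flows (addresses other than the KS and GM are assumed).
SAMPLE_FLOWS = [
    ("OSPF hello PE->AllSPFRouters", {"encap": "ipv4", "src": "192.168.200.7", "dst": "224.0.0.5"}),
    ("BGP/LDP PE<->PE",             {"encap": "ipv4", "src": "192.168.200.7", "dst": "192.168.200.2"}),
    ("KS<->CA inside 172.16/16",    {"encap": "ipv4", "src": "172.16.50.12", "dst": "172.16.50.1"}),
    ("CE->CE seen as plain IPv4",   {"encap": "ipv4", "src": "10.1.1.1", "dst": "10.2.2.2"}),
    ("CE->CE seen as MPLS-labeled", {"encap": "mpls", "src": "10.1.1.1", "dst": "10.2.2.2"}),
]


def report(acl=KS_ACL, flows=SAMPLE_FLOWS):
    """Return {flow name: treatment} for every sample flow."""
    return {name: gm_treatment(acl, pkt) for name, pkt in flows}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:32s} -> {result}")
```

Run as-is, the report shows that the deny ACEs do keep PE-to-PE OSPF, BGP and LDP in the clear, and that the closing `permit ip any any` would encrypt 10.0.0.0/8 traffic whenever the GM sees it as an IPv4 packet. Whether the PE's crypto path ever sees CE-to-CE traffic in that form is the open question in this thread, which is why the later replies compare attaching the crypto map to the core-facing interface versus a loopback. Re-running the classifier over the control-plane flows you intend to leave unencrypted is a cheap check after every KS ACL change, since a mistaken permit for BGP, OSPF or LDP between the PEs breaks the underlay the same way the post describes.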

20 Replies

I only see the issue when I add GETVPN on top of MPLS (I am not sure whether this is a GNS limitation).

I have a similar setup as yours - It works.

The issue was with GNS - It runs on VIRL.

Hello,

good to know, thanks for the info !

I'm running Cisco CML and I'm not able to run GETVPN over MPLS either, but if I have routers connected to a switch GETVPN works fine. I'm trying to configure this w/o our ISP having to configure anything on their side; that's why we're using unicast vs multicast keys. I'm deploying this in production next week; I'll see if it's CML causing the issue or my configuration.

Hello,


post the configuration you have...

When I attach the crypto map to the GM's MPLS interface it does not receive the key from the KS, but if I apply the crypto map to the loopback interface the keys are received. From a host PC (a switch) at the GM I'm able to ping the KS and other branches, but I don't see encrypts or decrypts on the GM. Below are my configs MPLS-PE1, KS1, MPLS-PE5, GM1, MPLS-PE6, GM2:
