Cisco GETVPN over MPLS Issue

mediaos718

I have 2 sites connected over MPLS.

R1 is the CE router (network: 10.0.0.0/8)

R2 is the PE router in SITE-1 (using networks 192.168.0.0/16 and 172.16.0.0/16)

R7 is the PE router in SITE-2 (using networks 192.168.0.0/16 and 172.16.0.0/16)

R9 is the CE router in SITE-2 (using network 10.0.0.0/8)

Key Server and Certificate Server are using network 172.16.0.0/16

I enabled GETVPN on R7 only.

I configured an access-list on the Key Server (KS) to:

1) Not encrypt BGP between the PEs (R2 and R7)

2) Not encrypt OSPF traffic between the PEs (R2 and R7)

3) Not encrypt LDP traffic between the PEs (R2 and R7)

Since I enabled GETVPN on SITE-2 only, I should not be able to ping between the CE routers.

- The problem is that I am able to ping between the CEs.

- The only time that I am unable to ping between the CEs is when I modify the ACL on the Key Server to encrypt BGP, OSPF or LDP.

- Observation: GETVPN is encrypting BGP, OSPF and LDP (on 192.168.0.0/16 and 172.16.0.0/16) but not traffic on 10.0.0.0/8.

Please let me know what I am doing wrong here. I will send config and show output upon request.

R7#sh crypto gdoi

GROUP INFORMATION

    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 19
    IPSec SA Direction       : Both
     Group Server list       : 172.16.50.12

    Group member             : 192.168.200.7    vrf: None
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 172.16.50.12
       Re-registers in       : 140 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 172.16.50.12
       Last rekey seq num    : 0
       Unicast rekey received: 19
       Rekey ACKs sent       : 19
       Rekey Rcvd(hh:mm:ss)  : 00:00:46
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 19
       After latest register : 19
       Rekey Acks sents      : 19

ACL Downloaded From KS 172.16.50.12:
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
   access-list   deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
   access-list   deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   access-list   permit ip any any

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 252
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 512

TEK POLICY for the current KS-Policy ACEs Downloaded:
  Ethernet1/2:
    IPsec SA:
        spi: 0xA36FCACE(2742012622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (780)
        Anti-Replay(Time Based) : 5 sec interval
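
An added example, not part of the original post: a small parser for the `show crypto gdoi` output above together with the checks a troubleshooter would run on it. The two embedded samples are condensed from the R7 output in this post and from the R2 output the OP posts later in the thread; the field names are IOS's, while the function names and finding texts are this example's own. It separates a GM that has registered but negotiated a weak transform (R7: `esp-3des esp-md5-hmac` TEK, 3DES KEK) from one that never registered at all (R2: zero rekeys, empty downloaded ACL), which is the first thing to establish before arguing about ACL contents.

```python
"""Parse and sanity-check 'show crypto gdoi' from a GETVPN group member (GM).

Added example, not part of the thread. The samples are condensed from the R7
(registered) and R2 (never registered) outputs pasted in the thread; the field
names are IOS's, the function names and finding texts are this example's own.
"""
import re

R7_OUTPUT = """\
GROUP INFORMATION
    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Rekeys received          : 19
     Group Server list       : 172.16.50.12
    Group member             : 192.168.200.7    vrf: None
       Registration status   : Registered
       Registered with       : 172.16.50.12
ACL Downloaded From KS 172.16.50.12:
   access-list   deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
   access-list   deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
   access-list   deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   access-list   permit ip any any
KEK POLICY:
    Encrypt Algorithm        : 3DES
TEK POLICY for the current KS-Policy ACEs Downloaded:
  Ethernet1/2:
    IPsec SA:
        spi: 0xA36FCACE(2742012622)
        transform: esp-3des esp-md5-hmac
"""

R2_OUTPUT = """\
GROUP INFORMATION
    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Rekeys received          : 0
     Group Server list       : 172.16.50.12
ACL Downloaded From KS 172.16.50.12:
TEK POLICY for the current KS-Policy ACEs Downloaded:
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
ACE_RE = re.compile(r"^\s*access-list\s+((?:permit|deny)\s.+)$")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
XFORM_RE = re.compile(r"^\s*transform:\s*(.+)$")
WEAK_ALGS = ("des", "3des", "md5")


def parse_show_crypto_gdoi(text):
    """Return {'fields': {name: value}, 'acl': [[ace tokens]], 'tek': [{spi, transform}]}."""
    info = {"fields": {}, "acl": [], "tek": []}
    section = "group"
    for line in text.splitlines():
        if line.startswith("ACL Downloaded From KS"):
            section = "acl"
        elif line.startswith("KEK POLICY"):
            section = "kek"
        elif line.startswith("TEK POLICY"):
            section = "tek"
        elif section == "acl":
            m = ACE_RE.match(line)
            if m:
                info["acl"].append(m.group(1).split())
        elif section == "tek":
            m = SPI_RE.match(line)
            if m:
                info["tek"].append({"spi": m.group(1), "transform": ""})
            m = XFORM_RE.match(line)
            if m and info["tek"]:
                info["tek"][-1]["transform"] = m.group(1).strip()
        else:  # group and KEK sections are "Name : value" pairs
            m = FIELD_RE.match(line)
            if m:
                info["fields"][m.group("key").strip()] = m.group("val").strip()
    return info


def assess(info):
    """Findings a troubleshooter would raise; an empty list means nothing to flag."""
    f, findings = info["fields"], []
    if f.get("Registration status") != "Registered":
        findings.append("GM not registered with any KS: no TEK/KEK downloaded")
    if f.get("Rekeys received", "0") == "0":
        findings.append("no rekeys received")
    if not info["acl"]:
        findings.append("no policy ACL downloaded: crypto map forwards everything in the clear (fail-open default)")
    elif info["acl"][-1] != ["permit", "ip", "any", "any"]:
        findings.append("policy ACL lacks a trailing 'permit ip any any': unmatched traffic goes in the clear")
    for sa in info["tek"]:
        if any(w in sa["transform"].replace("-", " ").split() for w in WEAK_ALGS):
            findings.append(f"TEK {sa['spi']} uses weak transform '{sa['transform']}' (DES/3DES/MD5)")
    if "3DES" in f.get("Encrypt Algorithm", "").upper():
        findings.append("KEK rekey cipher is 3DES")
    return findings


if __name__ == "__main__":
    for name, out in (("R7", R7_OUTPUT), ("R2", R2_OUTPUT)):
        print(name, assess(parse_show_crypto_gdoi(out)) or ["OK"])
```

Run as a script it prints the findings for both samples; pasting in the raw `show crypto gdoi` output of a GM that prints the same IOS format gives the same checks for a live box.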

Accepted Solution

Hello,

I could not replicate your exact setup, but for the sake of simplicity, I created a network of 4 routers, with R3 being the Key Server, and R1 and R4 being the GMs.

The access list configured on the KS works as designed; check if that (working) config helps you. (Notice that I disabled the replay window on the KS; for some reason it did not work in GNS3.)

All routers run EIGRP, BGP, and OSPF. I have included a picture of the setup.

R1

Current configuration : 1954 bytes
!
! Last configuration change at 01:06:51 UTC Mon Feb 13 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 300
crypto isakmp key tempkey1 address 10.0.0.1
!
crypto gdoi group GDOI-GROUP1
identity number 12345
server address ipv4 3.3.3.3
!
crypto map gdoimap 1 gdoi
set group GDOI-GROUP1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
crypto map gdoimap
!
router eigrp 1
network 1.1.1.1 0.0.0.0
network 192.168.1.0
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
!
router bgp 1
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
network 192.168.1.0
neighbor 192.168.1.2 remote-as 2
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login

!
end

R2

Current configuration : 1915 bytes
!
! Last configuration change at 22:37:30 UTC Sun Feb 12 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1/0
ip address 192.168.1.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet3/0
ip address 192.168.3.1 255.255.255.0
negotiation auto
!
router eigrp 1
network 2.2.2.2 0.0.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
!
router bgp 2
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
neighbor 192.168.1.1 remote-as 1
neighbor 192.168.2.2 remote-as 4
neighbor 192.168.3.2 remote-as 3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R3

Current configuration : 2480 bytes
!
! Last configuration change at 02:08:09 UTC Mon Feb 13 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key tempkey1 address 0.0.0.0
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile profile1
set transform-set aes128
!
crypto gdoi group GDOI-GROUP1
identity number 12345
server local
rekey algorithm aes 128
rekey retransmit 10 number 3
rekey authentication mypubkey rsa REKEYRSA
rekey transport unicast
sa ipsec 1
profile profile1
match address ipv4 getvpn-acl
no replay
address ipv4 3.3.3.3
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet3/0
ip address 192.168.3.2 255.255.255.0
negotiation auto
!
router eigrp 1
network 3.3.3.3 0.0.0.0
network 192.168.3.0
!
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 192.168.3.0 0.0.0.255 area 0
!
router bgp 3
bgp log-neighbor-changes
network 3.3.3.3 mask 255.255.255.255
network 192.168.3.0
neighbor 192.168.3.1 remote-as 2
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended getvpn-acl
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
deny udp any eq 848 any eq 848
deny tcp any any eq 22
deny tcp any eq 22 any
permit ip any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R4

Current configuration : 1954 bytes
!
! Last configuration change at 01:11:48 UTC Mon Feb 13 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 300
crypto isakmp key tempkey1 address 3.3.3.3
!
crypto gdoi group GDOI-GROUP1
identity number 12345
server address ipv4 3.3.3.3
!
crypto map gdoimap 1 gdoi
set group GDOI-GROUP1
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet2/0
ip address 192.168.2.2 255.255.255.0
negotiation auto
crypto map gdoimap
!
router eigrp 1
network 4.4.4.4 0.0.0.0
network 192.168.2.0
!
router ospf 1
network 4.4.4.4 0.0.0.0 area 0
network 192.168.2.0 0.0.0.255 area 0
!
router bgp 4
bgp log-neighbor-changes
network 4.4.4.4 mask 255.255.255.255
network 192.168.2.0
neighbor 192.168.2.1 remote-as 2
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end


20 Replies

Hello,

post the full configs of the routers.

Georg, there is a third site, but for the sake of troubleshooting I include 2 sites.

R1

——

interface Loopback0

ip address 10.1.255.1 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex full

!

interface Ethernet1/0

no ip address

duplex full

!

interface Ethernet1/0.1000

encapsulation dot1Q 1000

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet1/1

no ip address

duplex full

!

interface Ethernet1/1.900

encapsulation dot1Q 900

ip address 10.0.1.1 255.255.255.0

!

interface Ethernet1/2

no ip address

shutdown

duplex full

!

interface Ethernet1/3

no ip address

shutdown

duplex full

!

!

router eigrp 1

network 10.0.0.0

!

router bgp 1000

bgp log-neighbor-changes

network 10.0.0.0 mask 255.255.255.0

network 10.0.1.0 mask 255.255.255.0

network 10.1.255.1 mask 255.255.255.255

neighbor 10.0.0.2 remote-as 100

neighbor 10.0.1.3 remote-as 200

R2

——

hostname R2

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

ip vrf DC-1

rd 100:1

route-target export 100:1

route-target import 100:1

!

ip vrf SITE-1

rd 101:1

route-target export 101:1

route-target import 101:1

route-target import 100:1

route-target import 102:1

!

ip vrf SITE-2

rd 102:1

route-target export 102:1

route-target import 102:1

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

crypto pki trustpoint DPCert

enrollment url http://192.168.50.10:80

revocation-check none

!

!         

ip ssh version 1

!

!

crypto isakmp policy 50

encr 3des

hash md5

group 2

!

!

!

!

crypto gdoi group LEVEL3-VPLS-GROUP

identity number 1234

server address ipv4 172.16.50.12

!

!

crypto map LEVEL3-VPLS-MAP local-address Loopback0

crypto map LEVEL3-VPLS-MAP 10 gdoi

set group LEVEL3-VPLS-GROUP

!

!

!

!         

!

interface Loopback0

ip address 192.168.200.2 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex full

!

interface Ethernet1/0

no ip address

duplex full

!

interface Ethernet1/0.1000

encapsulation dot1Q 1000

ip vrf forwarding SITE-1

ip address 10.0.0.2 255.255.255.0

!

interface Ethernet1/1

ip address 192.168.100.2 255.255.255.0

shutdown

duplex full

mpls ip 

mpls bgp forwarding

!

interface Ethernet1/2

ip address 192.168.1.2 255.255.255.0

duplex full

mpls ip

mpls bgp forwarding

!

interface Ethernet1/2.100

shutdown

!

interface Ethernet1/3

no ip address

shutdown

duplex full

!

!

router eigrp 1

network 10.0.0.0

!

router ospf 1

network 192.168.1.0 0.0.0.255 area 0

network 192.168.100.0 0.0.0.255 area 0

network 192.168.200.2 0.0.0.0 area 0

!

router bgp 100

bgp log-neighbor-changes

neighbor 192.168.200.7 remote-as 100

neighbor 192.168.200.7 update-source Loopback0

!

address-family vpnv4

  neighbor 192.168.200.7 activate

  neighbor 192.168.200.7 send-community both

exit-address-family

!

address-family ipv4 vrf SITE-1

  network 10.0.0.0 mask 255.255.255.0

  neighbor 10.0.0.1 remote-as 1000

  neighbor 10.0.0.1 activate

exit-address-family

R7

——

hostname R7

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

ip vrf DC-1

rd 100:1

route-target export 100:1

route-target import 100:1

route-target import 101:1

route-target import 102:1

!

ip vrf SITE-1

rd 101:1

route-target export 101:1

route-target import 101:1

!

ip vrf SITE-2

rd 102:1

route-target export 102:1

route-target import 102:1

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

crypto pki trustpoint DPCert

enrollment url http://192.168.50.10:80

revocation-check none

!

!

!         

ip ssh version 1

!

!

crypto isakmp policy 50

encr 3des

hash md5

group 2

!

!

!

!

crypto gdoi group LEVEL3-VPLS-GROUP

identity number 1234

server address ipv4 172.16.50.12

!

!

crypto map LEVEL3-VPLS-MAP local-address Loopback0

crypto map LEVEL3-VPLS-MAP 10 gdoi

set group LEVEL3-VPLS-GROUP

!

!

!

!         

!

interface Loopback0

ip address 192.168.200.7 255.255.255.255

!

interface Loopback1000

ip vrf forwarding DC-1

ip address 10.100.100.100 255.255.255.255

!

interface FastEthernet0/0

ip address 192.168.3.7 255.255.255.0

duplex half

!

interface Ethernet1/0

no ip address

duplex full

!

interface Ethernet1/0.900

encapsulation dot1Q 900

ip vrf forwarding DC-1

ip address 10.0.5.7 255.255.255.0

!

interface Ethernet1/1

ip address 192.168.102.7 255.255.255.0

duplex full

mpls ip

!

interface Ethernet1/2

ip address 192.168.1.7 255.255.255.0

duplex full

mpls ip

mpls bgp forwarding

crypto map LEVEL3-VPLS-MAP

!

interface Ethernet1/2.100

shutdown

!

interface Ethernet1/3

no ip address

shutdown

duplex full

!

interface Ethernet2/0

ip address 192.168.2.7 255.255.255.0

duplex full

!

interface Ethernet2/1

ip address 192.168.60.7 255.255.255.0

duplex full

!

interface Ethernet2/2

no ip address

shutdown

duplex full

!

interface Ethernet2/3

no ip address

shutdown

duplex full

!

!

router eigrp 1

network 10.0.0.0

!

router ospf 1

network 192.168.1.0 0.0.0.255 area 0

network 192.168.2.0 0.0.0.255 area 0

network 192.168.3.0 0.0.0.255 area 0

network 192.168.60.0 0.0.0.255 area 0

network 192.168.102.0 0.0.0.255 area 0

network 192.168.200.7 0.0.0.0 area 0

!

router bgp 100

bgp log-neighbor-changes

neighbor 192.168.200.2 remote-as 100

neighbor 192.168.200.2 update-source Loopback0

neighbor 192.168.200.5 remote-as 100

neighbor 192.168.200.5 update-source Loopback0

!

address-family vpnv4

  neighbor 192.168.200.2 activate

  neighbor 192.168.200.2 send-community both

  neighbor 192.168.200.2 route-reflector-client

  neighbor 192.168.200.5 activate

  neighbor 192.168.200.5 send-community both

  neighbor 192.168.200.5 route-reflector-client

exit-address-family

!

address-family ipv4 vrf DC-1

  network 10.0.5.0 mask 255.255.255.0

  neighbor 10.0.5.9 remote-as 9000

  neighbor 10.0.5.9 activate

  neighbor 10.0.5.9 next-hop-self

exit-address-family

R9

——

hostname R9

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

ip cef

no ipv6 cef

!         

!

multilink bundle-name authenticated

!

!         

interface Loopback0

ip address 10.9.255.9 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex full

!

interface Ethernet1/0

no ip address

duplex full

!

interface Ethernet1/0.900

encapsulation dot1Q 900

ip address 10.0.5.9 255.255.255.0

!

interface Ethernet1/1

no ip address

duplex full

!

interface Ethernet1/1.200

encapsulation dot1Q 900

ip address 10.0.6.9 255.255.255.0

shutdown

!

interface Ethernet1/2

no ip address

shutdown

duplex full

!

interface Ethernet1/3

no ip address

shutdown

duplex full

!

!

router eigrp 1

network 10.0.0.0

!

router bgp 9000

bgp log-neighbor-changes

network 10.0.5.0 mask 255.255.255.0

network 10.0.6.0 mask 255.255.255.0

network 10.9.255.9 mask 255.255.255.255

neighbor 10.0.5.7 remote-as 100

neighbor 10.0.6.8 remote-as 200

KS

———

hostname R12

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

!

!

!

!

!

no ip domain lookup

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

crypto pki trustpoint DPCert

enrollment url http://192.168.50.10:80

revocation-check none

!

ip ssh version 1

!

!

crypto isakmp policy 50

encr 3des

hash md5

group 2

crypto isakmp keepalive 10 periodic

!

!

crypto ipsec transform-set LEVEL3-VPLS-TRANSFORM esp-3des esp-md5-hmac

mode transport

!

crypto ipsec profile LEVEL3-VPLS-PROFILE

set transform-set LEVEL3-VPLS-TRANSFORM

!

!

crypto gdoi group LEVEL3-VPLS-GROUP

identity number 1234

server local

  rekey lifetime seconds 300

  rekey retransmit 10 number 2

  rekey authentication mypubkey rsa MYKEY

  rekey transport unicast

  sa ipsec 1

   profile LEVEL3-VPLS-PROFILE

   match address ipv4 private-traffic

   replay time window-size 5

  address ipv4 172.16.50.12

!    

interface Loopback0

ip address 172.16.50.12 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex full

!

interface Ethernet1/0

ip address 172.16.6.12 255.255.255.0

duplex full
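
An added example, not part of the thread: a rule-based audit of the key-server configuration posted above for the crypto-hygiene issues a reviewer would raise before worrying about the policy ACL. The embedded KS_CONFIG is the R12 configuration from this post, condensed and with IOS's one-space nesting indentation restored (the forum paste lost it); LAB_KS_SNIPPET is taken from the R3 key server in the accepted solution. The rule set and finding texts are this example's own. On the posted config it flags 3DES/MD5 in the IKE policy, DH group 2, a 3DES/MD5 TEK transform set, SSH version 1, disabled certificate revocation checking, and the absence of a `rekey algorithm` line, which is why the GM's `show crypto gdoi` output above reports a 3DES KEK.

```python
"""Audit an IOS GETVPN key-server configuration for weak crypto settings.

Added example, not part of the thread. KS_CONFIG is the R12 configuration posted
in the thread, condensed, with IOS's one-space nesting indentation restored (the
forum paste lost it); LAB_KS_SNIPPET is from the R3 config in the accepted
solution. The rules and finding texts are this example's own.
"""
import re

KS_CONFIG = """\
crypto pki trustpoint DPCert
 enrollment url http://192.168.50.10:80
 revocation-check none
!
ip ssh version 1
!
crypto isakmp policy 50
 encr 3des
 hash md5
 group 2
!
crypto ipsec transform-set LEVEL3-VPLS-TRANSFORM esp-3des esp-md5-hmac
 mode transport
!
crypto gdoi group LEVEL3-VPLS-GROUP
 identity number 1234
 server local
  rekey lifetime seconds 300
  rekey authentication mypubkey rsa MYKEY
  rekey transport unicast
  sa ipsec 1
   profile LEVEL3-VPLS-PROFILE
   match address ipv4 private-traffic
  address ipv4 172.16.50.12
"""

LAB_KS_SNIPPET = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key tempkey1 address 0.0.0.0
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 128
"""

# block: regex on the top-level command; child: regex that flags a sub-command;
# missing: regex that must appear among the sub-commands; requires: the rule
# applies only if this sub-command is present (keeps KS-only rules off GM configs).
RULES = [
    dict(id="IKE-WEAK-CIPHER", block=r"^crypto isakmp policy", child=r"^encr(yption)? (des|3des)\b",
         msg="IKE policy negotiates DES/3DES"),
    dict(id="IKE-WEAK-HASH", block=r"^crypto isakmp policy", child=r"^hash md5\b",
         msg="IKE policy negotiates MD5"),
    dict(id="IKE-WEAK-DH", block=r"^crypto isakmp policy", child=r"^group (1|2|5)\b",
         msg="IKE DH group is below 2048 bits"),
    dict(id="IPSEC-WEAK-TRANSFORM", block=r"^crypto ipsec transform-set \S+ .*(esp-des|esp-3des|esp-md5-hmac)\b",
         msg="TEK transform set uses DES/3DES or MD5"),
    dict(id="SSH-V1", block=r"^ip ssh version 1\b", msg="SSH protocol version 1 enabled"),
    dict(id="PKI-NO-REVOCATION", block=r"^crypto pki trustpoint", child=r"^revocation-check none\b",
         msg="certificate revocation checking disabled"),
    dict(id="WILDCARD-PSK", block=r"^crypto isakmp key \S+ address 0\.0\.0\.0\b",
         msg="pre-shared key accepted from any peer address"),
    dict(id="KEK-DEFAULT-3DES", block=r"^crypto gdoi group", requires=r"^server local$",
         missing=r"^rekey algorithm aes", msg="no 'rekey algorithm aes': KEK uses the 3DES default"),
]


def parse_blocks(config):
    """Split running-config text into (top-level command, [nested sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(config):
    """Return (rule id, offending line, message) for every rule hit."""
    hits = []
    for cmd, children in parse_blocks(config):
        for r in RULES:
            if not re.search(r["block"], cmd):
                continue
            if "requires" in r and not any(re.search(r["requires"], c) for c in children):
                continue
            if "missing" in r:
                if not any(re.search(r["missing"], c) for c in children):
                    hits.append((r["id"], cmd, r["msg"]))
            elif "child" in r:
                hits += [(r["id"], f"{cmd} / {c}", r["msg"]) for c in children if re.search(r["child"], c)]
            else:
                hits.append((r["id"], cmd, r["msg"]))
    return hits


if __name__ == "__main__":
    for hit in audit(KS_CONFIG):
        print("%-22s %-55s %s" % hit)
```

The parser relies on IOS indentation to attach sub-commands to their parent, so feed it `show running-config` output rather than a forum paste that has lost the leading spaces.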

Hello,

there are five different router configurations in your post. Can you make a simple schematic drawing to indicate which router is connected to which router?

See attached diagram

Hello,

thanks for the diagram. I am labbing this in GNS3, will get back with you...

Where is R12? You posted the config, but it is not on your diagram...

R12 is the Key Server - Lo IP: 172.16.50.12/32

Thanks for looking into this for me

Hello,

I labbed this in GNS3, and I am not sure if the access list you have configured is correct. If you want to exclude LDP, BGP, and OSPF, and encrypt everything else, your access list should look like this:

deny udp any any eq 646
deny tcp any any eq 646
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
permit ip any any

Obviously you might want to replace the 'any' with the ranges you have configured.

Can you give this a try?

Hi Georg,

- I updated the ACL to look like yours (see show crypto gdoi output on R7).

- I applied the crypto map only on R7; I did not apply it on R2 (LDP/MPLS/BGP are working, which is the expected result). But I am still able to ping from R9 to R1 (not expected; see the trace below, it traverses the MPLS).

In your lab, are you able to ping from R9 to R1 when you turn off GETVPN on R2?

R9#traceroute 10.1.255.1 source loopback 0

Type escape sequence to abort.
Tracing the route to 10.1.255.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.5.7 60 msec 60 msec 56 msec
  2 10.0.0.2 [AS 100] [MPLS: Label 26 Exp 0] 52 msec 56 msec 56 msec
  3 10.0.0.1 [AS 100] 76 msec 72 msec *

------------------------------------------------------------------------------------

R7#sh crypto gdoi

GROUP INFORMATION

    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 46
    IPSec SA Direction       : Both
     Group Server list       : 172.16.50.12

    Group member             : 192.168.200.7    vrf: None
       Version               : 1.0.4
       Registration status   : Registered
       Registered with       : 172.16.50.12
       Re-registers in       : 101 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 172.16.50.12
       Last rekey seq num    : 0
       Unicast rekey received: 46
       Rekey ACKs sent       : 46
       Rekey Rcvd(hh:mm:ss)  : 00:01:07
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 46
       After latest register : 46
       Rekey Acks sents      : 46

ACL Downloaded From KS 172.16.50.12:
   access-list   deny udp any any port = 646
   access-list   deny tcp any any port = 646
   access-list   deny tcp any any port = 179
   access-list   deny tcp any port = 179 any
   access-list   deny ospf any any
   access-list   permit ip any any

=======================================================

R2#sh crypto gdoi

GROUP INFORMATION

    Group Name               : LEVEL3-VPLS-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both
     Group Server list       : 172.16.50.12

       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Received        : never

ACL Downloaded From KS 172.16.50.12:

TEK POLICY for the current KS-Policy ACEs Downloaded:
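
An added example, not part of the thread: an evaluator for the key-server policy ACL semantics (permit = encrypt, deny = send in the clear, no match = clear) covering the subset of IOS extended-ACL syntax this thread uses. It runs the three ACLs from the thread (the policy R7 first downloaded, the ACL suggested in the reply above, and the getvpn-acl from the accepted solution) against constructed flows built from the thread's addresses; function names and flow labels are this example's own.

```python
"""Evaluate GETVPN key-server policy ACLs against sample flows.

Added example, not part of the thread. KS policy-ACL semantics: 'permit' means
encrypt, 'deny' means send in the clear, and a flow that matches no ACE is also
sent in the clear. Handles the IOS extended-ACL subset the thread uses
(ip/tcp/udp/icmp/ospf, 'any', 'host', wildcard masks, 'eq <port>').
"""
import ipaddress
from collections import namedtuple

NAMED_PORTS = {"bgp": 179, "ssh": 22}

# ACLs copied from the thread: the policy R7 first downloaded, the ACL suggested
# in Georg's reply, and (derived from it) the getvpn-acl of the accepted solution.
OP_ORIGINAL_ACL = """
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.2
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.3
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.4
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.5
deny ip 192.168.0.0 0.0.255.255 host 224.0.0.6
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip any any
"""
GEORG_REPLY_ACL = """
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
permit ip any any
"""
# The lab ACL adds GDOI (UDP 848) and SSH exclusions before the final permit.
LAB_ACL = GEORG_REPLY_ACL.replace("permit ip any any",
    "deny udp any eq 848 any eq 848\ndeny tcp any any eq 22\ndeny tcp any eq 22 any\npermit ip any any")

Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))

# Constructed flows using the thread's addresses (R7 192.168.1.7/192.168.200.7,
# R2 192.168.200.2, KS 172.16.50.12, CE loopbacks 10.9.255.9 and 10.1.255.1).
FLOWS = {
    "ospf hello R7->AllSPF": Flow("ospf", "192.168.1.7", "224.0.0.5"),
    "ldp hello R7->AllRouters": Flow("udp", "192.168.1.7", "224.0.0.2", 646, 646),
    "ldp session R7->R2": Flow("tcp", "192.168.200.7", "192.168.200.2", 49152, 646),
    "bgp R7->R2": Flow("tcp", "192.168.200.7", "192.168.200.2", 179, 52000),
    "gdoi register R7->KS": Flow("udp", "192.168.200.7", "172.16.50.12", 848, 848),
    "ce ping R9->R1": Flow("icmp", "10.9.255.9", "10.1.255.1"),
}

def wildcard_match(addr, net, wild):
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def _endpoint(t, i):
    # consume '<any | host A | A WILDCARD> [eq <port>]' from tokens t at index i
    if t[i] == "any":
        spec, i = ("0.0.0.0", "255.255.255.255"), i + 1
    elif t[i] == "host":
        spec, i = (t[i + 1], "0.0.0.0"), i + 2
    else:
        spec, i = (t[i], t[i + 1]), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return spec, port, i

def parse_ace(line):
    t = line.split()
    src, sport, i = _endpoint(t, 2)
    dst, dport, _ = _endpoint(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": " ".join(t)}

def ace_matches(ace, flow):
    return ((ace["proto"] == "ip" or ace["proto"] == flow.proto)
            and wildcard_match(flow.src, *ace["src"])
            and wildcard_match(flow.dst, *ace["dst"])
            and ace["sport"] in (None, flow.sport)
            and ace["dport"] in (None, flow.dport))

def classify(acl_text, flow):
    """Return ('encrypt' | 'clear', text of the deciding ACE or 'implicit deny')."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ("encrypt" if ace["action"] == "permit" else "clear"), ace["text"]
    return "clear", "implicit deny"

def evaluate(acl_text):
    """Verdict per named flow for one ACL."""
    return {name: classify(acl_text, flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("OP original", OP_ORIGINAL_ACL), ("Georg reply", GEORG_REPLY_ACL), ("lab", LAB_ACL)):
        print(label, evaluate(acl))
```

Running the script prints a verdict per flow for each of the three ACLs. Two things stand out: the GDOI registration flow from R7 to the KS is excluded only by the lab ACL's `deny udp any eq 848 any eq 848`, and every ACL, the original one included, returns `encrypt` for the R9-to-R1 ICMP flow. The evaluator answers only which ACE a flow hits; it does not model whether R7 hands the packet to the crypto map as an IP packet at all, and the traceroute in this post shows the CE-to-CE traffic leaving R7 MPLS-labelled, which the ACL contents alone cannot explain.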

Hello,

I'll check again, will get back with you...

Hello,

how is the key server connected to the rest of your network? The only interface on R12 is:

interface Ethernet1/0
ip address 172.16.6.12 255.255.255.0
duplex full

What is the corresponding connected interface, and on what other device?

The easiest would be if you post the configuration of the routers at the other site as well (R4, R5, R6 and R8); that way I can lab this end to end and also check the GM at the other site.

Hi,

I attached the full diagram and the configuration file for each device (except for R4). In your current lab, are you able to ping from one VRF to another VRF (CE to CE) across the MPLS while GETVPN is enabled on only one PE?

Thanks,

Great, I'll look into it further...
