
GETVPN

daniel-roach
Level 1

Hello, GETVPN is working OK with primary and secondary KSs and GMs, and I am able to connect between the LAN sides of the GMs, but I cannot ping or monitor the WAN side of the network. Is there a default ACL which prevents this? The NTP server which synchronises the routers is on the WAN part of the network. Any help appreciated.

Thanks, Danny



Sure, there is an ACL that decides which traffic passes through GETVPN and which does not; this includes ICMP and NTP.

"Define the security policy on the KS by using an extended IP ACL. You should only use the 5-tuple in the ACL (that is, source_ip_address, destination_ip_address, protocol, source_port, destination_port) to determine what to encrypt. The permit entries in the ACL define the traffic that should be encrypted, and the deny entries define the traffic that should be excluded from the GET VPN encryption. The deny entries in the ACL should be configured to exclude routing protocols and the traffic that is encrypted already, such as SSH, TACACS+, GDOI, ISAKMP, etc. The ACL is applied to the GET VPN configuration.

ip access-list extended GETVPN-POLICY-ACL
 remark >> exclude transient encrypted traffic (ESP, ISAKMP, GDOI)
 deny esp any any
 deny udp any eq isakmp any eq isakmp
 deny udp any eq 848 any eq 848"

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-GETVPNDesignGuide-AUG14.pdf

MHM

Hello
All GM traffic that is passed through the VPN is by default subject to a downloaded traffic classification ACL it receives from the key servers. It's this manually configured ACL on the key servers that permits (encrypts) or denies (no encryption) specific traffic. Usually there is, well, on our key servers there is, an implicit permit any at the end of this traffic ACL, and above that is our mgt/ctrl plane traffic that isn't encrypted.

TBH it's not clear when you state pinging/monitoring the WAN, and without knowing your topology setup it's unclear what other devices this traffic traverses to reach the WAN.

Can you elaborate further?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Morning Paul,

[Attached image: network topology sketch]

Attached is a sketch of the network topology. Some of the GMs are connected via radio links, so it would be nice to be able to monitor the status of these links. Thanks for any help.

Danny.


daniel-roach
Level 1

Thanks all,

Problem fixed. I had permit any any at the end of the ACL, so all traffic was being encrypted.

Regards Danny
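To make the fix concrete, here is an added key-server policy ACL example (not configuration from the thread or from the Cisco CVD); the subnet 203.0.113.0/24 and NTP server 203.0.113.10 are placeholders standing in for the WAN-side management network, and GETVPN-PROFILE and the group name are assumed names.

```cisco
! Weak policy: the only ACE is permit ip any any, so ICMP and NTP from a GM to
! WAN-side hosts (which sit outside every GM) are encrypted and never answered.
ip access-list extended GETVPN-POLICY-ACL-WEAK
 permit ip any any

! Corrected policy on the key server. Deny ACEs (excluded from encryption) must
! come before the catch-all permit; ACLs are evaluated top down, first match wins.
ip access-list extended GETVPN-POLICY-ACL
 remark >> exclude transient encrypted traffic (ESP, ISAKMP, GDOI)
 deny esp any any
 deny udp any eq isakmp any eq isakmp
 deny udp any eq 848 any eq 848
 remark >> exclude management/control plane to the WAN side (placeholder addresses)
 deny udp any host 203.0.113.10 eq ntp
 deny udp host 203.0.113.10 eq ntp any
 deny icmp any 203.0.113.0 0.0.0.255
 deny icmp 203.0.113.0 0.0.0.255 any
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any any eq tacacs
 deny tcp any eq tacacs any
 remark >> everything else (LAN to LAN between GMs) is encrypted
 permit ip any any

! Bind the policy to the GDOI group so GMs download it (assumed group/profile names)
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY-ACL
```

After a rekey, confirm on a GM with show crypto gdoi gm acl that the downloaded ACL contains the deny entries above the permit.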

But permit any any means all traffic is encrypted.

MHM

Hello @MHM Cisco World
I guess what the OP is stating is that they did find they had an implicit permit any any on their classification ACL, and they have now appended specific deny ACEs to supersede it.



Kind Regards
Paul

I will explain my point with a topology here.

Wish me luck to get some free time 

Thanks friend

MHM