Saurabh Sareen

DUAL HUB GETVPN

DUAL HUB DMVPN

IPV4 & IPV6 Implementation

Topology details are as below –

  • R2 is DMVPN Primary Hub (IPv4 mGRE Tunnel0) – 10.249.200.1
  • R1 is DMVPN Spoke – 10.249.100.1 (on the IPv6 GRE tunnel between R1 and R2 the roles are the other way round: R1 is the NHS/hub and R2 the spoke, which is what the show dmvpn output further down reports)
  • R3 is DMVPN Spoke – 10.249.10.1
  • R4 is DMVPN and GETVPN Secondary Hub (cooperative key server) – 10.249.1.7
  • HOME-SYD-RTR02 is GETVPN Primary Hub (key server) – 10.249.1.5
  • R3 is Certification Authority – 10.249.10.1
  • HOME-SYD-RTR01 is NTP Server – 10.249.1.1
  • R1/R2/R4 Authenticate / Enroll with CA Server 10.249.10.1

A note on what the configuration excerpts below do and do not show. The CA enrolment listed above is not visible in them: no trustpoint appears, and every IKE policy shown uses pre-share with the same wildcard key ("crypto isakmp key cisco address 0.0.0.0 0.0.0.0") on the group members and the DMVPN routers. With a wildcard pre-shared key any host that knows the string can complete IKE with the key server and be handed the group KEK and TEK, so the whole GETVPN group is only as secret as that one word. 3DES, MD5, DH group 2 and the 1024-bit RSA rekey signing key (see "Sig Key Length (bits) : 1024" in the group member output) are all deprecated. This is a lab build; a production deployment should use AES (preferably AES-GCM), SHA-2, DH group 14 or higher, a 2048-bit or larger rekey key, and certificate-based authentication of group members to the key server.

HOME-SYD-RTR02 GETVPN Primary Hub Configuration –

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

group 5

!

crypto isakmp policy 40

encr 3des

authentication pre-share

group 5

!

crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac

!

crypto ipsec profile GETVPN

set security-association lifetime seconds 86400

set transform-set GETVPN

!

crypto gdoi group GETVPN

identity number 1

server local

  rekey address ipv4 102

  rekey retransmit 10 number 2

  rekey authentication mypubkey rsa MYKEYSR1

  sa ipsec 1

   profile GETVPN

   match address ipv4 101

   replay counter window-size 64

  address ipv4 10.249.1.5

  redundancy

   local priority 100

   peer address ipv4 10.249.1.7

!

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 101 permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255

access-list 101 permit gre any any

access-list 102 permit udp host 10.249.1.5 eq 848 host 239.0.1.2 eq 848

R4 GETVPN SECONDARY HUB Configuration –

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile GETVPN

set security-association lifetime seconds 86400

set transform-set GETVPN

!

crypto gdoi group GETVPN

identity number 1

server local

  rekey address ipv4 102

  rekey retransmit 10 number 2

  rekey authentication mypubkey rsa R4KEYS

  sa ipsec 1

   profile GETVPN

   match address ipv4 101

   replay counter window-size 64

  address ipv4 10.249.1.7

  redundancy

   local priority 200

   peer address ipv4 10.249.1.5

!

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 101 permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255

access-list 101 permit gre any any

access-list 102 permit udp host 10.249.1.5 eq 848 host 239.0.1.2 eq 848

Three things to check on this secondary before relying on the failover. First, cooperative key servers must carry identical SA policy, but the transform set named GETVPN here has "mode transport" while the one on HOME-SYD-RTR02 is left at the default tunnel mode (the group members report "encaps: ENCAPS_TUNNEL", which is what the primary pushed); if R4 ever becomes primary it would push a different encapsulation. Second, rekeys are signed with the RSA key named under "rekey authentication mypubkey rsa", and the members must be able to verify rekeys from whichever KS is primary, so the same key pair has to exist on both servers (export it from the primary and import it on the secondary; the label can differ). MYKEYSR1 and R4KEYS are different labels, so make sure they are not two independently generated keys. Third, rekey ACL 102 was copied verbatim from the primary and still names 10.249.1.5 as the source, but R4 sends rekeys from its own address 10.249.1.7; each KS should list its own address as the source of the rekey ACL, since that ACL is what the members install to accept multicast rekeys. Also note the priorities: the KS with the higher priority wins the election, but the primary role is not preempted, so HOME-SYD-RTR02 (priority 100) is primary in the verification output only because it was up first; after a simultaneous restart R4 (priority 200) would be elected. Swap the two priorities if HOME-SYD-RTR02 is meant to be primary.
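The following script is an added example (editor's code, not from the original post) that turns the checks above into a lint over the two key-server excerpts: it parses the transform-set mode, the rekey RSA key label, the TEK policy ACL, the rekey ACL source and the redundancy priority from each config and reports what would differ after a failover. The config text is copied from this page; the function names and finding texts are the editor's.

```python
import re
from typing import Any, Dict, List

# Key-server excerpt copied from the page (lines the check does not read are
# omitted); the check logic and the finding texts are the editor's own.
KS_PRIMARY = """\
crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac
!
crypto gdoi group GETVPN
 server local
  rekey address ipv4 102
  rekey authentication mypubkey rsa MYKEYSR1
  sa ipsec 1
   match address ipv4 101
  address ipv4 10.249.1.5
  redundancy
   local priority 100
   peer address ipv4 10.249.1.7
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 101 permit gre any any
access-list 102 permit udp host 10.249.1.5 eq 848 host 239.0.1.2 eq 848
"""
# R4's excerpt on the page differs from the primary in exactly these lines.
KS_SECONDARY = (KS_PRIMARY
                .replace("esp-sha-hmac\n!", "esp-sha-hmac\n mode transport\n!")
                .replace("rsa MYKEYSR1", "rsa R4KEYS")
                .replace("address ipv4 10.249.1.5\n", "address ipv4 10.249.1.7\n")
                .replace("local priority 100", "local priority 200")
                .replace("peer address ipv4 10.249.1.7", "peer address ipv4 10.249.1.5"))

# Anchored patterns: "address ipv4" does not match "rekey address" / "peer address".
FIELDS = {
    "rekey_acl": r"rekey address ipv4 (\S+)",
    "rekey_key": r"rekey authentication mypubkey rsa (\S+)",
    "policy_acl": r"match address ipv4 (\S+)",
    "address": r"address ipv4 (\S+)",
    "priority": r"local priority (\d+)",
}


def parse_ks(config: str) -> Dict[str, Any]:
    """Pull the COOP-relevant settings out of one key-server config."""
    facts: Dict[str, Any] = {"transform_mode": "tunnel", "acls": {}}  # IOS default is tunnel
    after_transform = False
    for raw in config.splitlines():
        line = raw.strip()
        if after_transform and line.startswith("mode "):
            facts["transform_mode"] = line.split()[1]
        after_transform = line.startswith("crypto ipsec transform-set")
        m = re.match(r"access-list (\S+) (.+)", line)
        if m:
            facts["acls"].setdefault(m.group(1), []).append(m.group(2))
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                facts[key] = int(m.group(1)) if key == "priority" else m.group(1)
                break
    return facts


def rekey_source(facts: Dict[str, Any]) -> str:
    """Source host in the rekey ACL, i.e. the address members will accept rekeys from."""
    for ace in facts["acls"].get(facts.get("rekey_acl"), []):
        m = re.search(r"permit udp host (\S+)", ace)
        if m:
            return m.group(1)
    return ""


def check_coop_pair(intended_primary: str, intended_secondary: str) -> List[str]:
    """Return the differences that would bite after a KS failover."""
    p, s = parse_ks(intended_primary), parse_ks(intended_secondary)
    findings: List[str] = []
    if p["transform_mode"] != s["transform_mode"]:
        findings.append(f"transform-set mode differs: primary {p['transform_mode']}, secondary {s['transform_mode']}")
    if p["rekey_key"] != s["rekey_key"]:
        findings.append(f"rekey RSA key label differs ({p['rekey_key']} vs {s['rekey_key']}); the same key pair must exist on both")
    if p["acls"].get(p["policy_acl"]) != s["acls"].get(s["policy_acl"]):
        findings.append("TEK policy ACL differs between key servers")
    for ks in (p, s):
        src = rekey_source(ks)
        if src != ks["address"]:
            findings.append(f"KS {ks['address']}: rekey ACL source {src} is not the local KS address")
    if p["priority"] < s["priority"]:
        findings.append(f"intended primary has lower priority ({p['priority']} < {s['priority']}); after a dual restart the other KS is elected")
    return findings
```

Running check_coop_pair(KS_PRIMARY, KS_SECONDARY) on the page's two configs yields four findings (transform mode, key label, R4's rekey ACL source, priority order); comparing a config with itself yields none, which is the target state for a cooperative pair.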

R2 DMVPN PRIMARY HUB Configuration –

crypto keyring DMVPN

  pre-shared-key address 10.249.10.1 key cisco

  pre-shared-key address 10.249.1.7 key cisco

crypto keyring IPV6Kring

  pre-shared-key address ipv6 2001:DB8:23::2/64 key cisco123

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

group 2

crypto isakmp key cisco address 0.0.0.0

crypto isakmp profile DMVPN

   keyring DMVPN

   match identity address 10.249.10.1 255.255.255.255

   match identity address 10.249.1.7 255.255.255.255

crypto isakmp profile IPV6PROF

   keyring IPV6Kring

   match identity address ipv6 2001:DB8:23::2/64

!

crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac

mode transport

crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac

mode tunnel

!

crypto ipsec profile DMVPN

set security-association lifetime seconds 86400

set transform-set GETVPN
! Both DMVPN profiles on R2 reference the transport-mode transform set named GETVPN; the tunnel-mode set named DMVPN defined above is not referenced anywhere.

set isakmp-profile DMVPN

!

crypto ipsec profile IPV6IPSECProfile

set security-association lifetime seconds 86400

set transform-set GETVPN

set isakmp-profile IPV6PROF

!

!

crypto gdoi group GETVPN

identity number 1

server address ipv4 10.249.1.5

server address ipv4 10.249.1.7

!

!

crypto map GETVPN 10 gdoi

set group GETVPN

!

interface Loopback6

no ip address

ipv6 address 2001:DB8:6::1/64

ipv6 enable

ipv6 eigrp 100

ipv6 ospf 100 area 2

!

interface Tunnel0

ip address 172.18.0.1 255.255.255.0

no ip redirects

ip mtu 1436

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp network-id 1234

ip nhrp shortcut

ip nhrp redirect

tunnel source Vlan200

tunnel mode gre multipoint

tunnel protection ipsec profile DMVPN

!

interface Tunnel300

no ip address

ipv6 address 2001:DB8:20::1/64

ipv6 enable

ipv6 eigrp 100

no ipv6 split-horizon eigrp 100

ipv6 nhrp authentication cisco123

ipv6 nhrp map multicast dynamic

! The line as originally posted mapped the NHS 2001:DB8:20::2 to 2001:DB8:23::1, which is R2's own Gi0/0.300 address; the NHS (R1) is reachable at 2001:DB8:23::2. The R2 "show dmvpn" output in the verification section was captured with the original mapping, which is consistent with its static Tunnel300 entry showing state IKE instead of UP.
ipv6 nhrp map 2001:DB8:20::2/64 2001:DB8:23::2

ipv6 nhrp network-id 250417

ipv6 nhrp nhs 2001:DB8:20::2

ipv6 nhrp shortcut

ipv6 nhrp redirect

ipv6 ospf 100 area 0

ipv6 ospf network broadcast

tunnel source GigabitEthernet0/0.300

tunnel mode gre ipv6

tunnel destination 2001:DB8:23::2

tunnel key 123456

tunnel protection ipsec profile IPV6IPSECProfile

!

interface GigabitEthernet0/0

description "Trunk Connected to SW01"

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.300

encapsulation dot1Q 300

ipv6 address 2001:DB8:23::1/64

ipv6 enable

!

R4 DMVPN SECONDARY HUB Configuration –

crypto keyring DMVPN

  pre-shared-key address 10.249.10.1 key cisco

  pre-shared-key address 10.249.200.1 key cisco

!

crypto isakmp profile DMVPN

   keyring DMVPN

   match identity address 10.249.10.1 255.255.255.255

   match identity address 10.249.200.1 255.255.255.255

!

crypto ipsec profile DMVPN

set security-association lifetime seconds 86400

set transform-set GETVPN

set isakmp-profile DMVPN

!

interface Tunnel0

ip address 172.18.0.3 255.255.255.0

no ip redirects

ip mtu 1436

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp map multicast 10.249.200.1

ip nhrp map 172.18.0.1 10.249.200.1

ip nhrp network-id 1234

ip nhrp nhs 172.18.0.1

ip nhrp shortcut

ip nhrp redirect

tunnel source Vlan1

tunnel mode gre multipoint

tunnel protection ipsec profile DMVPN

!

R1 GETVPN AND DMVPN Configuration –

crypto keyring IPV6Kring

  pre-shared-key address ipv6 2001:DB8:23::1/64 key cisco123

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 0.0.0.0

crypto isakmp profile IPV6PROF

   keyring IPV6Kring

   match identity address ipv6 2001:DB8:23::1/64

!

!

crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac

mode tunnel

!

crypto ipsec profile IPV6IPSECProfile

set security-association lifetime seconds 86400

set transform-set GETVPN

set isakmp-profile IPV6PROF

!

!

crypto gdoi group GETVPN

identity number 1

server address ipv4 10.249.1.5
! R1 lists only the primary KS. Add "server address ipv4 10.249.1.7" as on R2 and R3, so R1 can still register when 10.249.1.5 is down at boot; the second server shown in R1's "Group Server list" below is only learned from the KS after a successful registration.

!

!

crypto map GETVPN 10 gdoi

set group GETVPN

!

interface Loopback6

no ip address

ipv6 address 2001:DB8:66::2/64

ipv6 enable

ipv6 eigrp 100

ipv6 ospf 100 area 1

!

interface Loopback100

ip address 192.168.100.1 255.255.255.0

!

interface Tunnel0

no ip address

!

interface Tunnel300

no ip address

ipv6 address 2001:DB8:20::2/64

ipv6 enable

ipv6 eigrp 100

no ipv6 split-horizon eigrp 100

ipv6 nhrp authentication cisco123

ipv6 nhrp map multicast dynamic

ipv6 nhrp network-id 250417

ipv6 nhrp shortcut

ipv6 nhrp redirect

ipv6 ospf 100 area 0

ipv6 ospf network broadcast

tunnel source GigabitEthernet0/0.300

tunnel mode gre ipv6

tunnel destination 2001:DB8:23::1

tunnel key 123456

tunnel protection ipsec profile IPV6IPSECProfile

!

interface GigabitEthernet0/0

description "Connected to Trunk SW01"

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.300

encapsulation dot1Q 300

ipv6 address 2001:DB8:23::2/64

ipv6 enable

!

R3 DMVPN AND GETVPN Configuration –

crypto keyring DMVPN

  pre-shared-key address 10.249.200.1 key cisco

  pre-shared-key address 10.249.1.7 key cisco

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp profile DMVPN

   keyring DMVPN

   match identity address 10.249.200.1 255.255.255.255

   match identity address 10.249.1.7 255.255.255.255

!

!

crypto ipsec transform-set GETVPN esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set security-association lifetime seconds 86400

set transform-set GETVPN

set isakmp-profile DMVPN

!

crypto gdoi group GETVPN

identity number 1

server address ipv4 10.249.1.5

server address ipv4 10.249.1.7

!

!

crypto map GETVPN 10 gdoi

set group GETVPN

!

!

!

interface Loopback170

ip address 192.168.170.1 255.255.255.0

!

!

interface Tunnel0

ip address 172.18.0.2 255.255.255.0

no ip redirects

ip mtu 1436

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp map multicast 10.249.1.7

ip nhrp map 172.18.0.3 10.249.1.7

ip nhrp map multicast 10.249.200.1

ip nhrp map 172.18.0.1 10.249.200.1

ip nhrp network-id 1234

ip nhrp nhs 172.18.0.1

ip nhrp nhs 172.18.0.3

ip nhrp shortcut

ip nhrp redirect

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel protection ipsec profile DMVPN

!

DMVPN VERIFICATION –

R3#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1    10.249.200.1      172.18.0.1    UP 04:21:31     S

     1      10.249.1.7      172.18.0.3    UP 04:19:58     S

R1#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel300, IPv6 NHRP Details

Type:Hub, Total NBMA Peers (v4/v6): 1

    1.Peer NBMA Address: 2001:DB8:23::1

        Tunnel IPv6 Address: 2001:DB8:20::1

        IPv6 Target Network: 2001:DB8:20::1/128

        # Ent: 1, Status: UP, UpDn Time: 12:20:57, Cache Attrib: D

R2#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1 10.249.10.1          172.18.0.2    UP 04:22:06     D

     1 10.249.1.7           172.18.0.3    UP 00:42:06     D

Interface: Tunnel300, IPv6 NHRP Details

Type:Spoke, Total NBMA Peers (v4/v6): 1

    1.Peer NBMA Address: 2001:DB8:23::1

        Tunnel IPv6 Address: 2001:DB8:20::2

        IPv6 Target Network: 2001:DB8:20::/64

        # Ent: 1, Status: IKE, UpDn Time: 12:21:20, Cache Attrib: S

Note that the static (S) Tunnel300 entry on R2 is stuck in IKE, not UP, while R1 shows its dynamic entry for R2 as UP. R2's Tunnel300 configuration as originally posted pointed the NHS 2001:DB8:20::2 at NBMA 2001:DB8:23::1, which is R2's own address, so IPsec for that mapping can never complete. Traffic still flows (see the Tunnel300 counters below) because Tunnel300 is a point-to-point GRE tunnel with "tunnel destination 2001:DB8:23::2" and EIGRP/OSPF run over that, not over NHRP. With the mapping corrected to 2001:DB8:23::2 (R1) the entry should show UP.

R4#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

        N - NATed, L - Local, X - No Socket

        # Ent --> Number of NHRP entries with same NBMA peer

        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

        UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Hub/Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

     1    10.249.200.1      172.18.0.1    UP 00:42:34     S

     1     10.249.10.1      172.18.0.2    UP 04:21:02     D
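As an added example (editor's code, not part of the original post), a small parser for the two show dmvpn layouts seen above, the IPv4 table and the IPv6 per-peer list, that flags any NHRP entry not in state UP. R2's output is embedded as the sample input; the column layout is assumed to be the one printed on this page, and other IOS releases add columns.

```python
import re
from typing import Dict, List, Tuple

# "show dmvpn" output from R2 as printed on this page (sample input).
R2_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.249.10.1          172.18.0.2    UP 04:22:06     D
     1 10.249.1.7           172.18.0.3    UP 00:42:06     D
Interface: Tunnel300, IPv6 NHRP Details
Type:Spoke, Total NBMA Peers (v4/v6): 1
    1.Peer NBMA Address: 2001:DB8:23::1
        Tunnel IPv6 Address: 2001:DB8:20::2
        IPv6 Target Network: 2001:DB8:20::/64
        # Ent: 1, Status: IKE, UpDn Time: 12:21:20, Cache Attrib: S
"""


def parse_show_dmvpn(text: str) -> List[Dict[str, str]]:
    """Turn both layouts (IPv4 table, IPv6 per-peer list) into one entry list.

    Assumes the column layouts printed on this page; other IOS releases add
    columns, so check the patterns before pointing this at their output.
    """
    entries: List[Dict[str, str]] = []
    iface = ""
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface: (\S+),", line)
        if m:
            iface, current = m.group(1), {}
            continue
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():        # IPv4 table row
            entries.append(dict(zip(
                ("interface", "nbma", "tunnel", "state", "updn", "attrib"),
                (iface, *parts[1:]))))
            continue
        m = re.match(r"\d+\.Peer NBMA Address: (\S+)", line)
        if m:                                             # IPv6 per-peer block
            current = {"interface": iface, "nbma": m.group(1), "tunnel": "",
                       "state": "", "updn": "", "attrib": ""}
            entries.append(current)
            continue
        m = re.match(r"Tunnel IPv6 Address: (\S+)", line)
        if m and current:
            current["tunnel"] = m.group(1)
            continue
        m = re.search(r"Status: (\S+), UpDn Time: (\S+), Cache Attrib: (\S)", line)
        if m and current:
            current["state"], current["updn"], current["attrib"] = m.groups()
    return entries


def not_up(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries a monitoring check should alarm on (anything but UP)."""
    return [e for e in entries if e["state"] != "UP"]


def interface_summary(entries: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """(peers, peers up) per tunnel interface."""
    out: Dict[str, Tuple[int, int]] = {}
    for e in entries:
        total, up = out.get(e["interface"], (0, 0))
        out[e["interface"]] = (total + 1, up + (e["state"] == "UP"))
    return out


if __name__ == "__main__":
    for e in not_up(parse_show_dmvpn(R2_SHOW_DMVPN)):
        print(f"{e['interface']}: peer {e['nbma']} ({e['attrib']}) is {e['state']}")
```

On R2's output this reports the single non-UP entry, the static Tunnel300 mapping to 2001:DB8:23::1 in state IKE, and a per-interface summary of 2/2 peers up on Tunnel0 and 0/1 on Tunnel300.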

R4#show interfaces tunnel 0

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 172.18.0.3/24

  MTU 17882 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 10.249.1.7 (Vlan1)

   Tunnel Subblocks:

      src-track:

         Tunnel0 source tracking subblock associated with Vlan1

          Set of tunnels with source Vlan1, 1 member (includes iterators), on interface <OK>

  Tunnel protocol/transport multi-GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1442 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "DMVPN")

  Last input 00:00:02, output 05:06:25, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     696 packets input, 58572 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     40 packets output, 5175 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

R3#show int tunnel 0

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 172.18.0.2/24

  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 10.249.10.1 (GigabitEthernet0/0)

   Tunnel Subblocks:

      src-track:

         Tunnel0 source tracking subblock associated with GigabitEthernet0/0

          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>

  Tunnel protocol/transport multi-GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1476 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "DMVPN")

  Last input 00:00:00, output 04:25:03, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     5640 packets input, 464477 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     1222 packets output, 157168 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

R2#show int tun 0

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 172.18.0.1/24

  MTU 17882 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 10.249.200.1 (Vlan200)

   Tunnel Subblocks:

      src-track:

         Tunnel0 source tracking subblock associated with Vlan200

          Set of tunnels with source Vlan200, 1 member (includes iterators), on interface <OK>

  Tunnel protocol/transport multi-GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1442 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "DMVPN")

  Last input 00:28:01, output never, output hang never

  Last clearing of "show interface" counters 12:26:25

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     39 packets input, 4786 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     4700 packets output, 388367 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

R2#show interfaces tunnel 300

Tunnel300 is up, line protocol is up

  Hardware is Tunnel

  MTU 1382 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 2001:DB8:23::1 (GigabitEthernet0/0.300), destination 2001:DB8:23::2

   Tunnel Subblocks:

      src-track:

         Tunnel300 source tracking subblock associated with GigabitEthernet0/0.300

          Set of tunnels with source GigabitEthernet0/0.300, 1 member (includes iterators), on interface <OK>

  Tunnel protocol/transport GRE/IPv6

    Key 0x1E240, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255

  Tunnel transport MTU 1382 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "IPV6IPSECProfile")

  Last input 00:00:00, output 00:00:03, output hang never

  Last clearing of "show interface" counters 12:27:36

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     14441 packets input, 1858178 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     14464 packets output, 1858378 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out


GETVPN VERIFICATION –

R1#show crypto gdoi group GETVPN

    Group Name               : GETVPN

    Group Identity           : 1

    Crypto Path              : ipv4

    Key Management Path      : ipv4

    Rekeys received          : 0

    IPSec SA Direction       : Both

     Group Server list       : 10.249.1.5

                                                10.249.1.7

    Group member             : 10.249.100.1     vrf: None

       Version               : 1.0.6

       Registration status   : Registered

       Registered with       : 10.249.1.5

       Re-registers in       : 38592 sec

       Succeeded registration: 1

       Attempted registration: 1

       Last rekey from       : 0.0.0.0

       Last rekey seq num    : 0

       Multicast rekey rcvd  : 0

       allowable rekey cipher: any

       allowable rekey hash  : any

       allowable transformtag: any ESP

    Rekeys cumulative

       Total received        : 0

       After latest register : 0

       Rekey Received        : never

ACL Downloaded From KS 10.249.1.5:

   access-list   permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

   access-list   permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

   access-list   permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

   access-list   permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255

   access-list   permit gre any any

KEK POLICY:

    Rekey Transport Type     : Multicast

    Lifetime (secs)          : 41533

    Encrypt Algorithm        : 3DES

    Key Size                 : 192

    Sig Hash Algorithm       : HMAC_AUTH_SHA

    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:

  Vlan100:

    IPsec SA:

        spi: 0xD1199491(3508114577)

        transform: esp-3des esp-sha-hmac

        sa timing:remaining key lifetime (sec): (41534)

        Anti-Replay(Counter Based) : 64

        tag method : disabled

        alg key size: 24 (bytes)

        sig key size: 20 (bytes)

        encaps: ENCAPS_TUNNEL

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

239.0.1.2       10.249.1.5      GDOI_REKEY        1002 ACTIVE

10.249.1.5      10.249.100.1    GDOI_IDLE         1001 ACTIVE

IPv6 Crypto ISAKMP SA

dst: 2001:DB8:23::1

src: 2001:DB8:23::2

state: QM_IDLE         conn-id:   1004 status: ACTIVE

dst: 2001:DB8:23::2

src: 2001:DB8:23::1

state: QM_IDLE         conn-id:   1003 status: ACTIVE

R2# show crypto gdoi group GETVPN

    Group Name               : GETVPN

    Group Identity           : 1

    Crypto Path              : ipv4

    Key Management Path      : ipv4

    Rekeys received          : 0

    IPSec SA Direction       : Both

     Group Server list       : 10.249.1.5

                               10.249.1.7

    Group member             : 10.249.200.1     vrf: None

       Version               : 1.0.6

       Registration status   : Registered

       Registered with       : 10.249.1.5

       Re-registers in       : 38457 sec

       Succeeded registration: 1

       Attempted registration: 1

       Last rekey from       : 0.0.0.0

       Last rekey seq num    : 0

       Multicast rekey rcvd  : 0

       allowable rekey cipher: any

       allowable rekey hash  : any

       allowable transformtag: any ESP

    Rekeys cumulative

       Total received        : 0

       After latest register : 0

       Rekey Received        : never

ACL Downloaded From KS 10.249.1.5:

   access-list   permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

   access-list   permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

   access-list   permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

   access-list   permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255

   access-list   permit gre any any

KEK POLICY:

    Rekey Transport Type     : Multicast

    Lifetime (secs)          : 41468

    Encrypt Algorithm        : 3DES

    Key Size                 : 192

    Sig Hash Algorithm       : HMAC_AUTH_SHA

    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:

  Vlan200:

    IPsec SA:

        spi: 0xD1199491(3508114577)

        transform: esp-3des esp-sha-hmac

        sa timing:remaining key lifetime (sec): (41470)

        Anti-Replay(Counter Based) : 64

        tag method : disabled

        alg key size: 24 (bytes)

        sig key size: 20 (bytes)

        encaps: ENCAPS_TUNNEL

R2# show crypto isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.249.1.5      10.249.200.1    GDOI_IDLE         1003 ACTIVE

239.0.1.2       10.249.1.5      GDOI_REKEY        1004 ACTIVE

10.249.200.1    10.249.10.1     QM_IDLE           1005 ACTIVE

10.249.200.1    10.249.1.7      QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

dst: 2001:DB8:23::1

src: 2001:DB8:23::2

state: QM_IDLE         conn-id:   1002 status: ACTIVE

dst: 2001:DB8:23::2

src: 2001:DB8:23::1

state: QM_IDLE         conn-id:   1001 status: ACTIVE

R3#show crypto gdoi group GETVPN

    Group Name               : GETVPN

    Group Identity           : 1

    Rekeys received          : 0

    IPSec SA Direction       : Both

     Group Server list       : 10.249.1.5

                               10.249.1.7

    Group member             : 10.249.10.1      vrf: None

       Registration status   : Registered

       Registered with       : 10.249.1.5

       Re-registers in       : 2053 sec

       Succeeded registration: 1

       Attempted registration: 9

       Last rekey from       : 0.0.0.0

       Last rekey seq num    : 0

       Multicast rekey rcvd  : 0

    Rekeys cumulative

       Total received        : 0

       After latest register : 0

       Rekey Received        : never

ACL Downloaded From KS 10.249.1.5:

   access-list  permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

   access-list  permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

   access-list  permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255

   access-list  permit gre any any

KEK POLICY:

    Rekey Transport Type     : Multicast

    Lifetime (secs)          : 86273

    Encrypt Algorithm        : 3DES

    Key Size                 : 192

    Sig Hash Algorithm       : HMAC_AUTH_SHA

    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:

  GigabitEthernet0/0:

    IPsec SA:

        spi: 0x2B059AB(45111723)

        transform: esp-3des esp-sha-hmac

        sa timing:remaining key lifetime (sec): (5322)

        Anti-Replay :  Disabled

Two things stand out when the three group members are compared. R3's TEK (spi 0x2B059AB, 5322 s remaining, KEK lifetime 86273 s) does not match the TEK on R1 and R2 (spi 0xD1199491, about 41500 s remaining), and R3's output is in the format of an older IOS release (no Version or Crypto Path fields). The captures were evidently taken at different times, and the comparison is only meaningful when all members are captured together: in a healthy group every member holds the same TEK SPI, because all of them receive the same key from the same KS. Also, "Rekeys received : 0" and "Multicast rekey rcvd : 0" on every member, together with R3's "Attempted registration: 9" against a single success, show that the multicast rekey path (239.0.1.2, the GDOI_REKEY SAs in the isakmp output) has not been exercised. Multicast rekeys need working multicast routing between the KS and the members, which none of the excerpts configure; a member that misses a rekey only recovers by unicast re-registration when its TEK is about to expire, which is one way the SPIs end up diverging. Finally, R3 reports "Anti-Replay : Disabled" although both key servers advertise a 64-packet counter-based window.

R3#  show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.249.1.5      10.249.10.1     GDOI_IDLE         1001 ACTIVE

10.249.1.7      10.249.10.1     QM_IDLE           1004 ACTIVE

10.249.200.1    10.249.10.1     QM_IDLE           1003 ACTIVE

239.0.1.2       10.249.1.5      GDOI_REKEY        1002 ACTIVE

IPv6 Crypto ISAKMP SA

R4#show crypto gdoi group GETVPN

    Group Name               : GETVPN (Multicast)

    Group Identity           : 1

    Group Members            : 2

    IPSec SA Direction       : Both

    Redundancy               : Configured

        Local Address        : 10.249.1.7

        Local Priority       : 200

        Local KS Status      : Alive

        Local KS Role        : Secondary

    Group Rekey Lifetime     : 86400 secs

    Group Rekey

        Remaining Lifetime   : 41384 secs

    Rekey Retransmit Period  : 10 secs

    Rekey Retransmit Attempts: 2

    Group Retransmit

        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1

      IPSec SA Rekey Lifetime: 86400 secs

      Profile Name           : GETVPN

      Replay method          : Count Based

      Replay Window Size     : 64

      SA Rekey

         Remaining Lifetime  : 41386 secs

      ACL Configured         : access-list 101

     Group Server list       : Local

HOME-SYD-RTR02#show crypto gdoi group GETVPN

    Group Name               : GETVPN (Multicast)

    Group Identity           : 1

    Group Members            : 2

    IPSec SA Direction       : Both

    Redundancy               : Configured

        Local Address        : 10.249.1.5

        Local Priority       : 100

        Local KS Status      : Alive

        Local KS Role        : Primary

    Group Rekey Lifetime     : 86400 secs

    Group Rekey

        Remaining Lifetime   : 41357 secs

    Rekey Retransmit Period  : 10 secs

    Rekey Retransmit Attempts: 2

    Group Retransmit

        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1

      IPSec SA Rekey Lifetime: 86400 secs

      Profile Name           : GETVPN

      Replay method          : Count Based

      Replay Window Size     : 64

      SA Rekey

         Remaining Lifetime  : 41358 secs

      ACL Configured         : access-list 101

     Group Server list       : Local

HOME-SYD-RTR02#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.249.1.5      10.249.100.1    GDOI_IDLE         2001 ACTIVE

10.249.1.5      10.249.200.1    GDOI_IDLE         2002 ACTIVE

10.249.1.5      10.249.1.7      GDOI_IDLE         2003 ACTIVE

IPv6 Crypto ISAKMP SA
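The checks described under the group member outputs, as an added example (editor's code, not from the original post): a parser for the member side of show crypto gdoi group that extracts the TEK SPI, registration counters, rekey counter and anti-replay setting, and an audit that flags any member whose keying state disagrees with the rest of the group. The three abbreviated outputs are copied from this page; the expected 64-packet window comes from the key-server output above.

```python
import re
from collections import Counter
from typing import Dict, List

# Abbreviated "show crypto gdoi group GETVPN" output of the three group
# members, copied from this page (sample input; unused lines dropped).
GM_OUTPUTS = [
    """\
    Rekeys received          : 0
    Group member             : 10.249.100.1     vrf: None
       Registered with       : 10.249.1.5
       Succeeded registration: 1
       Attempted registration: 1
        spi: 0xD1199491(3508114577)
        sa timing:remaining key lifetime (sec): (41534)
        Anti-Replay(Counter Based) : 64
""",
    """\
    Rekeys received          : 0
    Group member             : 10.249.200.1     vrf: None
       Registered with       : 10.249.1.5
       Succeeded registration: 1
       Attempted registration: 1
        spi: 0xD1199491(3508114577)
        sa timing:remaining key lifetime (sec): (41470)
        Anti-Replay(Counter Based) : 64
""",
    """\
    Rekeys received          : 0
    Group member             : 10.249.10.1      vrf: None
       Registered with       : 10.249.1.5
       Succeeded registration: 1
       Attempted registration: 9
        spi: 0x2B059AB(45111723)
        sa timing:remaining key lifetime (sec): (5322)
        Anti-Replay :  Disabled
""",
]

# Anchored patterns; "Rekeys received" is distinct from "Rekey Received : never".
FIELDS = {
    "member": r"Group member\s*:\s*(\S+)",
    "registered_with": r"Registered with\s*:\s*(\S+)",
    "rekeys_received": r"Rekeys received\s*:\s*(\d+)",
    "succeeded": r"Succeeded registration\s*:\s*(\d+)",
    "attempted": r"Attempted registration\s*:\s*(\d+)",
    "spi": r"spi: (0x[0-9A-Fa-f]+)",
    "tek_remaining": r"sa timing:remaining key lifetime \(sec\): \((\d+)\)",
}


def parse_gm(text: str) -> Dict[str, str]:
    """Extract the fields the audit needs from one member's output."""
    gm: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Anti-Replay"):      # "(Counter Based) : 64" or " :  Disabled"
            gm["anti_replay"] = "disabled" if "Disabled" in line else line.rsplit(":", 1)[1].strip()
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                gm[key] = m.group(1)
                break
    return gm


def audit_group(gms: List[Dict[str, str]], expected_window: str = "64") -> List[str]:
    """Flag members whose keying state disagrees with the rest of the group."""
    issues: List[str] = []
    majority_spi = Counter(gm["spi"] for gm in gms).most_common(1)[0][0]
    for gm in gms:
        who = gm["member"]
        if gm["spi"] != majority_spi:
            issues.append(f"{who}: TEK SPI {gm['spi']} differs from the group's {majority_spi}")
        if gm.get("anti_replay") != expected_window:
            issues.append(f"{who}: anti-replay is {gm.get('anti_replay')}, KS policy is a {expected_window}-packet counter window")
        if int(gm["attempted"]) > int(gm["succeeded"]):
            issues.append(f"{who}: {gm['attempted']} registration attempts for {gm['succeeded']} success")
    if all(int(gm["rekeys_received"]) == 0 for gm in gms):
        issues.append("no member has ever received a rekey: the multicast rekey path is unverified")
    return issues


if __name__ == "__main__":
    for issue in audit_group([parse_gm(t) for t in GM_OUTPUTS]):
        print(issue)
```

On the page's captures the audit reports three issues for R3 (divergent TEK SPI, anti-replay disabled, nine registration attempts) and one group-wide issue (no rekey ever received); the two members on the same TEK produce nothing.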
