10-23-2010 07:55 PM - edited 02-21-2020 04:55 PM
Hello
My GETVPN Key Server doesn't send rekeying messages any more and I don't know why - could somebody give me advice, please?
I had a working GETVPN system, then I added a backup connection (now every GM has 2 GETVPN interfaces) and now the Key Server doesn't send the rekeying messages out.
Compared to the working version I added only a few lines to the GM config file, KS config wasn't changed at all:
! GM uses this address as identity at KS
interface Loopback0
 ip address 3.3.3.1 255.255.255.255
!
crypto map getvpn-map local-address Loopback0
!
interface Serial0/0
 ip unnumbered Loopback0
 crypto map getvpn-map
!
interface Serial0/1
 ip unnumbered Loopback0
 crypto map getvpn-map
I also tried various IP addresses for S0/0 and S0/1, including separate addresses for both interfaces - GETVPN works all the time, but every time the IPsec SA expires, the GMs start re-registration (obviously they don't get the rekeying message).
What could be the reason for this behavior?
thx.
10-23-2010 09:00 PM
Hey,
Would you please paste the rekey configuration?
Cheers
Mike
10-24-2010 01:12 AM
Sure
There is nothing special, and I changed only something in the GM configuration:
! KS1 (1.1.1.1)
crypto gdoi group getvpn
 identity number 1234
 server local
  address ipv4 1.1.1.1
  rekey lifetime seconds 900
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa COOP_KS
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 199
   replay time window-size 7
  redundancy
   local priority 10
   peer address ipv4 2.2.2.1
!
! KS2 (2.2.2.1)
crypto gdoi group getvpn
 identity number 1234
 server local
  address ipv4 2.2.2.1
  rekey lifetime seconds 900
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa COOP_KS
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 199
   replay time window-size 7
  redundancy
   local priority 5
   peer address ipv4 1.1.1.1
!
! GM
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 1.1.1.1
 server address ipv4 2.2.2.1
!
crypto map getvpn-map 10 gdoi
 set group getvpn
!
interface Loopback0
 ip address 3.3.3.1 255.255.255.255
!
crypto map getvpn-map local-address Loopback0
10-25-2010 09:56 AM
Dmytro,
You like unnumbered interfaces :-)
What IOS version is it? KS and GM, please.
I'd be also interested in topology diagram, I'm curious how second GET VPN cloud and KS integrate.
Marcin
10-26-2010 02:03 AM
Hello
The version is the same as before:
Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
Topology looks like this:
And as I said before, the KS configuration was working for the same topology, but between GM1, GM2 and GM3 there was the router "Provider" - the GMs had only one GETVPN interface and the GDOI crypto map was bound to this (S0/0) interface.
Now every GM has the same GDOI crypto map, but bound to S0/0 and S0/1; the ISAKMP identity is now the address of the loopback interface.
Since I changed the GM configuration, the KS doesn't send the rekeying messages - every time the IPsec SA times out, the GMs start re-registration. But the traffic is encrypted.
10-26-2010 03:40 AM
Dmytro,
Well there are some problems with KS behind GMs.
First of all we'd need to make sure that udp/848 (GDOI) is not subject to encryption (this should be automatically excluded, but if possible let's make it explicit) - you didn't attach access-list 199, so I don't know what it contains.
In the configuration you edited in, both GMs are connecting to the nearer KS, except for GM3.
Can you please show me "show crypto isa sa" outputs on KSes and GMs?
Marcin
10-26-2010 04:16 AM
Now I do know the problem!
This is the method I use to share the key for rekeying:
crypto key generate rsa general-keys label COOP_KS modulus 1024 exportable
crypto key export rsa COOP_KS pem terminal 3des S3cr3Tpa55
crypto key import rsa COOP_KS exportable terminal S3cr3Tpa55
But it seems not to be enough to start rekeying, because only if I create an own "COOP_KS" key (different from KS1) does KS2 send rekeying messages.
What should be done additionally to the key import?
Or did I import the key wrong? I copy first the public key
from here: *------------------ PUBLIC ...------------- ...key ... ------------ END ... ----------* until another "*", then 2x "Enter" and get the message for the private key:
*------------- PRIVATE .... ----------- encryption ... key ... ----------END ... --------------* then "Enter" and "Ctrl+C". The message "key import successful" appears.
Is something wrong?
access-list 199 deny udp any any eq 500
access-list 199 deny udp any any eq 848
access-list 199 deny ip any 224.0.0.0 31.255.255.255
access-list 199 permit ip any any
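Marcin's point about excluding udp/848 depends on where the deny lines sit in the crypto ACL, because IOS evaluates an access list top to bottom and stops at the first match. The checker below is an added example, not Cisco's code or anything from the thread; it parses the access-list 199 posted above (copied verbatim into ACL_199), applies first-match semantics, and reports whether GM-to-KS GDOI and ISAKMP traffic would stay outside the IPsec policy. The GM and KS addresses default to the thread's 3.3.3.1 and 1.1.1.1.

```python
# Order-aware check of a GETVPN crypto ACL (the KS "match address ipv4" list):
# GDOI (udp/848) and ISAKMP (udp/500) must hit a deny before any permit, or the
# GMs encrypt the control traffic that carries registration and rekey messages.
# Added example, not Cisco's code; ACL_199 is copied from the thread.
import re
from ipaddress import IPv4Address, IPv4Network

ACL_199 = """
access-list 199 deny udp any any eq 500
access-list 199 deny udp any any eq 848
access-list 199 deny ip any 224.0.0.0 31.255.255.255
access-list 199 permit ip any any
"""
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|\S+ \S+)\s+(?P<dst>any|\S+ \S+)(?:\s+eq\s+(?P<port>\d+))?$"
)

def _net(field):
    """'any' or 'addr wildcard' -> IPv4Network (IOS wildcard = inverted mask;
    assumes a contiguous wildcard, which is all this ACL uses)."""
    if field == "any":
        return IPv4Network("0.0.0.0/0")
    addr, wildcard = field.split()
    netmask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return IPv4Network((addr, bin(netmask).count("1")), strict=False)

def parse_acl(text):
    """ACEs in configured order as (action, proto, src_net, dst_net, dport|None)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        port = int(m["port"]) if m["port"] else None
        aces.append((m["action"], m["proto"], _net(m["src"]), _net(m["dst"]), port))
    return aces

def lookup(aces, proto, src, dst, dport=None):
    """First-match semantics, as on the router; no match is the implicit deny."""
    for action, p, snet, dnet, port in aces:
        if (p in ("ip", proto) and IPv4Address(src) in snet
                and IPv4Address(dst) in dnet and port in (None, dport)):
            return action
    return "deny"

def control_plane_excluded(acl_text, gm="3.3.3.1", ks="1.1.1.1"):
    """True only if GM<->KS GDOI and ISAKMP traffic stays outside the IPsec policy."""
    aces = parse_acl(acl_text)
    return all(lookup(aces, "udp", gm, ks, p) == "deny" for p in (848, 500))
```

Feeding it a list with `permit ip any any` ahead of the deny lines returns False, which is the misordering that silently puts rekey traffic inside the tunnel.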
10-26-2010 05:27 AM
Dmytro,
As far as I remember, the RSA keys on both KSs can be completely different; there is no reason to import/export them.
Is there a doc specifying they need to be the same?
Marcin
10-26-2010 05:45 AM
Yes, says the GETVPN Design and Implementation Guide (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf), see 2.2.3 Configuring GDOI.
Quote: "Note: RSA keys must be generated on any KS. All KSs must share the same keys, so these keys must be generated with an "exportable" tag. The keys are then imported on the remaining KSs. These keys do not need to be imported on the GMs."
10-26-2010 05:57 AM
Dmytro,
You learn something new every day ;-)
Can you open a TAC case for this? I'm pretty sure we'd get through this faster that way.
(You can reference this thread in the SR so TAC will not lose time asking questions you already answered.)
Marcin
10-26-2010 06:23 AM
I read a moment ago about TAC cases, and I would need either SMART.NET or OOC or my own Cisco device to use the serial number, and it seems to take a really long time; time that I don't have. I will simply configure all GMs to use only KS1 and then it's OK - it is only for a lab.
Thank you for your help.
10-26-2010 08:01 AM
Dmytro,
Well I can't promise we'll be on track soon, but let me try best effort.
Regarding export and import of RSA keys, did you follow this?
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_key.html
Or anything similar?
Marcin