08-26-2012 04:26 AM
Hi There
I'm trying to configure GETVPN and it's not working. Can someone advise me if I have made a configuration error?
I did refer to https://supportforums.cisco.com/message/3109605
but I still don't understand. Please help
The loopback interfaces are acting as my LAN
R1 - Loopback 1 = 1.1.1.0/24 is LAN in R1
R2 - Loopback 1 = 2.2.2.0/24 is LAN in R2
08-26-2012 04:42 AM
I see a couple of problems with your config:
1) Your KS is probably also a member of the encryption domain, so this router also needs the crypto map applied to the public interface.
2) The crypto ACL also needs to cover the traffic from R1 to R2. A good summarisable IP design is helpful there.
3) Not a problem but a "no go": 3DES should never be used with GETVPN as with many peers there could be IV-collisions.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-26-2012 07:40 AM
Hi Karsten
I did as per your suggestion, but this doesn't work. I can't ping from 2.2.2.1 (R2 LAN IP) to 1.1.1.1 (KS LAN IP).
08-26-2012 07:41 AM
R1-KS#show run
Building configuration...
Current configuration : 1873 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 136.1.23.2
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-md5-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
crypto gdoi group VPN
identity number 1234
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa VPN
rekey transport unicast
sa ipsec 1
profile VPN
match address ipv4 100
replay time window-size 5
address ipv4 136.1.121.1
!
!
crypto map VPN 10 gdoi
set group VPN
!
!
!
!
!
!
!
interface Loopback1
description LAN
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
description WAN
ip address 136.1.121.1 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
no fair-queue
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.121.254
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password cisco
login local
transport input telnet ssh
!
!
end
R1#show cry
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
136.1.121.1 136.1.23.2 GDOI_IDLE 1002 0 ACTIVE
0.0.0.0 136.1.121.1 GDOI_REKEY 0 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
R1#
=======================================================================
R2#show run
Building configuration...
Current configuration : 1482 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 136.1.121.1
!
crypto gdoi group VPN
identity number 1234
server address ipv4 136.1.121.1
!
!
crypto map VPN local-address FastEthernet0/0
crypto map VPN 10 gdoi
set group VPN
!
!
!
!
!
!
!
interface Loopback1
description LAN
ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0
description WAN
ip address 136.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.23.3
!
!
ip http server
no ip http secure-server
ip dns server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password cisco
login
transport input telnet
!
!
end
R2#show cry
R2#show crypto isa
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
136.1.23.2 136.1.121.1 GDOI_REKEY 1034 0 ACTIVE
136.1.121.1 136.1.23.2 GDOI_IDLE 1033 0 ACTIVE
136.1.23.2 136.1.121.1 GDOI_REKEY 1035 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 136.1.23.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.23.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4204E717(1107617559)
inbound esp sas:
spi: 0x4204E717(1107617559)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 69, flow_id: SW:69, crypto map: VPN
sa timing: remaining key lifetime (sec): (1694)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
spi: 0xEB4EB2F0(3947803376)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 75, flow_id: SW:75, crypto map: VPN
sa timing: remaining key lifetime (sec): (1883)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4204E717(1107617559)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 70, flow_id: SW:70, crypto map: VPN
sa timing: remaining key lifetime (sec): (1694)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
spi: 0xEB4EB2F0(3947803376)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 76, flow_id: SW:76, crypto map: VPN
sa timing: remaining key lifetime (sec): (1883)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.23.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4204E717(1107617559)
inbound esp sas:
spi: 0x4204E717(1107617559)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 73, flow_id: SW:73, crypto map: VPN
sa timing: remaining key lifetime (sec): (1695)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
spi: 0xEB4EB2F0(3947803376)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 77, flow_id: SW:77, crypto map: VPN
sa timing: remaining key lifetime (sec): (1883)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4204E717(1107617559)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 74, flow_id: SW:74, crypto map: VPN
sa timing: remaining key lifetime (sec): (1695)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
spi: 0xEB4EB2F0(3947803376)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 78, flow_id: SW:78, crypto map: VPN
sa timing: remaining key lifetime (sec): (1883)
IV size: 8 bytes
replay detection support: Y replay window size: 5
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#ping 1.1.1.1 source 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.1
.....
Success rate is 0 percent (0/5)
R2#
08-26-2012 09:34 AM
crypto isakmp policy 1
encr aes 256
hash md5
...
!
crypto ipsec transform-set VPN esp-aes 256 esp-md5-hmac
You just missed the chance to also get rid of MD5 ... Doesn't it hurt your fingers to configure that?
You don't speak a routing protocol with your backbone router. Is that router aware of your loopback networks? It has to be, as GET relies on end-to-end routing.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
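The three configuration problems Karsten raises in his two replies (3DES and MD5 in the ISAKMP policy and transform set, a crypto ACL that only lists one direction, and a KS that is itself inside the encryption domain but has no GDOI crypto map on its WAN interface) can be checked mechanically before a config goes onto a box. The following Python lint is an added example and not code from the thread or from Cisco; the two IOS snippets it embeds are constructed for this example in the shape of the original (pre-fix) key server and of a corrected one, not copied from the posted running configs. It assumes a contiguous ACL wildcard and the `permit ip <net> <wildcard> <net> <wildcard>` ACL form used in the thread, and it takes the IOS defaults for an omitted `encr`/`hash` line (DES and SHA) as given.

```python
"""Lint a Cisco IOS GETVPN config for weak algorithms, a one-way crypto ACL, and a
key server inside the encryption domain with no GDOI crypto map applied.
Added example; the configs below are constructed, not taken from the thread."""
import ipaddress
import re

WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}

WEAK_KS = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto gdoi group VPN
 identity number 1234
 server local
  sa ipsec 1
   match address ipv4 100
  address ipv4 136.1.121.1
crypto map VPN 10 gdoi
 set group VPN
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 136.1.121.1 255.255.255.0
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

# Corrected variant: AES/SHA, crypto map on the KS WAN interface, both ACL directions.
FIXED_KS = (WEAK_KS.replace("encr 3des", "encr aes 256").replace("hash md5", "hash sha")
            .replace("esp-3des esp-md5-hmac", "esp-aes 256 esp-sha-hmac")
            .replace(" ip address 136.1.121.1 255.255.255.0\n",
                     " ip address 136.1.121.1 255.255.255.0\n crypto map VPN\n")
            + "access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255\n")


def _net(addr, wildcard):
    """ACL 'address wildcard' pair -> ip_network (assumes a contiguous wildcard)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def _get(lines, prefix):
    """Argument of the first sub-command starting with prefix, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)


BLOCKS = {"isakmp": r"crypto isakmp policy (\d+)", "gdoi": r"crypto gdoi group (\S+)",
          "map": r"crypto map (\S+) \d+ gdoi", "if": r"interface (\S+)"}


def parse_ios(text):
    """Minimal IOS parser: indented lines attach to the preceding top-level block."""
    cfg = {**{k: {} for k in BLOCKS}, "transform_sets": {}, "acls": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current block
            if ctx:
                cfg[ctx[0]][ctx[1]].append(line)
            continue
        ctx = None
        for kind, pat in BLOCKS.items():
            if m := re.match(pat, line):
                ctx, cfg[kind][m[1]] = (kind, m[1]), []
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
    return cfg


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg, out = parse_ios(text), []
    for pid, lines in cfg["isakmp"].items():   # IOS defaults when omitted: encr des, hash sha
        encr, hsh = _get(lines, "encr") or "des", _get(lines, "hash") or "sha"
        out += [f"isakmp policy {pid}: weak {a}" for a in (encr, hsh) if a in WEAK]
    for name, algs in cfg["transform_sets"].items():
        out += [f"transform-set {name}: weak {a}" for a in algs if a in WEAK]
    for acl, entries in cfg["acls"].items():   # every permit needs its mirror image
        out += [f"access-list {acl}: {s} -> {d} has no return entry"
                for s, d in entries if (d, s) not in entries]
    ifs = list(cfg["if"].values())
    lan = [ipaddress.ip_network(_get(l, "ip address").replace(" ", "/"), strict=False)
           for l in ifs if _get(l, "ip address")]
    for gname, lines in cfg["gdoi"].items():   # KS that is also a GM needs the crypto map
        if "server local" not in lines:
            continue
        acl = cfg["acls"].get(_get(lines, "match address ipv4"), [])
        in_domain = any(side.overlaps(n) for s, d in acl for side in (s, d) for n in lan)
        applied = any(_get(cfg["map"].get(_get(l, "crypto map"), []), "set group") == gname
                      for l in ifs)
        if in_domain and not applied:
            out.append(f"gdoi group {gname}: KS is inside the encryption domain "
                       "but no interface carries its crypto map")
    return out


if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_KS), ("fixed", FIXED_KS)):
        print(name, audit(cfg_text) or "OK")
```

Running the script reports six findings for the weak config (3DES and MD5 twice each, the missing return ACL entry, and the KS with no crypto map on FastEthernet0/0) and nothing for the fixed one. The routing point from the second reply is deliberately outside this check: whether the backbone router knows the loopback networks cannot be read from one device's configuration.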