GetVPN difficulty

jonesl1
Level 1

Ok, ran into a little problem with getting this to work. Only group members participate in the encryption process, correct?

I have numerous remotes all coming into one central location. I set up a KS and have currently only 2 of the remote routers set up as GMs, with the intention of the others coming into play as I move forward. Here is basically what I have in my KS and GMs:

KS

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key testkey address xx.xxx.xxx.10
crypto isakmp key testkey address xx.xxx.xxx.2
!
!
crypto ipsec transform-set hpgdoi-trans esp-aes esp-sha-hmac
!
crypto ipsec profile gdoi-profile-getvpn
set security-association lifetime seconds 7200
set transform-set hpgdoi-trans
!
crypto gdoi group getvpn
identity number 1234
server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile-getvpn
   match address ipv4 100
   replay time window-size 5
  address ipv4 xx.xxx.xxx.90

access-list 100 remark ACL policies pushed to authenticated GM's
access-list 100 permit icmp any any
access-list 100 permit ip any any

GMs

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto isakmp key testkey address xx.xxx.xxx.90
!
crypto gdoi group getvpn
identity number 1234
server address ipv4 xx.xxx.xxx.90
!
!
crypto map getvpn-map 10 gdoi
set group getvpn

Ok.....so I applied the crypto map to the serial interfaces on my routers on either side of the cloud (central ASR1002 and remote ISR1841). When I did this, ALL the remotes went down and I'm not sure why, even the ones that didn't have anything to do with GDOI. Ya, it wasn't good. I thought that only the group members would be affected.

Is it the fact that my ACL is encrypting any to any? Surely I don't have to reverse that and have two statements with the same syntax. I'm basically just trying to encrypt all traffic from specific remotes back to the central side. However, I'm trying to do it without taking down the rest of my network.

Your help is greatly appreciated.

1 Reply

olpeleri
Cisco Employee

I can foresee the following issue.

If your ACL is:

access-list 100 remark ACL policies pushed to authenticated GM's
access-list 100 permit icmp any any
access-list 100 permit ip any any

Then that means any traffic leaving the ASR / 1841 via the interface where the crypto map is installed WILL be encrypted, whatever the destination is. Remember GETVPN provides encryption without a tunnel destination.

Without the logs, it's difficult to say what happened, but this is my theory:

1- Since some remote routers are not yet GETVPN enabled, you're breaking the communication with them.

2- If you have a routing protocol, since you don't deny it, then you break it as well [since we will encrypt it].

If all GMs are configured, your ACL should look like:

deny udp any eq 848 any eq 848 ! [to allow the TEK / KEK rekeys to happen]
deny eigrp any any ! [if you're using EIGRP]
permit ip any any

Now... In the intermediate time, if you want to test from Site A to Site B, then your crypto ACL should look like [with mirrored entries when needed]:

deny udp any eq 848 any eq 848 ! [to allow the TEK / KEK rekeys to happen]
deny eigrp any any ! [if you're using EIGRP]
permit ip
permit ip

BTW ip icmp any any + ip any any might create some weird behavior on an ASR1000 [I've seen that a while back - duplicate entries should be avoided].

Let me know.
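As an added illustration of the reply above, not code from this thread or from Cisco: a small first-match evaluator for the subset of IOS extended-ACL syntax used in these crypto ACLs, run over the poster's ACL, the corrected one, and an interim site-to-site variant. The interim host entries, the 192.0.2.x addresses and the sample flows are constructed assumptions; under GETVPN a "permit" line means the GM encrypts the packet whatever its destination, "deny" (or the implicit deny at the end) means it goes in clear text.

```python
from ipaddress import ip_address, ip_network

def _endpoint(toks, i):            # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    return ip_network((toks[i], toks[i + 1]), strict=False), i + 2

def _port(toks, i):                # optional 'eq <port>'
    return (int(toks[i + 1]), i + 2) if toks[i:i + 1] == ["eq"] else (None, i)

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines."""
    rules = []
    for line in lines:
        toks = line.split("!")[0].split()       # drop trailing comments
        if toks[:1] == ["access-list"]:
            toks = toks[2:]
        if not toks or toks[0] == "remark":
            continue
        src, i = _endpoint(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _endpoint(toks, i)
        dport, _ = _port(toks, i)
        rules.append((toks[0], toks[1], src, sport, dst, dport))
    return rules

def disposition(rules, proto, src, dst, sport=None, dport=None):
    """First match wins: permit = GM encrypts, deny or implicit deny = clear text."""
    for action, p, snet, sp, dnet, dp in rules:
        if p not in ("ip", proto) or ip_address(src) not in snet or ip_address(dst) not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return "encrypt" if action == "permit" else "clear"
    return "clear"

# ACLs from the thread plus an interim site-to-site variant, and constructed flows (addresses are placeholders).
POSTED = ["access-list 100 permit icmp any any", "access-list 100 permit ip any any"]
FIXED = ["deny udp any eq 848 any eq 848 ! GDOI rekeys", "deny eigrp any any", "permit ip any any"]
INTERIM = FIXED[:2] + ["permit ip host 192.0.2.90 host 192.0.2.10",   # central <-> GM site, mirrored
                       "permit ip host 192.0.2.10 host 192.0.2.90"]
FLOWS = {"gdoi rekey": ("udp", "192.0.2.90", "192.0.2.10", 848, 848),
         "eigrp hello": ("eigrp", "192.0.2.90", "224.0.0.10"),
         "ping non-GM": ("icmp", "192.0.2.90", "192.0.2.55"),
         "tcp to GM": ("tcp", "192.0.2.90", "192.0.2.10", 51000, 443)}

def evaluate(acl):               # {flow name: "encrypt" | "clear"}
    rules = parse_acl(acl)
    return {name: disposition(rules, *flow) for name, flow in FLOWS.items()}
```

With the posted ACL every flow, including the KS rekeys and the routing protocol, comes back "encrypt", which is the behaviour the reply describes; the interim ACL leaves the non-GM remote in clear text because nothing permits it.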