10-08-2014 03:54 PM - edited 02-21-2020 07:52 PM
Hello all...
Trying to wrap my head around the design and config for GETVPN to facilitate secure links between sites via an MPLS network. I labbed everything up, and all is working as far as MPLS and the routes redistributed between BGP and the CE IGPs etc. All sites have full connectivity and see the routes that they should. The problem comes when I add in a Key Server and begin to activate GDOI members. Of course the connectivity to the KS is fine initially; it sits behind one of the dtech CEs and its network is advertised. The members register, but once the IPsec SAs are established at the CEs, I lose my IGP neighborships between the CE and PE routers, understandably, which of course drops all the customer routes and connectivity. I'm obviously missing something in the design concept, to say the least!
What needs to be done to encrypt the traffic between the CE site routers, and also maintain the peering with the PE VRF interfaces? What's the best real-world practice here?
Attached is a GNS3 screenshot diagram of the lab. Only concerned with the dtech sites in green. Any help with this would be great, and certainly a solid learning experience for me! Thanks in advance....Dennis
10-08-2014 11:36 PM
Hello,
Can you paste the config for CE and KS ?
regards
Harish
10-09-2014 08:00 PM
Hi Harish....thanks for the reply. Not being familiar with GETVPN, I realized what was wrong. I totally spaced on preventing the routing traffic from being encrypted! Added the necessary deny statements to my GDOI KS ACL to deny the routing protocols in use (RIPv2, OSPF, EIGRP in my case)...and all is good now!! Lesson learned!
KS-R13#show crypto gdoi ks acl
Group Name: DTECHGDOI
Configured ACL:
access-list GETVPN-ACL deny eigrp any any
access-list GETVPN-ACL deny ospf any any
access-list GETVPN-ACL deny udp any any port = 520
access-list GETVPN-ACL deny tcp any any port = 179
access-list GETVPN-ACL deny tcp any any port = 22
access-list GETVPN-ACL deny tcp any port = 22 any
access-list GETVPN-ACL deny udp any any port = 161
access-list GETVPN-ACL deny udp any any port = 162
access-list GETVPN-ACL deny udp any port = 161 any
access-list GETVPN-ACL deny udp any port = 514 any
access-list GETVPN-ACL deny udp any any port = 514
access-list GETVPN-ACL deny udp any any port = 123
access-list GETVPN-ACL deny udp any port = 123 any
access-list GETVPN-ACL deny tcp any any port = 49
access-list GETVPN-ACL deny tcp any port = 49 any
access-list GETVPN-ACL permit ip any any
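As an added example (not from this thread or from Cisco), here is an offline check that walks a pasted KS ACL in first-match order and reports which control-plane flows would fall through to the trailing permit and therefore be encrypted by the group members. The ACL text is abridged from the output above; the flow list, port 40000 ephemeral value and function names are this example's own assumptions.

```python
import re

# Abridged copy of the 'show crypto gdoi ks acl' output above (constructed sample input).
KS_ACL_TEXT = """
access-list GETVPN-ACL deny eigrp any any
access-list GETVPN-ACL deny ospf any any
access-list GETVPN-ACL deny udp any any port = 520
access-list GETVPN-ACL deny tcp any any port = 179
access-list GETVPN-ACL deny tcp any any port = 22
access-list GETVPN-ACL deny tcp any port = 22 any
access-list GETVPN-ACL permit ip any any
"""

# CE/PE control-plane flows as (ip protocol, src port, dst port); 40000 is an assumed
# ephemeral port. Both BGP directions are listed because the GM evaluates real packets.
CONTROL_PLANE_FLOWS = {
    "eigrp": ("eigrp", None, None),
    "ospf": ("ospf", None, None),
    "ripv2": ("udp", 520, 520),
    "bgp_to_179": ("tcp", 40000, 179),
    "bgp_from_179": ("tcp", 179, 40000),
}

# Matches the 'any [port = N] any [port = N]' form used in the pasted output.
ACE_RE = re.compile(r"^access-list\s+\S+\s+(permit|deny)\s+(\S+)\s+any"
                    r"(?:\s+port\s*=\s*(\d+))?\s+any(?:\s+port\s*=\s*(\d+))?$")

def parse_ks_acl(text):
    """Turn KS ACL lines into an ordered list of (action, proto, sport, dport)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            action, proto, sport, dport = m.groups()
            aces.append((action, proto.lower(), sport and int(sport), dport and int(dport)))
    return aces

def ace_matches(ace, proto, sport, dport):
    """'ip' covers every protocol; an unset port in the ACE means any port."""
    _, a_proto, a_sport, a_dport = ace
    return a_proto in ("ip", proto) and a_sport in (None, sport) and a_dport in (None, dport)

def encrypted_flows(aces, flows=CONTROL_PLANE_FLOWS):
    """Names of flows whose first matching ACE is 'permit', i.e. they would be encrypted."""
    hits = []
    for name, (proto, sport, dport) in flows.items():
        for ace in aces:
            if ace_matches(ace, proto, sport, dport):
                if ace[0] == "permit":
                    hits.append(name)
                break
    return hits

if __name__ == "__main__":
    for name in encrypted_flows(parse_ks_acl(KS_ACL_TEXT)):
        print(f"WARNING: {name} reaches 'permit ip any any'; add a deny above it")
```

Run against the abridged ACL it flags only the BGP direction whose source port is 179, since that direction has no matching deny; prepending a mirrored entry clears it.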
02-11-2017 09:54 AM
Did you ever fix your GETVPN issue across the MPLS? I am having some issues. Maybe you can help me.
02-16-2017 07:50 PM
Hello mediaos...
Yeah, that was quite some time ago. I put that up on my blog if you want to take a look; hopefully it will help you. I kind of worked through the config, making notes along the way.
Here's the link - http://techjuice.blogspot.com/2015/03/dmvpn-w-getvpn-for-encryption.html
And actually...my issue was what I realized and mentioned in this post: I didn't have the routing traffic exempted via an ACL on the KS server. See above.
02-16-2017 08:04 PM
I looked over your config....My issue is when I run GETVPN over MPLS.....I enable GETVPN on the outgoing interface of the PE. The PEs are connected via VPLS.
Have you tried it over MPLS?
02-16-2017 08:28 PM
Yeah...I did add GETVPN to another lab also with MPLS -- that one is here:
http://techjuice.blogspot.com/2014/10/mpls3-with-getvpn.html
Different than what you're trying to do though. I have my KS server on the customer private network. And I'm using what would be a traditional MPLS ISP scenario..with BGP and route exchanging etc....not connecting sites via layer 2 | VPLS.
I would think you'd want the KS server on the private network, right? Not on the PE...I'd have to research that to see if that's possible/feasible.
02-16-2017 08:13 PM
Hi Dennis, did you enable GETVPN on the PE or the CE?