GETVPN - problem

Hi,

I'm trying to run GETVPN on a small test network. I have three routers:

R1 as KS

R3 & R4 as members

R1 config:

crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set GET esp-aes esp-sha-hmac
!
crypto ipsec profile GET
 set transform-set GET
!
crypto gdoi group GET
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R1.test.com
  rekey transport unicast
  sa ipsec 1
   profile GET
   match address ipv4 150
   replay counter window-size 64
  address ipv4 10.0.0.1

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half

R3 config:

crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.0.0.1
!
!
crypto map GET 10 gdoi
 set group GET

interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 duplex half
 crypto map GET

show commands:

R1#sh crypto gdoi
Group Information
    Group Name               : GET
    Group Identity           : 1
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 300 secs
    Group Rekey
        Remaining Lifetime   : 189 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs
      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 1390 secs
      ACL Configured         : access-list 150
    Group Server list        : Local

and

R4#sh crypto gdoi
Group Information
    Group Name               : GET
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GET_temp_acl
    Active Group Server      : 10.0.0.1
    Group Server list        : 10.0.0.1
R4#

I got an error message:

*Apr 16 19:05:17.691: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /10.0.0.4, src_addr= 10.0.0.1, prot= 17
R4(config-if)#

Have you got any idea what is wrong?

Accepted Solution

Hello Hubert,

The reason is the following.

Rekeys are sent via udp on port 848. Since they are encrypted by the KEK [ but not by the TEK ], the router can't decrypt when IPSEC is looking at them.

Your KS policy should in fact look like:

access-list 150 deny udp any any eq 848
access-list 150 permit ip any any


3 Replies

Hi,

I found the problem: access-list 150 permit any any

When I changed it to match only LAN networks behind routers it started to work fine.
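As an added illustration (not code from this thread or from Cisco), the script below models how a group member walks the KS policy ACL first-match, and checks whether the UDP/848 rekey from the KS lands inside the TEK policy under the original `permit ip any any`, the accepted fix (`deny udp any any eq 848` first), and the LAN-only workaround from the reply above. The ACL grammar is a small subset of IOS extended ACLs, and the 192.168.0.0/16 LAN prefix and the 10.0.0.4 member address are assumed.

```python
import ipaddress
GDOI_PORT = 848  # KEK-protected rekey traffic, never part of the TEK policy

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (SRC/DST:
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' with a contiguous mask)."""
    tok = line.split()
    if tok[0].lower() != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    pos = 4
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1])
        # IOS wildcard -> netmask, so a wildcard of 0.0.0.0 means one host, not /0
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[pos + 1])) ^ 0xFFFFFFFF)
        pos += 2
        return ipaddress.ip_network((tok[pos - 2], str(mask)), strict=False)
    ace = {"action": tok[2], "proto": tok[3].lower(), "src": addr(), "dst": addr()}
    ace["port"] = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return ace

def classify(acl, src, dst, proto, dport=None):
    """First-match walk: 'permit' = GM applies the TEK (IPsec) to the flow,
    'deny' or no match = flow is left alone (GETVPN's implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] in ("ip", proto) and ace["port"] in (None, dport) \
                and s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return "deny"

def rekey_excluded(acl_lines, ks_addr, gm_addr):
    """True when a KS rekey (UDP/848 from KS to GM) falls outside the TEK
    policy, so the GM will not try to handle it as an IPsec packet."""
    acl = [parse_ace(l) for l in acl_lines]
    return classify(acl, ks_addr, gm_addr, "udp", GDOI_PORT) == "deny"

# Constructed ACLs: the thread's original, the accepted fix, and the OP's own
# workaround of matching only the LAN prefixes (192.168.0.0/16 is assumed).
ORIGINAL = ["access-list 150 permit ip any any"]
FIXED = ["access-list 150 deny udp any any eq 848"] + ORIGINAL
LAN_ONLY = ["access-list 150 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255"]
if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("lan-only", LAN_ONLY)):
        print(f"{name:8s} rekey excluded from TEK policy: {rekey_excluded(acl, '10.0.0.1', '10.0.0.4')}")
```

With the original ACL the rekey is classified "permit", which is exactly the mismatch behind the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message on R4; both the explicit deny and the LAN-only policy leave it outside the TEK policy.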

OK, now it's clear, thanks a lot.