VRF aware GET-VPN Group-member

HUBERT RESCH
Level 3

Hi,

We want to configure the following on some of our routers.

3 VRF-lite (before, it has been 3 separate routers)

For each VRF we have to use a separate GDOI group, with different PSKs.

The KS for the different GDOI groups is the same address (a central resource reachable from every VRF).

I know that I can configure per GDOI group a "client registration interface ..." which can be an interface in a VRF.

Configuring the same KS address for different GDOI groups seems not to be possible:

crypto gdoi group GROUP-1
identity number 1111111
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33

crypto gdoi group GROUP-2
identity number 2222222
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33

As soon as I configure the KS for GROUP-2, I get an error message that the KS is already configured.

We can configure different ISAKMP profiles (VRF aware), but the GDOI group configuration seems not to be VRF aware.

Is there a way to achieve using the same KS address for different groups in different VRFs?

Thx

Hubert

5 Replies

mulatif
Cisco Employee

Hi Hubert,

The KS is not VRF-aware. A normal deployment scenario will be to separate control plane and data traffic. Control plane traffic refers to the communication between GM and KS; this traffic can be part of a different VRF than the VRF for data plane traffic.

Data plane traffic is the actual user traffic, and you can have multiple VRFs to separate data traffic.

See below, which can explain this further:

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6525/ps9370/ps7180/deployment_guide_c07-624088.html

So in your case, you have to move the KS to a separate VRF, while keeping GROUP-1 and GROUP-2 in their specific VRFs.

Thanks,

Naman

Hi Naman, I think there is a misunderstanding of my problem.

On the branch routers I have two VRFs. In each VRF I have to configure a GET VPN GM.

The KSs are on central routers in each VRF, but they have the same IP address (we use overlapping address space in both VRFs).

Configuration is like the following:

ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only

ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only

The problem is that we would have to configure two different ISAKMP PSKs for the same server address, and that's not possible:

crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45

crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45


crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!
interface Loopback0
ip vrf forwarding VRF_10
ip address 10.10.10.45 255.255.255.252
!
interface Loopback1
ip vrf forwarding VRF_12
ip address 12.12.12.45 255.255.255.252
!

interface gig0/1.10
ip vrf forwarding VRF_10
crypto map MAP-10-SECURE-WAN

!

interface gig0/1.12
ip vrf forwarding VRF_12
crypto map MAP-12-SECURE-WAN

So my idea was to configure the PSKs per VRF via an ISAKMP profile (where I can define VRFs):

ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only

ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only


crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto keyring ISAKMP_KEY_GETVPN_10
  local-address Loopback0
  pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
  pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010

crypto keyring ISAKMP_KEY_GETVPN_12
  local-address Loopback1
  pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
  pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212

crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
   vrf VRF_10
   keyring ISAKMP_KEY_GETVPN_10
   self-identity address
   match identity address 22.161.255.33 255.255.255.255
   match identity address 22.109.255.45 255.255.255.255
   keepalive 20 retry 2
   local-address Loopback0

crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
   vrf VRF_12
   keyring ISAKMP_KEY_GETVPN_12
   self-identity address
   match identity address 22.161.255.33 255.255.255.255
   match identity address 22.109.255.45 255.255.255.255
   keepalive 20 retry 2
   local-address Loopback1

crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!

But it seems it does not work!!!

Any idea?

Thx in advance

Hubert

Hi, found out what the reason was!!

See below!

Hubert

ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only

ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto keyring ISAKMP_KEY_GETVPN_10 vrf VRF_10
  local-address Loopback0
  pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
  pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010

crypto keyring ISAKMP_KEY_GETVPN_12 vrf VRF_12
  local-address Loopback1
  pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
  pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212

crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
   vrf VRF_10
   keyring ISAKMP_KEY_GETVPN_10
   self-identity address
   match identity address 22.161.255.33 255.255.255.255 VRF_10
   match identity address 22.109.255.45 255.255.255.255 VRF_10
   keepalive 20 retry 2
   local-address Loopback0

crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
   vrf VRF_12
   keyring ISAKMP_KEY_GETVPN_12
   self-identity address
   match identity address 22.161.255.33 255.255.255.255 VRF_12
   match identity address 22.109.255.45 255.255.255.255 VRF_12
   keepalive 20 retry 2
   local-address Loopback1

crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!
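As an added example (not from this thread or from Cisco), a small Python lint for the pitfall worked out above: it parses the `crypto keyring` blocks of an IOS config and flags a KS address that is keyed in more than one keyring unless every such keyring is bound to its own VRF. The embedded config is constructed from the keyrings in this thread with placeholder keys; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (placeholder keys): the first two keyrings are the
# non-working variant from the thread (no "vrf" on the keyring), the last
# two are the working variant with each keyring bound to its own VRF.
SAMPLE_CONFIG = """\
crypto keyring ISAKMP_KEY_GETVPN_10
  local-address Loopback0
  pre-shared-key address 22.161.255.33 key PLACEHOLDER-KEY-10
crypto keyring ISAKMP_KEY_GETVPN_12
  local-address Loopback1
  pre-shared-key address 22.161.255.33 key PLACEHOLDER-KEY-12
crypto keyring KEY_VRFA vrf siteA
  local-address Serial0/0
  pre-shared-key address 192.1.1.1 key PLACEHOLDER-KEY-A
crypto keyring KEY_VRFB vrf siteB
  local-address Serial0/1
  pre-shared-key address 192.1.1.1 key PLACEHOLDER-KEY-B
"""

KEYRING_RE = re.compile(r"^crypto keyring (\S+)(?: vrf (\S+))?\s*$")
PSK_RE = re.compile(r"^\s+pre-shared-key address (\S+) key (\S+)")


def parse_keyrings(config):
    """Return {keyring_name: (vrf_or_None, {peer_address: key})}."""
    rings, current = {}, None
    for line in config.splitlines():
        m = KEYRING_RE.match(line)
        if m:
            current = m.group(1)
            rings[current] = (m.group(2), {})
            continue
        m = PSK_RE.match(line)
        if m and current is not None:
            rings[current][1][m.group(1)] = m.group(2)
    return rings


def find_ambiguous_peers(rings):
    """Peer addresses keyed in more than one keyring where those keyrings are
    not each bound to a distinct VRF: the PSK lookup for that peer is then
    ambiguous, which is the failure mode this thread ran into."""
    owners = defaultdict(list)
    for name, (vrf, peers) in rings.items():
        for addr in peers:
            owners[addr].append((name, vrf))
    flagged = {}
    for addr, entries in owners.items():
        vrfs = [vrf for _, vrf in entries]
        if len(entries) > 1 and (None in vrfs or len(set(vrfs)) < len(vrfs)):
            flagged[addr] = sorted(name for name, _ in entries)
    return flagged
```

Run it over `show running-config` output; an empty result means every overlapping KS address is disambiguated by a per-VRF keyring.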

Your config helped me with my lab setup. Thank you.

Hi Hubsi :),

Or you could simply use a single GDOI group as I did. It works like a charm...

But then you have to have the same identity number defined on both KSs....
crypto keyring KEY_VRFB vrf siteB
  local-address Serial0/1
  pre-shared-key address 192.1.1.1 key ciscocciesec
crypto keyring KEY_VRFA vrf siteA
  local-address Serial0/0
  pre-shared-key address 192.1.1.1 key ciscocciesec
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ciscocciesec address 192.1.1.1
crypto isakmp profile GET_siteA
   vrf siteA
   keyring KEY_VRFA
   match identity address 192.1.1.1 255.255.255.255 siteA
   local-address Serial0/0
crypto isakmp profile GET_siteB
   vrf siteB
   keyring KEY_VRFB
   match identity address 192.1.1.1 255.255.255.255 siteB
   local-address Serial0/1
!
!
crypto gdoi group GET
 identity number 12345
 server address ipv4 192.1.1.1
!
!
!
crypto map GETMAP_A local-address Serial0/0
crypto map GETMAP_A isakmp-profile GET_siteA
crypto map GETMAP_A 10 gdoi
 set group GET
!
crypto map GETMAP_B local-address Serial0/1
crypto map GETMAP_B isakmp-profile GET_siteB
crypto map GETMAP_B 10 gdoi
 set group GET
!