12-06-2010 08:45 AM
Hi,
we want to configure following on some of our routers.
3 VRF-lite (before it has been 3 seperate routers)
For each VRF we have to use a seperate GDOI-Group , different PSKs.
The KS for the different GDOI Groups is the same adresses (central resource reachable from every VRF).
I know that I can configure per GDOI-Group a "client registartion interface ..." which can be an interface in a VRF.
to configure the same KS-address for different GDOI-groups seems to be not possible
crypto gdoi group GROUP-1
identity number 1111111
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
crypto gdoi group GROUP-2
identity number 2222222
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
Is there a way how to achive to use the same KS-Address for different-Groups in different VRFs.
Thx
Hubert
12-08-2010 09:20 AM
Hi Hubert,
The KS is not VRF-Aware. A normal deployment scenario will be to separate Control Plane and Data traffic. Control Plane traffic refers to the communication between GM and KS, this traffic can be part of different VRF then the VRF for Data Plane traffic.
Data Plane traffic is the actual User traffic and you can have multiple VRFs to spearate Data Traffic.
See below which can explain this further
So in your case, you have move the KS to a separate VRF, while keeping GROUP-1 and GROUP-2 in their specific VRFs.
Thanks,
Naman
12-08-2010 11:39 PM
Hi Naman, I think there is a misunderstanding of my problem.
On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
The KS are on central routers in each VRF but they do have the sam IP-address (we use overlapping address-space in both VRFs)
Configuration is like following
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
the problem is that we would have to configure to different ISAKMP-PSK for same Server-Address, and thats not possible
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback0
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!
interface Loopback1
ip vrf forwarding VRF_10
ip address 10.10.10.45 255.255.255.252
interface Loopback1
ip vrf forwarding VRF_12
ip address 12.12.12.45 255.255.255.252
!
interface gig0/1.10
ip vrf forwarding VRF_10
crypto map MAP-10-SECURE-WAN
!
interface gig0/1.12
ip vrf forwarding VRF_12
crypto map MAP-12-SECURE-WAN
So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where i can define VRFs)
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto keyring ISAKMP_KEY_GETVPN_10
local-address Loopback0
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
crypto keyring ISAKMP_KEY_GETVPN_12
local-address Loopback1
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
vrf VRF_10
keyring ISAKMP_KEY_GETVPN_10
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback0
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
vrf VRF_12
keyring ISAKMP_KEY_GETVPN_12
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback1
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!
But it seems it does not work !!!
Any idea ?
Thx in Advance
Hubert
12-09-2010 02:58 AM
Hi , found out whats the reason was!!
See below !
Hubert
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
!
crypto keyring ISAKMP_KEY_GETVPN_10 vrf VRF_10
local-address Loopback0
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
crypto keyring ISAKMP_KEY_GETVPN_12 vrf VRF_12
local-address Loopback1
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
vrf VRF_10
keyring ISAKMP_KEY_GETVPN_10
self-identity address
match identity address 22.161.255.33 255.255.255.255 VRF_10
match identity address 22.109.255.45 255.255.255.255 VRF_10
keepalive 20 retry 2
local-address Loopback0
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
vrf VRF_12
keyring ISAKMP_KEY_GETVPN_12
self-identity address
match identity address 22.161.255.33 255.255.255.255 VRF_12
match identity address 22.109.255.45 255.255.255.255 VRF_12
keepalive 20 retry 2
local-address Loopback1
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
!
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
!
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
!
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
!
03-11-2014 11:08 AM
your config helped me with my lab set up. Thank you.
07-20-2015 11:43 AM
Hi Hubsi :),
or you could simply use a single GDOI group as I did. It works like a charm...
But then you have to have the same identity number on both KS's defined....
crypto keyring KEY_VRFB vrf siteB
local-address Serial0/1
pre-shared-key address 192.1.1.1 key ciscocciesec
crypto keyring KEY_VRFA vrf siteA
local-address Serial0/0
pre-shared-key address 192.1.1.1 key ciscocciesec
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ciscocciesec address 192.1.1.1
crypto isakmp profile GET_siteA
vrf siteA
keyring KEY_VRFA
match identity address 192.1.1.1 255.255.255.255 siteA
local-address Serial0/0
crypto isakmp profile GET_siteB
vrf siteB
keyring KEY_VRFB
match identity address 192.1.1.1 255.255.255.255 siteB
local-address Serial0/1
!
!
crypto gdoi group GET
identity number 12345
server address ipv4 192.1.1.1
!
!
!
crypto map GETMAP_A local-address Serial0/0
crypto map GETMAP_A isakmp-profile GET_siteA
crypto map GETMAP_A 10 gdoi
set group GET
!
crypto map GETMAP_B local-address Serial0/1
crypto map GETMAP_B isakmp-profile GET_siteB
crypto map GETMAP_B 10 gdoi
set group GET
!
!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: