
VRF AWARE GIKEV2 GET VPN - ERROR Rekey SA not found for group GROUP-A

Hello,

Please see my topology (attached).

I am testing GIKEv2 GET VPN in a VRF-aware setup, where router 1 and router 3 (int g0/0) are in VRF-A and router 4 and router 3 (int g0/1) are in VRF-B.

The key server is in the global routing table.

I had enabled route leaking so that all the VRFs are able to reach the key server.

I had set up the key server (please see attached config).

Now at the group member R1, when I enable the crypto map on the interface (with the attached config), I get the error below:

.Jun 5 12:23:07.743: GDOI:INFRA:TER:(GROUP-A:0:1):Rekey SA not found for group GROUP-A
.Jun 5 12:23:07.743: GDOI:INFRA:DET:(GROUP-A:0:1):Deleting rekey SA with new_rekey spi 0x0000

Please help and suggest.

I have attached all the debug output from the group member.

But even after enabling debugging, the key server does not generate any debugs when the group member tries to register, so traffic is not even reaching the key server.

But I had confirmed that the group members can reach the key server; they are able to ping.

 


Accepted Solutions

Finally got it working.

crypto ikev2 policy POL-A
 match fvrf CUSTA
 proposal PROP-A

crypto ikev2 profile PROF-A
 match fvrf CUSTA
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
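
Added example (not part of the original post and not Cisco tooling): a small Python lint that checks an IOS config for the lines the accepted solution adds, namely `match fvrf` under an IKEv2 policy and under the IKEv2 profile referenced by the GKM group. The function names are hypothetical and the two sample configs are abbreviated from the configs posted in this thread.

```python
# Constructed samples abbreviated from the thread: BEFORE is the group-member
# config that failed to register, AFTER adds the accepted "match fvrf" lines.
BEFORE = """\
crypto ikev2 policy POL-A
 proposal PROP-A
crypto ikev2 profile PROF-A
 match certificate CERT-1
 ivrf CUSTA
crypto gkm group GROUP-A
 client protocol gikev2 PROF-A
"""
AFTER = """\
crypto ikev2 policy POL-A
 match fvrf CUSTA
 proposal PROP-A
crypto ikev2 profile PROF-A
 match fvrf CUSTA
 match certificate CERT-1
crypto gkm group GROUP-A
 client protocol gikev2 PROF-A
"""

def sections(config):
    """Map each top-level IOS command to its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def missing_fvrf(config, fvrf):
    """Hypothetical lint: report where 'match fvrf' is absent for a GIKEv2 member."""
    sec, findings = sections(config), []
    ok = {f"match fvrf {fvrf}", "match fvrf any"}  # 'any' also covers the FVRF
    if not any(ok & set(b) for h, b in sec.items() if h.startswith("crypto ikev2 policy ")):
        findings.append("no IKEv2 policy matches the FVRF")
    for head, body in sec.items():
        for cmd in body if head.startswith("crypto gkm group ") else []:
            if cmd.startswith("client protocol gikev2 "):
                prof = "crypto ikev2 profile " + cmd.split()[3]
                if not ok & set(sec.get(prof, [])):
                    findings.append(f"{prof}: no match fvrf")
    return findings

if __name__ == "__main__":
    print(missing_fvrf(BEFORE, "CUSTA"), missing_fvrf(AFTER, "CUSTA"))
```

The FVRF name passed in is the VRF of the interface that faces the key server; the lint does not derive it from the interface configuration.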

 


2 REPLIES

Please help: is the config below correct for GIKEv2 VRF-aware VPN?

interface Loopback1
 ip vrf forwarding CUSTA
 ip address 10.10.20.1 255.255.255.0

crypto pki certificate map CERT-1 10
 issuer-name co lab

crypto ikev2 proposal PROP-A
 encryption 3des
 integrity sha1
 group 2

crypto ikev2 policy POL-A
 proposal PROP-A

crypto ikev2 profile PROF-A
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 ivrf CUSTA

crypto gkm group GROUP-A
 identity number 1
 server address ipv4 5.5.5.5
 client protocol gikev2 PROF-A

crypto map CMAPA 10 gdoi
 set group GROUP-A

int GigabitEthernet0/0.10
 crypto map CMAPA

 
