06-05-2021 06:12 AM
Hello,
Please see my topology (attached).
I am testing G-IKEv2 GET VPN in a VRF-aware setup,
where router 1 and router 3 (int g0/0) are in VRF-A,
and router 4 and router 3 (int g0/1) are in VRF-B.
The key server is in the global routing table.
I have enabled route leaking so that all the VRFs are able to reach the key server.
I have set up the key server (please see attached config).
Now at the group member R1, when I enable the crypto map on the interface (with the attached config), I get the error below:
.Jun 5 12:23:07.743: GDOI:INFRA:TER:(GROUP-A:0:1):Rekey SA not found for group GROUP-A
.Jun 5 12:23:07.743: GDOI:INFRA:DET:(GROUP-A:0:1):Deleting rekey SA with new_rekey spi 0x0000
Please help and suggest.
Attached is all the debug output from the group member.
But even after enabling debugging, the key server does not generate any debugs when the group member tries to register, so traffic is not even reaching the key server.
But I have confirmed that the group members can reach the key server; they are able to ping.
06-05-2021 07:47 AM
Please help: is the config below correct for a G-IKEv2 VRF-aware VPN?
interface Loopback1
 ip vrf forwarding CUSTA
 ip address 10.10.20.1 255.255.255.0
crypto pki certificate map CERT-1 10
 issuer-name co lab
crypto ikev2 proposal PROP-A
 encryption 3des
 integrity sha1
 group 2
crypto ikev2 policy POL-A
 proposal PROP-A
crypto ikev2 profile PROF-A
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 ivrf CUSTA
crypto gkm group GROUP-A
 identity number 1
 server address ipv4 5.5.5.5
 client protocol gikev2 PROF-A
crypto map CMAPA 10 gdoi
 set group GROUP-A
int GigabitEthernet0/0.10
 crypto map CMAPA
06-05-2021 08:27 AM
Finally got it working:
crypto ikev2 policy POL-A
 match fvrf CUSTA
 proposal PROP-A
crypto ikev2 profile PROF-A
 match fvrf CUSTA
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
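The working 08:27 config differs from the 07:47 one by the `match fvrf CUSTA` line in both the IKEv2 policy and the IKEv2 profile; without a `match fvrf` statement IOS matches those blocks only in the global front-door VRF. The check below is an added example, not part of the original posts: it flags IKEv2 policy/profile blocks that lack the statement. The function names are hypothetical, and treating CUSTA as the front-door VRF of the crypto-map interface is an assumption taken from the fix.

```python
import re

# Copied from the 07:47 post (BEFORE) and the 08:27 post (AFTER).
BEFORE = """
crypto ikev2 proposal PROP-A
 encryption 3des
 integrity sha1
 group 2
crypto ikev2 policy POL-A
 proposal PROP-A
crypto ikev2 profile PROF-A
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 ivrf CUSTA
"""
AFTER = """
crypto ikev2 policy POL-A
 match fvrf CUSTA
 proposal PROP-A
crypto ikev2 profile PROF-A
 match fvrf CUSTA
 match certificate CERT-1
 identity local fqdn R3.LAB.NET
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
"""

def parse_blocks(config):
    """Map each top-level 'crypto ...' header to its sub-commands (by keyword)."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("crypto "):
            current = blocks.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return blocks

def missing_fvrf(config, fvrf):
    """Return IKEv2 policy/profile headers with no 'match fvrf' for this VRF."""
    wanted = {f"match fvrf {fvrf}", "match fvrf any"}
    return [h for h, body in parse_blocks(config).items()
            if re.match(r"crypto ikev2 (policy|profile) ", h)
            and not wanted & set(body)]

if __name__ == "__main__":
    print("before:", missing_fvrf(BEFORE, "CUSTA"))
    print("after: ", missing_fvrf(AFTER, "CUSTA"))
```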