GDOI \ GETVPN - GM router's traffic not being encrypted

Answered Question
Dec 13th, 2007

Group Member (GM) router in a GDOI environment is not having its Netflow or Syslog traffic encrypted. Traffic is sourced from the Loopback interface, which is included in the Key Server ACL.


All other traffic originating from behind the GM router is encrypted.


Any help?


What debug commands might help pinpoint how this Netflow traffic is being treated, relative to GDOI?


Thanks in advance.


Correct Answer
ivillegas Thu, 12/20/2007 - 07:12

Netflow traffic is not encrypted by default. There is a bug CSCef28662 filed demanding to implement this feature for netflow traffic as well.

kst.amand Mon, 12/24/2007 - 06:01

Thanks for the response. When following the guidelines of blocking clear text, this presents a challenge.


We have found that even if we put a deny for the Netflow traffic in our encryption ACL / interesting traffic, we still receive "CRYPTO-4-RECVD_PKT_NOT_IPSEC" for this traffic.


It's looking like we are unable to collect NetFlow data at all.


Suggestions?


kst.amand Wed, 01/02/2008 - 07:11

Solution found:


Specific 2-way traffic needed to be excluded from the GDOI Interesting Traffic ACL:


* Netflow traffic to the Collector - host + port

* ICMP echo-reply traffic from collector to host router


What I had been missing was the ICMP Echo-Reply back from the collector - once identified - SOLUTION FOUND!


I hope this helps others.
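As an added illustration (not the poster's configuration), this is what the exclusion described in the last post looks like in a GETVPN key server's interesting-traffic ACL, with the old policy beside the corrected one. All values are constructed: 10.1.1.1 is the GM loopback that sources the export, 10.9.9.50 the NetFlow collector, UDP 2055 the export port, 10.0.0.0/8 the protected address space, and GETVPN, GDOI-POLICY and GDOI-PROFILE are placeholder names.

```cisco
! Added example, not the poster's configuration. Constructed values:
!   10.1.1.1   GM loopback (NetFlow/Syslog source)
!   10.9.9.50  NetFlow collector
!   udp/2055   NetFlow export port
!   10.0.0.0/8 protected (encrypted) address space
!
! --- Before: the export flow and the echo-reply back from the collector
!     both fall inside the permit, so the GM expects them to be IPsec and
!     logs CRYPTO-4-RECVD_PKT_NOT_IPSEC when they arrive in clear text
ip access-list extended GDOI-POLICY-OLD
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! --- After: exclude both directions of the exchange. The deny entries
!     must precede the permit because the first matching entry wins.
ip access-list extended GDOI-POLICY
 deny   udp  host 10.1.1.1 host 10.9.9.50 eq 2055
 deny   icmp host 10.9.9.50 host 10.1.1.1 echo-reply
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Key server: the policy is bound to the group's IPsec SA and pushed
! to every GM at registration and rekey (other group settings omitted)
crypto gdoi group GETVPN
 identity number 1234
 server local
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GDOI-POLICY
```

Anything the key server policy denies is forwarded by the group members in clear text, so the excluded export flow now crosses the WAN unprotected and should be covered another way if clear-text NetFlow is unacceptable. The change takes effect on the GMs after the next rekey or re-registration.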
