Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
843
Views
0
Helpful
1
Replies

GETVPN Problem

jay.kishan
Level 1
Level 1

‎12-14-2009 02:37 AM - edited ‎03-09-2019 10:45 PM

Hey all,

I did some testing on GNS3 using 7200 series routers for GETVPN. I will also post the configuration in some time. I used three routers. Two GMs and one KS. After enabling the GDOI, both GMs were able to ping and access each other but none were able to access or ping the KS. Here is the topology.

(GM1) ----> (KS)  -----> (GM2)

All I want to ask is whether the current behavior a natural phenomenon of GETVPN or I might be missing some configuration or have done some thing wrong.

Any help is appreciated cause I am on a clock here for GETVPN. I would also appreciate some sample configuration example.

here is the relevant part of the configuration.

|--(GM1) (fa0/0) ----> (fa1/0) (KS) (fa1/1) ----> (fa0/0) (GM2) --|

KS

interface FastEthernet1/0
ip address 192.168.1.1 255.255.0.0
!
interface FastEthernet1/1
ip address 192.168.2.1 255.255.0.0
!
crypto isakmp policy 10
encryption aes
group 2
authentication pre-share
!
crypto isakmp key Cisco address 192.168.1.2
crypto isakmp key Cisco address 192.168.2.2
!
crypto ipsec transform-set mygdoi-trans esp-aes esp-sha-hmac
!
crypto ipsec profile gdoi-profile-getvpn
set security-association lifetime seconds 7200
set transform-set mygdoi-trans
!
crypto key generate rsa general-keys label getvpn-export-general modulus 1024 exportable
!
crypto gdoi group getvpn
identity number 1234
server local
rekey lifetime seconds 86400
rekey retransmit 40 number 2
rekey authentication mypubkey rsa getvpn-export-general
rekey transport unicast
sa ipsec 1
profile gdoi-profile-getvpn
match address ipv4 199
replay time window-size 5
address ipv4 100.1.1.1
!
access-list 199 permit ip any any

GM1

interface FastEthernet0/0
description **Link to KS**
ip address 192.168.1.2 255.255.0.0
crypto map getvpn-map
!
crypto isakmp policy 10
encryption aes
lifetime 1200
authentication pre-share
group 2
!
crypto isakmp key Cisco address 192.168.1.1
!
crypto gdoi group getvpn
identity number 1234
server address ipv4 192.168.1.1
!
crypto map getvpn-map 10 gdoi
set group getvpn
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

GM2

interface FastEthernet0/0
description **Link to KS**
ip address 192.168.2.2 255.255.0.0
crypto map getvpn-map
!
crypto isakmp policy 10
encryption aes
lifetime 1200
authentication pre-share
group 2
!
crypto isakmp key Cisco address 192.168.2.1
!
crypto gdoi group getvpn
identity number 1234
server address ipv4 192.168.2.1
!
crypto map getvpn-map 10 gdoi
set group getvpn
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1


Now, when I ping GM2 from GM1, it is successful and vice versa. But no GM is able to ping the KS. I have verified the security associations and they are ok. I dont know what is going wrong.

Any help is appreciated. Thanks in advance.

Thanks in advance.

- Jay

Labels:
0 Helpful
1 Reply 1

cwood
Level 1
Level 1

‎12-22-2009 06:38 AM

Jay -

You identify the Key Server IP address for the GM routers as "address ipv4 100.1.1.1" under your GDOI group configuration on the KS, yet I don't see an interface on the KS with that address.  Do you have a loopback interface defined with IP address 100.1.1.1?  If not, that should be what you need.

-- Chuck

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents