GET VPN KS COOP Issue

Answered Question
Sep 29th, 2010

Hi Group

I'm in the process of testing GETVPN on a development network before I deploy.  I have a basic setup of 1 KS and 3 GMs which is working fine.  The next stage of my testing is to deploy a second KS using COOP.  The configuration on both KSs is identical except for the priority and addresses etc.; see below.

KS1

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
!
crypto ipsec profile profile1
set security-association lifetime seconds 7200
set transform-set aes128
!
crypto gdoi group GDOI-GROUP1
identity number 12345
server local
  rekey algorithm aes 128
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  registration interface Loopback80
  sa ipsec 1
   profile profile1
   match address ipv4 getvpn-acl
   replay time window-size 5
  address ipv4 192.168.1.255
  redundancy
   local priority 100
   peer address ipv4 192.168.2.255
!

KS2

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
!
crypto ipsec profile profile1
set security-association lifetime seconds 7200
set transform-set aes128
!
crypto gdoi group GDOI-GROUP1
identity number 12345
server local
  rekey algorithm aes 128
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  registration interface Loopback80
  sa ipsec 1
   profile profile1
   match address ipv4 getvpn-acl
   replay time window-size 5
  address ipv4 192.168.2.255
  redundancy
   local priority 250
   peer address ipv4 192.168.1.255
!

The crypto keys have been generated and exported on KS1 and imported on KS2.  The KSs are 2821 routers running c2800nm-advsecurityk9-mz.150-1.M3.bin.

The following show crypto gdoi ks coop output shows that the KS COOP operation is holding at registering:

KS1#sh crypto gdoi ks coop        
Crypto Gdoi Group Name :GDOI-GROUP1
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 192.168.1.255
        Local Priority: 100     
        Local KS Role: Secondary , Local KS Status: Alive    
        Secondary Timers:
                Sec Primary Periodic Time: 30
                Remaining Time: 0, Retries: 0
                Invalid ANN PST recvd: 0
                New GM Temporary Blocking Enforced?: No
                Antireplay Sequence Number: 0

        Peer Sessions:
        Session 1:
                Server handle: 2147483655
                Peer Address: 192.168.2.255
                Peer Priority: 0              
                Peer KS Role: Secondary , Peer KS Status: Unknown  
                Antireplay Sequence Number: 0

                IKE status: In Progress
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 0
                    Packet Recv drops: 0
                    Total bytes sent: 0
                    Total bytes recv: 0

Debugs Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on

Sep 29 19:59:36.255: ISAKMP:(0): no idb in request
Sep 29 19:59:36.255: ISAKMP:(0): SA request profile is (NULL)
Sep 29 19:59:36.255: ISAKMP: Created a peer struct for 192.168.2.255, peer port 848
Sep 29 19:59:36.255: ISAKMP: New peer created peer = 0x46893648 peer_handle = 0x800004F8
Sep 29 19:59:36.255: ISAKMP: Locking peer struct 0x46893648, refcount 1 for isakmp_initiator
Sep 29 19:59:36.255: ISAKMP: local port 848, remote port 848
Sep 29 19:59:36.255: ISAKMP: set new node 0 to QM_IDLE     
Sep 29 19:59:36.255: ISAKMP:(0):insert sa successfully sa = 47325510
Sep 29 19:59:36.255: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 29 19:59:36.255: ISAKMP:(0):No pre-shared key with 192.168.2.255!
Sep 29 19:59:36.255: ISAKMP:(0): No Cert or pre-shared address key.

Sep 29 19:59:36.255: ISAKMP:(0): construct_initial_message: Can not start Main mode
Sep 29 19:59:36.255: ISAKMP: Unlocking peer struct 0x46893648 for isadb_unlock_peer_delete_sa(), count 0
Sep 29 19:59:36.255: ISAKMP: Deleting peer node by peer_reap for 192.168.2.255: 46893648
Sep 29 19:59:36.255: ISAKMP:(0):purging SA., sa=47325510, delme=47325510
Sep 29 19:59:36.255: ISAKMP:(0):purging node 1257862736
Sep 29 19:59:36.255: ISAKMP:(0):cleaning up GDOI node 1257862736
Sep 29 19:59:36.255: ISAKMP: Error while processing SA request: Failed to initialize SA
Sep 29 19:59:36.255: ISAKMP: Error while processing KMI message 0, error 2.
Sep 29 19:59:36.255: IPSEC(key_engine): got a queue event with 1 KMI message(s

I see from the groups that there are a lot of people using COOP with no issues like this.  Have I missed something fundamental?

Thanks

Correct Answer by Collin Clark about 6 years 4 months ago

You're missing an isakmp key for the COOP KS. They create a VPN connection to each other just as the GMs do. I see that the KS IPs are 192.168.x.255. I assume that their real IP is not a broadcast address?

KS1 needs something like:

crypto isakmp key mYcOoPkEy address [key server 2]

and

KS2 needs something like:

crypto isakmp key mYcOoPkEy address [key server 1]

Hope it helps.
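The answer above comes down to a configuration consistency rule: each COOP key server must hold a `crypto isakmp key ... address` entry for the address configured as its `peer address ipv4` under `redundancy`, and the two sides must hold the same key for each other, or IKE between the key servers never gets past the "No pre-shared key with ..." debug message shown in the question. The script below is an added example, not part of the original thread or of any Cisco tool; it parses the two posted KS configurations (trimmed to the relevant lines and embedded as constructed sample input), reports any COOP peer that has no pre-shared key or whose key does not match on the other side, generates the missing `crypto isakmp key` lines, and pulls the peer address out of ISAKMP debug output. The key string `mYcOoPkEy` is the placeholder from the answer; `parse_ks`, `check_coop_keys`, `missing_key_lines` and `peers_without_psk` are names chosen here.

```python
"""Check GETVPN COOP key servers for mutual ISAKMP pre-shared keys.

Added example (not code from the thread or from Cisco). Input configs are
the two key-server configs posted in the question, trimmed to the lines
this check needs.
"""
import re

# Constructed sample: KS1 as posted (no key for the COOP peer 192.168.2.255).
KS1_CONFIG = """\
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  address ipv4 192.168.1.255
  redundancy
   local priority 100
   peer address ipv4 192.168.2.255
"""

# Constructed sample: KS2 as posted (no key for the COOP peer 192.168.1.255).
KS2_CONFIG = """\
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  address ipv4 192.168.2.255
  redundancy
   local priority 250
   peer address ipv4 192.168.1.255
"""

# Constructed sample: the two ISAKMP debug lines from the question that name the cause.
DEBUG_SAMPLE = """\
Sep 29 19:59:36.255: ISAKMP:(0):No pre-shared key with 192.168.2.255!
Sep 29 19:59:36.255: ISAKMP:(0): No Cert or pre-shared address key.
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)")
PEER_RE = re.compile(r"^\s*peer address ipv4 (\S+)")
LOCAL_RE = re.compile(r"^\s*address ipv4 (\S+)")   # 'peer address' and 'match address' do not match
NO_PSK_RE = re.compile(r"No pre-shared key with (\S+)!")


def parse_ks(config: str) -> dict:
    """Extract the local KS address, its COOP peers and its ISAKMP keys by peer address."""
    local, peers, keys = None, [], {}
    for line in config.splitlines():
        if (m := KEY_RE.match(line)):
            keys[m.group(2)] = m.group(1)
        elif (m := PEER_RE.match(line)):
            peers.append(m.group(1))
        elif (m := LOCAL_RE.match(line)) and local is None:
            local = m.group(1)
    return {"local": local, "peers": peers, "keys": keys}


def check_coop_keys(*configs: str) -> list:
    """Return findings; an empty list means every COOP pair has matching keys both ways."""
    servers = [parse_ks(c) for c in configs]
    by_addr = {s["local"]: s for s in servers if s["local"]}
    findings = []
    for s in servers:
        for peer in s["peers"]:
            if peer not in s["keys"]:
                findings.append(f"{s['local']}: no 'crypto isakmp key ... address {peer}' for COOP peer")
            elif peer not in by_addr:
                findings.append(f"{s['local']}: config for peer {peer} not supplied, cannot cross-check")
            elif by_addr[peer]["keys"].get(s["local"]) != s["keys"][peer]:
                findings.append(f"{s['local']} <-> {peer}: pre-shared keys differ or missing on peer side")
    return findings


def missing_key_lines(config: str, key: str) -> list:
    """Produce the 'crypto isakmp key' lines a KS is missing for its COOP peers."""
    s = parse_ks(config)
    return [f"crypto isakmp key {key} address {p}" for p in s["peers"] if p not in s["keys"]]


def peers_without_psk(debug_output: str) -> list:
    """Peer addresses that ISAKMP debug reported as having no pre-shared key."""
    return sorted({m.group(1) for m in NO_PSK_RE.finditer(debug_output)})


if __name__ == "__main__":
    for finding in check_coop_keys(KS1_CONFIG, KS2_CONFIG):
        print("FINDING:", finding)
    print("debug names peer(s):", peers_without_psk(DEBUG_SAMPLE))
    print("KS1 fix:", missing_key_lines(KS1_CONFIG, "mYcOoPkEy"))
    print("KS2 fix:", missing_key_lines(KS2_CONFIG, "mYcOoPkEy"))
```

Run against the posted configs it reports one finding per key server, both naming the other KS, and the debug scan points at the same address (192.168.2.255 from KS1's side). Appending the generated lines to each config with the same key clears the findings; appending them with different keys on the two sides is reported as a mismatch, which is the other way an IKE session between the key servers fails to come up.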

mark@rushby.net Wed, 09/29/2010 - 13:36

Hi Collin

Thanks very much for the speedy response and correct answer to my issue.  I've been through a few design and config docs for GETVPN and I didn't see any mention of this.

Thanks again

Mark

Collin Clark Wed, 09/29/2010 - 13:38

Glad to hear it's working. I worked off the configuration guide v1.0 which is excellent (and at the time I deployed the only one available).
