09-29-2010 01:05 PM
Hi Group
I'm in the process of testing GETVPN on a development network before I deploy. I have a basic setup of 1 KS and 3 GMs which is working fine. The next stage of my testing is to deploy a second KS using COOP. The configuration on both KSs is identical except for the priority and addresses etc.; see below.
KS1
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
!
crypto ipsec profile profile1
 set security-association lifetime seconds 7200
 set transform-set aes128
!
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 128
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  registration interface Loopback80
  sa ipsec 1
   profile profile1
   match address ipv4 getvpn-acl
   replay time window-size 5
  address ipv4 192.168.1.255
  redundancy
   local priority 100
   peer address ipv4 192.168.2.255
!
KS2
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
!
crypto ipsec profile profile1
 set security-association lifetime seconds 7200
 set transform-set aes128
!
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 128
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  registration interface Loopback80
  sa ipsec 1
   profile profile1
   match address ipv4 getvpn-acl
   replay time window-size 5
  address ipv4 192.168.2.255
  redundancy
   local priority 250
   peer address ipv4 192.168.1.255
!
The crypto keys have been generated and exported on KS1 and imported on KS2. The KSs are 2821 routers running c2800nm-advsecurityk9-mz.150-1.M3.bin.
The following show crypto gdoi ks coop output shows that the KS COOP operation is holding at registering:
KS1#sh crypto gdoi ks coop
Crypto Gdoi Group Name :GDOI-GROUP1
Group handle: 2147483650, Local Key Server handle: 2147483650
Local Address: 192.168.1.255
Local Priority: 100
Local KS Role: Secondary , Local KS Status: Alive
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 0, Retries: 0
Invalid ANN PST recvd: 0
New GM Temporary Blocking Enforced?: No
Antireplay Sequence Number: 0
Peer Sessions:
Session 1:
Server handle: 2147483655
Peer Address: 192.168.2.255
Peer Priority: 0
Peer KS Role: Secondary , Peer KS Status: Unknown
Antireplay Sequence Number: 0
IKE status: In Progress
Counters:
Ann msgs sent: 0
Ann msgs sent with reply request: 0
Ann msgs recv: 0
Ann msgs recv with reply request: 0
Packet sent drops: 0
Packet Recv drops: 0
Total bytes sent: 0
Total bytes recv: 0
Debugs Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Sep 29 19:59:36.255: ISAKMP:(0): no idb in request
Sep 29 19:59:36.255: ISAKMP:(0): SA request profile is (NULL)
Sep 29 19:59:36.255: ISAKMP: Created a peer struct for 192.168.2.255, peer port 848
Sep 29 19:59:36.255: ISAKMP: New peer created peer = 0x46893648 peer_handle = 0x800004F8
Sep 29 19:59:36.255: ISAKMP: Locking peer struct 0x46893648, refcount 1 for isakmp_initiator
Sep 29 19:59:36.255: ISAKMP: local port 848, remote port 848
Sep 29 19:59:36.255: ISAKMP: set new node 0 to QM_IDLE
Sep 29 19:59:36.255: ISAKMP:(0):insert sa successfully sa = 47325510
Sep 29 19:59:36.255: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 29 19:59:36.255: ISAKMP:(0):No pre-shared key with 192.168.2.255!
Sep 29 19:59:36.255: ISAKMP:(0): No Cert or pre-shared address key.
Sep 29 19:59:36.255: ISAKMP:(0): construct_initial_message: Can not start Main mode
Sep 29 19:59:36.255: ISAKMP: Unlocking peer struct 0x46893648 for isadb_unlock_peer_delete_sa(), count 0
Sep 29 19:59:36.255: ISAKMP: Deleting peer node by peer_reap for 192.168.2.255: 46893648
Sep 29 19:59:36.255: ISAKMP:(0):purging SA., sa=47325510, delme=47325510
Sep 29 19:59:36.255: ISAKMP:(0):purging node 1257862736
Sep 29 19:59:36.255: ISAKMP:(0):cleaning up GDOI node 1257862736
Sep 29 19:59:36.255: ISAKMP: Error while processing SA request: Failed to initialize SA
Sep 29 19:59:36.255: ISAKMP: Error while processing KMI message 0, error 2.
Sep 29 19:59:36.255: IPSEC(key_engine): got a queue event with 1 KMI message(s
I see from the groups that there are a lot of people using COOP with no issues like this; have I missed something fundamental?
Thanks
09-29-2010 01:16 PM
You're missing an isakmp key for the COOP KS. They create a VPN connection to each other just as the GMs do. I see that the KS IPs are 192.168.x.255. I assume that their real IP is not a broadcast address?
KS1 needs something like:
crypto isakmp key mYcOoPkEy address [key server 2]
and
KS2 needs something like:
crypto isakmp key mYcOoPkEy address [key server 1]
Hope it helps.
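A quick pre-deployment check for exactly this gap, written as an added example (not the poster's code or a Cisco tool): it reads a key server's running config, finds every COOP peer declared under redundancy, and reports peers that have no matching crypto isakmp key entry. The sample config is constructed from the KS1 config in the thread; a wildcard 0.0.0.0 key, if present, is treated as covering all peers.

```python
import re

# Constructed sample: the thread's KS1 config, trimmed to the lines the check
# needs. It still has no ISAKMP pre-shared key for the COOP peer 192.168.2.255.
KS1_CONFIG = """\
crypto isakmp key tempkey1 address 192.168.64.4
crypto isakmp key tempkey1 address 192.168.80.4
crypto isakmp key tempkey1 address 192.168.1.254
crypto isakmp key tempkey1 address 192.168.64.5
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  address ipv4 192.168.1.255
  redundancy
   local priority 100
   peer address ipv4 192.168.2.255
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address (\S+)")
PEER_RE = re.compile(r"^\s*peer address ipv4 (\S+)")


def coop_peers(config):
    """COOP peer addresses: 'peer address ipv4' lines inside the gdoi group."""
    return [m.group(1) for m in map(PEER_RE.match, config.splitlines()) if m]


def isakmp_keyed_addresses(config):
    """Peer addresses that have a 'crypto isakmp key ... address X' entry."""
    return {m.group(1) for m in map(KEY_RE.match, config.splitlines()) if m}


def missing_coop_keys(config):
    """COOP peers this KS cannot authenticate with a pre-shared key.

    A 'crypto isakmp key K address 0.0.0.0 0.0.0.0' wildcard covers every
    peer, so nothing is reported in that case.
    """
    keyed = isakmp_keyed_addresses(config)
    if "0.0.0.0" in keyed:
        return []
    return [peer for peer in coop_peers(config) if peer not in keyed]


def suggested_fix(config, key="COOP_PSK_PLACEHOLDER"):
    """The config lines that would close the gap (placeholder key, not a real one)."""
    return [f"crypto isakmp key {key} address {p}" for p in missing_coop_keys(config)]
```

Run it against the config pulled from each KS; both KS1 and KS2 in the thread would each report the other's address until the key line is added.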
09-29-2010 01:36 PM
Hi Collin
Thanks very much for the speedy response and correct answer to my issue. I've been through a few design and config docs for GETVPN and I didn't see any mention of this.
Thanks again
Mark
09-29-2010 01:38 PM
Glad to hear it's working. I worked off the configuration guide v1.0, which is excellent (and at the time I deployed the only one available).
09-30-2010 12:53 AM
Hi Collin
Could you send me a URL for the Version one doc please?
Thanks
Mark
09-30-2010 06:36 AM
It looks like it has been updated. I'll see if I have the original one at home. If I do, I'll post it.
10-05-2010 09:17 AM
10-05-2010 12:36 PM
Excellent Collin - thank you very much