GET VPN - Configuration Assistance

Hi There

I'm trying to configure GETVPN and it's not working. Can someone advise me if I have made a configuration error?

I did refer to https://supportforums.cisco.com/message/3109605

but I still don't understand. Please help.

The loopback interfaces are acting as my LAN

R1 - Loopback 1 = 1.1.1.0/24 is LAN in R1

R2 - Loopback 1 = 2.2.2.0/24 is LAN in R2

Warm regards,
Ramraj Sivagnanam Sivajanam

I see a couple of problems with your config:

1) Your KS is probably also a member of the Encryption-domain, so this router also needs the crypto-map, applied to the public interface.

2) The crypto ACL also needs the traffic for the traffic R1 to R2. A good summarisable IP-design is helpful there.

3) Not a problem but a "no go": 3DES should never be used with GETVPN as with many peers there could be IV-collisions.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

I did as per your suggestion; this doesn't work. I can't ping from 2.2.2.1 (R2 LAN IP) to 1.1.1.1 (KS LAN IP).

Warm regards,
Ramraj Sivagnanam Sivajanam


R1-KS#show run
Building configuration...

Current configuration : 1873 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 136.1.23.2
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-md5-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
crypto gdoi group VPN
identity number 1234
server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa VPN
  rekey transport unicast
  sa ipsec 1
   profile VPN
   match address ipv4 100
   replay time window-size 5
  address ipv4 136.1.121.1
!
!
crypto map VPN 10 gdoi
set group VPN
!
!
!
!
!
!
!
interface Loopback1
description LAN
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
description WAN
ip address 136.1.121.1 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
no fair-queue
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.121.254
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password cisco
login local
transport input telnet ssh
!
!
end

R1#show cry
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
136.1.121.1     136.1.23.2      GDOI_IDLE         1002    0 ACTIVE
0.0.0.0         136.1.121.1     GDOI_REKEY           0    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

R1#

=======================================================================
R2#show run
Building configuration...

Current configuration : 1482 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 136.1.121.1
!
crypto gdoi group VPN
identity number 1234
server address ipv4 136.1.121.1
!
!
crypto map VPN local-address FastEthernet0/0
crypto map VPN 10 gdoi
set group VPN
!
!
!
!
!
!
!
interface Loopback1
description LAN
ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0
description WAN
ip address 136.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.23.3
!
!
ip http server
no ip http secure-server
ip dns server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password cisco
login
transport input telnet
!
!
end

R2#show cry
R2#show crypto isa
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
136.1.23.2      136.1.121.1     GDOI_REKEY        1034    0 ACTIVE
136.1.121.1     136.1.23.2      GDOI_IDLE         1033    0 ACTIVE
136.1.23.2      136.1.121.1     GDOI_REKEY        1035    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 136.1.23.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 136.1.23.2, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4204E717(1107617559)

     inbound esp sas:
      spi: 0x4204E717(1107617559)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 69, flow_id: SW:69, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1694)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE
      spi: 0xEB4EB2F0(3947803376)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 75, flow_id: SW:75, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1883)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4204E717(1107617559)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 70, flow_id: SW:70, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1694)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE
      spi: 0xEB4EB2F0(3947803376)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 76, flow_id: SW:76, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1883)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 136.1.23.2, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4204E717(1107617559)

     inbound esp sas:
      spi: 0x4204E717(1107617559)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 73, flow_id: SW:73, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1695)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE
      spi: 0xEB4EB2F0(3947803376)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 77, flow_id: SW:77, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1883)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4204E717(1107617559)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 74, flow_id: SW:74, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1695)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE
      spi: 0xEB4EB2F0(3947803376)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 78, flow_id: SW:78, crypto map: VPN
        sa timing: remaining key lifetime (sec): (1883)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#ping 1.1.1.1 source 2.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.1
.....
Success rate is 0 percent (0/5)
R2#

Warm regards,
Ramraj Sivagnanam Sivajanam

crypto isakmp policy 1

  encr aes 256

  hash md5

...

!

crypto ipsec transform-set VPN esp-aes 256 esp-md5-hmac

you just missed the chance to also get rid of MD5 ... Doesn't that hurt in the fingers to configure that?

You don't speak a routing-protocol with your backbone-router. Is that router aware of your Loopback-Networks? It has to as GET relies on end-to-end routing.

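A small triage script, added here as an example (my own code, not from the thread or from Cisco), that reads the R2 "show crypto ipsec sa" output posted above and flags what a reviewer looks for first: encaps with zero decaps (the one-way pattern in R2's output), the esp-3des/esp-md5-hmac transforms Karsten warns about, and an SA whose transform does not carry the cipher the KS transform-set names (R1's config says esp-aes 256, yet R2's SAs show esp-3des). The sample text is a constructed excerpt of that output, and the ks_cipher parameter and the WEAK set are my assumptions.

```python
import re

# Constructed excerpt modelled on the R2 output in the thread: the LAN-to-LAN flow and the idle 136.1.0.0/16 flow.
SAMPLE_SA = """\
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        transform: esp-3des esp-md5-hmac ,
   local  ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (136.1.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        transform: esp-3des esp-md5-hmac ,
"""

# Transforms a GETVPN key server should not be pushing to its group members (assumed policy).
WEAK = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

def parse_flows(text):
    """One dict per protected flow: local/remote ident, encaps/decaps counters, transform names."""
    flows, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        ident = re.search(r"\((\d[\d.]*)/(\d[\d.]*)/", s)  # the numeric "(addr/mask/..." group on ident lines
        if s.startswith("local") and ident:
            cur = {"local": ident.group(1), "remote": None, "encaps": 0, "decaps": 0, "transforms": set()}
            flows.append(cur)
        elif cur is None:
            continue
        elif s.startswith("remote") and ident:
            cur["remote"] = ident.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"transform: (.+)", s):
            cur["transforms"].update(m.group(1).rstrip(" ,").split())
    return flows

def audit(flows, ks_cipher="aes"):
    """Flag one-way counters, weak transforms, and SAs whose transform lacks the cipher the KS names."""
    findings = []
    for f in flows:
        pair = f"{f['local']} -> {f['remote']}"
        if f["encaps"] and not f["decaps"]:
            findings.append(f"{pair}: {f['encaps']} encaps but 0 decaps (one-way traffic: check the return route and the peer's crypto map and ACL)")
        for t in sorted(f["transforms"] & WEAK):
            findings.append(f"{pair}: weak transform {t} in the pushed TEK")
        if f["transforms"] and not any(ks_cipher in t for t in f["transforms"]):
            findings.append(f"{pair}: no {ks_cipher} transform although the KS transform-set names it (check that the GM re-registered after the KS change)")
    return findings
```

Call audit(parse_flows(text)) on a pasted "show crypto ipsec sa" capture; an idle flow (zero encaps) is not reported as one-way.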