Solved: GETVPN Configuration Advice

Rudyanto Tjio · ‎07-08-2013

Hello Cisco Support Community Teams,

I am planning to implement GETVPN for my Client. i have several issues regarding the GETVPN failover behavior.

I have test the configuration on GNS3 using C3725 Router, and also tested on real C2800Series router, and the behavior result is the same.

1. I have 2 KS on the topology, is the GM only registered with one KS?

2. When primary KS down, the GM didn't change to Secondary KS, so i need to clear crypto gdoi on the GM, is there any configuration needed to make the GM auto change to others active KS?

3. i check on the GM that i got encap and decrypt, but never get the decaps and decrypt?

Please find the attachment for the topolgy and configuration example.

Thank you and have a nice day.

Sincerely Yours

Rudyanto

Marcin Latosiewicz · ‎07-08-2013

Have a look at the DIG it will answer most of your questions.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

Section 1.2.7

1) Yes.

2) Check the DIG, there should not be a need to register straight away, "secondary KS" should become new primary.

3) Are you saying it's not reciving ecnrypted traffic or that it does not increment the counter? I would not trust GNS3 too much. If the problem is same on 15.1(4)M on 2800, check it with the folks in TAC.

View solution in original post

Marcin Latosiewicz · ‎07-08-2013

Have a look at the DIG it will answer most of your questions.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

Section 1.2.7

1) Yes.

2) Check the DIG, there should not be a need to register straight away, "secondary KS" should become new primary.

3) Are you saying it's not reciving ecnrypted traffic or that it does not increment the counter? I would not trust GNS3 too much. If the problem is same on 15.1(4)M on 2800, check it with the folks in TAC.

Rudyanto Tjio · ‎07-08-2013

Hi Marcin,

Thank you for your answers.

on the point 3, i got the show crypto ipsec :

remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)

current_peer port 848

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 3, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

i cannot see the decaps and decrypt counting on the ipsec, i am also suspect the limit of gns3. i will try later on the real network.

and last question:

for the best practice, do i need to configure specific traffic access-list for the data? from my configuration, i am using permit ip any any.

ip access-list extended GETVPN-POLICY-ACL

{some access-list configuration remove}

permit ip any any

example i have traffic from branch data ip 10.10.10.0/24 to datacenter 20.20.20.0/24

ip access-list extended GETVPN-POLICY-ACL

{some access-list configuration, and change the any any to spesific}

permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

Thank you

Marcin Latosiewicz · ‎07-08-2013

Aggregate policy, i.e. as short as possible is the best one. For most setups permit ip any any.

From DIG, section 1.2.3

Asymmetric policies lead to a geometric expansion in the number of ACL entries. An aggregate

policy that serves the most GMs is ideal. The most complete aggregate policy is permit ip any any.

This policy encrypts all traffic leaving the GM crypto interface. Therefore, exceptions must be made

(that is, deny entries) to exclude encryption of control plane traffic and management plane

necessary to bootstrap the GM

Rudyanto Tjio · ‎07-08-2013

Hello Marcin,

Thank you very much for your help and explanation. I really appreciate it

Sincerely Yours,

Rudyanto