Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

GETVPN over MPLS - Loss of routing between CE and PE

Hello all...

Trying to wrap my head around the design and config for GETVPN to facilitate secure links between sites via a MPLS network. I labbed everything up , and all is working as far as MPLS and the routes redistributed between BGP and the CE IGPS etc. All sites have full connectivity and see the routes that they should. The problem comes when I add in a Key Server and begin to activate GDOI members. Of course the connectivity to the KS is fine initially-  it sits behind one of the dtech CEs and it's network is advertised. The members register, but once the IPSEC SAs are established at the CEs, I lose my IGP neighbor-ships between the CE and PE routers understandably- which of course drops all the customer routes and connectivity. I'm obviously missing something in the design concept to say the least!

What needs to be done to encrypt the traffic between the CE site routers, and also maintain the peering with the PE VRF interfaces?? What's the best real world practice here?

Attached is a GNS 3 screen shot diagram of the lab. Only concerned with the dtech sites in green. Any help with this would be great, and certainly a solid learning experience for me! thanks in advance....Dennis


Everyone's tags (1)

Hello, Can you paste the



Can you paste the config for CE and KS ?




New Member

Hi Harish....thanks for the

Hi Harish....thanks for the reply. Not being familiar with GETVPN, I realized what was wrong. I totally spaced on preventing the routing traffic from being encrypted! Added the necessary deny statements to my GDIO KS ACL to deny the routing protocols in use (RIPv2, OSPF, EIGRP in my case)...and all is good now!! Lesson learned! 

KS-R13#show crypto gdoi ks acl
 Configured ACL:
   access-list GETVPN-ACL  deny eigrp any any
   access-list GETVPN-ACL  deny ospf any any
   access-list GETVPN-ACL  deny udp any any port = 520
   access-list GETVPN-ACL  deny tcp any any port = 179
   access-list GETVPN-ACL  deny tcp any any port = 22
   access-list GETVPN-ACL  deny tcp any port = 22 any
   access-list GETVPN-ACL  deny udp any any port = 161
   access-list GETVPN-ACL  deny udp any any port = 162
   access-list GETVPN-ACL  deny udp any port = 161 any
   access-list GETVPN-ACL  deny udp any port = 514 any
   access-list GETVPN-ACL  deny udp any any port = 514
   access-list GETVPN-ACL  deny udp any any port = 123
   access-list GETVPN-ACL  deny udp any port = 123 any
   access-list GETVPN-ACL  deny tcp any any port = 49
   access-list GETVPN-ACL  deny tcp any port = 49 any
   access-list GETVPN-ACL  permit ip any any


New Member

Did you ever fix your GETVPN

Did you ever fix your GETVPN issue across the MPLS. I am having some issue - Maybe you can help me.

New Member

Hello mediaos...

Hello mediaos...

yeah - that was quite some time ago. I put that up on my blog if you want to take a look- hopefully it will help you. I kind of worked through the config, making notes along that way

Here's the link -

And issue was what I realized and mentioned in this post- I didn't have the routing traffic exempted via an acl on the KS server - see above

New Member

 I look over your config...

 I look over your config....My issue is when run GETVPN over MPLS.....I enable GETVPN on the outgoing interface of the PE. The PE's are connected via VPLS.

Have you tried it over MPLS?

New Member

Yeah...I did add GETVPN to

Yeah...I did add GETVPN to another lab also with MPLS -- that one is here:

Different than what you're trying to do though. I have my KS server on the customer private network. And I'm using what would be a traditional MPLS ISP scenario..with BGP and route exchanging etc....not connecting sites via layer 2 | VLPS.

I would think you'd want the KS server on the private network right ? Not on the PE...I'd have to research that to see if that's possible\feasible

New Member

Hi Dennis, did you enable

Hi Dennis, did you enable GETVPN on the PE or the CE?