GETVPN over MPLS - Loss of routing between CE and PE
Trying to wrap my head around the design and config for GETVPN to facilitate secure links between sites via an MPLS network. I labbed everything up, and all is working as far as MPLS and the routes redistributed between BGP and the CE IGPs etc. All sites have full connectivity and see the routes that they should. The problem comes when I add in a Key Server and begin to activate GDOI members. Of course the connectivity to the KS is fine initially; it sits behind one of the dtech CEs and its network is advertised. The members register, but once the IPsec SAs are established at the CEs, I lose my IGP neighborships between the CE and PE routers, understandably, which of course drops all the customer routes and connectivity. I'm obviously missing something in the design concept, to say the least!
What needs to be done to encrypt the traffic between the CE site routers, and also maintain the peering with the PE VRF interfaces? What's the best real-world practice here?
Attached is a GNS3 screenshot diagram of the lab. Only concerned with the dtech sites in green. Any help with this would be great, and certainly a solid learning experience for me! Thanks in advance... Dennis
Hi Harish, thanks for the reply. Not being familiar with GETVPN, I realized what was wrong. I totally spaced on preventing the routing traffic from being encrypted! Added the necessary deny statements to my GDOI KS ACL to deny the routing protocols in use (RIPv2, OSPF, EIGRP in my case)... and all is good now!! Lesson learned!
KS-R13#show crypto gdoi ks acl
Group Name: DTECHGDOI
Configured ACL:
access-list GETVPN-ACL deny eigrp any any
access-list GETVPN-ACL deny ospf any any
access-list GETVPN-ACL deny udp any any port = 520
access-list GETVPN-ACL deny tcp any any port = 179
access-list GETVPN-ACL deny tcp any any port = 22
access-list GETVPN-ACL deny tcp any port = 22 any
access-list GETVPN-ACL deny udp any any port = 161
access-list GETVPN-ACL deny udp any any port = 162
access-list GETVPN-ACL deny udp any port = 161 any
access-list GETVPN-ACL deny udp any port = 514 any
access-list GETVPN-ACL deny udp any any port = 514
access-list GETVPN-ACL deny udp any any port = 123
access-list GETVPN-ACL deny udp any port = 123 any
access-list GETVPN-ACL deny tcp any any port = 49
access-list GETVPN-ACL deny tcp any port = 49 any
access-list GETVPN-ACL permit ip any any
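The post above explains the fix in one sentence: in a GETVPN key-server ACL a permit entry means "encrypt" and a deny entry (or the implicit deny at the end) means "send in the clear", so anything the CE exchanges with the non-member PE has to hit a deny before the final permit ip any any. The script below is an added example, not code from the original thread; it parses ACL lines in the show crypto gdoi ks acl format, classifies a group member's outbound packets against them with first-match-wins semantics, and runs a few constructed sample flows (routing hellos, a RIPv2 update, both directions of a BGP session, user data) through three ACLs: the permit-only ACL the lab effectively started with, the posted ACL (abridged), and a variant whose BGP exemption is symmetric. The flows, port numbers and the ACL names are illustrative assumptions. Note what the symmetric variant shows: the posted ACL exempts BGP only when the destination port is 179, so a session the PE opened, where the CE sends from source port 179, would still fall through to permit ip any any and be encrypted; the SSH entries already cover both directions, and BGP would need the same treatment if CE-PE eBGP were in use.

```python
"""Added example (not from the original post): simulate how a GETVPN key-server
ACL classifies a group member's outbound traffic.  'permit' = encrypt,
'deny' (including the implicit deny) = send in the clear.  All flows below are
constructed sample packets, not captured data."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers for the protocol keywords that appear in the ACL.
PROTO_NUM = {"tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" (encrypt) or "deny" (clear)
    proto: str             # "ip", "tcp", "udp", "eigrp" or "ospf"
    sport: Optional[int]   # None = any source port
    dport: Optional[int]   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: int
    sport: int = 0
    dport: int = 0


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME <action> <proto> any [port = N] any [port = N]'
    line as printed by 'show crypto gdoi ks acl'.  'eq N' (config format) is
    accepted too; only 'any' address specs and numeric ports are supported."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny") or (proto != "ip" and proto not in PROTO_NUM):
        raise ValueError(f"unsupported action/protocol in {line!r}")
    rest, ports = tok[4:], []
    for _ in range(2):                      # source spec, then destination spec
        if not rest or rest[0] != "any":
            raise ValueError(f"only 'any' address specs are supported: {line!r}")
        rest, port = rest[1:], None
        if rest[:2] == ["port", "="]:       # show-output format: port = 520
            port, rest = int(rest[2]), rest[3:]
        elif rest[:1] == ["eq"]:            # configuration format: eq 520
            port, rest = int(rest[1]), rest[2:]
        ports.append(port)
    if rest:
        raise ValueError(f"unparsed trailer {rest} in {line!r}")
    return Ace(action, proto, ports[0], ports[1])


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and PROTO_NUM[ace.proto] != pkt.proto:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def classify(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny, i.e. clear."""
    for ace in acl:
        if matches(ace, pkt):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def audit(acl_lines: List[str], flows: Dict[str, Packet]) -> Dict[str, str]:
    acl = [parse_ace(line) for line in acl_lines]
    return {name: classify(acl, pkt) for name, pkt in flows.items()}


# Constructed sample flows as sent by the CE (the group member).
FLOWS = {
    "EIGRP hello to PE": Packet(proto=88),
    "OSPF hello to PE": Packet(proto=89),
    "RIPv2 update to PE": Packet(proto=17, sport=520, dport=520),
    "BGP, CE opened session": Packet(proto=6, sport=40000, dport=179),
    "BGP, PE opened session": Packet(proto=6, sport=179, dport=40001),
    "user data to remote site": Packet(proto=6, sport=51000, dport=443),
}

# What the lab effectively had before the fix: everything gets encrypted.
ORIGINAL_ACL = ["access-list GETVPN-ACL permit ip any any"]

# The posted ACL, abridged to the routing and SSH entries (names assumed).
POSTED_ACL = [
    "access-list GETVPN-ACL deny eigrp any any",
    "access-list GETVPN-ACL deny ospf any any",
    "access-list GETVPN-ACL deny udp any any port = 520",
    "access-list GETVPN-ACL deny tcp any any port = 179",
    "access-list GETVPN-ACL deny tcp any any port = 22",
    "access-list GETVPN-ACL deny tcp any port = 22 any",
    "access-list GETVPN-ACL permit ip any any",
]

# Same ACL with the BGP exemption covering both directions, like the SSH pair.
SYMMETRIC_ACL = POSTED_ACL[:4] + [
    "access-list GETVPN-ACL deny tcp any port = 179 any"] + POSTED_ACL[4:]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("posted", POSTED_ACL),
                       ("symmetric", SYMMETRIC_ACL)):
        print(label)
        for flow, verdict in audit(acl, FLOWS).items():
            print(f"  {verdict:8} {flow}")
```

Running it prints one verdict per flow for each ACL; the original ACL encrypts every flow including the IGP hellos, which is exactly the symptom of lost CE-PE adjacencies, while the posted ACL leaves the hellos and the RIP update in the clear and still encrypts user data.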
Different than what you're trying to do though. I have my KS server on the customer private network. And I'm using what would be a traditional MPLS ISP scenario, with BGP and route exchanging etc., not connecting sites via Layer 2 / VPLS.
I would think you'd want the KS server on the private network, right? Not on the PE... I'd have to research that to see if that's possible/feasible.