GETVPN re-registration instead of rekying

Thomas Schmitt
Level 1

Hello

My GETVPN Key Server doesn't send rekeying messages any more and I don't know why - could somebody give me advice please?

I had a working GETVPN system, then I added a backup connection (now every GM has 2 GETVPN interfaces) and now the Key Server doesn't send the rekeying messages out.

Compared to the working version I added only a few lines to the GM config file, KS config wasn't changed at all:

! GM uses this address as identity at KS

int lo 0
ip add 3.3.3.1 255.255.255.255

crypto map getvpn-map local-address lo0

int s0/0
ip unnumbered lo0
crypto map getvpn-map
int s0/1
ip unnumbered lo0
crypto map getvpn-map

I also tried various IP addresses for S0/0 and S0/1, including separate addresses for both interfaces - GETVPN works all the time, but every time the IPsec SA expires, the GMs start re-registration (obviously they don't get the rekeying message).

What could be the reason for this behavior?

thx.

11 Replies

Maykol Rojas
Cisco Employee

Hey,

Would you please paste the rekey configuration?

Cheers

Mike

Mike

Sure

There is nothing special, and I changed only something in the GM configuration.

KS1

crypto gdoi group getvpn
identity number 1234
server local
address ipv4 1.1.1.1
rekey lifetime seconds 900
rekey retransmit 40 number 3
rekey authentication mypubkey rsa COOP_KS
rekey transport unicast
sa ipsec 1
profile getvpn-profile
match address ipv4 199
replay time window-size 7
redundancy
local priority 10
peer address ipv4 2.2.2.1

KS2:

crypto gdoi group getvpn
identity number 1234
server local
address ipv4 2.2.2.1
rekey lifetime seconds 900
rekey retransmit 40 number 3
rekey authentication mypubkey rsa COOP_KS
rekey transport unicast
sa ipsec 1
profile getvpn-profile
match address ipv4 199
replay time window-size 7
redundancy
local priority 5
peer address ipv4 1.1.1.1

GMs:

crypto gdoi group getvpn
identity number 1234
server address ipv4 1.1.1.1
server address ipv4 2.2.2.1

crypto map getvpn-map 10 gdoi
set group getvpn

int lo 0
ip add 3.3.3.1 255.255.255.255

crypto map getvpn-map local-address lo0

Dmytro,

You like unnumbered interfaces :-)

What version IOS is it? KS and GM please.

I'd be also interested in topology diagram, I'm curious how second GET VPN cloud and KS integrate.

Marcin

Hello

The version is the same as before:

My version: Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)

Topology looks like this:

And as I said before - the KS configuration was working for the same topology, but between GM1, GM2 and GM3 was the router "Provider" - the GMs had only one GETVPN interface and the GDOI crypto map was bound to this (S0/0) interface.

Now every GM has the same GDOI crypto map, but bound to S0/0 and S0/1; the ISAKMP identity is now the address of the loopback interface.

Since I changed the GM configuration, the KS doesn't send the rekeying messages - every time the IPsec SA times out, the GMs start re-registration. But the traffic is encrypted.

Dmytro,

Well there are some problems with KS behind GMs.

First of all we'd need to make sure that udp/848 (GDOI) is not subject to encryption (this should be automatically excluded, but if possible let's make it explicit) - you didn't attach access-list 199, so I don't know what it contains.

In the configuration you edited in, both GMs are connecting to the nearer KS, except for GM3.

Can you please show me "show crypto isa sa" outputs on the KSes and GMs?

Marcin

Now I know the problem!

This is the method by which I share the key for rekeying:

KS1

crypto key generate rsa general-keys label COOP_KS modulus 1024 exportable
crypto key export rsa COOP_KS pem terminal 3des S3cr3Tpa55

KS2

crypto key import rsa COOP_KS exportable terminal S3cr3Tpa55

But it seems not to be enough to start rekeying, because only if I create my own "COOP_KS" key (different from KS1) does KS2 send rekeying messages.

What should be done additionally to the key import?

Or did I import the key wrong? I first copy the public key

from here *------------------ PUBLIC ...------------- ...key ... ------------ END ... ----------* until the other "*", then 2x "enter" and get the message for the private key.

*------------- PRIVATE .... ----------- encryption ... key ... ----------END ... --------------* then "enter" and "ctrl+c". The message "key import successful" appears.

Is something wrong?

ACL 199:

access-list 199 deny udp any any eq 500
access-list 199 deny udp any any eq 848
access-list 199 deny ip any 224.0.0.0 31.255.255.255
access-list 199 permit ip any any
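As an added example (not from the thread or from Cisco), the following parses ACL 199 above and evaluates it the way IOS does, first match wins with an implicit deny, to confirm the point Marcin raised: GDOI (udp/848) and ISAKMP (udp/500) between KS and GM must hit a deny and stay in the clear, while data traffic is encrypted. The addresses 1.1.1.1 (KS1) and 3.3.3.1 (GM loopback) are taken from the thread; the flows tested are constructed.

```python
import ipaddress
# ACL 199 as posted in the thread: the crypto ACL that the key server pushes to
# the group members. In GET VPN 'permit' means encrypt, 'deny' means send in the clear.
ACL_199 = """
access-list 199 deny udp any any eq 500
access-list 199 deny udp any any eq 848
access-list 199 deny ip any 224.0.0.0 31.255.255.255
access-list 199 permit ip any any
"""

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Wildcard mask: 0 bits must match, 1 bits are don't-care (an inverted netmask).
    netmask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard masks are not supported")
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False)

def parse_acl(text):
    """Return (action, proto, src, dst, dport) tuples; only a trailing 'eq <port>' is understood."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # skip blank lines and anything that is not an ACE
        action, proto, tokens = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rdport in rules:
        if rproto in ("ip", proto) and src in rsrc and dst in rdst and rdport in (None, dport):
            return action
    return "deny"

def control_plane_exempt(rules, ks, gm):
    """True if ISAKMP (udp/500) and GDOI (udp/848) between KS and GM stay in the clear."""
    flows = [(ks, gm, 500), (gm, ks, 500), (ks, gm, 848), (gm, ks, 848)]
    return all(evaluate(rules, "udp", s, d, p) == "deny" for s, d, p in flows)
```

Running `control_plane_exempt(parse_acl(ACL_199), "1.1.1.1", "3.3.3.1")` returns True for the posted ACL, so the registration and rekey traffic is not the reason the rekeys are missing here.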

Dmytro,

As far as I remember, the RSA keys on both KSs can be completely different; there is no reason to import/export them.

Is there a doc specifying they need to be the same?

Marcin

Yes, says the GETVPN design and implementation guide (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf), see 2.2.3 Configuring GDOI.

Quote: "Note: RSA keys must be generated on any KS. All KSs must share the same keys, so these keys must be generated with an "exportable" tag. The keys are then imported on the remaining KSs. These keys do not need to be imported on the GMs."

Dmytro,

You learn something new every day ;-)

Can you open a TAC case for this? I'm pretty sure we'd get through this faster like this.

(You can reference this thread in the SR so TAC will not lose time asking questions you already answered.)

Marcin

I read a moment ago about the TAC case and I have either SMART.NET or OOC or my own Cisco device to use the serial number, and it seems to take really much time; time that I don't have. I will simply configure all GMs to use only KS1 and then it's OK - it is only for a lab.

Thank you for your help.

Dmytro,

Well I can't promise we'll be on track soon, but let me try best effort.

Regarding export and import of RSA, did you follow this?

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_key.html

Or anything similar?

Marcin
