Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

GETVPN

Hi,

Iam having a problem while configuring GETVPN.

The scenerio is I have 3 routers in three different locations and they are connected through MPLS,when I configure getvpn than my connectivity from branch locations lost.

Crypto is also map on wan interface of Group members may be this is the issue but i dont have any idea,ACL is also on KS but fro testing i have set to any any.

Kindly advise.

dd.JPG

  • VPN
7 REPLIES
Bronze

Re: GETVPN

I have found that if you provide the "specific" details of your issue, folks don't have to work as hard to help and you get GREAT assistance here.

Kindly paste your config(s) (remove or alter all "personal" information).

Also explain what you have already tried, noting what worked and what failed and provide the output of pertinent information.

Hopefully someone will be able to help.

Regards

Frank

Cisco Employee

Re: GETVPN

Hi,

Your scheme is not very clear, but you may notice that in typical implementations GETVPN is handled by client (on CE routers) and MPLS by provider (on PE router), and that the router used as a KS can't send trafic to other GM, so that it should be a separate router, which can be on a separate connexion to the provider backbone or behind a GM.

New Member

Re: GETVPN

Problem resolve their was issue in the ACL.

Thanks for the reply still i want to know few things

Question 1:

When I run Sh running config

following lines appear in my configuration.

! Incomplete reke configuration

! incomplete rekey adreesss

Question 2:

How to verify getvpn is working?

How to check data sent from one location to other is encrypted or not?

Cisco Employee

Re: GETVPN

You may use the following commands to check that your getvpn is working:

C1#sh crypto isakmp sa  !on the KS
IPv4 Crypto ISAKMP SA dst             src             state          conn-id status 10.1.1.2        10.1.2.2       GDOI_IDLE         1005 ACTIVE 10.1.1.2        10.1.3.2        GDOI_IDLE         1006 ACTIVE

you may as well check the #pkt encryp and #pkt decrypt in the 'show crypto ipsec sa'  on GM routers to see that packets are encrypted/decrypted.

You may also check registered GM on the KS.

C1#sh crypto gdoi ks members

or that a GM is registered on the KS

C2#sh crypto gdoi gm    

these commands should helps you verify that your GET VPN is working but you may have a lot of other commands...

You can also have a look here:

https://supportforums.cisco.com/docs/DOC-13423

New Member

Re: GETVPN

Thanks Bro,

But still i want to know few things

1-When I restar time my KS and GMs they will take long time even take hours to exchange keys,why this going to be happend?

2-From router iam able to acess my GMS but from network iam unable to access GMs why?although my mails and application are running fine.

3-Can we run KS and GM on Same router?

Cisco Employee

Re: GETVPN

responses below:

1- the GET VPN, as other VPN, make the SA only when interesting traffic is triggered (traffic in the ACL that is pushed by the KS). If you aactually have interesting traffic, I suggest running debug crypto isakmp/gdoi to see what's happening.

2- Maybe a routing or filtering issue, check your routing table.

3- Normally not, but there's maybe a workaround for this.

New Member

Re: GETVPN

Can Any one send me the Routes for above scenerion.

480
Views
0
Helpful
7
Replies
This widget could not be displayed.