GET VPN or Group Encrypted Transport is next in the list of VPNs to cover.
Much of the configuration will be the same as we have seen before (ISAKMP policies, transform sets, IPSec profiles), but some will be quite new (GDOI groups).
Before we start with the fun stuff, we'll need to set up the basic connectivity (and it will be very basic):
GDOI-Server(config)#router ospf 1
GDOI-Server(config-router)#router-id 7.7.7.7
GDOI-Server(config-router)#network 10.1.12.0 0.0.0.255 area 1
GDOI-Server(config-router)#
*Jul 5: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
GDOI-Server(config-router)#int gi 0/0
GDOI-Server(config-if)#ip ospf auth mess
GDOI-Server(config-if)#ip ospf mess 1 md5 cisco
GDOI-Server(config-if)#

ISP-3(config)#router ospf 1
ISP-3(config-router)#router-id 10.1.12.1
ISP-3(config-router)#area 1 auth mess
ISP-3(config-router)#network 10.1.12.0 0.0.0.255 area 1
ISP-3(config-router)#network 10.1.13.0 0.0.0.255 area 1
ISP-3(config-router)#network 10.1.14.0 0.0.0.255 area 1
ISP-3(config-router)#
ISP-3(config-router)#int rang
ISP-3(config-router)#int rang gi 0/0 - 2
ISP-3(config-if-range)#ip ospf auth messa
ISP-3(config-if-range)#ip ospf mess 1 md5 cisco
ISP-3(config-if-range)#

GDOI-G1(config)#router ospf 1
GDOI-G1(config-router)#router-id 8.8.8.8
GDOI-G1(config-router)#network 10.1.13.0 0.0.0.255 area 1
GDOI-G1(config-router)#area 1 authe mess
GDOI-G1(config-router)#network 8.8.8.8 0.0.0.0 area 1
GDOI-G1(config-router)#
GDOI-G1(config-router)#int gi 0/0
GDOI-G1(config-if)#int gi 0/1
GDOI-G1(config-if)#ip ospf auth mess
GDOI-G1(config-if)#ip ospf mess 1 md5 cisco
GDOI-G1(config-if)#
*Jul 5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
GDOI-G1(config-if)#

GDOI-G2(config)#router ospf 1
GDOI-G2(config-router)#router-id 9.9.9.9
GDOI-G2(config-router)#network 9.9.9.9 0.0.0.0 a 1
GDOI-G2(config-router)#network 10.1.14.0 0.0.0.255 area 1
GDOI-G2(config-router)#area 1 auth mess
GDOI-G2(config-router)#int gi 0/2
GDOI-G2(config-if)#ip ospf auth mess
GDOI-G2(config-if)#ip os mess 1 md cisco
GDOI-G2(config-if)#
*Jul 5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
GDOI-G2(config-if)#

GDOI-Server#ping 8.8.8.8 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
GDOI-Server#ping 9.9.9.9 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms
GDOI-Server#

OK, let's begin in the same way as we did with dual-hub DMVPN, and chuck the basics into notepad and paste them into the routers:
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
 exit
crypto ipsec profile GET-Profile
 set transform-set GET-TS
 exit

This time, I put the commands on the GDOI-Server router first, then copied them to notepad and pasted them into the clients. This way any fat-fingering is picked up quicker, and is not transferred to the clients:
GDOI-G1(config)#crypto isakmp policy 10
GDOI-G1(config-isakmp)#encryption 3des
GDOI-G1(config-isakmp)#authentication pre-share
GDOI-G1(config-isakmp)#hash sha
GDOI-G1(config-isakmp)#group 2
GDOI-G1(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
GDOI-G1(config)#crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G1(cfg-crypto-trans)#exit
GDOI-G1(config)#crypto ipsec profile GET-Profile
GDOI-G1(ipsec-profile)#set transform-set GET-TS
GDOI-G1(ipsec-profile)#exit
GDOI-G1(config)#

GDOI-G2(config)#crypto isakmp policy 10
GDOI-G2(config-isakmp)#encryption 3des
GDOI-G2(config-isakmp)#authentication pre-share
GDOI-G2(config-isakmp)#hash sha
GDOI-G2(config-isakmp)#group 2
GDOI-G2(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
GDOI-G2(config)#crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G2(cfg-crypto-trans)#exit
GDOI-G2(config)#crypto ipsec profile GET-Profile
GDOI-G2(ipsec-profile)#set transform-set GET-TS
GDOI-G2(ipsec-profile)#exit

Now, let's head back to the server and see what GET VPN has in store. I will be making heavy use of the context-sensitive help here, and putting notes in the output:
GDOI-Server(config)#crypto gdoi ?
  group  Configure a GKM (Group Key Management, GDOI or G-IKEv2) Group
GDOI-Server(config)#crypto gdoi group ?
  WORD  Group Name
  ipv6  IPv6 GKM (Group Key Management) Group
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#?
GKM (Group Key Management) Group configuration commands:
  client    Set the group dsclient parameters
  default   Set a command to its defaults
  exit      Exit the group mode
  identity  Set the identity of the group
  no        Negate a command or set its defaults
  passive   Set the group in passive mode
  server    Set the group server for of the group
GDOI-Server(config-gkm-group)#server ?
  address   Identify the group server by address
  hostname  Identify the group server by hostname
  local     Configure GKM group server defined locally
GDOI-Server(config-gkm-group)#server local ?
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#
*Jul 5: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
GDOI-Server(gkm-local-server)#address ?
  ipv4  Set ipv4 address of local server
GDOI-Server(gkm-local-server)#address ipv4 ?
  A.B.C.D  IPv4 local address
GDOI-Server(gkm-local-server)#address ipv4 7.7.7.7
GDOI-Server(gkm-local-server)#sa ?
  d3p               Enable IP delivery delay detection protocol for all SAs within the group
  ipsec             Configure an IPsec SA
  pair-wise-keying  Enable KGS pair-wise-keying
  receive-only      Configure SA to work only in inbound direction
GDOI-Server(gkm-local-server)#sa ipsec ?
  Sequence to insert into SA list
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#?
GKM local server IPsec SA configuration commands:
  default  Set a command to its defaults
  exit     Exit the sa ipsec mode
  match    Match characteristics of packets to encrypt
  no       Negate a command or set its defaults
  profile  Configure an ipsec profile for the SA
  replay   Set replay method
  tag      Set inline tagging method
GDOI-Server(gkm-sa-ipsec)#profile GET-Profile
GDOI-Server(gkm-sa-ipsec)#match ?
  address  Match addresses of packets to encrypt
GDOI-Server(gkm-sa-ipsec)#match address ?
  ipv4  Match ipv4 packets
  ipv6  Match ipv6 packets
GDOI-Server(gkm-sa-ipsec)#match address ipv4 ?
  IP access-list number
  IP access-list number (expanded range)
  WORD  Access-list name
GDOI-Server(gkm-sa-ipsec)#match address ipv4 G1
GDOI-Server(gkm-sa-ipsec)#exit
GDOI-Server(gkm-local-server)#exit
GDOI-Server(config-gkm-group)#end
GDOI-Server#sh run
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile GET-Profile
 set transform-set GET-TS
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   ! Incomplete
   ! Match address is not configured
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server#

One thing I do find very useful is that IOS will tell me what I am missing. It doesn't do this for everything (it's not a mind-reader), but here it is very useful: it shows me that the gdoi group is incomplete because the match address statement points at an ACL (G1) that doesn't exist yet. Let's fix that by creating the ACL and permitting our overlay IP address (VPN range, like we have in DMVPN):
GDOI-Server(config)#ip access-list extended G1
GDOI-Server(config-ext-nacl)#remark Probably our VPN IP range
GDOI-Server(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
GDOI-Server(config-ext-nacl)#do sh run | s crypto gdoi
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server(config-ext-nacl)#! better!
GDOI-Server(config-ext-nacl)#

Makes sense really! Let's have a look at a few show commands:
GDOI-Server#sh crypto gdoi group GDOI-G1
    Group Name               : GDOI-G1 (Multicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 0
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    IPSec SA Number          : 1
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GET-Profile
    Replay method            : Count Based
    Replay Window Size       : 64
    Tagging method           : Disabled
    ACL Configured           : access-list G1
    Group Server list        : Local

GDOI-Server#sh crypto gdoi ks
Total group members registered to this box: 0

Key Server Information For Group GDOI-G1:
    Group Name               : GDOI-G1
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Group Members            : 0
    Rekey Acknowledgement Cfg: Cisco
    IPSec SA Direction       : Both
    CKM status               : Disable
    ACL Configured           : access-list G1
GDOI-Server#

GDOI-Server#sh crypto gdoi
GROUP INFORMATION
    Group Name               : GDOI-G1 (Multicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 0
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    IPSec SA Number          : 1
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GET-Profile
    Replay method            : Count Based
    Replay Window Size       : 64
    Tagging method           : Disabled
    ACL Configured           : access-list G1
    Group Server list        : Local
GDOI-Server#

Nothing registered yet, but that's not surprising as we have not configured any clients. Let's create the second group:
GDOI-Server(config)#crypto gdoi group GDOI-G2
GDOI-Server(config-gkm-group)#identity number 2
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#profile GET-Profile
GDOI-Server(gkm-sa-ipsec)#match address ipv4 G2
GDOI-Server(gkm-sa-ipsec)#replay counter window-size 64
GDOI-Server(gkm-sa-ipsec)#no tag
GDOI-Server(gkm-sa-ipsec)#exit
GDOI-Server(gkm-local-server)#address ipv4 7.7.7.7
GDOI-Server(gkm-local-server)#exit
GDOI-Server(config-gkm-group)#exit
GDOI-Server(config)#ip access-list extended G2
GDOI-Server(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
GDOI-Server(config-ext-nacl)#exit
GDOI-Server(config)#do sh run | s crypto gdoi
crypto gdoi group GDOI-G1
 identity number 1
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G1
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
crypto gdoi group GDOI-G2
 identity number 2
 server local
  sa ipsec 1
   profile GET-Profile
   match address ipv4 G2
   replay counter window-size 64
   no tag
  address ipv4 7.7.7.7
GDOI-Server(config)#

OK, I have kind of bumbled my way through that, but let's see if we can get one of the clients to connect...
GDOI-G1(config)#crypto gdoi group GDOI-G1
GDOI-G1(config-gkm-group)#?
GKM (Group Key Management) Group configuration commands:
  client    Set the group client parameters
  default   Set a command to its defaults
  exit      Exit the group mode
  identity  Set the identity of the group
  no        Negate a command or set its defaults
  passive   Set the group in passive mode
  server    Set the group server for of the group
GDOI-G1(config-gkm-group)#server ?
  address   Identify the group server by address
  hostname  Identify the group server by hostname
  local     Configure GKM group server defined locally
GDOI-G1(config-gkm-group)#server address ?
  ipv4  Set the IPv4 address of the group server
GDOI-G1(config-gkm-group)#server address ipv4 ?
  A.B.C.D  Group server IPv4 address
GDOI-G1(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G1(config-gkm-group)#identity ?
  address  Set the identity of the group as an address
  number   Set the identity of the group as a number
GDOI-G1(config-gkm-group)#identity number 1
GDOI-G1(config-gkm-group)#exit
GDOI-G1(config)#crypto isakmp profile GET-Profile
GDOI-G1(conf-isa-prof)#match ?
  certificate  Peer certificate attributes
  identity     Peer identity
GDOI-G1(conf-isa-prof)#match identity ?
  address    IP Address(es)
  group      Group name
  host       match a hostname/domain
  user-fqdn  match a username/domain
GDOI-G1(conf-isa-prof)#match identity address ?
  A.B.C.D  IP address prefix
  ipv6     IPv6 Address(es)
GDOI-G1(conf-isa-prof)#match identity address 7.7.7.7
GDOI-G1(conf-isa-prof)#exit
GDOI-G1(config)#crypto map GDOI-G1 isakmp-profile GET-Profile
GDOI-G1(config)#crypto map G1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
GDOI-G1(config-crypto-map)#set group GDOI-G1
GDOI-G1(config-crypto-map)#int gi0/1
GDOI-G1(config-if)#crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map
GDOI-G1(config-if)#crypto map ?
  WORD  Crypto Map tag
GDOI-G1(config-if)#crypto map G1
GDOI-G1(config-if)#
*Jul 5: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jul 5: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul 5: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 7.7.7.7
GDOI-G1(config-if)#
GDOI-G1(config-if)#
*Jul 5: %CRYPTO-4-IKMP_NO_SA: IKE message from 7.7.7.7 has no SA and is not an initialization offer
*Jul 5: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 7.7.7.7

OK... some issues here. Let's try setting the client interface:
GDOI-G1(config)#crypto gdoi group GDOI-G1
GDOI-G1(config-gkm-group)#client ?
  bypass-policy          Allow group-key management traffic sent to this GM only
  protocol               Group Member Registration & Rekey Protocol
  recovery-check         Specify GM recovery check parameters
  registration           Set the group client management/register interface
  rekey                  Set the group client acceptable rekey ciphers and hashs
  status                 group-member status
  transform-sets         Specify list of group client acceptable transform sets
  transport-encrypt-key  Enforce group or pair-wise keying
GDOI-G1(config-gkm-group)#client registration interface gi0/1

Still no dice, but then I left out a whole load of possible commands for the rekey. This blog post is pretty useful, and kind of mirrors the same set-up that I have. So let's add the rekey information and see if that helps.
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)# rekey retransmit 10 number 3
GDOI-Server(gkm-local-server)# rekay authentication mypubkey rsa GDOI-Server-Key
GDOI-Server(gkm-local-server)# rekey transport unicast

I am still seeing the same errors on GDOI-G1 though. From reading the post linked above, I think this may be due to the ACL being incorrect. Unlike the other VPN solutions, we are not overlaying: in "standard" tunnels we have a separate IP addressing scheme, such as the 192.168.1.0/24 subnet we used with DMVPN. GET VPN doesn't work like this, so let's change the ACL and permit the real subnets. The interesting thing about GET VPN (well, GDOI to be exact) is that the Key Server (GDOI-Server in our example) downloads the IPSec policy to the GMs (Group Members, which are GDOI-G1 and GDOI-G2). In this ACL we define the traffic we need to encrypt, but also the traffic which needs to be excluded (OSPF, and the GET VPN control traffic itself on UDP port 848). We can have different ACLs per group, so we now get something along the lines of:
ip access-list extended G1
 no permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny udp any eq 848 any eq 848
 deny tcp any host 224.0.0.5
 deny tcp any host 224.0.0.6
 permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255
ip access-list extended G2
 no permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny udp any eq 848 any eq 848
 deny tcp any host 224.0.0.5
 deny tcp any host 224.0.0.6
 permit ip 10.1.12.0 0.0.0.255 10.1.14.0 0.0.0.255

Even with the change in ACL, the same errors occurred. It was only when switching the key server address to the physical interface on the GDOI-Server that there was some success:
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#address ipv4 10.1.12.7

GDOI-G1#sh crypto gdoi
GROUP INFORMATION
    Group Name               : GDOI-G1
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 2
    IPSec SA Direction       : Both
    Group Server list        : 10.1.12.7

Group Member Information For Group GDOI-G1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-G1_temp_acl
    Group member             : 10.1.13.8       vrf: None
       Local addr/port       : 10.1.13.8/848
       Remote addr/port      : 10.1.12.7/848
       fvrf/ivrf             : None/None
       Version               : 1.0.12
       Registration status   : Registered
       Registered with       : 10.1.12.7
       Re-registers in       : 3366 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 10.1.12.7
       Last rekey seq num    : 0
       Unicast rekey received: 2
       Rekey ACKs sent       : 2
       Rekey Rcvd(hh:mm:ss)  : 00:00:08
       DP Error Monitoring   : OFF
       IPSEC init reg executed : 0
       IPSEC init reg postponed : 0
       Active TEK Number     : 2
       SA Track (OID/status) : disabled
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any
    ESP Rekeys cumulative
       Total received        : 2
       After latest register : 2
       Rekey Acks sents      : 2

    ACL Downloaded From KS 10.1.12.7:
      access-list   deny udp any port = 848 any port = 848
      access-list   deny tcp any host 224.0.0.5
      access-list   deny tcp any host 224.0.0.6
      access-list   permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86370
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1296

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/1:
    IPsec SA:
        spi: 0x7CD79516(2094503190)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (3572)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL

    IPsec SA:
        spi: 0x23E7E211(602399249)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (152)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL
GDOI-G1#

GDOI-Server#sh crypto gdoi
GROUP INFORMATION
    Group Name               : GDOI-G1 (Unicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 1
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 1
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Group Rekey Remaining Lifetime : 86232 secs
    Time to Rekey            : 85997 secs
    Acknowledgement Cfg      : Cisco
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 3
    Group Retransmit Remaining Lifetime : 0 secs
    IPSec SA Number          : 1
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GET-Profile
    Replay method            : Count Based
    Replay Window Size       : 64
    Tagging method           : Disabled
    SA Rekey Remaining Lifetime : 3433 secs
    Time to Rekey            : 3037 secs
    ACL Configured           : access-list G1
    Group Server list        : Local
GDOI-Server#

Let's finish off and add the other group in. This time we will set the ISAKMP profile to match the physical address of the server. This makes more sense, but the G1 router is still using 7.7.7.7, so what will happen?
GDOI-G2(config)#crypto isakmp policy 10
GDOI-G2(config-isakmp)# encr 3des
GDOI-G2(config-isakmp)# authentication pre-share
GDOI-G2(config-isakmp)# hash sha
GDOI-G2(config-isakmp)# group 2
GDOI-G2(config-isakmp)# lifetime 3600
GDOI-G2(config-isakmp)#crypto isakmp key cisco address 10.1.12.7
GDOI-G2(config)#crypto isakmp invalid-spi-recovery
GDOI-G2(config)#crypto isakmp keepalive 10
GDOI-G2(config)#crypto isakmp profile GET-Profile
% A profile is deemed incomplete until it has match identity statements
GDOI-G2(conf-isa-prof)# match identity address 10.1.12.7 255.255.255.255
GDOI-G2(conf-isa-prof)#!
GDOI-G2(conf-isa-prof)#!
GDOI-G2(conf-isa-prof)#$c transform-set GET-TS esp-3des esp-sha-hmac
GDOI-G2(cfg-crypto-trans)# mode tunnel
GDOI-G2(cfg-crypto-trans)#!
GDOI-G2(cfg-crypto-trans)#crypto ipsec profile GET-Profile
GDOI-G2(ipsec-profile)# set transform-set GET-TS
GDOI-G2(ipsec-profile)#!
GDOI-G2(ipsec-profile)#!
GDOI-G2(ipsec-profile)#crypto gdoi group GDOI-G2
GDOI-G2(config-gkm-group)# identity number 2
GDOI-G2(config-gkm-group)# server address ipv4 10.1.12.7
GDOI-G2(config-gkm-group)# client registration interface GigabitEthernet0/2
GDOI-G2(config-gkm-group)#!
GDOI-G2(config-gkm-group)#!
GDOI-G2(config-gkm-group)#crypto map G2 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
GDOI-G2(config-crypto-map)# set group GDOI-G2
GDOI-G2(config-crypto-map)#!
GDOI-G2(config-crypto-map)#crypto map GDOI-G2 isakmp-profile GET-Profile
GDOI-G2(config)#!
GDOI-G2(config)#interface GigabitEthernet0/2
GDOI-G2(config-if)# crypto map G2
GDOI-G2(config-if)#
*Jul 6: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jul 6: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul 6: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.12.7 has no SA and is not an initialization offer
GDOI-G2(config-if)#
*Jul 6: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.1.12.7
GDOI-G2(config-if)#

We see the same issues with the SA until we change the match statement in the ISAKMP profile:
GDOI-G2(config)#crypto isakmp profile GET-Profile
GDOI-G2(conf-isa-prof)# match identity address 7.7.7.7 255.255.255.255
GDOI-G2(conf-isa-prof)#no match identity address 10.1.12.7 255.255.255.0
GDOI-G2(conf-isa-prof)#int gi 0/2
GDOI-G2(config-if)#shut
GDOI-G2(config-if)#
*Jul 6: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from FULL to DOWN, Neighbor Down: Interface down or detached
GDOI-G2(config-if)#
*Jul 6: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
*Jul 6: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
GDOI-G2(config-if)#
GDOI-G2(config-if)#no shut
GDOI-G2(config-if)#
*Jul 6: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Jul 6: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul 6: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
*Jul 6: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.12.1 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
*Jul 6: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.12.7 has no SA and is not an initialization offer
*Jul 6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul 6: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x24FF75BFCD871C9755FE4868CC8A1369
*Jul 6: %GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.7 complete for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul 6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 10.1.12.7 for group GDOI-G2 & gm identity 10.1.14.9 fvrf default ivrf default
GDOI-G2(config-if)#do sh crypto gdoi
GROUP INFORMATION
    Group Name               : GDOI-G2
    Group Identity           : 2
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Group Server list        : 10.1.12.7

Group Member Information For Group GDOI-G2:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-G2_temp_acl
    Group member             : 10.1.14.9       vrf: None
       Local addr/port       : 10.1.14.9/848
       Remote addr/port      : 10.1.12.7/848
       fvrf/ivrf             : None/None
       Version               : 1.0.12
       Registration status   : Registered
       Registered with       : 10.1.12.7
       Re-registers in       : 1097 sec
       Succeeded registration: 1
       Attempted registration: 8
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       DP Error Monitoring   : OFF
       IPSEC init reg executed : 0
       IPSEC init reg postponed : 0
       Active TEK Number     : 1
       SA Track (OID/status) : disabled
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any
    ESP Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

    ACL Downloaded From KS 10.1.12.7:
      access-list   deny udp any port = 848 any port = 848
      access-list   deny tcp any host 224.0.0.5
      access-list   deny tcp any host 224.0.0.6
      access-list   permit ip 10.1.12.0 0.0.0.255 10.1.14.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83974
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1296

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/2:
    IPsec SA:
        spi: 0xA6F83D47(2801286471)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1176)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 24 (bytes)
        sig key size: 20 (bytes)
        encaps: ENCAPS_TUNNEL
GDOI-G2(config-if)#

This seems pretty counter-intuitive. The ISAKMP profile is matching the loopback address instead of the physical interface IP address on the GDOI-Server. Surely it would make more sense to match the interface that is sourcing the packets, right? Well, if you look at the linked blog post, there is no ISAKMP profile set, so do we need one? Let's remove it and find out:
GDOI-G1(config)#no crypto map GDOI-G1 isakmp-profile GET-Profile
GDOI-G1(config)#no crypto isakmp profile GET-Profile
GDOI-G1(config)#end

GDOI-G2(config)#no crypto map GDOI-G2 isakmp-profile GET-Profile
GDOI-G2(config)#no crypto isakmp profile GET-Profile
GDOI-G2(config)#end

GDOI-Server#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.7       10.1.13.8       GDOI_IDLE         1025 ACTIVE
10.1.12.7       10.1.14.9       GDOI_IDLE         1027 ACTIVE

IPv6 Crypto ISAKMP SA

GDOI-Server#
GDOI-Server#sh crypto gdoi | i Name|Members
    Group Name               : GDOI-G1 (Unicast)
    Group Members            : 1
    Profile Name             : GET-Profile
    Group Name               : GDOI-G2 (Multicast)
    Group Members            : 1
    Profile Name             : GET-Profile
GDOI-Server#

So, less is more! Whilst we need an ISAKMP profile for Easy VPN, we don't need one for GET VPN, and we didn't use one for DMVPN either. This is confirmed by reading this post from INE. This then begs the question: when do we use ISAKMP profiles?
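Before moving on to ISAKMP profiles, one thing worth checking in the policy ACL the key server pushed to the group members above. A GM walks that ACL top to bottom: the first matching permit means encrypt, the first matching deny means send in the clear, and a packet that matches nothing (the implicit deny at the end) also goes in the clear. The following Python is an added example (my own, not the blog's or a Cisco tool) that applies those rules to constructed packets built from the lab addresses. Two things fall out of it that the post's ACL does not make obvious: OSPF is IP protocol 89, so a "deny tcp any host 224.0.0.5" line never matches an OSPF hello (in this lab OSPF is still sent unencrypted, but only because it falls off the end of the ACL), and the single permit from 10.1.12.0/24 to 10.1.13.0/24 is one-directional, so replies from 10.1.13.0/24 back towards 10.1.12.0/24 are not encrypted unless a mirrored permit is added. The G1_ACL_FIXED list is my assumed correction, not something from the post.

```python
"""Apply a GET VPN key-server policy ACL the way a group member does.

Added example for this post (not the blog's own code or a Cisco tool). A GM
walks the ACL it downloaded from the KS top to bottom: the first matching
'permit' means encrypt, the first matching 'deny' means send in the clear,
and no match at all (the implicit deny) also means clear text. ACEs and
packets below are constructed from the lab in the post.
"""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the G1 ACL the KS pushes to GDOI-G1 in the post.
G1_ACL = [
    "deny udp any eq 848 any eq 848",
    "deny tcp any host 224.0.0.5",
    "deny tcp any host 224.0.0.6",
    "permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255",
]

# Assumed corrected version: OSPF is IP protocol 89, not TCP, so the exclusion
# must name 'ospf'; the permit is mirrored so both directions are encrypted.
G1_ACL_FIXED = [
    "deny udp any eq 848 any eq 848",
    "deny ospf any host 224.0.0.5",
    "deny ospf any host 224.0.0.6",
    "permit ip 10.1.12.0 0.0.0.255 10.1.13.0 0.0.0.255",
    "permit ip 10.1.13.0 0.0.0.255 10.1.12.0 0.0.0.255",
]


@dataclass
class Packet:
    proto: str  # 'udp', 'tcp', 'ospf', 'icmp', ...; an ACE with 'ip' matches any
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((addr, wildcard), next i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended ACE: permit|deny PROTO SRC [eq P] DST [eq P]."""
    tokens = line.split()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": tokens[0], "proto": tokens[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, ip_text):
    addr, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_ip(ip_text) & mask) == (addr & mask)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def first_match_index(acl, pkt):
    """Index of the first matching ACE, or None if the packet falls off the end."""
    for idx, line in enumerate(acl):
        if ace_matches(parse_ace(line), pkt):
            return idx
    return None


def classify(acl, pkt):
    """'encrypt' on a permit hit; 'clear' on a deny hit or on the implicit deny."""
    idx = first_match_index(acl, pkt)
    if idx is None:
        return "clear"
    return "encrypt" if parse_ace(acl[idx])["action"] == "permit" else "clear"


# Constructed sample traffic using the lab addresses from the post.
GDOI_REGISTRATION = Packet("udp", "10.1.13.8", "10.1.12.7", 848, 848)
OSPF_HELLO = Packet("ospf", "10.1.13.8", "224.0.0.5")
KS_TO_GM = Packet("icmp", "10.1.12.7", "10.1.13.8")
GM_TO_KS = Packet("icmp", "10.1.13.8", "10.1.12.7")

if __name__ == "__main__":
    for name, pkt in [("GDOI registration", GDOI_REGISTRATION), ("OSPF hello", OSPF_HELLO),
                      ("10.1.12.7 -> 10.1.13.8", KS_TO_GM), ("10.1.13.8 -> 10.1.12.7", GM_TO_KS)]:
        print(f"{name:24s} post ACL: {classify(G1_ACL, pkt):8s} (ACE {first_match_index(G1_ACL, pkt)})"
              f"  fixed ACL: {classify(G1_ACL_FIXED, pkt)}")
```

The wildcard comparison is done on integers rather than converted to prefixes so that non-contiguous wildcards behave exactly as IOS evaluates them. Run it as a script and the table shows the registration traffic bypassed by the first ACE, the OSPF hello matching no ACE at all in the post's ACL, and the GM-to-KS direction only becoming encrypted once the mirrored permit is present.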
ISAKMP Profiles
ISAKMP profiles are used under these conditions:
- When a router has two or more IPSec connections that have different Phase 1 parameters
- When using Easy VPN
- If different IKEv1 policies are used between different peers
- When using VRFs with different IKE Phase 1 parameters, but the same IP address.
ISAKMP profiles match peers on one or more attributes, such as address, hostname, username and so on. We can then use these to set different parameters, such as QoS groupings.
Here is the link (again) to the Cisco doc, with some useful scenario configurations for ISAKMP profiles.
Now that this is fixed, can we go back to hosting our GET VPN from the loopback address?
GDOI-Server(config)#crypto gdoi group GDOI-G1
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#address ipv4 7.7.7.7
GDOI-Server(gkm-sa-ipsec)
GDOI-Server(gkm-sa-ipsec)#crypto gdoi group GDOI-G2
GDOI-Server(config-gkm-group)#server local
GDOI-Server(gkm-local-server)#sa ipsec 1
GDOI-Server(gkm-sa-ipsec)#address ipv4 7.7.7.7
GDOI-Server(gkm-local-server)#

GDOI-G1(config)#crypto gdoi group GDOI-G1
GDOI-G1(config-gkm-group)#no server address ipv4 10.1.12.7
GDOI-G1(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G1(config-gkm-group)#
*Jul 6: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-G1 may have expired/been cleared, or didn't go through. Re-register to KS.
*Jul 6: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul 6: %CRYPTO-4-IKMP_NO_SA: IKE message from 7.7.7.7 has no SA and is not an initialization offer
*Jul 6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul 6: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x6F792E443640770041679976AEFA1022
*Jul 6: %GDOI-5-GM_REGS_COMPL: Registration to KS 7.7.7.7 complete for group GDOI-G1 using address 10.1.13.8 fvrf default ivrf default
*Jul 6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 7.7.7.7 for group GDOI-G1 & gm identity 10.1.13.8 fvrf default ivrf default
GDOI-G1(config-gkm-group)#

GDOI-G2(config)#crypto gdoi grou GDOI-G2
GDOI-G2(config-gkm-group)#no server address ipv4 10.1.12.7
GDOI-G2(config-gkm-group)#server address ipv4 7.7.7.7
GDOI-G2(config-gkm-group)#
*Jul 6: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-G2 may have expired/been cleared, or didn't go through. Re-register to KS.
*Jul 6: %CRYPTO-5-GM_REGSTER: Start registration to KS 7.7.7.7 for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul 6: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Jul 6: %GDOI-5-GM_REGS_COMPL: Registration to KS 7.7.7.7 complete for group GDOI-G2 using address 10.1.14.9 fvrf default ivrf default
*Jul 6: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 7.7.7.7 for group GDOI-G2 & gm identity 10.1.14.9 fvrf default ivrf default
GDOI-G2(config-gkm-group)#

GDOI-Server#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
7.7.7.7         10.1.13.8       GDOI_IDLE         1028 ACTIVE
7.7.7.7         10.1.14.9       GDOI_IDLE         1029 ACTIVE

IPv6 Crypto ISAKMP SA

GDOI-Server#sh crypto gdoi | i Name|Members
    Group Name               : GDOI-G1 (Unicast)
    Group Members            : 1
    Profile Name             : GET-Profile
    Group Name               : GDOI-G2 (Unicast)
    Group Members            : 1
    Profile Name             : GET-Profile
GDOI-Server#

Yes we can. It looks like the ISAKMP profile was stopping us from using the loopback address on the GDOI-Server as the endpoint for the client VPNs; once this was fixed, everything works as it should.
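The show crypto gdoi output from the group members earlier carries the counters you would want to watch once this is out of the lab: GDOI-G2 reported "Attempted registration: 8" against "Succeeded registration: 1", which is exactly the string of IKMP_NO_SA failures we saw before the profile was sorted. The following Python is an added example (mine, not the blog's or a Cisco tool) that parses a GM's show crypto gdoi text and raises the findings a NOC would want: not registered, far more registration attempts than successes, a lone TEK close to expiry, and the 3DES KEK cipher the lab uses. The sample text is a trimmed, constructed copy of the GDOI-G2 output above, and the thresholds (300 seconds, three extra attempts) are my assumptions.

```python
"""Health-check a group member's 'show crypto gdoi' output.

Added example, not the blog's code: parses the key/value lines a GM prints and
returns findings for a NOC (registration not complete, repeated registration
attempts, a lone TEK about to expire, a legacy cipher in the KEK policy).
The thresholds are assumptions chosen for this example.
"""
import re

# Constructed sample: a trimmed copy of the GDOI-G2 output shown in the post.
SAMPLE_GM_OUTPUT = """\
GROUP INFORMATION
    Group Name               : GDOI-G2
    Group Identity           : 2
    Group Type               : GDOI (ISAKMP)
    Rekeys received          : 0
    Group Server list        : 10.1.12.7
Group Member Information For Group GDOI-G2:
    Group member             : 10.1.14.9       vrf: None
       Registration status   : Registered
       Registered with       : 10.1.12.7
       Re-registers in       : 1097 sec
       Succeeded registration: 1
       Attempted registration: 8
       Active TEK Number     : 1
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83974
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet0/2:
    IPsec SA:
        spi: 0xA6F83D47(2801286471)
        transform: esp-3des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1176)
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()/-]*?)\s*:\s*(.+?)\s*$")
TEK_RE = re.compile(r"remaining key lifetime \(sec\): \((\d+)\)")
SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")


def parse_gm_output(text):
    """Return (fields dict, list of TEK dicts) from GM 'show crypto gdoi' text."""
    fields, teks = {}, []
    for line in text.splitlines():
        m = SPI_RE.search(line)
        if m:  # each 'spi:' line starts a new TEK entry
            teks.append({"spi": m.group(1), "remaining": None})
            continue
        m = TEK_RE.search(line)
        if m and teks:  # lifetime belongs to the most recent TEK
            teks[-1]["remaining"] = int(m.group(1))
            continue
        m = KV_RE.match(line)
        if m:  # generic 'Key : value' line; later duplicates overwrite earlier ones
            fields[m.group(1)] = m.group(2)
    return fields, teks


def _int_prefix(value):
    """'1097 sec' -> 1097."""
    return int(value.split()[0])


def health_findings(text, tek_warn_secs=300, max_extra_attempts=3):
    """Findings a NOC would want from one GM's output (thresholds are assumptions)."""
    fields, teks = parse_gm_output(text)
    findings = []
    if fields.get("Registration status") != "Registered":
        findings.append("CRITICAL: GM is not registered with the KS")
    succeeded = _int_prefix(fields.get("Succeeded registration", "0"))
    attempted = _int_prefix(fields.get("Attempted registration", "0"))
    if attempted - succeeded > max_extra_attempts:
        findings.append(f"WARN: {attempted} registration attempts for {succeeded} success(es); "
                        "check IKE policy, pre-shared key and path to the KS")
    if len(teks) == 1 and teks[0]["remaining"] is not None and teks[0]["remaining"] < tek_warn_secs:
        findings.append(f"WARN: only one TEK ({teks[0]['spi']}) and it expires in "
                        f"{teks[0]['remaining']} s; no replacement received yet")
    if fields.get("Encrypt Algorithm", "").upper() == "3DES":
        findings.append("WARN: KEK policy uses 3DES; prefer AES")
    return findings


if __name__ == "__main__":
    for finding in health_findings(SAMPLE_GM_OUTPUT):
        print(finding)
```

Two TEKs with one close to expiry is normal (the post's GDOI-G1 output shows exactly that during a rekey, with the new SA installed alongside the old one), which is why the TEK check only fires when a single TEK is left with little lifetime remaining.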
For our needs so far we have not needed ISAKMP profiles, but that will change when we come to look at Easy VPN, which is up next.