GET VPN - part eleven (multicast) - update

Update to GET VPN - part four (multicast) - http://myitmicroblog.svbtle.com/get-vpn-part-four

On one of my GMs I found a problem. It was registered but I didn’t see any ‘rekeys received’:

R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190


R3#

I saw the following messages:

R3#
*Dec 20 06:06:04.404: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP-RED may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 20 06:06:04.412: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP-RED using address 7.7.7.2
*Dec 20 06:06:05.000: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 20 06:06:05.008: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 20 06:06:05.136: %GDOI-5-GM_REGS_COMPL: Registration to KS 3.3.3.2 complete for group GDOI-GROUP-RED using address 7.7.7.2
*Dec 20 06:06:05.156: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 3.3.3.2 for group GDOI-GROUP-RED & gm identity  7.7.7.2
R3#
R3#
R3#
R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available

but the number was still zero:

Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190

I discovered one difference between the GMs that worked fine and this one:

crypto isakmp key cisco address 0.0.0.0

This is weird because my setup is VRF-aware and ISAKMP uses a keyring with the VRF MNG. Once I added this line to the configuration, I saw the number start to increase:

R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 7
    Number of Rekeys received after registration : 7
    Multicast destination address                : 239.192.1.190


R3#

When I removed this line, I noticed it still worked. Just a reminder: even if you see your GM is registered, it doesn't mean the re-keying process is working fine. Maybe a restart would solve the issue; I don't know, as I wasn't able to recreate the issue again. You should always check the rekeys value.
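The check recommended above, turned into a small parser for `show crypto gdoi gm rekey` output that flags groups which registered but never received a rekey. This is an added example, not code from the original post; the sample output is constructed from the counters shown in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the post's output: one group with no rekey
# info and one multicast group that registered but received zero rekeys.
SAMPLE_OUTPUT = """\
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190
"""

# "Group <name>" optionally followed by a mode in parentheses, e.g. "(Multicast)".
GROUP_RE = re.compile(r"^Group (\S+)(?: \((\w+)\))?\s*$")
# Both counter lines; the "(cumulative)" variant carries literal parentheses.
COUNTER_RE = re.compile(
    r"^\s*Number of Rekeys received \(?(cumulative|after registration)\)?\s*:\s*(\d+)"
)


def parse_gm_rekey(output: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Parse per-group rekey counters into {group: {mode, cumulative, after_registration}}.
    Groups that print "No rekey info available" keep None for both counters."""
    groups: Dict[str, Dict[str, Optional[int]]] = {}
    current = None
    for line in output.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"mode": m.group(2), "cumulative": None, "after_registration": None}
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            key = "cumulative" if m.group(1) == "cumulative" else "after_registration"
            groups[current][key] = int(m.group(2))
    return groups


def stale_rekey_groups(output: str) -> List[str]:
    """Groups that report a counter yet have received no rekeys since registration."""
    return [name for name, info in parse_gm_rekey(output).items()
            if info["after_registration"] == 0]
```

Run it against the output of each GM after registration; a non-empty result means the GM looks registered but the rekey path is not actually delivering.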

I also noticed that with 'ip pim sparse-mode' on the GMs' interfaces I can't see any rekeys. Once I removed it, it started working fine.

GM configuration:

ip multicast-routing
ip igmp ssm-map enable

ip pim ssm range 1
access-list 1 permit 239.192.1.190

It could also be caused by the fact that I did these tests on GNS3, not on real devices.

