GET VPN Basic Setup

From: Marcin Zgola <MZgola_at_netrixllc.com>
Date: Fri, 20 Nov 2009 15:32:54 -0600

Guys, trying to get GET VPN in the lab up and running. Just to understand the basics of GET VPN.

Here is my config. I can't get the tunnel interfaces to talk. I think my ACL is wrong, or maybe I am missing something totally different. I want to use GET VPN in a DMVPN environment where the DMVPN HUB will be a KEY SERVER as well.

HUB:
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile getvpn-profile
 set transform-set myset
!
crypto gdoi group TEST-VPN
 identity address ipv4 192.168.120.1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rekey-rsa
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 getvpn-traffic
   replay time window-size 10
  address ipv4 2.2.2.1
!
!
interface Tunnel1
 bandwidth 45000
 ip address 192.168.120.1 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 no ip next-hop-self eigrp 100
 ip pim sparse-dense-mode
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 300
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 100
 no ip mroute-cache
 qos pre-classify
 cdp enable
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1001
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
shut

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.0.0.0
!
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0 0.0.255.255

ip access-list extended getvpn-traffic
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

SPOKE:

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto gdoi group TEST-VPN
 identity address ipv4 192.168.120.1
 server address ipv4 2.2.2.1
!
!
crypto map TEST-VPN 1 gdoi
 set group TEST-VPN
!
interface Tunnel1
 bandwidth 1000
 ip address 192.168.120.128 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-dense-mode
 ip nhrp authentication dmvpn
 ip nhrp map multicast 2.2.2.1
 ip nhrp map 192.168.120.1 2.2.2.1
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.120.1
 ip virtual-reassembly
 ip summary-address eigrp 100 172.20.128.0 255.255.252.0 5
 no ip mroute-cache
 delay 1500
 qos pre-classify
 cdp enable
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MCENERY-VPN

Blogs and organic groups at http://www.ccie.net
Received on Fri Nov 20 2009 - 15:32:54 ART
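An added consistency check, not part of the original post or of any Cisco tooling: a small Python script (assumed helper, written for this page) that parses trimmed excerpts of the two configs above and flags the hub/spoke mismatches visible in them that stop an mGRE tunnel or a GDOI group member from coming up, namely the differing GRE `tunnel key` values and a `crypto map` applied on an interface without a matching definition. The config excerpts are constructed from the post; names and addresses are the post's own.

```python
import re
# Constructed excerpts of the hub and spoke configs from the post (only lines the checks use).
HUB_CFG = """crypto gdoi group TEST-VPN
 server local
  address ipv4 2.2.2.1
interface Tunnel1
 tunnel key 1001
"""
SPOKE_CFG = """crypto gdoi group TEST-VPN
 server address ipv4 2.2.2.1
crypto map TEST-VPN 1 gdoi
 set group TEST-VPN
interface Tunnel1
 tunnel key 1000
interface FastEthernet0/0
 crypto map MCENERY-VPN
"""

def parse_ios(cfg):
    """Map each top-level IOS line to its indented sub-lines (deeper nesting flattened)."""
    sections, cur = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            cur = None                      # '!' or a blank line ends the section
        elif raw[0] != " ":
            cur = raw.strip()
            sections.setdefault(cur, [])
        elif cur is not None:
            sections[cur].append(raw.strip())
    return sections

def first(p, lines):
    """First capture group of regex p matched at the start of any line, else None."""
    return next((m.group(1) for l in lines if (m := re.match(p, l))), None)

def check_pair(hub_cfg, spoke_cfg):
    """List hub/spoke mismatches that stop the DMVPN tunnel or the GDOI registration."""
    hub, spoke, findings = parse_ios(hub_cfg), parse_ios(spoke_cfg), []
    defined = {n.split()[2] for n in spoke if n.startswith("crypto map ")}
    for name, sub in spoke.items():
        if name.startswith("interface Tunnel") and name in hub:   # mGRE tunnel key must match
            hk, sk = first(r"tunnel key (\d+)", hub[name]), first(r"tunnel key (\d+)", sub)
            if hk != sk:
                findings.append(f"{name}: tunnel key {sk} on spoke, {hk} on hub")
        if name.startswith("crypto gdoi group "):   # spoke must point at the hub's KS address
            if first(r"server address ipv4 (\S+)", sub) != first(r"address ipv4 (\S+)", hub.get(name, [])):
                findings.append(f"{name}: key server address does not match the hub")
        applied = first(r"crypto map (\S+)$", sub)   # an applied crypto map must be defined
        if applied and applied not in defined:
            findings.append(f"{name}: crypto map {applied} applied but never defined")
    return findings
```

Running `check_pair(HUB_CFG, SPOKE_CFG)` reports the Tunnel1 key mismatch and the undefined MCENERY-VPN map; the GDOI server address check passes because both sides use 2.2.2.1.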

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART