RE: GETVPN question

From: Daniel Kutchin <daniel_at_kutchin.com>
Date: Fri, 8 Jan 2010 18:19:12 +0100

Remember that the RSA is associated with the COOP protocol
(To ensure KS redundancy). No need to export RSAs to GMs.

So if you don't export RSA keys (best practice: Prim KS -> Sec KSs),
while the GMs could be OK, at least initially,
the KSs can't peer properly nor sync rekey parameters with each other.
So coop will break, so also the KS election.
Therefore the first indication to look for
is multiple primary KSs (with peer status unknown).

### Possible error message ###
R5(config-ext-nacl)#
*Dec 6 12:29:50.543: %GDOI-4-COOP_KS_UNAUTH: Contact from unauthorized
 KS 150.1.4.4 in group crypto-gdoi- group-1 at local
address 150.1.5.5 (Possible MISCONFIG of peer/local address)

### verify the KSs ####
R6#show crypto gdoi ks <--- R6 is a KS
Total group members registered to this box: 3

Key Server Information For Group crypto-gdoi-group-1:
    Group Name : crypto-gdoi-group-1
    Group Identity : 1
    Group Members : 3 <---- check here
    IPSec SA Direction : Both
    ACL Configured:
        access-list acl-encrypted-traffic
    Redundancy : Configured
        Local Address : 150.1.6.6
        Local Priority : 50
        Local KS Status : Alive <--- check here
        Local KS Role : Primary <--- check here

R6#sh crypto gdoi ks coop
...
        Session 2:
                Server handle: 2147483652
                Peer Address: 150.1.5.5
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Unknown <- !!!

R4(config)#do show crypto gdoi ks member

Group Member Information :

Number of rekeys sent for group crypto-gdoi-group-1 : 0

Group Member ID : 10.0.0.1
Group ID : 1
Group Name : crypto-gdoi-group-1
Key Server ID : 0.0.0.0
Rekeys sent : 0
Rekeys retries : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

-
Daniel
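The symptoms Daniel lists (two KSs both reporting Local KS Role Primary, a COOP peer with Peer KS Status Unknown, and the %GDOI-4-COOP_KS_UNAUTH syslog) can be checked mechanically across a set of key servers. The following is an added example, not code from the thread or from Cisco: it parses constructed `show crypto gdoi ks` / `show crypto gdoi ks coop` output and syslog lines modelled on the ones quoted above (hostnames R5/R6 and the addresses are taken from the thread; the R5 output and the second syslog line are assumed) and returns the findings a troubleshooter would want to see first.

```python
import re

# Constructed sample output, modelled on the "show crypto gdoi ks" output in the thread.
# Both key servers claim to be Primary: the split-brain COOP symptom Daniel describes.
SHOW_KS = {
    "R6": """Key Server Information For Group crypto-gdoi-group-1:
    Group Name : crypto-gdoi-group-1
    Group Identity : 1
    Group Members : 3
    Redundancy : Configured
        Local Address : 150.1.6.6
        Local Priority : 50
        Local KS Status : Alive
        Local KS Role : Primary
""",
    "R5": """        Local Address : 150.1.5.5
        Local Priority : 75
        Local KS Status : Alive
        Local KS Role : Primary
""",  # assumed output for the second KS
}

# Constructed "show crypto gdoi ks coop" output: each KS sees the other as Unknown.
SHOW_KS_COOP = {
    "R6": """        Session 2:
                Server handle: 2147483652
                Peer Address: 150.1.5.5
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Unknown
""",
    "R5": """        Session 1:
                Server handle: 2147483651
                Peer Address: 150.1.6.6
                Peer Priority: 50
                Peer KS Role: Secondary , Peer KS Status: Unknown
""",
}

# Constructed syslog lines; the first is the COOP_KS_UNAUTH message quoted in the thread.
SYSLOG = [
    "*Dec 6 12:29:50.543: %GDOI-4-COOP_KS_UNAUTH: Contact from unauthorized KS 150.1.4.4 "
    "in group crypto-gdoi-group-1 at local address 150.1.5.5 "
    "(Possible MISCONFIG of peer/local address)",
    "*Dec 6 12:30:01.001: %SYS-5-CONFIG_I: Configured from console by console",
]

ROLE_RE = re.compile(r"Local KS Role\s*:\s*(\w+)")
STATUS_RE = re.compile(r"Local KS Status\s*:\s*(\w+)")
# One COOP session: the peer address, then (possibly on later lines) its role and status.
PEER_RE = re.compile(
    r"Peer Address:\s*(\S+).*?Peer KS Role:\s*(\w+)\s*,\s*Peer KS Status:\s*(\w+)", re.S)
UNAUTH_RE = re.compile(
    r"%GDOI-4-COOP_KS_UNAUTH: Contact from unauthorized KS (\S+) .*? at local address (\S+)")


def parse_local(text):
    """Return the local KS role and status from 'show crypto gdoi ks' output."""
    role = ROLE_RE.search(text)
    status = STATUS_RE.search(text)
    return {"role": role.group(1) if role else None,
            "status": status.group(1) if status else None}


def parse_peers(text):
    """Return one dict per COOP session from 'show crypto gdoi ks coop' output."""
    return [{"peer": p, "role": r, "status": s} for p, r, s in PEER_RE.findall(text)]


def check_coop(show_ks, show_ks_coop, syslog):
    """Collect the COOP failure indications from per-KS show output and syslog."""
    findings = []
    primaries = [h for h, t in show_ks.items() if parse_local(t)["role"] == "Primary"]
    if len(primaries) > 1:
        findings.append("multiple primary KSs: " + ", ".join(sorted(primaries)))
    for host, text in show_ks_coop.items():
        for peer in parse_peers(text):
            if peer["status"] != "Alive":
                findings.append(f"{host}: peer {peer['peer']} status {peer['status']}")
    for line in syslog:
        m = UNAUTH_RE.search(line)
        if m:
            findings.append(f"COOP_KS_UNAUTH: {m.group(2)} rejected peer {m.group(1)} "
                            "(RSA key not shared between KSs, or peer/local address misconfig)")
    return findings


if __name__ == "__main__":
    for finding in check_coop(SHOW_KS, SHOW_KS_COOP, SYSLOG):
        print(finding)
```

A healthy COOP pair yields no findings: exactly one KS reports Primary, every peer shows Alive, and no COOP_KS_UNAUTH line appears. Any of the three findings points back to the RSA key not having been exported from the primary KS to the secondaries, or to a peer/local address mismatch in the redundancy configuration.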

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ajay mehra
Sent: Freitag, 8. Januar 2010 08:00
To: ccielab_at_groupstudy.com
Subject: GETVPN question

Hi GS,

Is it mandatory to import keys in all COOP KSs for secondary KS to work
properly? I am doing INE VOL 1 and according to it this is a required step
to have COOP KSs. But looking at DOC CD I did not find any command in
example to import keys in COOP KSs. Also I could make it work in my lab
without importing the key in COOP KS. If my verification is wrong I may be
missing the concept. In my case I generated rsa exportable keys in both
Primary KS and COOP KS and configured GM to use both the KS.

Thanks for the help,

Ajay

Received on Fri Jan 08 2010 - 18:19:12 ART