Hi,
*Can someone please verify whether the ISAKMP key for VRF-aware GETVPN should be
in a VRF or not?*
Setup is R1 as KS and R2 and R3 as GMs.
Concept: the KS is not VRF aware, but USER traffic is inside a VRF. I'm not sure
whether on the GMs the ISAKMP key should be in the VRF or not.
*Scenario A: no ISAKMP key in a VRF. This works fine and I can see from "sh
crypto ipsec sa vrf GP100" that the counters are incrementing.*
R1: KS
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
R2/R3:GM
crypto isakmp key cisco address 10.0.0.100
*Scenario B: I'm not sure that it's the right thing to do. There is no
documentation out there for GET VPN PSK.*
Below *does NOT* work. Is this the right thing to do at all? If yes, what
needs to be added?
*KS*
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
*GM:*
crypto keyring GP200 vrf GP200
 no local-address Loopback0
 pre-shared-key address 10.0.0.100 key cisco
crypto keyring GP100 vrf GP100
 no local-address Loopback0
 pre-shared-key address 10.0.0.100 key cisco
!
crypto isakmp profile GP100
 vrf GP100
 keyring GP100
 match identity address 10.0.0.100 255.255.255.255 GP100
crypto isakmp profile GP200
 vrf GP200
 keyring GP200
 match identity address 10.0.0.100 255.255.255.255 GP200
crypto map GET-GP100 isakmp-profile GP100
crypto map GET-GP200 isakmp-profile GP200
-------------------------------------------------------------------------------------------------------------
*Full KS:*
access-list 100 permit ip 100.100.100.0 0.0.0.255 100.100.100.0 0.0.0.255
access-list 199 permit ip 200.200.200.0 0.0.0.255 200.200.200.0 0.0.0.255
crypto key generate rsa label rsagetvpn
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set cisco1
!
crypto gdoi group gdoi-GP100
 identity number 1000
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsagetvpn
  rekey transport unicast
  sa ipsec 1
   profile GDOI
   match address ipv4 100
   replay counter window-size 64
  address ipv4 10.0.0.100
!
crypto gdoi group gdoi-GP200
 identity number 2000
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsagetvpn
  rekey transport unicast
  sa ipsec 1
   profile GDOI
   match address ipv4 199
   replay counter window-size 64
  address ipv4 10.0.0.100
!
interface Vlan10
 ip address 10.0.0.100 255.255.255.0
----------------------------------------------------------------------------------------------------------
Full GM:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.0.100
!
crypto gdoi group gdoi-GP100
 identity number 1000
 server address ipv4 10.0.0.100
 client registration interface FastEthernet0/0.10
!
crypto map GET-GP100 10 gdoi
 set group gdoi-GP100
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding GP100
 ip address 100.0.0.2 255.255.255.0
 crypto map GET-GP100
!
Blogs and organic groups at http://www.ccie.net
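Added example, not part of the original post: a GM configuration that separates the two VRF roles the scenario-B config mixes up. It rests on the IOS semantics that the vrf keyword on crypto keyring and the trailing VRF name on match identity address both refer to the front-door VRF (FVRF, the VRF in which the IKE packets arrive), while vrf under crypto isakmp profile names the inside VRF (IVRF) for the IPsec SAs, and that the GDOI registration IKE session is sourced from the client registration interface, so its FVRF is that interface's VRF. Variant 1 reuses the addressing, VRF name and interfaces from the post; variant 2 assumes a topology the post does not show (KS reachable only inside VRF GP100) and has not been verified on a device, so treat it as an illustration of where a VRF-scoped keyring belongs rather than as a tested config.

```cisco
! Variant 1: registration interface in the global table (the posted GM).
! The registration IKE session leaves FastEthernet0/0.10, so its FVRF is
! global. A keyring tagged "vrf GP100" is consulted only for peers whose IKE
! packets arrive in FVRF GP100, and "match identity ... GP100" only matches
! that FVRF, so the scenario-B keyrings and profiles are never selected.
! The user VRF (IVRF) of the GDOI SAs comes from the interface that carries
! the crypto map, not from the ISAKMP profile, so the PSK stays global.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Global PSK (scenario A). A "crypto keyring" with no vrf keyword is the
! equivalent keyring form for FVRF global.
crypto isakmp key cisco address 10.0.0.100
!
crypto gdoi group gdoi-GP100
 identity number 1000
 server address ipv4 10.0.0.100
 client registration interface FastEthernet0/0.10
!
crypto map GET-GP100 10 gdoi
 set group gdoi-GP100
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding GP100
 ip address 100.0.0.2 255.255.255.0
 crypto map GET-GP100
!
! Variant 2 (assumed topology): the KS 10.0.0.100 is reachable only inside
! VRF GP100, so the registration interface itself sits in GP100. Only the
! lines that differ from variant 1 are shown. Now the IKE packets arrive in
! FVRF GP100, and a VRF-scoped keyring plus a profile matching on that FVRF
! is the right place for the PSK; "crypto isakmp key ... address" in the
! global table would not be consulted for this session.
no crypto isakmp key cisco address 10.0.0.100
!
crypto keyring GP100 vrf GP100
 pre-shared-key address 10.0.0.100 key cisco
!
crypto isakmp profile GP100
 vrf GP100
 keyring GP100
 match identity address 10.0.0.100 255.255.255.255 GP100
!
crypto map GET-GP100 isakmp-profile GP100
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding GP100
 ip address 10.0.0.2 255.255.255.0
```

The check that tells the two cases apart is which VRF the registration packets leave from: "show crypto isakmp sa detail" on the GM lists the FVRF/IVRF pair for the session to 10.0.0.100, and the keyring's vrf keyword has to agree with the FVRF shown there.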
Received on Wed Nov 20 2013 - 17:34:40 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART