Hi Jeremy
If your registration interface is not in a VRF (and I believe it is not),
you should not try to specify VRF for the key.
Regards,
Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
CCIE # 25665 :: Security
Direct: +1.810.332.1444
On Thu, Nov 21, 2013 at 2:34 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Hi,
>
> Can someone please verify whether the isakmp key for VRF-aware GETVPN should be
> in a VRF or not?
>
> Setup is R1 as KS and R2 and R3 are GMs.
>
> Concept is KS is not VRF aware but user traffic is inside a VRF; I'm not sure
> whether on the GMs the isakmp key should be in a VRF or not.
>
> Scenario A: No isakmp key in a VRF. This works fine and I can see from
> sh crypto ipsec sa vrf GP100 that counters are incrementing.
>
> R1: KS
>
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>
> R2/R3: GM
>
> crypto isakmp key cisco address 10.0.0.100
>
> Scenario B: I'm not sure that it's the right thing to do; there is no
> documentation out there for GET VPN PSK.
>
> Below does NOT work. Is this the right thing to do at all? If yes, what
> needs to be added?
>
> KS
>
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>
> GM:
>
> crypto keyring GP200 vrf GP200
>  no local-address Loopback0
>   pre-shared-key address 10.0.0.100 key cisco
>
> crypto keyring GP100 vrf GP100
>  no local-address Loopback0
>   pre-shared-key address 10.0.0.100 key cisco
> !
>
> crypto isakmp profile GP100
>    vrf GP100
>    keyring GP100
>    match identity address 10.0.0.100 255.255.255.255 GP100
>
> crypto isakmp profile GP200
>    vrf GP200
>    keyring GP200
>    match identity address 10.0.0.100 255.255.255.255 GP200
>
> crypto map GET-GP100 isakmp-profile GP100
> crypto map GET-GP200 isakmp-profile GP200
>
> -------------------------------------------------------------------------------------------------------------
>
> Full KS:
>
> access-list 100 permit ip 100.100.100.0 0.0.0.255 100.100.100.0 0.0.0.255
> access-list 199 permit ip 200.200.200.0 0.0.0.255 200.200.200.0 0.0.0.255
>
> crypto key generate rsa label rsagetvpn
>
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
>  mode transport
> !
> crypto ipsec profile GDOI
>  set security-association lifetime seconds 7200
>  set transform-set cisco1
> !
> crypto gdoi group gdoi-GP100
>  identity number 1000
>  server local
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa rsagetvpn
>   rekey transport unicast
>   sa ipsec 1
>    profile GDOI
>    match address ipv4 100
>    replay counter window-size 64
>   address ipv4 10.0.0.100
> !
> crypto gdoi group gdoi-GP200
>  identity number 2000
>  server local
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa rsagetvpn
>   rekey transport unicast
>   sa ipsec 1
>    profile GDOI
>    match address ipv4 199
>    replay counter window-size 64
>   address ipv4 10.0.0.100
> !
> interface Vlan10
>  ip address 10.0.0.100 255.255.255.0
>
> ----------------------------------------------------------------------------------------------------------
>
> Full GM:
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp key cisco address 10.0.0.100
> !
> crypto gdoi group gdoi-GP100
>  identity number 1000
>  server address ipv4 10.0.0.100
>  client registration interface FastEthernet0/0.10
> !
> crypto map GET-GP100 10 gdoi
>  set group gdoi-GP100
> !
> interface FastEthernet0/0.10
>  encapsulation dot1Q 10
>  ip address 10.0.0.2 255.255.255.0
> !
> interface FastEthernet0/0.100
>  encapsulation dot1Q 100
>  ip vrf forwarding GP100
>  ip address 100.0.0.2 255.255.255.0
>  crypto map GET-GP100
> !
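The GM side of Scenario B rewritten to follow Piotr's answer, as an added illustration that is not either poster's tested config: the registration interface FastEthernet0/0.10 is in the global table, so the keyring and the match identity line carry no VRF (the keyring's vrf keyword and the trailing argument of match identity both name the front-door VRF the ISAKMP packets arrive in), while the ISAKMP profile still names the inside VRF GP100 that the user traffic lives in. It assumes IOS accepts the isakmp-profile attachment to a GDOI crypto map exactly as the original post used it, reuses the thread's names and addresses, and is shown for GP100 only.

```cisco
! Added example, not from the thread; group GP100 only.
! Keyring in the global table: the registration interface is not in a VRF,
! so no "vrf" keyword here (that keyword would bind the key to a front-door
! VRF in which ISAKMP traffic to 10.0.0.100 never arrives).
crypto keyring GP100
  pre-shared-key address 10.0.0.100 key cisco
!
! Profile: inside VRF is GP100, front-door VRF stays global, so the
! match identity line has no trailing VRF argument.
crypto isakmp profile GP100
  vrf GP100
  keyring GP100
  match identity address 10.0.0.100 255.255.255.255
!
crypto gdoi group gdoi-GP100
  identity number 1000
  server address ipv4 10.0.0.100
  client registration interface FastEthernet0/0.10
!
! Attach the profile to the whole GDOI crypto map, as in the original post.
crypto map GET-GP100 isakmp-profile GP100
crypto map GET-GP100 10 gdoi
  set group gdoi-GP100
!
interface FastEthernet0/0.10
  encapsulation dot1Q 10
  ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.100
  encapsulation dot1Q 100
  ip vrf forwarding GP100
  ip address 100.0.0.2 255.255.255.0
  crypto map GET-GP100
!
```

Registration state can then be confirmed with show crypto gdoi and show crypto isakmp sa on the GM, and the data-plane counters with the same show crypto ipsec sa vrf GP100 used in Scenario A.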
Received on Thu Nov 21 2013 - 08:58:05 ART