GETVPN vrf aware - isakmp key in vrf or NOT in vrf?

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Wed, 20 Nov 2013 17:34:40 -0800

Hi,

*Can someone please verify whether the isakmp key for VRF-aware GETVPN should be
in the vrf or not?*

Setup is R1 as KS, and R2 and R3 are GMs.

The concept is that the KS is not vrf aware but USER traffic is inside a vrf; I'm not sure
whether on the GMs the isakmp key should be in the vrf or not.

*Scenario A: No isakmp key in vrf. This works fine and I can see from sh
crypto ipsec sa vrf GP100 that the counters are incrementing.*

R1: KS

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

R2/R3:GM

crypto isakmp key cisco address 10.0.0.100

*Scenario B: I'm not sure that it's the right thing to do. There is no
documentation out there for GET VPN PSK.*

Below *does NOT* work. Is this the right thing to do at all? If yes, what
needs to be added?

*KS*

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

*GM:*

crypto keyring GP200 vrf GP200
 no local-address Loopback0
 pre-shared-key address 10.0.0.100 key cisco
!
crypto keyring GP100 vrf GP100
 no local-address Loopback0
 pre-shared-key address 10.0.0.100 key cisco
!
crypto isakmp profile GP100
 vrf GP100
 keyring GP100
 match identity address 10.0.0.100 255.255.255.255 GP100
!
crypto isakmp profile GP200
 vrf GP200
 keyring GP200
 match identity address 10.0.0.100 255.255.255.255 GP200
!
crypto map GET-GP100 isakmp-profile GP100
crypto map GET-GP200 isakmp-profile GP200

-------------------------------------------------------------------------------------------------------------

*Full KS:*

access-list 100 permit ip 100.100.100.0 0.0.0.255 100.100.100.0 0.0.0.255
access-list 199 permit ip 200.200.200.0 0.0.0.255 200.200.200.0 0.0.0.255

crypto key generate rsa label rsagetvpn

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set cisco1
!
crypto gdoi group gdoi-GP100
 identity number 1000
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsagetvpn
  rekey transport unicast
  sa ipsec 1
   profile GDOI
   match address ipv4 100
   replay counter window-size 64
  address ipv4 10.0.0.100
!
crypto gdoi group gdoi-GP200
 identity number 2000
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsagetvpn
  rekey transport unicast
  sa ipsec 1
   profile GDOI
   match address ipv4 199
   replay counter window-size 64
  address ipv4 10.0.0.100
!
interface Vlan10
 ip address 10.0.0.100 255.255.255.0

----------------------------------------------------------------------------------------------------------

Full GM:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.0.100
!
crypto gdoi group gdoi-GP100
 identity number 1000
 server address ipv4 10.0.0.100
 client registration interface FastEthernet0/0.10
!
crypto map GET-GP100 10 gdoi
 set group gdoi-GP100
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding GP100
 ip address 100.0.0.2 255.255.255.0
 crypto map GET-GP100
!

Blogs and organic groups at http://www.ccie.net
Received on Wed Nov 20 2013 - 17:34:40 ART