GDOI not GDOIing.
- From: spam.sc@xxxxxxxxx
- Date: Wed, 30 Jan 2008 14:38:51 -0800 (PST)
I'm trying to do what should be at heart a simple configuration. I
have three routers: A, the keyserver, B, the local client, and C, the
remote. B and C are connected via their serial ports. I've used the
examples in the "Cisco IOS Security Configuration Guide" to configure
all three (all running IOS v.12.4(13r)T).
On the keyserver /show crypto gdoi/ shows me a KS in "Alive" mode, a
unicast group, but no group members. On the clients I see an active
group server (router A) and a group name and identity that matches
what's on the keyserver. Rekeys are all 0 and ACLs and TEK Policy for
Serial 0/0/0 are blank. If I try to show SAs on any of the three, they
all come up blank.
Here are the configs, redacted a bit. Let's call A 1.1, B 2.1, and C
3.1.
Keyserver (A):
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key keykey address 1.1.2.1
crypto isakmp key keykey address 1.1.3.1
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-branches
set security-association lifetime seconds 1800
set transform-set gdoi-trans-group1
!
crypto gdoi group branches
identity number 1
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa branchkeys
rekey transport unicast
sa ipsec 1
profile gdoi-profile-branches
match address ipv4 198
replay counter window-size 64
address ipv4 1.1.1.1
redundancy
local priority 10
peer address ipv4 1.1.1.2
access-list 198 permit ip any any
(I got desperate on the ACL).
Here's Router B:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key keykey address 1.1.1.1
!
crypto gdoi group branches
identity number 1
server address ipv4 1.1.1.1
!
!
crypto map map-group1 10 gdoi
set group branches
interface Serial0/0/0
description connected to RouterC
ip unnumbered FastEthernet0/0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip ospf network point-to-point
no fair-queue
crypto map map-group1
And last, Router C:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key keykey address 1.1.1.1
!
!
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
crypto gdoi group branches
identity number 1
server address ipv4 1.1.1.1
!
!
crypto map map-group1 10 gdoi
set group branches
interface Serial0/0/0
description connected to RouterB
backup delay 5 120
backup interface Dialer1
ip unnumbered FastEthernet0/0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no fair-queue
crypto map map-group1
Some statuses
Keyserver:
RouterA#show crypto gdoi ipsec sa
SA created for group branches:
RouterA#show crypto ipsec profile
IPSEC profile gdoi-profile-branches
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): N
Transform sets={
gdoi-trans-group1,
}
Both the clients look like:
RouterB#show crypto gdoi
GROUP INFORMATION
Group Name : branches
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 1.1.1.1
Group Server list : 1.1.1.1
GM Reregisters in : 0 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
ACL Downloaded From KS 1.1.1.1
TEK POLICY:
Serial0/0/0:
So I'm about as lost as a piggy looking for its mammy in a sausage
factory. Anything obvious I'm missing here?
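A pre-flight consistency check for a key server plus group member setup like the one above, added here as an example and not code from the post or from Cisco. It parses constructed, trimmed copies of the three configs quoted in the thread, fills in the IOS defaults for any isakmp policy attribute a router leaves unspecified (hash sha, encryption des, authentication rsa-sig, DH group 1), and reports anything that must agree between KS and GM but does not: ISAKMP policy attributes, pre-shared keys in both directions, group identity, the server address the GM registers to, and whether a gdoi crypto map for that group is applied to an interface. The member addresses 1.1.2.1 and 1.1.3.1 are the ones named in the key server's pre-shared-key lines.

```python
"""Consistency check across a GDOI key server and its group members.

Added example, not code from the original post. KS_CFG and GM_CFG are
constructed copies of the thread's configs, trimmed to the lines this
check reads. Router B and Router C are identical in those lines.
"""

# IOS defaults for attributes omitted from 'crypto isakmp policy'.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

KS_CFG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key keykey address 1.1.2.1
crypto isakmp key keykey address 1.1.3.1
!
crypto gdoi group branches
 identity number 1
 server local
  address ipv4 1.1.1.1
"""

GM_CFG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key keykey address 1.1.1.1
!
crypto gdoi group branches
 identity number 1
 server address ipv4 1.1.1.1
!
crypto map map-group1 10 gdoi
 set group branches
!
interface Serial0/0/0
 crypto map map-group1
"""

# Addresses as the post names them: A is 1.1.1.1, B is 1.1.2.1, C is 1.1.3.1.
MEMBERS = {"RouterB": ("1.1.2.1", GM_CFG), "RouterC": ("1.1.3.1", GM_CFG)}


def parse_ios(text):
    """Pull out the few sections the GDOI check needs from an IOS config."""
    cfg = {"policies": [], "keys": {}, "gdoi": {}, "cmaps": {}, "ifaces": {}}
    block = None  # (kind, dict) for the section currently being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            block = None
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            block = ("policy", {})
            cfg["policies"].append(block[1])
        elif tok[:3] == ["crypto", "isakmp", "key"] and len(tok) >= 6:
            cfg["keys"][tok[5]] = tok[3]  # peer address -> pre-shared key
            block = None
        elif tok[:3] == ["crypto", "gdoi", "group"]:
            block = ("gdoi", cfg["gdoi"])
            cfg["gdoi"]["name"] = tok[3]
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            block = ("cmap", cfg["cmaps"].setdefault(tok[2], {}))
        elif tok[0] == "interface":
            block = ("iface", cfg["ifaces"].setdefault(tok[1], {}))
        elif block is None:
            continue
        elif block[0] == "policy" and tok[0] in ("encr", "hash", "authentication", "group", "lifetime"):
            block[1][tok[0]] = tok[1]
        elif block[0] == "gdoi" and tok[:2] == ["identity", "number"]:
            block[1]["identity"] = tok[2]
        elif block[0] == "gdoi" and tok[:3] == ["server", "address", "ipv4"]:
            block[1]["server"] = tok[3]  # GM: where it registers
        elif block[0] == "gdoi" and tok[:2] == ["address", "ipv4"]:
            block[1]["local_address"] = tok[2]  # KS: address under 'server local'
        elif block[0] == "cmap" and tok[:2] == ["set", "group"]:
            block[1]["group"] = tok[2]
        elif block[0] == "iface" and tok[:2] == ["crypto", "map"]:
            block[1]["crypto_map"] = tok[2]
    return cfg


def check_gdoi(ks, members):
    """Return findings (strings) for a parsed KS and {name: (address, parsed cfg)} members."""
    findings = []
    ks_policy = {**ISAKMP_DEFAULTS, **ks["policies"][0]}
    ks_addr = ks["gdoi"].get("local_address")
    group = ks["gdoi"].get("name")
    for name, (gm_addr, gm) in members.items():
        gm_policy = {**ISAKMP_DEFAULTS, **gm["policies"][0]}
        for attr in ISAKMP_DEFAULTS:  # lifetime is negotiated, so it is not compared
            if ks_policy[attr] != gm_policy[attr]:
                findings.append(f"{name}: isakmp {attr} {gm_policy[attr]} vs KS {ks_policy[attr]}")
        if gm["keys"].get(ks_addr) is None:
            findings.append(f"{name}: no pre-shared key for KS {ks_addr}")
        elif gm["keys"][ks_addr] != ks["keys"].get(gm_addr):
            findings.append(f"{name}: pre-shared key for {ks_addr} does not match KS key for {gm_addr}")
        if gm["gdoi"].get("identity") != ks["gdoi"].get("identity"):
            findings.append(f"{name}: group identity differs from KS")
        if gm["gdoi"].get("server") != ks_addr:
            findings.append(f"{name}: registers to {gm['gdoi'].get('server')}, KS listens on {ks_addr}")
        applied = {i["crypto_map"] for i in gm["ifaces"].values() if "crypto_map" in i}
        if not any(gm["cmaps"].get(m, {}).get("group") == group for m in applied):
            findings.append(f"{name}: no interface carries a gdoi crypto map for group {group}")
    return findings


def run_example():
    """Run the check over the thread's configs; an empty list means nothing to fix here."""
    ks = parse_ios(KS_CFG)
    return check_gdoi(ks, {n: (a, parse_ios(c)) for n, (a, c) in MEMBERS.items()})


if __name__ == "__main__":
    print("\n".join(run_example()) or "no mismatches found")
```

Run as-is it reports one line per group member about the ISAKMP hash attribute, because the key server sets `hash md5` while the members leave hash at its default; add the same attribute on both sides (or drop it on the KS) and the report is empty. The check reads only the KS's first policy and each GM's first policy, which is all these configs have; a fuller tool would try every policy pair the way IKE does.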