GETVPN spokes' IPsec comes up, but not spoke-to-hub

Hi, I'd like some help in identifying why this simple setup is not working. Simple hub with 2 spokes (CS2 & CS3); the hub (CS1) is the NTP and key server, each with one router behind it for testing purposes. Below are the running configs and some show output. The bottom of the post shows the hub does not have an IPsec SA with the spokes. Although the spokes show IPsec SA output, there are no packets encrypted/decrypted even while the test routers are telnetting to each other.

Your help is greatly appreciated.

Mike G.

C1#sh run
Building configuration...
C1#
!
hostname C1
!
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
ip domain name INE.com
!
crypto pki server carsa
 database level names
 issuer-name CN=c1 L=MYDESK C=US
!
crypto pki trustpoint carsa
 revocation-check crl
 rsakeypair carsa
!
crypto pki trustpoint C1-MYSELF-CA
 enrollment url http://10.1.1.2:80
 revocation-check none
!
!
crypto pki certificate chain carsa
 certificate ca 01
!
!<snip>
!
        quit
crypto pki certificate chain C1-MYSELF-CA
 certificate 04
!
!<snip>
!
        quit
 certificate ca 01
!
!<snip>
!
crypto isakmp policy 100
 group 5
!
!
crypto ipsec transform-set TSET1 esp-aes
 mode transport
!
crypto ipsec profile P1
 set transform-set TSET1
!
crypto gdoi group GETVPN1
 identity number 1234
 server local
  rekey retransmit 10 number 2
  sa ipsec 1
   profile P1
   match address ipv4 private-traffic
   replay counter window-size 64
  address ipv4 10.1.1.2
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.1.4.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip http server
!
ip access-list extended private-traffic
 deny   udp any eq 848 any eq 848
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
ntp authentication-key 1 md5 1511021F0725 7
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.2 key 1
!
end

C1#


C2#sh run
!
hostname C2
!
clock timezone PST -8
clock summer-time PDT recurring
!
ip domain name INE.com
!
crypto pki trustpoint carsa
 enrollment url http://10.1.1.2:80
 revocation-check none
!
!
crypto pki certificate chain carsa
 certificate 03
!
!<snip>
!
        quit
 certificate ca 01
!
!<snip>
!
        quit
!
crypto gdoi group GETVPN1
 identity number 1234
 server address ipv4 10.1.1.2
!
!
crypto map GETMAP 10 gdoi
 set group GETVPN1
!
interface FastEthernet0/0
 ip address 10.1.2.2 255.255.255.0
 crypto map GETMAP
!
interface FastEthernet0/1
 ip address 10.1.5.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ntp authentication-key 1 md5 13061E010803 7
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.2 key 1
!
end

C2#
C3#sh run
!
hostname C3
!
clock timezone PST -8
clock summer-time PDT recurring
!
ip domain name INE.com
!
crypto pki trustpoint carsa
 enrollment url http://10.1.1.2:80
 revocation-check none
!
!
crypto pki certificate chain carsa
 certificate 02
!
!<snip>
!
        quit
 certificate ca 01
!
!<snip>
!
        quit
!
crypto gdoi group GETVPN1
 identity number 1234
 server address ipv4 10.1.1.2
!
!
crypto map GETMAP 10 gdoi
 set group GETVPN1
!
interface FastEthernet0/0
 ip address 10.1.3.2 255.255.255.0
 crypto map GETMAP
!
interface FastEthernet0/1
 ip address 10.1.6.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ntp authentication-key 1 md5 01100F175804 7
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.2 key 1
!
end

C3#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GETMAP, local addr 10.1.3.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.3.2, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x52ABEBC1(1386998721)

     inbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: GETMAP
        sa timing: remaining key lifetime (sec): (2531)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: GETMAP
        sa timing: remaining key lifetime (sec): (2531)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
C3#sh access-list

C3#


C2#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GETMAP, local addr 10.1.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.2.2, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x52ABEBC1(1386998721)

     inbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: GETMAP
        sa timing: remaining key lifetime (sec): (2419)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: GETMAP
        sa timing: remaining key lifetime (sec): (2419)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
C2#

C1#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 10.1.3.2 port 848
  IKE SA: local 10.1.1.2/848 remote 10.1.3.2/848 Active

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 10.1.2.2 port 848
  IKE SA: local 10.1.1.2/848 remote 10.1.2.2/848 Active

C2#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer:  port 848
  IKE SA: local 10.1.2.2/848 remote 10.1.1.2/848 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.1.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: deny 17 0.0.0.0/0.0.0.0 port 848 0.0.0.0/0.0.0.0 port 848
        Active SAs: 0, origin: crypto map

C2#
C3#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer:  port 848
  IKE SA: local 10.1.3.2/848 remote 10.1.1.2/848 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.1.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: deny 17 0.0.0.0/0.0.0.0 port 848 0.0.0.0/0.0.0.0 port 848
        Active SAs: 0, origin: crypto map

C2#sh crypto gdoi gm acl
Group Name: GETVPN1
 ACL Downloaded From KS 10.1.1.2:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 ACL Configured Locally:


C3#sh crypto gdoi gm acl
Group Name: GETVPN1
 ACL Downloaded From KS 10.1.1.2:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 ACL Configured Locally:

C1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GETVPN1 : 0

Group Member ID   : 10.1.2.2
Group ID          : 1234
Group Name        : GETVPN1
Key Server ID     : 10.1.1.2

Group Member ID   : 10.1.3.2
Group ID          : 1234
Group Name        : GETVPN1
Key Server ID     : 10.1.1.2

C1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.3.2        GDOI_IDLE         1008    0 ACTIVE
10.1.1.2        10.1.2.2        GDOI_IDLE         1009    0 ACTIVE

C1#


C2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.2.2        GDOI_IDLE         1005    0 ACTIVE

IPv6 Crypto ISAKMP SA

C2#
C3#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.3.2        GDOI_IDLE         1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

C3#

C1#sh cry ipsec sa

No SAs found

C1#

Comments

  • Hi,

       I see that traffic is encrypted by both GMs, but no traffic is decrypted; I'm not sure what traffic you used to test the data plane. The reason why there is no IPsec SA (Phase 2) on C1 is that it is your key server, which is not encrypting/decrypting traffic; it is just the control plane for the GETVPN deployment.

    Regards,

    Cristian.

  • Hello, and thanks for the feedback. I have a router behind each spoke to generate Telnet to a router behind C1. Are you saying that the key server cannot function as the hub? If this is the case, this would explain the behavior in this scenario. However, this would mean the spokes would encrypt the Telnet on their end, and if the hub is not decrypting the traffic, then the spokes would not be able to Telnet to the router behind the hub; but in this lab, the spokes are able to Telnet.

    Regards,

    Mike

  • Hi,

        You need to understand the GETVPN functionality. The key server, depending on the code you're running, cannot also function as a GM, so if it's not a GM, it cannot participate in the encryption/decryption domain; it cannot actively encrypt/decrypt traffic. The KS is only responsible for the control plane, pushing the KEK, TEK and proxy ACL to the GMs. It has nothing to do with being a hub or spoke.

    Regards,

    Cristian.
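As an added triage example (not part of the original post, and not Cisco code), the script below parses the two spokes' `show crypto ipsec sa` output and the key server's `show crypto gdoi ks members` listing, with the sample text copied from the show output in this thread and trimmed to the lines the parser needs. It reports the symptom discussed above in machine-checkable form: each GM encapsulates packets but decapsulates none, and the key server address 10.1.1.2 does not appear in its own member list, so it holds no data-plane SA. It also flags two things the thread's configs show but nobody raised: the transform set `esp-aes` carries no ESP integrity algorithm, and the GMs report `replay detection support: N` even though the KS configures a replay window. The device labels C2/C3 and the finding codes are this example's own naming.

```python
"""Triage helper for the one-way GETVPN encryption symptom in this thread."""
import re
from dataclasses import dataclass

# Constructed sample input: the C2 and C3 `show crypto ipsec sa` blocks from
# the post, reduced to the lines the checks below read.
SPOKE_SA_OUTPUT = {
    "C2": """
interface: FastEthernet0/0
    Crypto map tag: GETMAP, local addr 10.1.2.2
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        replay detection support: N
""",
    "C3": """
interface: FastEthernet0/0
    Crypto map tag: GETMAP, local addr 10.1.3.2
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x52ABEBC1(1386998721)
        transform: esp-aes ,
        replay detection support: N
""",
}

# Constructed sample input: C1's `show crypto gdoi ks members` from the post.
KS_MEMBERS_OUTPUT = """
Group Member Information :

Number of rekeys sent for group GETVPN1 : 0

Group Member ID   : 10.1.2.2
Group ID          : 1234
Group Name        : GETVPN1
Key Server ID     : 10.1.1.2

Group Member ID   : 10.1.3.2
Group ID          : 1234
Group Name        : GETVPN1
Key Server ID     : 10.1.1.2
"""


@dataclass
class SaCounters:
    device: str
    local_addr: str
    encaps: int
    decaps: int
    transform: str
    replay_detection: bool


def parse_ipsec_sa(device: str, text: str) -> SaCounters:
    """Extract the fields this check needs from one `show crypto ipsec sa`."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"{device}: pattern {pattern!r} not found")
        return conv(m.group(1))

    return SaCounters(
        device=device,
        local_addr=grab(r"local addr (\S+)"),
        encaps=grab(r"#pkts encaps:\s*(\d+)", int),
        decaps=grab(r"#pkts decaps:\s*(\d+)", int),
        transform=grab(r"transform:\s*([^,]+?)\s*,"),
        replay_detection=grab(r"replay detection support:\s*([YN])") == "Y",
    )


def parse_ks_members(text: str) -> tuple[str, list[str]]:
    """Return (key server ID, [group member IDs]) from `show crypto gdoi ks members`."""
    ks = re.search(r"Key Server ID\s*:\s*(\S+)", text)
    members = re.findall(r"Group Member ID\s*:\s*(\S+)", text)
    if ks is None or not members:
        raise ValueError("no group member records found")
    return ks.group(1), members


def diagnose(sas: list[SaCounters], ks_id: str, members: list[str]) -> list[tuple[str, str, str]]:
    """Return (code, where, message) findings; codes are this example's own."""
    findings = []
    for sa in sas:
        if sa.encaps > 0 and sa.decaps == 0:
            findings.append(("ONE_WAY", sa.device,
                             f"{sa.encaps} packets encapsulated, 0 decapsulated: "
                             "no peer is returning group-encrypted traffic"))
        if "hmac" not in sa.transform.lower():
            findings.append(("NO_INTEGRITY", sa.device,
                             f"transform '{sa.transform}' has no ESP integrity algorithm"))
        if not sa.replay_detection:
            findings.append(("NO_REPLAY", sa.device, "replay detection support is N on this SA"))
    if ks_id not in members:
        findings.append(("KS_NOT_GM", ks_id,
                         "key server is not registered as a group member, so it holds "
                         "no data-plane SA and cannot encrypt or decrypt group traffic"))
    return findings


def triage(sa_outputs: dict[str, str], ks_output: str) -> list[tuple[str, str, str]]:
    """Run the whole check over captured show output."""
    sas = [parse_ipsec_sa(dev, text) for dev, text in sa_outputs.items()]
    ks_id, members = parse_ks_members(ks_output)
    return diagnose(sas, ks_id, members)


if __name__ == "__main__":
    for code, where, msg in triage(SPOKE_SA_OUTPUT, KS_MEMBERS_OUTPUT):
        print(f"[{code}] {where}: {msg}")
```

Run it against fresh captures by replacing the two sample strings; a GM that shows both encaps and decaps climbing, and a hub-site router that appears in the member list, is the state this thread is trying to reach.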
