Simplified Networking

GETVPN - Key Server and Group Member Unicast Setup w/ PSK

In this example, IOS15 is the key server (KS) and R3, CSR1, CSR8, CSR9 and CSR10 are the group members (GMs). Each GM is configured to register with the KS and then download the crypto policy from it. This is set up over the MPLS connection, which is the transport mechanism in this lab: GET VPN was originally intended to work over an any-to-any transport such as an MPLS L3 VPN in a full-mesh design. Not shown is the BGP-to-EIGRP and EIGRP-to-BGP redistribution done on all the GMs to allow the exchange of routes between all the sites.



IOS15 - Key Server
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.15.15
!
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP
!
ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 permit ip any any



R3, CSR1, CSR8, CSR9 and CSR10
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP

R3
interface GigabitEthernet0/2
 crypto map GDOI

CSR1
interface GigabitEthernet3
 crypto map GDOI

CSR8
interface GigabitEthernet3
 crypto map GDOI

CSR9
interface GigabitEthernet1
 crypto map GDOI

CSR10
interface GigabitEthernet2
 crypto map GDOI
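The following is an added example, not code from the original page or from Cisco: a small Python checker that reads the key server lines above (the isakmp policy, the PSK, the transform set and the GETVPN ACL, copied into the script as a constructed string), evaluates which flows the downloaded policy encrypts and which it leaves in the clear, renders the ACL the way `show crypto gdoi gm acl` displays it on a group member, and flags the settings that are lab-grade rather than production-grade. The port-name table and the finding texts are my own.

```python
import re

# Constructed copy of the key server lines the checks read (isakmp policy,
# PSK, transform set and the GETVPN ACL, copied from this page).
KS_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 permit ip any any
"""

# IOS port keywords from the ACL, resolved to the numbers that
# `show crypto gdoi gm acl` prints on the group member.
PORT_NAMES = {"bgp": 179, "snmp": 161, "isakmp": 500}
ACE_RE = re.compile(
    r"\s*(permit|deny)\s+(\w+)\s+any(?:\s+eq\s+(\S+))?\s+any(?:\s+eq\s+(\S+))?\s*$"
)

def _port(tok):
    return None if tok is None else (int(tok) if tok.isdigit() else PORT_NAMES[tok])

def parse_getvpn_acl(config, name="GETVPN"):
    """Return [(action, proto, src_port, dst_port)] for the named extended ACL;
    only the 'any [eq p] any [eq p]' forms used on this page are handled."""
    rules, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
            continue
        if inside and not line.startswith(" "):
            inside = False  # left the ACL block
        if not inside:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line.strip()}")
        action, proto, sport, dport = m.groups()
        rules.append((action, proto, _port(sport), _port(dport)))
    return rules

def classify_flow(rules, proto, sport=None, dport=None):
    """First match wins. GETVPN semantics: 'permit' = encrypt with the group TEK,
    'deny' and the implicit deny = forward in the clear, which is what keeps
    GDOI (848/udp), BGP and SNMP reachable before the policy is installed."""
    for action, rproto, rsport, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return "encrypt" if action == "permit" else "bypass"
    return "bypass"

def render_gm_acl(rules):
    """Rules in the form the group member shows under 'ACL Downloaded From KS'."""
    lines = []
    for action, proto, sport, dport in rules:
        src = "any" if sport is None else f"any port = {sport}"
        dst = "any" if dport is None else f"any port = {dport}"
        lines.append(f"{action} {proto} {src} {dst}")
    return lines

# (pattern, finding) pairs for settings that are fine in a lab but weak today.
WEAK_SETTINGS = [
    (r"^\s*encr 3des$", "IKE policy uses 3DES; prefer AES"),
    (r"^\s*hash md5$", "IKE policy uses MD5; prefer SHA-256 or stronger"),
    (r"^\s*group 5$", "IKE policy uses DH group 5; prefer group 14 or higher"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0",
     "wildcard PSK: any source address may attempt IKE with this key"),
    (r"esp-3des|esp-md5-hmac", "IPsec transform uses 3DES/MD5; prefer AES with SHA-2"),
]

def audit_ks_config(config):
    """Return the weak-setting findings for a KS configuration, one per line."""
    findings = []
    for line in config.splitlines():
        for pattern, finding in WEAK_SETTINGS:
            if re.search(pattern, line):
                findings.append(finding)
    return findings
```

In a GETVPN crypto ACL a `deny` entry is a bypass, not a drop: GDOI, BGP and SNMP are excluded so that registration, routing and management keep working before the TEK is installed.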



Key Server Phase 1
ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 10.8.10.8, peer port 848
ISAKMP: (0):New peer created peer = 0xE072790 peer_handle = 0x80000017
ISAKMP: (0):Locking peer struct 0xE072790, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = CBCEFE0
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 

ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0):      encryption 3DES-CBC
ISAKMP: (0):      hash MD5
ISAKMP: (0):      default group 5
ISAKMP: (0):      auth pre-share
ISAKMP: (0):      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.

ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID is DPD
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):speaking to another IOS box!
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID seems Unity/DPD but major 110 mismatch
ISAKMP: (1010):vendor ID is XAUTH
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):His hash no match - this node outside NAT
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):No NAT Found for self or peer
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM3  New State = IKE_R_MM3 

ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM3  New State = IKE_R_MM4 

ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_KEY_EXCH
ISAKMP: (1010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1010):Old State = IKE_R_MM4  New State = IKE_R_MM5 

ISAKMP: (1010):processing ID payload. message ID = 0
ISAKMP: (1010):ID payload
        next-payload : 8
        type         : 1
ISAKMP: (1010):   address      : 10.8.10.8
ISAKMP: (1010):   protocol     : 17
        port         : 848
        length       : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1010):processing HASH payload. message ID = 0
ISAKMP: (1010):processing NOTIFY INITIAL_CONTACT protocol 1
 ID = 0, sa = 0xCBCEFE0
ISAKMP: (1010):SA authentication status:

ISAKMP: (1010):SA has been authenticated with 10.8.10.8
ISAKMP: (1010):SA authentication status:

ISAKMP: (1010):Process initial contact,
ase 1 and 2 SA's with local 15.15.15.15 remote 10.8.10.8 remote port 848
ISAKMP: (0):Trying to insert a peer 15.15.15.15/10.8.10.8/848/, 
ISAKMP: (0): and inserted successfully E072790.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM5  New State = IKE_R_MM5 

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1010):SA is doing 
ISAKMP: (1010):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1010):ID payload
        next-payload : 8
        type         : 1
ISAKMP: (1010):   address      : 15.15.15.15
ISAKMP: (1010):   protocol     : 17
        port         : 848
        length       : 12
ISAKMP: (1010):Total payload length: 12
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE      
ISAKMP: (1010):set new node 526252361 to GDOI_IDLE      
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):processing NONCE payload. message ID = 526252361
ISAKMP: (1010):GDOI Container Payloads:
  ID
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_LISTEN  New State = IKE_KS_GET_SA_POLICY_AWAIT
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI SA sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
  SA
ISAKMP: (1002):IKE SA DELETE Req recvd from GDOI
ISAKMP: (1002):peer does not do paranoid keepalives.
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE      
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_SA_POLICY_AWAIT  New State = IKE_KS_AWAIT_ACK
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE      
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_AWAIT_ACK  New State = IKE_KS_GET_KD_AWAIT
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):KS processing get KD policy packet length 0

GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):gkm_process_ack_payload, type NONE length 0

GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI KD sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
  GDOI SEQUENCE NUMBER
  GDOI KEY DOWNLOAD(KD)
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE      
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_KD_AWAIT  New State = IKE_KS_DONE





Group Member ISAKMP and IPsec debugs
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
IPSEC(key_engine): got a queue event with 1 KMI message(s)
%CRYPTO-5-GM_REGSTER: Start registration to KS 15.15.15.15 for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP-ERROR: (0):no idb in request
ISAKMP: (0):SA request profile is (NULL)
ISAKMP: (0):Created a peer struct for 15.15.15.15, peer port 848
ISAKMP: (0):New peer created peer = 0x80007F09771739C8 peer_handle = 0x800000008000026C
ISAKMP: (0):Locking peer struct 0x80007F09771739C8, refcount 1 for isakmp_initiator
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):set new node 0 to QM_IDLE      
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F0977A37D58
ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP: (0):constructed NAT-T vendor-07 ID
ISAKMP: (0):constructed NAT-T vendor-03 ID
ISAKMP: (0):constructed NAT-T vendor-02 ID
ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1 

ISAKMP: (0):beginning Main Mode exchange
ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_NO_STATE
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_NO_STATE
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0):      encryption 3DES-CBC
ISAKMP: (0):      hash MD5
ISAKMP: (0):      default group 5
ISAKMP: (0):      auth pre-share
ISAKMP: (0):      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 0
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.

ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is Unity
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is DPD
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):speaking to another IOS box!
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):His hash no match - this node outside NAT
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):No NAT Found for self or peer
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM4  New State = IKE_I_MM4 

ISAKMP: (1666):Send initial contact
ISAKMP: (1666):SA is doing 
ISAKMP: (1666):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1666):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1666): address      : 10.8.10.8
ISAKMP: (1666): protocol     : 17 
        port         : 848 
        length       : 12
ISAKMP: (1666):Total payload length: 12
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_KEY_EXCH
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM4  New State = IKE_I_MM5 

ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_KEY_EXCH
ISAKMP: (1666):processing ID payload. message ID = 0
ISAKMP: (1666):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1666): address      : 15.15.15.15
ISAKMP: (1666): protocol     : 17 
        port         : 848 
        length       : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1666):processing HASH payload. message ID = 0
ISAKMP: (1666):SA authentication status:
        authenticated
ISAKMP: (1666):SA has been authenticated with 15.15.15.15
ISAKMP: (0):Trying to insert a peer 10.8.10.8/15.15.15.15/848/, 
ISAKMP: (0): and inserted successfully 80007F09771739C8.
ISAKMP: (1666):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1666):Old State = IKE_I_MM5  New State = IKE_I_MM6 

ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM6  New State = IKE_I_MM6 

ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

ISAKMP: (1666):Begin GDOI Registration:

ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE      
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, IKE_INIT_GDOI
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA  New State = IKE_GM_AWAIT_SA
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1666):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE      
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):processing NONCE payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
        SA
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA  New State = IKE_GM_SET_SA_POLICY_AWAIT
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE      
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_SET_SA_POLICY_AWAIT  New State = IKE_GM_AWAIT_KD
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE      
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
        GDOI SEQUENCE NUMBER
        GDOI KEY DOWNLOAD(KD)
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_KD  New State = IKE_GM_INSTALL_KD_AWAIT
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xE2577A6753B66540B93B277110818300
%GDOI-5-GM_REGS_COMPL: Registration to KS 15.15.15.15 complete for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP: (1666):GDOI Container Payloads:
        GDOI SEQUENCE NUMBER
        GDOI KEY DOWNLOAD(KD)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP-ERROR: (1666):deleting node 2427027841 error TRUE reason "GDOI GM registration complete"
ISAKMP: (1666):Registration Complete

ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_INSTALL_KD_AWAIT  New State = IKE_GM_DONE
ISAKMP-ERROR: (1666):Could not find the Node with MID: 2427027841
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F09DCD6BE80
IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.8.10.8, sa_proto= 50, 
    sa_spi= 0x529586E7(1385531111), 
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2191
    sa_lifetime(k/sec)= (0/3228),
  (identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
IPSEC(create_sa): sa created,
  (sa) sa_dest= 0.0.0.0, sa_proto= 50, 
    sa_spi= 0x529586E7(1385531111), 
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2192
    sa_lifetime(k/sec)= (0/3228),
  (identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 15.15.15.15 for group GETVPNGROUP & gm identity 10.8.10.8 fvrf default ivrf default


GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI SA sent successfully by KS
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):KS processing get KD policy packet length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):gkm_process_ack_payload, type NONE length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI KD sent successfully by KS
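The debug output above is long, and on a busy group member one registration is buried among others. The following is an added example, not code from the original page or from Cisco: a Python tracker that reduces a `debug crypto isakmp` capture to the final state per ISAKMP SA, the order of the GDOI container payloads, and the ISAKMP-ERROR lines that actually need a look. The excerpt embedded in it is constructed from the group member debug shown above; the benign-error list holds the one reason IOS prints on every successful registration and is my own choice. Run over the key server debug above, the same functions report IKE_KS_DONE with the payload order ID, SA, sequence number, KD.

```python
import re

# Constructed excerpt of the group-member `debug crypto isakmp` output shown
# on this page, including the ISAKMP-ERROR lines that appear on a normal run.
GM_DEBUG = """\
ISAKMP-ERROR: (0):no idb in request
ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP: (1666):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
ISAKMP: (1666):Begin GDOI Registration:

ISAKMP: (1666):GDOI Container Payloads:
        SA
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA  New State = IKE_GM_SET_SA_POLICY_AWAIT
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
ISAKMP: (1666):GDOI Container Payloads:
        GDOI SEQUENCE NUMBER
        GDOI KEY DOWNLOAD(KD)
ISAKMP: (1666):Old State = IKE_GM_AWAIT_KD  New State = IKE_GM_INSTALL_KD_AWAIT
%GDOI-5-GM_REGS_COMPL: Registration to KS 15.15.15.15 complete for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP-ERROR: (1666):deleting node 2427027841 error TRUE reason "GDOI GM registration complete"
ISAKMP: (1666):Old State = IKE_GM_INSTALL_KD_AWAIT  New State = IKE_GM_DONE
ISAKMP-ERROR: (1666):Could not find the Node with MID: 2427027841
"""

STATE_RE = re.compile(r"ISAKMP: \((\d+)\):Old State = (\S+)\s+New State = (\S+)")
CONTAINER_RE = re.compile(r"ISAKMP: \((\d+)\):GDOI Container Payloads:")
ERROR_RE = re.compile(r"ISAKMP-ERROR: \((\d+)\):(.*)")
SYSLOG_RE = re.compile(r"%(?:GDOI|CRYPTO)-\d-(\w+):")
# ISAKMP-ERROR text that IOS emits when a registration finished normally.
BENIGN_ERRORS = ('reason "GDOI GM registration complete"',)
KD = "GDOI KEY DOWNLOAD(KD)"

def parse_debug(text):
    """Collect state transitions per ISAKMP SA id, the GDOI container payload
    names (the indented lines after the header), ISAKMP-ERROR messages and
    syslog mnemonics from one debug capture."""
    parsed = {"transitions": [], "payloads": [], "errors": [], "syslog": []}
    container = None
    for line in text.splitlines():
        if container is not None and line[:1].isspace() and line.strip():
            container.append(line.strip())
            continue
        container = None
        if m := STATE_RE.match(line):
            parsed["transitions"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := CONTAINER_RE.match(line):
            container = []
            parsed["payloads"].append((int(m.group(1)), container))
        elif m := ERROR_RE.match(line):
            parsed["errors"].append((int(m.group(1)), m.group(2).strip()))
        elif m := SYSLOG_RE.match(line):
            parsed["syslog"].append(m.group(1))
    return parsed

def registration_verdict(parsed):
    """One verdict per capture: did a GDOI state machine reach *_DONE, did the
    SA policy arrive before the key download, and which errors need a look."""
    final = {}
    for sa_id, _old, new in parsed["transitions"]:
        final[sa_id] = new  # last transition wins
    sequence = [name for _sa, names in parsed["payloads"] for name in names]
    order_ok = ("SA" in sequence and KD in sequence
                and sequence.index("SA") < sequence.index(KD))
    done = any(s in ("IKE_GM_DONE", "IKE_KS_DONE") for s in final.values())
    review = [(sa, msg) for sa, msg in parsed["errors"]
              if not msg.endswith(BENIGN_ERRORS)]
    return {
        "complete": done and order_ok,
        "final_states": final,
        "payload_sequence": sequence,
        "errors_to_review": review,
        "syslog": parsed["syslog"],
    }

def summarize(text):
    """Convenience wrapper: raw debug text in, verdict dict out."""
    return registration_verdict(parse_debug(text))
```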



IOSv15#show crypto gdoi 
GROUP INFORMATION

    Group Name               : GETVPNGROUP (Unicast)
    Re-auth on new CRL       : Disabled
    Group Identity           : 100
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Group Members            : 5
    IPSec SA Direction       : Both
    IP D3P Window            : Disabled
    CKM status               : Disabled
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 68539 secs
        Time to Rekey        : 68314 secs
        Acknowledgement Cfg  : Cisco
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 10
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : DMVPN
      Replay method          : Count Based
      Replay Window Size     : 64
      Tagging method         : Disabled
      SA Rekey
         Remaining Lifetime  : 1815 secs
        Time to Rekey        : 1429 secs
      ACL Configured         : access-list GETVPN

     Group Server list       : Local




IOSv15#show crypto gdoi ks members summary 

Group Member Information : 

Group Name: GETVPNGROUP, ID: 100, Group Members: 5
Key Server ID: 10.1.15.15, GMDB state: LOCAL, Group Members: 5
  Member ID     Version      Rekey sent     Rekey Ack missed
  10.1.10.10    1.0.16         5               0
  10.3.10.3     1.0.17         5               2
  10.8.10.8     1.0.16         5               0
  10.9.10.9     1.0.16         5               0
  10.10.10.10   1.0.16         5               0




IOSv15#show crypto gdoi ks identifier 

KS Sender ID (KSSID) Information for Group GETVPNGROUP:

    Transform Mode           : Non-Counter (Non-Suite-B)
    Re-initializing          : No
    SID Length (Group Size)  : 24 bits (MEDIUM)
    Current KSSID In-Use     : none
    Last GMSID Used          : none



IOSv15#show crypto gdoi ks policy 
Key Server Policy:
For group GETVPNGROUP (handle: 2147483650) server 10.1.15.15 (handle: 2147483650):

  # of teks : 1  Seq num : 15
  KEK POLICY (transport type : Unicast)
    spi : 0xB93B277110818300E2577A6753B66540
    management alg     : disabled    encrypt alg       : AES       
    crypto iv length   : 16          key size          : 16      
    orig life(sec)     : 86400       remaining life(sec): 68464     
    time to rekey (sec): 68239     
    sig hash algorithm : enabled     sig key length    : 294     
    sig size           : 256       
    sig key name       : GETVPN
    acknowledgement    : Cisco

  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xF09AF78
    access-list        : GETVPN
    CKM rekey epoch    : N/A (disabled)
    transform          : esp-3des esp-md5-hmac 
    alg key size       : 24            sig key size          : 16        
    orig life(sec)     : 3600          remaining life(sec)   : 1740      
    tek life(sec)      : 3600          elapsed time(sec)     : 1860      
    override life (sec): 0             antireplay window size: 64        
    time to rekey (sec): 1354      



CSR1#show crypto gdoi gm 
Group Member Information For Group GETVPNGROUP:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GETVPNGROUP_temp_acl

    Group member             : 10.1.10.10      vrf: None
       Local addr/port       : 10.1.10.10/848
       Remote addr/port      : 15.15.15.15/848
       fvrf/ivrf             : None/None
       Version               : 1.0.16
       Registration status   : Registered
       Registered with       : 15.15.15.15
       Re-registers in       : 1339 sec
       Succeeded registration: 6
       Attempted registration: 6
       Last rekey from       : 10.1.15.15
       Last rekey seq num    : 13
       Unicast rekey received: 5
       Rekey ACKs sent       : 5
       Rekey Rcvd(hh:mm:ss)  : 00:34:36
       DP Error Monitoring   : OFF
       IPSEC init reg executed    : 0
       IPSEC init reg postponed   : 0
       Active TEK Number     : 1
       SA Track (OID/status) : disabled



CSR1#show crypto gdoi gm acl 
Group Name: GETVPNGROUP
 ACL Downloaded From KS 10.1.15.15:
   access-list   deny udp any any port = 848
   access-list   deny udp any port = 848 any
   access-list   deny tcp any any port = 179
   access-list   deny tcp any port = 179 any
   access-list   deny udp any any port = 161
   access-list   deny udp any port = 161 any
   access-list   permit ip any any
 ACL Configured Locally: 
 ACL of default bypass policy for group-key management traffic:
   GigabitEthernet3: deny udp host 10.1.10.10 eq 848 any eq 848



CSR1#show crypto gdoi gm dataplane counters 

Data-plane statistics for group GETVPNGROUP:
    #pkts encrypt            : 7885     #pkts decrypt            : 0    
    #pkts tagged (send)      : 0        #pkts untagged (rcv)     : 0    
    #pkts no sa (send)       : 0        #pkts invalid sa (rcv)   : 0    
    #pkts encaps fail (send) : 0        #pkts decap fail (rcv)   : 0    
    #pkts invalid prot (rcv) : 0        #pkts verify fail (rcv)  : 0    
    #pkts not tagged (send)  : 0        #pkts not untagged (rcv) : 0    
    #pkts internal err (send): 0        #pkts internal err (rcv) : 0    




CSR10#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.15.15.15     10.10.10.10     GDOI_IDLE         1068 ACTIVE



CSR10#show crypto ipsec sa 

interface: GigabitEthernet2
    Crypto map tag: GDOI, local addr 10.10.10.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   Group: GETVPNGROUP
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 417, #pkts encrypt: 417, #pkts digest: 417
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.10, remote crypto endpt.: 0.0.0.0
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xF09AF78(252292984)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF09AF78(252292984)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2247, flow_id: CSR:247, sibling_flags FFFFFFFF80000008, crypto map: GDOI
        sa timing: remaining key lifetime (sec): 1352
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF09AF78(252292984)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2248, flow_id: CSR:248, sibling_flags FFFFFFFF80000008, crypto map: GDOI
        sa timing: remaining key lifetime (sec): 1352
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:



SW23#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.20.23.20 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/3328] via 10.20.23.20, 04:09:48, Vlan23
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
      10.0.0.0/8 is variably subnetted, 25 subnets, 2 masks
D EX     10.0.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.1.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.1.11.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.1.13.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.1.15.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.2.8.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.2.9.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.2.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.3.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.8.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.8.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.9.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.9.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D        10.10.10.0/24 [90/3328] via 10.20.23.20, 04:11:06, Vlan23
D        10.10.20.0/24 [90/3072] via 10.20.23.20, 04:11:23, Vlan23
D EX     10.18.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.18.21.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.19.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.19.22.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.20.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.255.1.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.255.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX     10.255.100.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
      15.0.0.0/32 is subnetted, 1 subnets
D EX     15.15.15.15 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
      33.0.0.0/32 is subnetted, 1 subnets
D EX     33.33.33.33 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
      88.0.0.0/32 is subnetted, 1 subnets
D EX     88.88.88.88 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
      101.0.0.0/32 is subnetted, 1 subnets
D        101.101.101.101 [90/131072] via 10.20.23.20, 04:11:06, Vlan23




SW23#ping 10.19.22.22        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/32/46 ms