In this example, IOS15 is the key server (KS) and R3, CSR1, CSR8, CSR9 and CSR10 are the group members (GMs). The GMs are configured to register with the KS and then download the crypto policy. The setup runs over the MPLS connection, which matches what GET VPN was originally intended for: an any-to-any transport such as an MPLS L3 VPN in a full-mesh design. Not shown is the BGP-to-EIGRP and EIGRP-to-BGP redistribution done on all the GMs to allow the exchange of routes between all the sites.
IOS15 - Key Server
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.15.15
!
crypto map GDOI 10 gdoi
 set group GETVPNGROUP
!
ip access-list extended GETVPN
 deny udp any any eq 848
 deny udp any eq 848 any
 deny tcp any any eq bgp
 deny tcp any eq bgp any
 deny udp any any eq snmp
 deny udp any eq snmp any
 permit ip any any
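The GETVPN access-list above is the part of the policy that decides what the GMs encrypt. In GET VPN a permit entry means "encrypt with the group TEK" and a deny entry means "forward in the clear", so the denies are the control-plane exemptions that have to keep working before any IPsec SA exists: GDOI registration and rekey on UDP 848, BGP to the MPLS provider, and SNMP management. The following Python is an added example, not code from the original page or from Cisco IOS. It evaluates just the subset of IOS extended-ACL syntax this list uses (permit/deny, ip/tcp/udp, any, host, eq with a number or the bgp/snmp names), classifies constructed sample flows, and renders the list in the "port = N" form that the GM prints in show crypto gdoi gm acl further down the page.

```python
"""Which traffic does a GET VPN crypto ACL encrypt, and which does it pass in the clear?

Added example, not code from the original page or from Cisco IOS.  Handles the
subset of IOS extended-ACL syntax used by the GETVPN access-list above.
GET VPN semantics: 'permit' = encrypt with the group TEK, 'deny' = send in the
clear; the implicit deny at the end of the list also means clear text.
"""
from dataclasses import dataclass
from typing import Optional

# The key server's access-list, copied from the configuration above.
GETVPN_ACL = """
deny udp any any eq 848
deny udp any eq 848 any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny udp any any eq snmp
deny udp any eq snmp any
permit ip any any
"""

# IOS well-known port names used by this ACL (the GM displays them as numbers).
PORT_NAMES = {"bgp": 179, "snmp": 161}


@dataclass
class Ace:
    action: str             # "permit" (encrypt) or "deny" (clear text)
    proto: str              # "ip", "tcp" or "udp"
    src: Optional[str]      # None means "any"
    sport: Optional[int]    # None means any source port
    dst: Optional[str]
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_endpoint():
        # Consume "any" or "host X", then an optional "eq <port>".
        nonlocal rest
        if rest[0] == "any":
            addr, rest = None, rest[1:]
        elif rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            raise ValueError(f"unsupported address form: {rest[0]!r}")
        port = None
        if rest and rest[0] == "eq":
            port, rest = _port(rest[1]), rest[2:]
        return addr, port

    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _matches(ace: Ace, proto, src, sport, dst, dport) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and ace.src != src:
        return False
    if ace.dst is not None and ace.dst != dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def classify(acl, proto, src, dst, sport=0, dport=0) -> str:
    """First matching entry wins: 'encrypt' for permit, 'clear' for deny."""
    for ace in acl:
        if _matches(ace, proto, src, sport, dst, dport):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"  # implicit deny: GET VPN forwards unmatched traffic unencrypted


def render_downloaded(acl) -> list:
    """Render entries the way 'show crypto gdoi gm acl' prints the downloaded policy."""
    out = []
    for a in acl:
        parts = ["access-list", a.action, a.proto]
        for addr, port in ((a.src, a.sport), (a.dst, a.dport)):
            parts.append("any" if addr is None else f"host {addr}")
            if port is not None:
                parts += ["port", "=", str(port)]
        out.append(" ".join(parts))
    return out


if __name__ == "__main__":
    acl = parse_acl(GETVPN_ACL)
    # Constructed sample flows: GDOI registration, BGP, SNMP and ordinary site traffic.
    flows = [("udp", "10.8.10.8", "15.15.15.15", 848, 848),
             ("tcp", "10.1.10.10", "10.1.15.15", 40000, 179),
             ("udp", "10.255.10.5", "10.10.20.2", 50000, 161),
             ("icmp", "10.1.10.10", "10.19.22.22", 0, 0)]
    for f in flows:
        print(f, "->", classify(acl, *f))
    print("\n".join(render_downloaded(acl)))
```

Because the KS pushes this list to every GM, a change to it changes what the whole group sends in clear text; the evaluator is a cheap way to check a proposed edit against the flows that matter (registration, routing, management, and the site-to-site traffic that must stay encrypted) before committing it.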
R3, CSR1, CSR8, CSR9 and CSR10
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
crypto map GDOI 10 gdoi
 set group GETVPNGROUP
R3
interface GigabitEthernet0/2
 crypto map GDOI
CSR1
interface GigabitEthernet3
 crypto map GDOI
CSR8
interface GigabitEthernet3
 crypto map GDOI
CSR9
interface GigabitEthernet1
 crypto map GDOI
CSR10
interface GigabitEthernet2
 crypto map GDOI
Key Server Phase 1
ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 10.8.10.8, peer port 848
ISAKMP: (0):New peer created peer = 0xE072790 peer_handle = 0x80000017
ISAKMP: (0):Locking peer struct 0xE072790, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = CBCEFE0
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID is DPD
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):speaking to another IOS box!
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID seems Unity/DPD but major 110 mismatch
ISAKMP: (1010):vendor ID is XAUTH
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):His hash no match - this node outside NAT
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):No NAT Found for self or peer
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_KEY_EXCH
ISAKMP: (1010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1010):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP: (1010):processing ID payload. message ID = 0
ISAKMP: (1010):ID payload
 next-payload : 8
 type : 1
ISAKMP: (1010): address : 10.8.10.8
ISAKMP: (1010): protocol : 17
 port : 848
 length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1010):processing HASH payload. message ID = 0
ISAKMP: (1010):processing NOTIFY INITIAL_CONTACT protocol 1
 spi 0, message ID = 0, sa = 0xCBCEFE0
ISAKMP: (1010):SA authentication status:
 authenticated
ISAKMP: (1010):SA has been authenticated with 10.8.10.8
ISAKMP: (1010):SA authentication status:
 authenticated
ISAKMP: (1010):Process initial contact,
bring down existing phase 1 and 2 SA's with local 15.15.15.15 remote 10.8.10.8 remote port 848
ISAKMP: (0):Trying to insert a peer 15.15.15.15/10.8.10.8/848/,
ISAKMP: (0): and inserted successfully E072790.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM5 New State = IKE_R_MM5
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1010):SA is doing
ISAKMP: (1010):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1010):ID payload
 next-payload : 8
 type : 1
ISAKMP: (1010): address : 15.15.15.15
ISAKMP: (1010): protocol : 17
 port : 848
 length : 12
ISAKMP: (1010):Total payload length: 12
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE
ISAKMP: (1010):set new node 526252361 to GDOI_IDLE
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):processing NONCE payload. message ID = 526252361
ISAKMP: (1010):GDOI Container Payloads:
ID
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_LISTEN New State = IKE_KS_GET_SA_POLICY_AWAIT
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI SA sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
SA
ISAKMP: (1002):IKE SA DELETE Req recvd from GDOI
ISAKMP: (1002):peer does not do paranoid keepalives.
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_SA_POLICY_AWAIT New State = IKE_KS_AWAIT_ACK
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_AWAIT_ACK New State = IKE_KS_GET_KD_AWAIT
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):KS processing get KD policy packet length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):gkm_process_ack_payload, type NONE length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI KD sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_KD_AWAIT New State = IKE_KS_DONE
Group Member ISAKMP and IPsec debugs
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
IPSEC(key_engine): got a queue event with 1 KMI message(s)
%CRYPTO-5-GM_REGSTER: Start registration to KS 15.15.15.15 for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP-ERROR: (0):no idb in request
ISAKMP: (0):SA request profile is (NULL)
ISAKMP: (0):Created a peer struct for 15.15.15.15, peer port 848
ISAKMP: (0):New peer created peer = 0x80007F09771739C8 peer_handle = 0x800000008000026C
ISAKMP: (0):Locking peer struct 0x80007F09771739C8, refcount 1 for isakmp_initiator
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):set new node 0 to QM_IDLE
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F0977A37D58
ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP: (0):constructed NAT-T vendor-07 ID
ISAKMP: (0):constructed NAT-T vendor-03 ID
ISAKMP: (0):constructed NAT-T vendor-02 ID
ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP: (0):beginning Main Mode exchange
ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_NO_STATE
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_NO_STATE
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 0
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM2
ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is Unity
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is DPD
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):speaking to another IOS box!
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):His hash no match - this node outside NAT
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):No NAT Found for self or peer
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM4 New State = IKE_I_MM4
ISAKMP: (1666):Send initial contact
ISAKMP: (1666):SA is doing
ISAKMP: (1666):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1666):ID payload
next-payload : 8
type : 1
ISAKMP: (1666): address : 10.8.10.8
ISAKMP: (1666): protocol : 17
port : 848
length : 12
ISAKMP: (1666):Total payload length: 12
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_KEY_EXCH
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_KEY_EXCH
ISAKMP: (1666):processing ID payload. message ID = 0
ISAKMP: (1666):ID payload
next-payload : 8
type : 1
ISAKMP: (1666): address : 15.15.15.15
ISAKMP: (1666): protocol : 17
port : 848
length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1666):processing HASH payload. message ID = 0
ISAKMP: (1666):SA authentication status:
authenticated
ISAKMP: (1666):SA has been authenticated with 15.15.15.15
ISAKMP: (0):Trying to insert a peer 10.8.10.8/15.15.15.15/848/,
ISAKMP: (0): and inserted successfully 80007F09771739C8.
ISAKMP: (1666):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1666):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM6 New State = IKE_I_MM6
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP: (1666):Begin GDOI Registration:
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, IKE_INIT_GDOI
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA New State = IKE_GM_AWAIT_SA
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1666):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):processing NONCE payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
SA
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA New State = IKE_GM_SET_SA_POLICY_AWAIT
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_SET_SA_POLICY_AWAIT New State = IKE_GM_AWAIT_KD
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_KD New State = IKE_GM_INSTALL_KD_AWAIT
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xE2577A6753B66540B93B277110818300
%GDOI-5-GM_REGS_COMPL: Registration to KS 15.15.15.15 complete for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP: (1666):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP-ERROR: (1666):deleting node 2427027841 error TRUE reason "GDOI GM registration complete"
ISAKMP: (1666):Registration Complete
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_INSTALL_KD_AWAIT New State = IKE_GM_DONE
ISAKMP-ERROR: (1666):Could not find the Node with MID: 2427027841
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F09DCD6BE80
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.8.10.8, sa_proto= 50,
sa_spi= 0x529586E7(1385531111),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2191
sa_lifetime(k/sec)= (0/3228),
(identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
IPSEC(create_sa): sa created,
(sa) sa_dest= 0.0.0.0, sa_proto= 50,
sa_spi= 0x529586E7(1385531111),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2192
sa_lifetime(k/sec)= (0/3228),
(identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 15.15.15.15 for group GETVPNGROUP & gm identity 10.8.10.8 fvrf default ivrf default
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI SA sent successfully by KS
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):KS processing get KD policy packet length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):gkm_process_ack_payload, type NONE length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI KD sent successfully by KS
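Both traces above (the key server's phase 1 and the group member's registration) tell the same story through their Old State / New State lines: main mode runs MM1 to MM6, IKE_P1_COMPLETE is reached, and the GDOI exchange then walks the GM from IKE_GM_AWAIT_SA through IKE_GM_AWAIT_KD to IKE_GM_DONE while the KS walks IKE_KS_LISTEN through IKE_KS_GET_KD_AWAIT to IKE_KS_DONE. The following Python is an added example, not code from the original page or from Cisco IOS: it reads debug lines in the format shown above, records the state transitions and the phase 1 attributes that were accepted, and reports whether phase 1 completed and whether the registration reached a done state. The sample trace is a shortened copy of the GM trace above; the set of algorithms it labels legacy (3DES, MD5, DH groups 1, 2 and 5) is this checker's own policy, not something the page states.

```python
"""Follow an IOS 'debug crypto isakmp' / 'debug crypto gdoi' trace and judge the outcome.

Added example, not code from the original page or from Cisco IOS.  Works on the
debug format shown above for either side of a GDOI registration.
"""
import re

STATE_RE = re.compile(r"ISAKMP: \((\d+)\):Old State = (\S+) New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP: \(\d+\): (encryption|hash|default group|auth) (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")

# Checker policy (an assumption of this example): IKEv1 attributes worth flagging.
LEGACY_ENC = {"DES-CBC", "3DES-CBC"}
LEGACY_HASH = {"MD5"}
LEGACY_GROUPS = {"1", "2", "5"}
DONE_STATES = {"IKE_GM_DONE", "IKE_KS_DONE"}

# Shortened copy of the group member trace above (state and attribute lines only).
SAMPLE_GM_TRACE = """\
%CRYPTO-5-GM_REGSTER: Start registration to KS 15.15.15.15 for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP: (1666):No NAT Found for self or peer
ISAKMP: (1666):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP: (1666):SA has been authenticated with 15.15.15.15
ISAKMP: (1666):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP: (1666):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA New State = IKE_GM_SET_SA_POLICY_AWAIT
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
ISAKMP: (1666):Old State = IKE_GM_SET_SA_POLICY_AWAIT New State = IKE_GM_AWAIT_KD
ISAKMP: (1666):Old State = IKE_GM_AWAIT_KD New State = IKE_GM_INSTALL_KD_AWAIT
%GDOI-5-GM_REGS_COMPL: Registration to KS 15.15.15.15 complete for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP: (1666):Old State = IKE_GM_INSTALL_KD_AWAIT New State = IKE_GM_DONE
"""


def parse_trace(text: str) -> dict:
    """Collect transitions, accepted phase 1 attributes and the GDOI outcome."""
    s = {"transitions": [], "conn_ids": set(), "attrs": {},
         "authenticated_with": None, "nat_free": False,
         "registration_logged": False, "errors": []}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            s["conn_ids"].add(int(m.group(1)))   # IOS moves from id 0 to a real conn id after KE
            s["transitions"].append((m.group(2), m.group(3)))
            continue
        m = ATTR_RE.search(line)
        if m:
            s["attrs"][m.group(1)] = m.group(2)
            continue
        m = AUTH_RE.search(line)
        if m:
            s["authenticated_with"] = m.group(1)
        if "No NAT Found for self or peer" in line:
            s["nat_free"] = True
        if "%GDOI-5-GM_REGS_COMPL" in line or "GDOI KD sent successfully by KS" in line:
            s["registration_logged"] = True
        if line.startswith("ISAKMP-ERROR"):
            s["errors"].append(line)   # kept for the operator; not all of these are failures
    s["final_state"] = s["transitions"][-1][1] if s["transitions"] else None
    return s


def assess(s: dict) -> dict:
    """Turn the parsed trace into a pass/fail view plus the legacy-algorithm findings."""
    new_states = [new for _, new in s["transitions"]]
    a, legacy = s["attrs"], []
    if a.get("encryption") in LEGACY_ENC:
        legacy.append(a["encryption"])
    if a.get("hash") in LEGACY_HASH:
        legacy.append(a["hash"])
    if a.get("default group") in LEGACY_GROUPS:
        legacy.append("group " + a["default group"])
    return {
        "phase1_ok": "IKE_P1_COMPLETE" in new_states and s["authenticated_with"] is not None,
        "registration_ok": s["final_state"] in DONE_STATES and s["registration_logged"],
        "legacy_algorithms": legacy,
    }


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_GM_TRACE)
    print("final state:", summary["final_state"])
    print(assess(summary))
```

Run against a trace that stops before IKE_P1_COMPLETE (a registration that hangs in MM3/MM4, for example) the checker reports phase1_ok False and leaves final_state at the last main-mode state seen, which is the first thing to look at when a GM never reaches the GDOI exchange.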
IOSv15#show crypto gdoi
GROUP INFORMATION
Group Name : GETVPNGROUP (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 100
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 5
IPSec SA Direction : Both
IP D3P Window : Disabled
CKM status : Disabled
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 68539 secs
Time to Rekey : 68314 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : DMVPN
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 1815 secs
Time to Rekey : 1429 secs
ACL Configured : access-list GETVPN
Group Server list : Local
IOSv15#show crypto gdoi ks members summary
Group Member Information :
Group Name: GETVPNGROUP, ID: 100, Group Members: 5
Key Server ID: 10.1.15.15, GMDB state: LOCAL, Group Members: 5
Member ID       Version   Rekey sent  Rekey Ack missed
10.1.10.10      1.0.16    5           0
10.3.10.3       1.0.17    5           2
10.8.10.8       1.0.16    5           0
10.9.10.9       1.0.16    5           0
10.10.10.10     1.0.16    5           0
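The members summary above is the table to watch on the KS: one member (10.3.10.3, the only one on a different code version) has missed two unicast rekey ACKs while the others have missed none. The following Python is an added example, not code from the original page or from Cisco IOS; it parses that output (the sample is copied from the table above), checks that the row count matches the header's Group Members count, and lists members with missed ACKs and members whose version differs from the majority. The alert threshold of one missed ACK is an assumption of the example.

```python
"""Check 'show crypto gdoi ks members summary' output for rekey problems.

Added example, not code from the original page or from Cisco IOS.
"""
import re
from collections import Counter

# Copied from the key server output above.
SAMPLE_MEMBERS = """\
Group Member Information :
Group Name: GETVPNGROUP, ID: 100, Group Members: 5
Key Server ID: 10.1.15.15, GMDB state: LOCAL, Group Members: 5
Member ID       Version   Rekey sent  Rekey Ack missed
10.1.10.10      1.0.16    5           0
10.3.10.3       1.0.17    5           2
10.8.10.8       1.0.16    5           0
10.9.10.9       1.0.16    5           0
10.10.10.10     1.0.16    5           0
"""

HDR_RE = re.compile(r"Group Name: (\S+), ID: (\d+), Group Members: (\d+)")
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_members(text: str) -> dict:
    """Return the group name, the member count the KS claims, and one dict per member row."""
    parsed = {"group": None, "group_id": None, "expected": None, "members": []}
    for line in text.splitlines():
        m = HDR_RE.search(line)
        if m:
            parsed["group"], parsed["group_id"] = m.group(1), int(m.group(2))
            parsed["expected"] = int(m.group(3))
        m = ROW_RE.match(line.strip())
        if m:
            parsed["members"].append({
                "member": m.group(1),
                "version": m.group(2),
                "rekey_sent": int(m.group(3)),
                "ack_missed": int(m.group(4)),
            })
    return parsed


def assess(parsed: dict, missed_threshold: int = 1) -> dict:
    """Flag count mismatches, members missing rekey ACKs, and version outliers."""
    members = parsed["members"]
    versions = Counter(r["version"] for r in members)
    majority = versions.most_common(1)[0][0] if versions else None
    return {
        "count_ok": parsed["expected"] == len(members),
        "missed_acks": {r["member"]: r["ack_missed"]
                        for r in members if r["ack_missed"] >= missed_threshold},
        "version_outliers": {r["member"]: r["version"]
                             for r in members if r["version"] != majority},
    }


if __name__ == "__main__":
    p = parse_members(SAMPLE_MEMBERS)
    print(p["group"], "members:", len(p["members"]), "expected:", p["expected"])
    print(assess(p))
```

With unicast rekey the KS retransmits an unacknowledged rekey only as many times as Rekey Retransmit Attempts allows (2 in the show crypto gdoi output above), so a member that keeps missing ACKs is the one most likely to fall out of the group and have to re-register; alerting on the counter before that happens is cheaper than debugging a site that has lost its TEK.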
IOSv15#show crypto gdoi ks identifier
KS Sender ID (KSSID) Information for Group GETVPNGROUP:
Transform Mode : Non-Counter (Non-Suite-B)
Re-initializing : No
SID Length (Group Size) : 24 bits (MEDIUM)
Current KSSID In-Use : none
Last GMSID Used : none
IOSv15#show crypto gdoi ks policy
Key Server Policy:
For group GETVPNGROUP (handle: 2147483650) server 10.1.15.15 (handle: 2147483650):
# of teks : 1 Seq num : 15
KEK POLICY (transport type : Unicast)
spi : 0xB93B277110818300E2577A6753B66540
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
orig life(sec) : 86400 remaining life(sec): 68464
time to rekey (sec): 68239
sig hash algorithm : enabled sig key length : 294
sig size : 256
sig key name : GETVPN
acknowledgement : Cisco
TEK POLICY (encaps : ENCAPS_TRANSPORT)
spi : 0xF09AF78
access-list : GETVPN
CKM rekey epoch : N/A (disabled)
transform : esp-3des esp-md5-hmac
alg key size : 24 sig key size : 16
orig life(sec) : 3600 remaining life(sec) : 1740
tek life(sec) : 3600 elapsed time(sec) : 1860
override life (sec): 0 antireplay window size: 64
time to rekey (sec): 1354
CSR1#show crypto gdoi gm
Group Member Information For Group GETVPNGROUP:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPNGROUP_temp_acl
Group member : 10.1.10.10 vrf: None
Local addr/port : 10.1.10.10/848
Remote addr/port : 15.15.15.15/848
fvrf/ivrf : None/None
Version : 1.0.16
Registration status : Registered
Registered with : 15.15.15.15
Re-registers in : 1339 sec
Succeeded registration: 6
Attempted registration: 6
Last rekey from : 10.1.15.15
Last rekey seq num : 13
Unicast rekey received: 5
Rekey ACKs sent : 5
Rekey Rcvd(hh:mm:ss) : 00:34:36
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 1
SA Track (OID/status) : disabled
CSR1#show crypto gdoi gm acl
Group Name: GETVPNGROUP
ACL Downloaded From KS 10.1.15.15:
access-list deny udp any any port = 848
access-list deny udp any port = 848 any
access-list deny tcp any any port = 179
access-list deny tcp any port = 179 any
access-list deny udp any any port = 161
access-list deny udp any port = 161 any
access-list permit ip any any
ACL Configured Locally:
ACL of default bypass policy for group-key management traffic:
GigabitEthernet3: deny udp host 10.1.10.10 eq 848 any eq 848
CSR1#show crypto gdoi gm dataplane counters
Data-plane statistics for group GETVPNGROUP:
#pkts encrypt : 7885 #pkts decrypt : 0
#pkts tagged (send) : 0 #pkts untagged (rcv) : 0
#pkts no sa (send) : 0 #pkts invalid sa (rcv) : 0
#pkts encaps fail (send) : 0 #pkts decap fail (rcv) : 0
#pkts invalid prot (rcv) : 0 #pkts verify fail (rcv) : 0
#pkts not tagged (send) : 0 #pkts not untagged (rcv) : 0
#pkts internal err (send): 0 #pkts internal err (rcv) : 0
CSR10#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
15.15.15.15     10.10.10.10     GDOI_IDLE      1068    ACTIVE
CSR10#show crypto ipsec sa
interface: GigabitEthernet2
Crypto map tag: GDOI, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Group: GETVPNGROUP
current_peer 0.0.0.0 port 848
PERMIT, flags={}
#pkts encaps: 417, #pkts encrypt: 417, #pkts digest: 417
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 0.0.0.0
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xF09AF78(252292984)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF09AF78(252292984)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2247, flow_id: CSR:247, sibling_flags FFFFFFFF80000008, crypto map: GDOI
sa timing: remaining key lifetime (sec): 1352
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF09AF78(252292984)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2248, flow_id: CSR:248, sibling_flags FFFFFFFF80000008, crypto map: GDOI
sa timing: remaining key lifetime (sec): 1352
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
SW23#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.20.23.20 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3328] via 10.20.23.20, 04:09:48, Vlan23
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
10.0.0.0/8 is variably subnetted, 25 subnets, 2 masks
D EX 10.0.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.11.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.13.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.15.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.8.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.9.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.3.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.8.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.8.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.9.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.9.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D 10.10.10.0/24 [90/3328] via 10.20.23.20, 04:11:06, Vlan23
D 10.10.20.0/24 [90/3072] via 10.20.23.20, 04:11:23, Vlan23
D EX 10.18.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.18.21.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.19.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.19.22.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.20.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.1.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.100.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
15.0.0.0/32 is subnetted, 1 subnets
D EX 15.15.15.15 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
33.0.0.0/32 is subnetted, 1 subnets
D EX 33.33.33.33 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
88.0.0.0/32 is subnetted, 1 subnets
D EX 88.88.88.88 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
101.0.0.0/32 is subnetted, 1 subnets
D 101.101.101.101 [90/131072] via 10.20.23.20, 04:11:06, Vlan23
SW23#ping 10.19.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/32/46 ms
IOS15 - Key Server
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
crypto gdoi group GETVPNGROUP
identity number 100
server local
rekey algorithm aes 128
rekey authentication mypubkey rsa GETVPN
rekey transport unicast
sa ipsec 10
profile DMVPN
match address ipv4 GETVPN
replay counter window-size 64
no tag
address ipv4 10.1.15.15
!
crypto map GDOI 10 gdoi
set group GETVPNGROUP
!
ip access-list extended GETVPN
deny udp any any eq 848
deny udp any eq 848 any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny udp any any eq snmp
deny udp any eq snmp any
permit ip any any
R3, CSR1, CSR8, CSR9 and CSR10
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 0.0.0.0
!
crypto gdoi group GETVPNGROUP
identity number 100
server address ipv4 15.15.15.15
crypto map GDOI 10 gdoi
set group GETVPNGROUP
R3
interface GigabitEthernet0/2
crypto map GDOI
CSR1
interface GigabitEthernet3
crypto map GDOI
CSR8
interface GigabitEthernet3
crypto map GDOI
CSR9
interface GigabitEthernet1
crypto map GDOI
CSR10
interface GigabitEthernet2
crypto map GDOI
Key Server Phase 1
ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 10.8.10.8, peer port 848
ISAKMP: (0):New peer created peer = 0xE072790 peer_handle = 0x80000017
ISAKMP: (0):Locking peer struct 0xE072790, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = CBCEFE0
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP-PAK: (0):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 10.8.10.8
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID is DPD
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):speaking to another IOS box!
ISAKMP: (1010):processing vendor id payload
ISAKMP: (1010):vendor ID seems Unity/DPD but major 110 mismatch
ISAKMP: (1010):vendor ID is XAUTH
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):His hash no match - this node outside NAT
ISAKMP: (1010):received payload type 20
ISAKMP: (1010):No NAT Found for self or peer
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) MM_KEY_EXCH
ISAKMP: (1010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1010):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP: (1010):processing ID payload. message ID = 0
ISAKMP: (1010):ID payload
next-payload : 8
type : 1
ISAKMP: (1010): address : 10.8.10.8
ISAKMP: (1010): protocol : 17
port : 848
length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1010):processing HASH payload. message ID = 0
ISAKMP: (1010):processing NOTIFY INITIAL_CONTACT protocol 1
ID = 0, sa = 0xCBCEFE0
ISAKMP: (1010):SA authentication status:
ISAKMP: (1010):SA has been authenticated with 10.8.10.8
ISAKMP: (1010):SA authentication status:
ISAKMP: (1010):Process initial contact,
ase 1 and 2 SA's with local 15.15.15.15 remote 10.8.10.8 remote port 848
ISAKMP: (0):Trying to insert a peer 15.15.15.15/10.8.10.8/848/,
ISAKMP: (0): and inserted successfully E072790.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1010):Old State = IKE_R_MM5 New State = IKE_R_MM5
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1010):SA is doing
ISAKMP: (1010):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1010):ID payload
next-payload : 8
type : 1
ISAKMP: (1010): address : 15.15.15.15
ISAKMP: (1010): protocol : 17
port : 848
length : 12
ISAKMP: (1010):Total payload length: 12
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) MM_KEY_EXCH
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1010):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: (1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE
ISAKMP: (1010):set new node 526252361 to GDOI_IDLE
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):processing NONCE payload. message ID = 526252361
ISAKMP: (1010):GDOI Container Payloads:
ID
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_LISTEN New State = IKE_KS_GET_SA_POLICY_AWAIT
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI SA sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
SA
ISAKMP: (1002):IKE SA DELETE Req recvd from GDOI
ISAKMP: (1002):peer does not do paranoid keepalives.
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_SA_POLICY_AWAIT New State = IKE_KS_AWAIT_ACK
ISAKMP-PAK: (1010):received packet from 10.8.10.8 dport 848 sport 848 Global (R) GDOI_IDLE
ISAKMP: (1010):processing HASH payload. message ID = 526252361
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1010):Old State = IKE_KS_AWAIT_ACK New State = IKE_KS_GET_KD_AWAIT
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):KS processing get KD policy packet length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):gkm_process_ack_payload, type NONE length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767106:100):GDOI KD sent successfully by KS
ISAKMP: (1010):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
ISAKMP-PAK: (1010):sending packet to 10.8.10.8 my_port 848 peer_port 848 (R) GDOI_IDLE
ISAKMP: (1010):Sending an IKE IPv4 Packet.
ISAKMP: (1010):Node 526252361, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1010):Old State = IKE_KS_GET_KD_AWAIT New State = IKE_KS_DONE
Group Member ISAKMP and IPsec debugs
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
IPSEC(key_engine): got a queue event with 1 KMI message(s)
%CRYPTO-5-GM_REGSTER: Start registration to KS 15.15.15.15 for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP-ERROR: (0):no idb in request
ISAKMP: (0):SA request profile is (NULL)
ISAKMP: (0):Created a peer struct for 15.15.15.15, peer port 848
ISAKMP: (0):New peer created peer = 0x80007F09771739C8 peer_handle = 0x800000008000026C
ISAKMP: (0):Locking peer struct 0x80007F09771739C8, refcount 1 for isakmp_initiator
ISAKMP: (0):local port 848, remote port 848
ISAKMP: (0):set new node 0 to QM_IDLE
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F0977A37D58
ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP: (0):constructed NAT-T vendor-07 ID
ISAKMP: (0):constructed NAT-T vendor-03 ID
ISAKMP: (0):constructed NAT-T vendor-02 ID
ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP: (0):beginning Main Mode exchange
ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_NO_STATE
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_NO_STATE
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 0
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM2
ISAKMP-PAK: (0):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP-PAK: (0):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 15.15.15.15
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is Unity
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):vendor ID is DPD
ISAKMP: (1666):processing vendor id payload
ISAKMP: (1666):speaking to another IOS box!
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):His hash no match - this node outside NAT
ISAKMP: (1666):received payload type 20
ISAKMP: (1666):No NAT Found for self or peer
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM4 New State = IKE_I_MM4
ISAKMP: (1666):Send initial contact
ISAKMP: (1666):SA is doing
ISAKMP: (1666):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1666):ID payload
next-payload : 8
type : 1
ISAKMP: (1666): address : 10.8.10.8
ISAKMP: (1666): protocol : 17
port : 848
length : 12
ISAKMP: (1666):Total payload length: 12
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) MM_KEY_EXCH
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) MM_KEY_EXCH
ISAKMP: (1666):processing ID payload. message ID = 0
ISAKMP: (1666):ID payload
next-payload : 8
type : 1
ISAKMP: (1666): address : 15.15.15.15
ISAKMP: (1666): protocol : 17
port : 848
length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1666):processing HASH payload. message ID = 0
ISAKMP: (1666):SA authentication status:
authenticated
ISAKMP: (1666):SA has been authenticated with 15.15.15.15
ISAKMP: (0):Trying to insert a peer 10.8.10.8/15.15.15.15/848/,
ISAKMP: (0): and inserted successfully 80007F09771739C8.
ISAKMP: (1666):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1666):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1666):Old State = IKE_I_MM6 New State = IKE_I_MM6
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1666):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP: (1666):Begin GDOI Registration:
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, IKE_INIT_GDOI
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA New State = IKE_GM_AWAIT_SA
ISAKMP: (1666):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1666):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):processing NONCE payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
SA
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_SA New State = IKE_GM_SET_SA_POLICY_AWAIT
%GDOI-5-SA_TEK_UPDATED: SA TEK was updated
ISAKMP-PAK: (1666):sending packet to 15.15.15.15 my_port 848 peer_port 848 (I) GDOI_IDLE
ISAKMP: (1666):Sending an IKE IPv4 Packet.
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_SET_SA_POLICY_AWAIT New State = IKE_GM_AWAIT_KD
ISAKMP-PAK: (1666):received packet from 15.15.15.15 dport 848 sport 848 Global (I) GDOI_IDLE
ISAKMP: (1666):processing HASH payload. message ID = 2427027841
ISAKMP: (1666):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
ISAKMP: (1666):Old State = IKE_GM_AWAIT_KD New State = IKE_GM_INSTALL_KD_AWAIT
%GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xE2577A6753B66540B93B277110818300
%GDOI-5-GM_REGS_COMPL: Registration to KS 15.15.15.15 complete for group GETVPNGROUP using address 10.8.10.8 fvrf default ivrf default
ISAKMP: (1666):GDOI Container Payloads:
GDOI SEQUENCE NUMBER
GDOI KEY DOWNLOAD(KD)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP-ERROR: (1666):deleting node 2427027841 error TRUE reason "GDOI GM registration complete"
ISAKMP: (1666):Registration Complete
ISAKMP: (1666):Node 2427027841, Input = IKE_MESG_INTERNAL, UNKNOWN
ISAKMP: (1666):Old State = IKE_GM_INSTALL_KD_AWAIT New State = IKE_GM_DONE
ISAKMP-ERROR: (1666):Could not find the Node with MID: 2427027841
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F09DCD6BE80
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.8.10.8, sa_proto= 50,
sa_spi= 0x529586E7(1385531111),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2191
sa_lifetime(k/sec)= (0/3228),
(identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
IPSEC(create_sa): sa created,
(sa) sa_dest= 0.0.0.0, sa_proto= 50,
sa_spi= 0x529586E7(1385531111),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2192
sa_lifetime(k/sec)= (0/3228),
(identity) local= 10.8.10.8:0, remote= 0.0.0.0:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 15.15.15.15 for group GETVPNGROUP & gm identity 10.8.10.8 fvrf default ivrf default
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Payload type IDg (5) packet length 12
GDOI:KS REGISTRATION:EVT:(0):GDOI Process Get SA Policy: Process pyld type IDg (5) pyld len 12 | length processed 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI SA sent successfully by KS
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):KS processing get KD policy packet length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):gkm_process_ack_payload, type NONE length 0
GDOI:KS REGISTRATION:EVT:(GETVPNGROUP:318767109:100):GDOI KD sent successfully by KS
IOSv15#show crypto gdoi
GROUP INFORMATION
Group Name : GETVPNGROUP (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 100
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 5
IPSec SA Direction : Both
IP D3P Window : Disabled
CKM status : Disabled
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 68539 secs
Time to Rekey : 68314 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : DMVPN
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 1815 secs
Time to Rekey : 1429 secs
ACL Configured : access-list GETVPN
Group Server list : Local
IOSv15#show crypto gdoi ks members summary
Group Member Information :
Group Name: GETVPNGROUP, ID: 100, Group Members: 5
Key Server ID: 10.1.15.15, GMDB state: LOCAL, Group Members: 5
Member ID        Version   Rekey sent   Rekey Ack missed
10.1.10.10       1.0.16    5            0
10.3.10.3        1.0.17    5            2
10.8.10.8        1.0.16    5            0
10.9.10.9        1.0.16    5            0
10.10.10.10      1.0.16    5            0
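The members summary is where a rekey problem first becomes visible: every member should have received the same number of rekeys, and a member that keeps missing rekey acknowledgements (10.3.10.3 above has missed 2, with the key server configured for 2 retransmit attempts) is the one whose TEK will go stale. This script is an added example, not part of the original page or of Cisco's software; it parses the summary table and flags members whose missed-ACK count has reached the retransmit budget, plus any member lagging behind the others in rekeys received. The sample text is a constructed copy of the table above and the retransmit threshold is taken from the `show crypto gdoi` output on this page.

```python
import re

# Constructed copy of the "show crypto gdoi ks members summary" output above.
MEMBERS_SUMMARY = """\
Group Member Information :
Group Name: GETVPNGROUP, ID: 100, Group Members: 5
Key Server ID: 10.1.15.15, GMDB state: LOCAL, Group Members: 5
Member ID        Version   Rekey sent   Rekey Ack missed
10.1.10.10       1.0.16    5            0
10.3.10.3        1.0.17    5            2
10.8.10.8        1.0.16    5            0
10.9.10.9        1.0.16    5            0
10.10.10.10      1.0.16    5            0
"""

# One table row: member address, version, rekeys sent, rekey ACKs missed.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)$")
EXPECTED = re.compile(r"Group Members:\s*(\d+)")


def parse_members(text):
    """Return one dict per member row; header and banner lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "member": m.group(1),
                "version": m.group(2),
                "rekeys_sent": int(m.group(3)),
                "acks_missed": int(m.group(4)),
            })
    return rows


def rekey_health(text, retransmit_attempts=2):
    """Flag members at risk of falling out of sync with the key server.

    retransmit_attempts mirrors "Rekey Retransmit Attempts" on the KS: once a
    member has missed that many ACKs the KS has exhausted its retries for it.
    """
    rows = parse_members(text)
    m = EXPECTED.search(text)
    expected = int(m.group(1)) if m else None
    max_sent = max((r["rekeys_sent"] for r in rows), default=0)
    return {
        "members": len(rows),
        "expected": expected,
        "count_ok": expected is None or expected == len(rows),
        "at_risk": [r["member"] for r in rows if r["acks_missed"] >= retransmit_attempts],
        "lagging": [r["member"] for r in rows if r["rekeys_sent"] < max_sent],
        "versions": sorted({r["version"] for r in rows}),
    }


if __name__ == "__main__":
    print(rekey_health(MEMBERS_SUMMARY))
```

Run it against the output of several key servers over time and the `at_risk` list is the set of members to check for reachability on UDP 848 or for a stale registration before the next rekey window.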
IOSv15#show crypto gdoi ks identifier
KS Sender ID (KSSID) Information for Group GETVPNGROUP:
Transform Mode : Non-Counter (Non-Suite-B)
Re-initializing : No
SID Length (Group Size) : 24 bits (MEDIUM)
Current KSSID In-Use : none
Last GMSID Used : none
IOSv15#show crypto gdoi ks policy
Key Server Policy:
For group GETVPNGROUP (handle: 2147483650) server 10.1.15.15 (handle: 2147483650):
# of teks : 1 Seq num : 15
KEK POLICY (transport type : Unicast)
spi : 0xB93B277110818300E2577A6753B66540
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 16
orig life(sec) : 86400 remaining life(sec): 68464
time to rekey (sec): 68239
sig hash algorithm : enabled sig key length : 294
sig size : 256
sig key name : GETVPN
acknowledgement : Cisco
TEK POLICY (encaps : ENCAPS_TRANSPORT)
spi : 0xF09AF78
access-list : GETVPN
CKM rekey epoch : N/A (disabled)
transform : esp-3des esp-md5-hmac
alg key size : 24 sig key size : 16
orig life(sec) : 3600 remaining life(sec) : 1740
tek life(sec) : 3600 elapsed time(sec) : 1860
override life (sec): 0 antireplay window size: 64
time to rekey (sec): 1354
CSR1#show crypto gdoi gm
Group Member Information For Group GETVPNGROUP:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPNGROUP_temp_acl
Group member : 10.1.10.10 vrf: None
Local addr/port : 10.1.10.10/848
Remote addr/port : 15.15.15.15/848
fvrf/ivrf : None/None
Version : 1.0.16
Registration status : Registered
Registered with : 15.15.15.15
Re-registers in : 1339 sec
Succeeded registration: 6
Attempted registration: 6
Last rekey from : 10.1.15.15
Last rekey seq num : 13
Unicast rekey received: 5
Rekey ACKs sent : 5
Rekey Rcvd(hh:mm:ss) : 00:34:36
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 1
SA Track (OID/status) : disabled
CSR1#show crypto gdoi gm acl
Group Name: GETVPNGROUP
ACL Downloaded From KS 10.1.15.15:
access-list deny udp any any port = 848
access-list deny udp any port = 848 any
access-list deny tcp any any port = 179
access-list deny tcp any port = 179 any
access-list deny udp any any port = 161
access-list deny udp any port = 161 any
access-list permit ip any any
ACL Configured Locally:
ACL of default bypass policy for group-key management traffic:
GigabitEthernet3: deny udp host 10.1.10.10 eq 848 any eq 848
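In GET VPN the key server's ACL is the encryption policy for the whole group, and every deny entry in it is traffic the members will forward in the clear; the GM shows the same policy in a different syntax (`port = 179` where the KS was configured with `eq bgp`). The script below is an added example, not part of the original page or of Cisco's software: it normalises both syntaxes into the same tuples, checks that the downloaded policy is identical to the configured one entry for entry and in order, and lists the entries that are exempt from encryption. The two ACL texts are constructed copies of the KS configuration and the GM output on this page; the named-port table is an assumption that covers only the names used here.

```python
# Named ports IOS shows symbolically in the configured ACL but numerically in
# the ACL the group member downloads (standard assignments, assumed here).
PORT_NAMES = {"bgp": 179, "snmp": 161, "isakmp": 500}

# Constructed copy of the ACL configured on the key server.
KS_ACL = """\
ip access-list extended GETVPN
deny udp any any eq 848
deny udp any eq 848 any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny udp any any eq snmp
deny udp any eq snmp any
permit ip any any
"""

# Constructed copy of "show crypto gdoi gm acl" on the group member.
GM_ACL = """\
ACL Downloaded From KS 10.1.15.15:
access-list deny udp any any port = 848
access-list deny udp any port = 848 any
access-list deny tcp any any port = 179
access-list deny tcp any port = 179 any
access-list deny udp any any port = 161
access-list deny udp any port = 161 any
access-list permit ip any any
"""


def parse_ace(line):
    """Normalise one ACE from either syntax into
    (action, proto, src, src_port, dst, dst_port); None for non-ACE lines."""
    toks = line.strip().replace("port = ", "eq ").split()
    if toks and toks[0] == "access-list":
        toks = toks[1:]
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return None
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_endpoint():
        addr = rest.pop(0)
        if addr == "host":            # "host A.B.C.D" form
            addr = rest.pop(0)
        port = None
        if rest and rest[0] == "eq":  # optional port qualifier
            rest.pop(0)
            port = int(PORT_NAMES.get(rest[0], rest[0]))
            rest.pop(0)
        return addr, port

    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return (action, proto, src, sport, dst, dport)


def parse_acl(text):
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]


def acl_matches(ks_text, gm_text):
    """True only if the GM holds exactly the KS policy, entry for entry, in order."""
    return parse_acl(ks_text) == parse_acl(gm_text)


def cleartext_exempt(text):
    """Entries GET VPN will forward unencrypted: deny here means do not encrypt."""
    return [ace for ace in parse_acl(text) if ace[0] == "deny"]


if __name__ == "__main__":
    print("policy matches KS:", acl_matches(KS_ACL, GM_ACL))
    for ace in cleartext_exempt(GM_ACL):
        print("sent in the clear:", ace)
```

Because ACL order matters, the comparison is on the ordered list rather than a set; an extra or reordered deny on a member is exactly the kind of drift that silently widens the unencrypted traffic without any registration error.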
CSR1#show crypto gdoi gm dataplane counters
Data-plane statistics for group GETVPNGROUP:
#pkts encrypt : 7885 #pkts decrypt : 0
#pkts tagged (send) : 0 #pkts untagged (rcv) : 0
#pkts no sa (send) : 0 #pkts invalid sa (rcv) : 0
#pkts encaps fail (send) : 0 #pkts decap fail (rcv) : 0
#pkts invalid prot (rcv) : 0 #pkts verify fail (rcv) : 0
#pkts not tagged (send) : 0 #pkts not untagged (rcv) : 0
#pkts internal err (send): 0 #pkts internal err (rcv) : 0
CSR10#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state       conn-id  status
15.15.15.15      10.10.10.10      GDOI_IDLE   1068     ACTIVE
CSR10#show crypto ipsec sa
interface: GigabitEthernet2
Crypto map tag: GDOI, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Group: GETVPNGROUP
current_peer 0.0.0.0 port 848
PERMIT, flags={}
#pkts encaps: 417, #pkts encrypt: 417, #pkts digest: 417
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 0.0.0.0
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xF09AF78(252292984)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF09AF78(252292984)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2247, flow_id: CSR:247, sibling_flags FFFFFFFF80000008, crypto map: GDOI
sa timing: remaining key lifetime (sec): 1352
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF09AF78(252292984)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2248, flow_id: CSR:248, sibling_flags FFFFFFFF80000008, crypto map: GDOI
sa timing: remaining key lifetime (sec): 1352
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
SW23#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.20.23.20 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3328] via 10.20.23.20, 04:09:48, Vlan23
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
10.0.0.0/8 is variably subnetted, 25 subnets, 2 masks
D EX 10.0.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.11.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.13.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.1.15.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.8.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.9.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.2.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.3.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.8.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.8.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.9.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.9.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D 10.10.10.0/24 [90/3328] via 10.20.23.20, 04:11:06, Vlan23
D 10.10.20.0/24 [90/3072] via 10.20.23.20, 04:11:23, Vlan23
D EX 10.18.18.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.18.21.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.19.19.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.19.22.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.20.0.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.1.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.10.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
D EX 10.255.100.0/24 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
15.0.0.0/32 is subnetted, 1 subnets
D EX 15.15.15.15 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
33.0.0.0/32 is subnetted, 1 subnets
D EX 33.33.33.33 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
88.0.0.0/32 is subnetted, 1 subnets
D EX 88.88.88.88 [170/26368] via 10.20.23.20, 04:10:53, Vlan23
101.0.0.0/32 is subnetted, 1 subnets
D 101.101.101.101 [90/131072] via 10.20.23.20, 04:11:06, Vlan23
SW23#ping 10.19.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/32/46 ms