
1190 Views 9 Replies Latest reply: Feb 13, 2012 9:07 AM by jchan

GETVPN - KS Issue (No IPSEC SA establishment in KS)

Jan 15, 2012 10:39 AM

Alkuin Melvin, 127 posts since Jul 8, 2009

Looking for some help with IPsec SA establishment in GETVPN. The ISAKMP SA between the GM and the KS is good, but the IPsec SA only shows up on the GM, not on the KS. Why is that?

Below is the partial configuration for the KS and the GM.

KS Configuration:

hostname R1
!
ip domain name cisco.com
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.2
!
crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set MYTRANSFORM
!
crypto gdoi group MYGDOI
 identity number 777
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa MYGDOIKEY
  rekey transport unicast
  sa ipsec 10
   profile MYPROFILE
   match address ipv4 100
   replay counter window-size 64
  address ipv4 100.100.100.1
!
crypto map MYMAP 10 gdoi
 set group MYGDOI
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 56000
!
interface Serial0/0.1 multipoint
 bandwidth 32
 ip address 100.100.100.1 255.255.255.0
 ip virtual-reassembly
 frame-relay map ip 100.100.100.2 102 broadcast
 frame-relay map ip 100.100.100.1 102 broadcast
 crypto map MYMAP
!
ip route 192.168.20.0 255.255.255.0 100.100.100.2
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


GM Configuration:

hostname R2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.1
!
crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set MYTRANSFORM
!
crypto gdoi group MYGDOI
 identity number 777
 server address ipv4 100.100.100.1
!
crypto map MYMAP 10 gdoi
 set group MYGDOI
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0.1 multipoint
 bandwidth 32
 ip address 100.100.100.2 255.255.255.0
 ip virtual-reassembly
 frame-relay map ip 100.100.100.1 201 broadcast
 crypto map MYMAP
!
ip route 192.168.10.0 255.255.255.0 100.100.100.1


R2#sh crypto gdoi ipsec sa

SA created for group MYGDOI:
  Serial0/0.1:
    protocol = ip
      local ident  = 192.168.10.0/24, port = 0
      remote ident = 192.168.20.0/24, port = 0
      direction: Both, replay: Disabled
    protocol = ip
      local ident  = 192.168.20.0/24, port = 0
      remote ident = 192.168.10.0/24, port = 0
      direction: Both, replay: Disabled


Thanks
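Added example, not part of the original post and not a Cisco tool: a small Python checker that parses the two configurations above and cross-checks the parameters that must agree between the KS and the GM for GDOI registration to succeed (group identity number, the KS address the GM registers to, a pre-shared key on each side for the peer's address, matching ISAKMP policy attributes, and on the KS the sa ipsec -> profile -> transform-set -> ACL chain). It also flags the GDOI crypto map applied on the KS's Serial0/0.1: in GETVPN the key server creates and distributes the IPsec policy and keys, and only group members install them, so `show crypto gdoi ipsec sa` is populated on GMs only; the policy as held by the KS is viewed with `show crypto gdoi ks policy`. The function names (`parse_blocks`, `check_getvpn`, `wan_ip`) and the trimmed, re-indented copies of the posted configs are assumptions of this example.

```python
"""Cross-check a GETVPN key server (KS) and group member (GM) configuration.

Added example, not from the original post and not a Cisco tool. The configs
below are the ones posted above, cut to the GETVPN-relevant lines and
re-indented the way IOS prints sub-commands (one space per nesting level).
"""

KS_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.2
crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac
crypto ipsec profile MYPROFILE
 set transform-set MYTRANSFORM
crypto gdoi group MYGDOI
 identity number 777
 server local
  rekey authentication mypubkey rsa MYGDOIKEY
  sa ipsec 10
   profile MYPROFILE
   match address ipv4 100
  address ipv4 100.100.100.1
interface Serial0/0.1 multipoint
 ip address 100.100.100.1 255.255.255.0
 crypto map MYMAP
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""

GM_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.1
crypto gdoi group MYGDOI
 identity number 777
 server address ipv4 100.100.100.1
interface Serial0/0.1 multipoint
 ip address 100.100.100.2 255.255.255.0
 crypto map MYMAP
"""


def parse_blocks(text):
    """(top-level line, [subordinate lines]) pairs; nesting depth is flattened."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def find(blocks, prefix):
    return [(l, c) for l, c in blocks if l.startswith(prefix)]

def child(children, prefix):
    return next((c for c in children if c.startswith(prefix)), None)

def wan_ip(blocks):
    """IP of the first interface carrying a crypto map (the GDOI peer address)."""
    for _, ifc in find(blocks, "interface "):
        if child(ifc, "crypto map ") and child(ifc, "ip address "):
            return child(ifc, "ip address ").split()[2]
    return None

def check_getvpn(ks_text, gm_text):
    """Return [(severity, message)]; an empty list means the pair is consistent."""
    ks, gm, out = parse_blocks(ks_text), parse_blocks(gm_text), []
    ks_grp = find(ks, "crypto gdoi group ")[0][1]
    gm_grp = find(gm, "crypto gdoi group ")[0][1]
    # 1. Group identity must match or the KS rejects the registration.
    if child(ks_grp, "identity ") != child(gm_grp, "identity "):
        out.append(("error", "identity number differs between KS and GM"))
    # 2. The GM must register to the address the KS serves on.
    ks_addr, gm_srv = child(ks_grp, "address ipv4 "), child(gm_grp, "server address ipv4 ")
    ks_ip = ks_addr.split()[2] if ks_addr else None
    gm_ks_ip = gm_srv.split()[3] if gm_srv else None
    if ks_ip is None or ks_ip != gm_ks_ip:
        out.append(("error", f"GM registers to {gm_ks_ip}, KS serves on {ks_ip}"))
    # 3. Registration rides on ISAKMP: each side needs a pre-shared key for the
    #    peer's address, and the key strings must be identical.
    keys = lambda b: {l.split()[5]: l.split()[3] for l, _ in find(b, "crypto isakmp key ")}
    ks_keys, gm_keys, gm_ip = keys(ks), keys(gm), wan_ip(gm)
    if gm_ip not in ks_keys or gm_ks_ip not in gm_keys:
        out.append(("error", "missing isakmp key for the peer address on KS or GM"))
    elif ks_keys[gm_ip] != gm_keys[gm_ks_ip]:
        out.append(("error", "pre-shared key strings differ"))
    # 4. ISAKMP policy attributes must agree (order-insensitive compare).
    pol = lambda b: sorted(c for _, ch in find(b, "crypto isakmp policy") for c in ch)
    if pol(ks) != pol(gm):
        out.append(("error", "isakmp policy attributes differ"))
    # 5. KS policy chain: sa ipsec -> profile -> transform-set, plus the ACL.
    profiles = {l.split()[3]: ch for l, ch in find(ks, "crypto ipsec profile ")}
    tsets = {l.split()[3] for l, _ in find(ks, "crypto ipsec transform-set ")}
    acls = {l.split()[1] for l, _ in find(ks, "access-list ") if " permit " in l}
    for line in ks_grp:
        if line.startswith("profile "):
            ts = child(profiles.get(line.split()[1], []), "set transform-set ")
            if ts is None or ts.split()[2] not in tsets:
                out.append(("error", f"{line}: profile or transform-set missing"))
        elif line.startswith("match address ipv4 ") and line.split()[3] not in acls:
            out.append(("error", f"{line}: ACL has no permit entries"))
    # 6. Only GMs register and install IPsec SAs; the KS distributes them and
    #    does not need a GDOI crypto map, so flag one as informational.
    for name, ifc in find(ks, "interface "):
        if child(ifc, "crypto map "):
            out.append(("info", f"GDOI crypto map applied on KS {name.split()[1]}"))
    return out

if __name__ == "__main__":
    for sev, msg in check_getvpn(KS_CONFIG, GM_CONFIG) or [("ok", "consistent")]:
        print(f"{sev}: {msg}")
```

Run as-is it reports only the informational finding about the crypto map on the KS's Serial0/0.1; every other KS/GM parameter in the posted configs agrees. Change the GM's identity number, its `group 5`, or the KS's `crypto isakmp key ... address` line and the corresponding error appears, which is the quick way to tell a registration problem from the expected absence of IPsec SAs on the KS.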
