9 Replies Latest reply: Feb 13, 2012 9:07 AM by jchan

    GETVPN - KS Issue (No IPSEC SA establishment in KS)

    Alkuin Melvin

Looking for some help with IPsec SA establishment in GETVPN. The ISAKMP SA between the GM and the KS is good, but the IPsec SA only shows up on the GM, not on the KS. Why is that?

Below is the partial configuration for the KS and the GM.


KS Configuration:

hostname R1
!
ip domain name cisco.com
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.2
!
crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set MYTRANSFORM
!
crypto gdoi group MYGDOI
 identity number 777
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa MYGDOIKEY
  rekey transport unicast
  sa ipsec 10
   profile MYPROFILE
   match address ipv4 100
   replay counter window-size 64
  address ipv4 100.100.100.1
!
crypto map MYMAP 10 gdoi
 set group MYGDOI
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 56000
!
interface Serial0/0.1 multipoint
 bandwidth 32
 ip address 100.100.100.1 255.255.255.0
 ip virtual-reassembly
 frame-relay map ip 100.100.100.2 102 broadcast
 frame-relay map ip 100.100.100.1 102 broadcast
 crypto map MYMAP
!
ip route 192.168.20.0 255.255.255.0 100.100.100.2
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


GM Configuration:

hostname R2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key getvpn address 100.100.100.1
!
crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set MYTRANSFORM
!
crypto gdoi group MYGDOI
 identity number 777
 server address ipv4 100.100.100.1
!
crypto map MYMAP 10 gdoi
 set group MYGDOI
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0.1 multipoint
 bandwidth 32
 ip address 100.100.100.2 255.255.255.0
 ip virtual-reassembly
 frame-relay map ip 100.100.100.1 201 broadcast
 crypto map MYMAP
!
ip route 192.168.10.0 255.255.255.0 100.100.100.1


R2#sh crypto gdoi ipsec sa

SA created for group MYGDOI:
  Serial0/0.1:
    protocol = ip
      local ident  = 192.168.10.0/24, port = 0
      remote ident = 192.168.20.0/24, port = 0
      direction: Both, replay: Disabled
    protocol = ip
      local ident  = 192.168.20.0/24, port = 0
      remote ident = 192.168.10.0/24, port = 0
      direction: Both, replay: Disabled

Thanks
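As an added consistency check, not code from the original post: a small Python script that cross-checks the fields that must agree between a KS and a GM configuration (group name, identity number, the KS address the GM registers with, and the ISAKMP pre-shared-key peer addresses against each side's WAN address), run over constructed excerpts of the two configurations above. The field names and the list of checks are the script's own assumptions.

```python
import re

# Constructed excerpts of the KS and GM configs from the post (not the full configs)
KS_CONFIG = """
crypto isakmp key getvpn address 100.100.100.2
crypto gdoi group MYGDOI
 identity number 777
 server local
  address ipv4 100.100.100.1
interface Serial0/0.1 multipoint
 ip address 100.100.100.1 255.255.255.0
"""
GM_CONFIG = """
crypto isakmp key getvpn address 100.100.100.1
crypto gdoi group MYGDOI
 identity number 777
 server address ipv4 100.100.100.1
interface Serial0/0.1 multipoint
 ip address 100.100.100.2 255.255.255.0
"""

def first(pattern, text):
    """Return the first capture group of PATTERN in TEXT (multiline), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Pull out the fields that must agree between a KS and its GM (assumed field set)."""
    return {
        "isakmp_peer": first(r"^crypto isakmp key \S+ address (\S+)", cfg),
        "group": first(r"^crypto gdoi group (\S+)", cfg),
        "identity": first(r"^ +identity number (\d+)", cfg),
        "is_ks": first(r"^ +(server local)", cfg) is not None,
        "ks_address": first(r"^ +address ipv4 (\S+)", cfg),       # KS's own advertised address
        "server": first(r"^ +server address ipv4 (\S+)", cfg),    # KS the GM registers with
        "wan_ip": first(r"^ +ip address (\S+) \S+$", cfg),        # first interface address seen
    }

def check_pair(ks_cfg, gm_cfg):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    ks, gm = parse(ks_cfg), parse(gm_cfg)
    findings = []
    if not ks["is_ks"]:
        findings.append("KS config lacks 'server local'")
    if (ks["group"], ks["identity"]) != (gm["group"], gm["identity"]):
        findings.append("group name or identity number differs between KS and GM")
    if gm["server"] != ks["ks_address"]:
        findings.append(f"GM registers with {gm['server']} but KS address is {ks['ks_address']}")
    if ks["isakmp_peer"] != gm["wan_ip"] or gm["isakmp_peer"] != ks["wan_ip"]:
        findings.append("ISAKMP pre-shared key peer addresses do not match the WAN addresses")
    return findings
```

The script only flags mismatches between the two configurations; it says nothing about which side is expected to hold data-plane IPsec SAs.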