GETVPN

Doing a few tests before the actual implementation: I have a small GETVPN lab network, a single KS and 5 GMs on 12.4(15)T10. Encryption, routing, etc. all work very well except for something odd I noticed.

On the key server:

C2851_Key_Srvr#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GETVPN : 170

Group Member ID    : 172.16.1.1
 Group ID          : 1234
 Group Name        : GETVPN
 Key Server ID     : 172.16.0.1
 Rekeys sent       : 170
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 170
 Rekey Acks missed : 0

 Sent seq num :     2       1       0       0
 Rcvd seq num :     2       1       0       0

......

......

On the group member:

*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2

*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2

*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2

... the sent & rcvd sequence numbers never go above 2. In fact, they repeat the pattern 1,2,1,2,1,2... forever.

Compare this with what the Design and Implementation Guide, section 5.3.3.2, says:

.......

.......

If all the GMs in the GET VPN group respond to a unicast rekey, rekey syslog messages are displayed with consecutive incrementing sequence numbers.

.......

.......

If syslog does not display the rekey sequence numbers incrementing properly (last sequence number + 1), it indicates that the primary KS is sending some rekey retransmissions because acks from some GMs are not being received.

This implies that the seq #s should increase 1,2,3,4,5...

Can anyone shed some light on this issue? Is this a real problem or not?

Much appreciated!

DJS

In the "sh crypto gdoi ks members" output you sent, it seems that the KS sent 170 rekey messages and received all 170 rekey ACKs. On this basis, nothing seems wrong. You might see the repetition because a KEK rekey resets the sequence number to 1. A KEK rekey is when a new KEK is generated, and possibly new TEKs according to their lifetimes. All consecutive TEK rekeys increment from there. Examine your KEK and TEK lifetimes, but based on the syslog timestamps I'm guessing this is probably the explanation.

Just to be on the safe side, I'd keep an eye on your GMs in your test environment and monitor to see if one or more try to re-register when the IPsec SAs are about to expire (about 60 seconds), because this would indicate a problem with the rekey not being received.
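The distinction drawn above (a seq # that resets to 1 on a KEK rekey is expected; a repeated number means the KS retransmitted because it never saw the GM's ack; a skipped number means a rekey was missed) can be checked mechanically over the GM's syslog. The Python below is an added example written for this page, not code from the original post or from Cisco. It parses %GDOI-5-GM_RECV_REKEY lines in the format shown in the post (that format is the one assumption) and labels each transition. The sample log is constructed: the first four lines reproduce the 1,2,1,2 pattern from the post, the last two are made up to show a retransmission and a gap.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first four lines reproduce the 1,2,1,2 pattern from the
# post; the last two are made up to show a retransmission and a missed rekey.
SAMPLE_LOG = """\
*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:55:44.512: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 4
"""

# Message format exactly as it appears in the post (assumption: IOS keeps this wording).
REKEY_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%GDOI-5-GM_RECV_REKEY: Received Rekey for group (?P<group>\S+) "
    r"from (?P<ks>\S+) to (?P<gm>\S+) with seq # (?P<seq>\d+)$"
)


@dataclass
class RekeyEvent:
    ts: str
    group: str
    ks: str
    seq: int
    verdict: str


def classify(prev: Optional[int], seq: int) -> str:
    """Label the transition from the previous rekey seq # to this one."""
    if prev is None:
        return "first-rekey"
    if seq == prev + 1:
        return "ok"                                   # normal TEK rekey
    if seq == 1:
        return "seq-reset (KEK rekey, expected)"      # a new KEK restarts the count at 1
    if seq == prev:
        return "retransmit (KS did not see our ack)"  # same number delivered again
    if seq > prev + 1:
        return "gap (%d rekey(s) missed)" % (seq - prev - 1)
    return "out-of-order"


def analyse(log_text: str) -> List[RekeyEvent]:
    """Walk the syslog, tracking the last seq # per (group, KS) pair."""
    events: List[RekeyEvent] = []
    last: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        m = REKEY_RE.match(line.strip())
        if not m:
            continue  # not a rekey line; other syslog noise is ignored
        key = (m["group"], m["ks"])
        seq = int(m["seq"])
        events.append(RekeyEvent(m["ts"], m["group"], m["ks"], seq,
                                 classify(last.get(key), seq)))
        last[key] = seq
    return events


def problems(events: List[RekeyEvent]) -> List[RekeyEvent]:
    """Only the transitions worth a look: retransmits, gaps, reordering."""
    return [e for e in events
            if e.verdict.startswith(("retransmit", "gap", "out-of-order"))]


if __name__ == "__main__":
    evs = analyse(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts}  seq {e.seq:<3} {e.verdict}")
    print(f"{len(problems(evs))} transition(s) need attention")
```

Run against the post's own four lines the script reports nothing but "ok" and the expected KEK reset; the two constructed lines at the end are the cases the DIG text describes as a retransmission problem, and those are what a monitoring job should alert on, cross-checked against "Rekey Acks missed" on the KS.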

Tags: Cisco Security

Similar Questions

  • DMVPN or GETVPN

Team - we have a client that runs GET VPN over MPLS links from the DC to the spokes.  They are heading for a network refresh.    We thought of suggesting IWAN to them.  DMVPN is one of the 4 pillars of IWAN.  Can we ask the customer to go to DMVPN instead of GetVPN?  Or should we do it another way?  Please highlight any arguments against.

    Thank you

    bijbalaktn,

    When you say 'network refresh', what does that imply? Will you still be using MPLS as your transport network?

    Either GETVPN or DMVPN is a solution on an MPLS network. Two benefits of GETVPN are slightly less encapsulation overhead (as it is just ESP without GRE encapsulation) and not having to account for an overlay routing protocol. That said, when comparing DMVPN and GETVPN, most people are much more comfortable with DMVPN, which is an advantage in and of itself. In addition, if you are considering an IWAN solution, DMVPN is a requirement per the IWAN CVD.

    In short, either solution should work and it's really up to you; personally, I'm a big fan of both. If you are comfortable with GETVPN and it has worked for you, it may be better to stay with it. However, DMVPN is expected to function properly for you as well.

    HTH,

    Frank

  • GetVPN KS and GM on the same box

    I'm trying to set up a network with GetVPN instead of standard IPsec tunnels and am trying to get the KS and GM to be on the same box. Is it possible? If so, does anyone have an example config?

    Thank you

    Andrew

    Hello Andrew,

    It is my understanding that KS and GM on the same router is not supported.

    Kind regards

    Arul

    * Please rate all useful posts *

  • GETVPN in CsC MPLS

    Hello

    I'm implementing GETVPN on a router that has an interface connected to an MPLS backbone. It runs LDP with the provider router and BGP with my other sites in the MPLS cloud.

    I have another interface with sub-interfaces that map to VRFs. This interface is connected to an L3 switch which has the VRF configuration as well.

    In this configuration, when I ping from the switch loopback to the router loopback in the VRF, everything works.

    After applying the crypto map on the sub-interface pointing to the switch, the ping fails and I receive the following message:

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1

    When I place the crypto map on the interface to the provider router it doesn't work either, because there is no VRF configured there.

    Now the $1,000,000 question: is this a supported configuration, and where do I have to place the crypto map in order to make this setup work?

    Thanks in advance

    Alex

    Alex,

    GetVPN is a feature intended for routers right behind the PEs; unless something has changed (I've been mostly out of the security space for a year) you will have a hard time overcoming the limitations.

    There was a great project to have crypto maps working as an ingress feature, which most likely would have worked well enough here, but I think that with the advent of logical interfaces it was shelved. But anyway, we are interested in the things that work.

    You can check with the MS side in this forum whether they have a solution for PE-PE encryption or 'encryption as a service'... there is a bit of talk about it on the interwebs, but I have not seen anything significant come out.

    M.

  • DMVPN/GETVPN double spoke router Design

    All the:

    I'm developing a new VPN design - DMVPN cloud, dual hub routers at the main site, a single hub router at the backup site and dual spoke routers at the HQ/remotes.

    This is all over Internet transport, with a GETVPN overlay to encrypt.

    Does anybody have experience establishing DMVPN designs with dual spoke routers, and how do you go about it? HSRP on the outside or inside interface, routing protocol determination only, etc...

    Thanks in advance!

    Hi Steve,

    Using BGP will complicate things a bit.

    This is because you must advertise the HSRP IP (used as the GRE source) to both of your ISPs. You would need to own that IP.

    If this is not possible, you can use the dual hub - dual DMVPN layout (part of the DMVPN link I attached earlier).

    This will require one per router, with the routing protocol handling the routing.

    HSRP can still be used on the inside interface, tracking the GRE tunnel state.

    Doesn't the traffic need to be carried, as far as possible, via the GRE tunnels?

    Please rate if this helped.

    Kind regards

    Daniel

  • DMVPN getvpn or DVTI

    Hello

    In fact I have the situation described below and I am confused about which VPN topology to design and implement; should I choose DMVPN, GETVPN or DVTI?

    I have 4 branches and 1 main site; the branches have 2 connections to HQ, one via the Internet and the other through MPLS, so I want failover on the links and also secure two-way tunnels.

    Best regards

    John Mayer

    GETVPN is not supposed to be used over the Internet, so that isn't the solution.

    With this small number of sites I would set up static VTI on MPLS and use DVTIs on the Internet if the branches have dynamic IPs. If the branches also have static IPs, I would do those links with static VTI as well.

    DMVPN could also be used in this scenario, but the protocol overhead is not necessary at this small scale.

  • GETVPN Questions

    I'm trying to implement GETVPN to encrypt all sensitive data on the telco provider network. Just to give you a bit of history, we have about 500 1921 routers located at remote agencies. We also have a headend device here which will act as the key server for all GMs in the remote branches. The router at the central/headquarters site will obviously be something much beefier to function as the key server.

    Some remote organisations use an IP subnet we assign from our network and others use their own subnet so they can interact with their local network. For those who use their own private addressing, we do a static NAT or a PAT on the remote router in order to allow their desktops access to the appropriate applications. We were told that GETVPN wouldn't work if we were PAT'ing addresses. Is this a true statement? I'm a bit confused by it, as the order of operations is that encryption happens AFTER NAT on outbound and BEFORE NAT on incoming traffic.

    So I guess basically my question is just: does NAT/PAT make a difference? If it works now without GETVPN, shouldn't it work with it?

    If anyone could enlighten me, I would appreciate it.

    In addition, since we have about 500 remote sites, how does GETVPN behave during the implementation? Say we apply the config at the headquarters side and on one of the remotes; does this cause ALL the other remotes to go down because they have not been implemented yet, or can we slowly configure each remote router over time?

    Thanks in advance,

    WARNING: this is about a year-old knowledge, don't hesitate to correct me.

    You're right about NAT and GETVPN on the same device. It will work (with obvious diligence).

    What does not work is a GETVPN device behind a NATing device.

    For your second question, have a look at the GETVPN DIG:

    http://www.Cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-VPN/GETVPN_DIG_version_1_0_External.PDF

    Particularly, SA passive and SA receive-only are something that might be interesting.

    FYI, the configuration guide:

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_getvpn/configuration/15-Mt/sec-get-VPN-15-Mt-book/sec-get-VPN.html

  • GETVPN and nbar

    Hello community,

    We run GETVPN at our branches and the need arose to find out how traffic flows from the branches to the main site. So I thought of activating NBAR and using ManageEngine NetFlow Analyzer to graph the traffic. My problem is that the router is never picked up by NetFlow Analyzer, and on the main site I get the message:

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= 10.130.21.62, src_addr= 192.168.1.250, prot= 17

    (where 10.130.21.62 is my NetFlow Analyzer and 192.168.1.250 the router's loopback).

    I use "ip flow-export source Loopback0" to export the traffic.

    So my question is:

    Is traffic originated by the router itself not encrypted? Is that what is causing my problem?

    I'll also try to see what happens if I change the flow-export source to a physical interface...

    Any indication of how to solve this problem will be highly appreciated.

    Thanks in advance,

    Katerina

    Hello

    Yes, you need a CCO login in order to use the bug toolkit, but here is the bug description:

    CSCsk25481 Bug Details
    Flexible NetFlow exports unencrypted packets

    None
    Symptoms:

    IOS does not encrypt NetFlow export packets originating from the router itself. This is day-0
    behaviour: features are not applied to the NetFlow export packets, and never have been.

    The fix for this does not address the above for the old NetFlow code in Cisco IOS, but rather
    offers the option to encrypt outgoing packets for the new Flexible NetFlow export
    feature.

    Conditions:

    NetFlow or Flexible NetFlow must be configured to export data for the problem to be seen.

    Workaround:

    There is no workaround

    You don't really need 15.0 code to make this work; anything later than 12.4(20)T will do. What you need is the command 'output-features' under the flow exporter configuration. Could you give it a try and let us know if that helps?

    Thank you

    Wen

  • GETVPN Configuration Tips

    Hello Cisco support community teams.

    I intend to implement GETVPN for my client. I have several questions about GETVPN failover behaviour.

    I have tested the configuration on GNS3 with a C3725 router and also on a real C2800 series router, and the behaviour is the same.

    1. I have 2 KSs in the topology; does the GM only register with one KS?

    2. When the primary KS goes down, the GM does not change to the secondary KS, so I need to clear crypto gdoi on the GM; is any configuration required to make the GM move to the other active KS?

    3. I checked on the GM and I see encaps and encrypt counters, but never decaps and decrypt?

    Please find the attachment for the example topology and configuration.

    Thank you and have a nice day.

    Sincerely yours

    Audrey

    Take a look at the DIG; it will answer most of your questions.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF

    Section 1.2.7

    (1) Yes.

    (2) Check the DIG; to avoid the need to re-register immediately, the "secondary KS" should become the new primary.

    (3) Are you saying it is not receiving encrypted traffic, or that the counter does not increment? I would not trust GNS3. If the problem is the same on the 2800 with 15.1(4)M, check with the TAC folks.

  • Card Crypto GETVPN on loopback

    Hello

    We have 6 WAN routers connected through an MPLS ISP cloud, and we must apply GET VPN between these WAN routers.

    We have 2 key servers (1800 routers), and the WAN routers will act as group members (6 GMs).

    The configuration files are attached for a typical working GETVPN configuration (crypto map applied to the WAN interface).

    In the key server configuration, the crypto isakmp command uses the WAN IP address of each WAN router (172.16.x.x), and since the KS routers are connected to the LAN (VSS), they should be able to reach 172.16.X.X, and therefore the 172.16.X.X subnet is advertised into the LAN (check the GM configuration file under eigrp - redistribute connected).

    That's what our customers want to avoid! They don't want 172.16.X.X to be advertised into the LAN.

    I know it's possible in the GETVPN configuration to configure the crypto isakmp command to use the loopback address of the WAN routers instead of the WAN IP address, but in this case the crypto map should be applied to the loopback, and for this, all traffic to be encrypted and decrypted must go through the loopback on all WAN router interfaces.

    I was wondering what the best solution is in this case; do I have to use the config below on the GM:

    crypto map <map-name> local-address Loopback0
    route-map TEST permit 10
     set interface Loopback0
    ip local policy route-map TEST

    But I don't know if it is correct, or there may be a better idea... so I thought share with you guys to discuss all the best ideas.

    Ali,

    We do not support crypto maps on loopback interfaces.

    Use crypto map local-address (in the case of vanilla IPsec) or the client registration interface command (even if it is for another use) under crypto gdoi to specify which interface or VRF you want to source registration from / receive rekeys on.

    You can take a look at DIG:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF

    Section 4.2.1.2.3 and others discuss it.

    M.

  • getvpn key problem

    I get this log:

    %GDOI-1-KS_NO_RSA_KEYS: RSA Key - GROUP_KEY : Not found, Required for group GROUP_1

    Even though I create RSA keys, I always get this log...

    KEY-2#sh crypto key mypubkey rsa
    % Key pair was generated at: 16:14:02 UTC Jul 26 2011
    Key name: KEY-2.GETVPN.com
    Storage Device: private-config
    Usage: Encryption Key
    Key is exportable.
    Key Data:
      305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AF6DD5 94776919
      24753C02 6AC2937B 73600F1C FD958857 16A5564E CF66D1F8 26BCFC60 1B986527
      37611A72 A699EEF3 2C6CE411 EE809A20 D86E0BFF C4753A43 E1020301 0001
    % Key pair was generated at: 16:20 UTC Jul 26 2011
    Key name: KEY-2.GETVPN.com.server
    Temporary key
    Usage: Encryption Key
    Key is not exportable.
    Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00ACB3B4 61488B26
      1B094A8D 3D9E30FC 4F204DB8 00842618 B16BA72A A0004264 8EAFAE2A 9A6851D5
      A60F8C12 83E47F2E F59E1479 1BA75C5A 8CBC4BFA CD303587 E788B2D0 1CFE0CD6
      A3466D75 FCCFE4F7 9F1AFB4C F0B3ADD9 58BCB2AA 64149AC5 0B020301 0001

    What could the problem be?

    config:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key GETVPNKEY address 5.5.5.5
    crypto isakmp key GETVPNKEY address 6.6.6.0 255.255.255.0
    crypto isakmp key GETVPNKEY address 1.1.1.0 255.255.255.0
    crypto isakmp key GETVPNKEY address 123.0.0.0 255.0.0.0
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set GETVPN_TRANS_GROUP esp-3des esp-sha-hmac
    !
    crypto ipsec profile GDOI_PROFILE_GROUP
     set security-association lifetime seconds 7200
     set transform-set GETVPN_TRANS_GROUP
    !
    crypto gdoi group GROUP_1
     identity number 1
     server local
      rekey retransmit 10 number 2
      rekey authentication mypubkey rsa GROUP_KEY
      rekey transport unicast
      sa ipsec 1
       profile GDOI_PROFILE_GROUP
       match address ipv4 GETVPN_ACL
       no replay
      address ipv4 123.1.1.3
      redundancy
       local priority 10
       peer address ipv4 123.1.1.2
    ip access-list extended GETVPN_ACL
     permit ip host 1.1.1.1 host 5.5.5.5
     permit ip host 1.1.1.1 host 6.6.6.6
     permit ip host 6.6.6.6 host 1.1.1.1
     permit ip host 5.5.5.5 host 1.1.1.1
    !
    access-list 101 permit ip any any

    Hello

    The name of the RSA key configured in the gdoi group is GROUP_KEY. A key with this name doesn't seem to be present on the device. The only key present in sh crypto key mypubkey rsa is KEY-2.GETVPN.com.

    Try changing the command "rekey authentication mypubkey rsa GROUP_KEY" to "rekey authentication mypubkey rsa KEY-2.GETVPN.com".

    Or generate another key pair with the name GROUP_KEY.

    -Atul

  • Simultaneous use of two key GETVPN servers

    Hello

    We want to be able to split our GETVPN nodes between two key servers, active/active, instead of having all nodes on a single KS with failover to a secondary KS. Does anyone know if this setup will work?

    Thank you

    Dave

    See section "3.7.3.3 Balancing GM registrations across COOP KSs" in the guide below.  It covers multiple options for balancing GMs across multiple KSs.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF

    Todd

  • What is GETVPN?

    Hi all

    Does anyone have a good doc on how GETVPN works?

    How is GETVPN different from IPsec?

    Thank you for your understanding.

    The GDOI implementation in Cisco and JUNOS software is based on RFC 3547, which is why they interoperate.

    Thus, as long as other vendors follow this RFC, I think they should work correctly.

    Let me know.

    Please rate any post that you find useful.

    Post edited by: Javier Portuguez

  • GETVPN - problem

    Hello

    I am trying to run GETVPN on a small test network. I have three routers:

    R1 - as KS

    R3 & R4 - as members

    R1 config:

    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set GET esp-aes esp-sha-hmac
    !
    crypto ipsec profile GET
     set transform-set GET
    !
    crypto gdoi group GET
     identity number 1
     server local
      rekey lifetime seconds 300
      rekey retransmit 10 number 2
      rekey authentication mypubkey rsa R1.test.com
      rekey transport unicast
      sa ipsec 1
       profile GET
       match address ipv4 150
       replay counter window-size 64
      address ipv4 10.0.0.1
    interface FastEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     duplex half

    R3 config:

    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto gdoi group GET
     identity number 1
     server address ipv4 10.0.0.1
    !
    !
    crypto map GET 10 gdoi
     set group GET
    interface FastEthernet0/0
     ip address 10.0.0.3 255.255.255.0
     duplex half
     crypto map GET

    Show commands:

    R1#sh crypto gdoi
    GROUP INFORMATION

        Group Name               : GET
        Group Identity           : 1
        Group Members            : 2
        IPSec SA Direction       : Both
        Active Group Server      : Local
        Group Rekey Lifetime     : 300 secs
        Group Rekey
            Remaining Lifetime   : 189 secs
        Rekey Retransmit Period  : 10 secs
        Rekey Retransmit Attempts: 2
        Group Retransmit
            Remaining Lifetime   : 0 secs

          IPSec SA Number        : 1
          IPSec SA Rekey Lifetime: 3600 secs
          Profile Name           : GET
          Replay method          : Count Based
          Replay Window Size     : 64
          SA Rekey
            Remaining Lifetime   : 1390 secs
          ACL Configured         : access-list 150

         Group Server list       : Local

    and

    R4#sh crypto gdoi
    GROUP INFORMATION

        Group Name               : GET
        Group Identity           : 1
        Rekeys received          : 0
        IPSec SA Direction       : Both
        ACL Received From KS     : gdoi_group_GET_temp_acl
        Active Group Server      : 10.0.0.1
        Group Server list        : 10.0.0.1
    R4#

    I receive an error message:

    *Apr 16 19:05:17.691: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= 10.0.0.4, src_addr= 10.0.0.1, prot= 17

    R4(config-if)#

    Do you have any idea what the problem is?

    Hello Hubert,

    The reason is as follows.

    Rekeys are sent via UDP on port 848. Since they are encrypted by the KEK [but not by the TEK], the router cannot decrypt them when IPsec looks at them.

    In fact, your KS policy should look like:

    access-list 150 deny udp any any eq 848
    access-list 150 permit ip any any

  • GETVPN with local policy deny

    Hello

    I am implementing GETVPN in an operational company with more than 150 branches. The only way to migrate branch by branch without interrupting the others is to exclude each local branch through a local deny policy at the GM in the data centre.

    The local deny ACL is 600 lines long, and when it is applied, CPU usage reaches 97%, which is expected.

    The question is: does this 97% usage crash the router or its EIGRP neighbourships at some point? Could it affect the router hardware if left like this for 2 weeks, for example?

    Thanks in advance

    Kind regards

    AMR

    CPU should be at 97% only for a few seconds to a few minutes [the Crypto ACL process taking all resources while building the internal classification structure].

    600 lines of local deny policy is HUGE, and I don't know if we even test that at Cisco.

    You can check with show proc cpu sorted to see which process is the culprit. The CRYPTO ACL process and routing [such as eigrp] have the same priority [normal] and under normal conditions things shouldn't break.

    The way you are migrating is a little weird.

    Generally, customers do the following:

    1 - Set up the key servers in receive-only [no encryption] mode

    crypto gdoi group dgvpn1
     .....
     server local
     ......
      sa receive-only

    Of course, there is already an ACL defined here [for example the one from step 3]. It does not matter since we turn off encryption.

    2 - Deploy GETVPN on all GMs. Since there is no encryption, there is not much to worry about regarding consequences on the data path.

    The objective here is to check that the control plane [aka GDOI] works well [does everyone receive their rekey? Are there drops in the path for the rekeys? Adjust the QoS parameters if necessary].

    3 - Select a small number of sites to which you encrypt [of course the sa receive-only is removed]

    Datacenter <-> small site

    Datacenter <-> medium site

    Datacenter <-> big site

    Create an ACL that includes only the subnets of these sites. Test the datapath [applications...]. If all goes well and all your sites are consistent in the network flows they use, then you can be pretty confident for the next step. This should run for a few days - weeks.

    4 - Big bang...  Enable encryption for all sites. [amending the KS ACL accordingly]

    If step 3 was a success, and all the routers are properly sized for the encryption they will handle, then you're ready for success.

    A good read:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF
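Two of the threads above end up at the same question. In "GETVPN - problem" the KS policy has to deny UDP/848 so the GM does not expect the KEK-encrypted rekey to arrive as a TEK-protected IPsec packet, and in "GETVPN and nbar" the NetFlow export leaves the router's loopback in cleartext (CSCsk25481) while the policy tells the far GM to expect it encrypted; both surface as %CRYPTO-4-RECVD_PKT_NOT_IPSEC. The Python below is an added example written for this page, not code from the original posts or from Cisco. It parses the numbered or named IOS-style ACL lines seen in the threads (permit/deny, any / host / address-plus-wildcard, optional "eq <port>" on the destination, first match wins, implicit deny at the end) and reports, for a given flow, whether the policy says "encrypt" or "bypass". The two policies are the ones from the "GETVPN - problem" thread; the flows and the NetFlow export port 9996 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The KS policy from the "GETVPN - problem" thread, before and after the
# deny for the GDOI rekey port recommended in the answer (constructed text).
BAD_POLICY = "access-list 150 permit ip any any\n"
GOOD_POLICY = (
    "access-list 150 deny udp any any eq 848\n"
    "access-list 150 permit ip any any\n"
)


@dataclass
class Flow:
    proto: str                  # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: object                 # ip_network
    dst: object                 # ip_network
    dport: Optional[int]        # from "eq <port>" on the destination, if present


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the inverse of a netmask; only contiguous masks are handled.
    wild = int(ip_address(tokens[i + 1]))
    mask = ip_address((~wild) & 0xFFFFFFFF)
    return ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Accept 'access-list N ...' lines or the body of 'ip access-list extended NAME'."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip"):
            continue                    # blank, comment, or the named-ACL header line
        if tokens[0] == "access-list":  # numbered form: drop 'access-list' and the number
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ace.src or ip_address(flow.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def policy_action(aces: List[Ace], flow: Flow) -> str:
    """First matching ACE wins. permit -> the GM expects this flow under the TEK
    ('encrypt'); deny, or no match at all (implicit deny) -> cleartext ('bypass')."""
    for ace in aces:
        if _matches(ace, flow):
            return "encrypt" if ace.action == "permit" else "bypass"
    return "bypass"


def rekey_is_exempt(acl_text: str, ks: str, gm: str) -> bool:
    """True when the KS->GM GDOI rekey (UDP/848) is left out of the TEK policy."""
    return policy_action(parse_acl(acl_text), Flow("udp", ks, gm, 848)) == "bypass"


if __name__ == "__main__":
    rekey = Flow("udp", "10.0.0.1", "10.0.0.4", 848)             # KS -> GM, from the thread
    netflow = Flow("udp", "192.168.1.250", "10.130.21.62", 9996)  # port 9996 is constructed
    data = Flow("tcp", "10.0.0.3", "10.0.0.4", 443)
    for name, text in (("permit-any-only", BAD_POLICY), ("with udp/848 deny", GOOD_POLICY)):
        aces = parse_acl(text)
        for label, fl in (("rekey", rekey), ("netflow", netflow), ("data", data)):
            print(f"{name:18} {label:8} -> {policy_action(aces, fl)}")
```

Reading the output: the rekey must come back as "bypass" from the KS policy, which only the second ACL achieves. The NetFlow export comes back as "encrypt" under both policies, which is correct only if the exporting router really does encrypt it; with the old NetFlow code it does not, so the far GM logs RECVD_PKT_NOT_IPSEC, and the fix the thread's answer points at is output-features on the flow exporter so the export packet goes through the crypto map like any other policy match.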
