GETVPN Questions

I am in the process of trying to implement GETVPN in order to encrypt all sensitive data across the telco provider network. Just to give you a little background, we have approximately 500 1921 routers located at remote agencies. We also have a headend device here that will act as the Key Server for all the GMs at the remote agencies. The router at the central/headquarters site will obviously be something a lot larger to function as the Key Server.
Some of the remote agencies use an IP subnet we assign from our network and others use their own subnet so they can interact with their local network as well. For those that use their own private schemes, we do either a static NAT or a PAT in the remote router in order to allow their workstations access to the appropriate applications. We were told that GETVPN would NOT work if we were PAT'ing addresses. Is this a true statement? I'm a little confused by this statement, as the order of operations happens AFTER NAT on outbound traffic and BEFORE NAT on inbound traffic.
So I guess in short I'm just asking: does NAT/PAT make a difference? If it works today without GETVPN, shouldn't it work with it?
If someone could enlighten me a little bit, I'd appreciate it.
In addition, since we have about 500 remote users, how does GETVPN work during implementation? So let's say we apply the config to the headquarters side and just one of the remotes; does this cause ALL the other remotes to go down because they haven't been set up yet, or can we slowly config each remote router over time?
Thanks in advance,

Disclaimer: This is around a year old knowledge, feel free to fact check me.
You are correct on the count of NAT and GETVPN on the same device. It will work (with obvious due diligence).
What will not work is when a GETVPN device is behind a NATing device.
For your second question, have a look at the GETVPN DIG
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf
Particularly, passive SA and receive-only SA are something that could be of interest.
FYI, config guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-mt/sec-get-vpn-15-mt-book/sec-get-vpn.html
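Added example, not part of the thread and not taken from Cisco's documents: an IOS configuration for the two points raised above, the staged rollout and NAT on the same router as the GM. Every name, number and address in it is made up (group GETVPN-AGENCIES, identity 1234, key server 10.0.0.10, the 10.0.0.0/8 telco-assigned space, the agency LAN 192.168.10.0/24, the key labels). The key server carries "sa receive-only", the receive-only SA the DIG describes: each GM that registers installs SAs that accept both clear and encrypted traffic while still sending clear, so the 500 remotes can be converted one at a time and the unconverted sites keep working; once the last one has registered, removing that line and letting the next rekey go out turns encryption on group-wide. The group member section shows PAT and the GDOI crypto map on the same WAN interface. IOS translates inside-to-outside traffic before it evaluates the crypto policy, so the policy ACL the key server pushes has to match the translated (WAN-side) addresses, which is why it is written on the telco-assigned aggregate and not on the agencies' private schemes. A GM sitting behind a separate NAT device, the case the reply rules out, is a different situation and is not covered here.

```cisco
! ---------- Key server (hypothetical: KS 10.0.0.10, telco-assigned space 10.0.0.0/8) ----------
ntp server 10.0.0.5
! GDOI registration is protected by IKE. A wildcard pre-shared key is shown for brevity;
! at 500 GMs, certificate (PKI) authentication is the better choice.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK-CHANGEME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Policy ACL pushed to every GM. Deny the control plane first (routing, management),
! then encrypt everything inside the telco-assigned space. GDOI itself (UDP/848) is
! exempted by the GM automatically and needs no deny line.
! NAT runs before the crypto check on inside-to-outside traffic, so a PAT'd agency shows up
! here as its router's WAN address, which is inside 10.0.0.0/8 and is matched.
ip access-list extended GETVPN-POLICY
 deny   eigrp any any
 deny   ospf any any
 deny   tcp any any eq 179
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 deny   udp any any eq 123
 deny   udp any eq 123 any
 deny   udp any any eq 161
 deny   udp any eq 161 any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! RSA key pair that signs rekeys (exec command, run once; exportable so a second,
! cooperative KS can be given the same pair):
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
crypto gdoi group GETVPN-AGENCIES
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   ! time-based anti-replay: a counter window cannot work when hundreds of senders share one SA
   replay time window-size 5
  ! Staged rollout: GMs install inbound-optional SAs (accept clear and encrypted, send clear).
  ! Remove this line after the last GM has registered; the next rekey enables encryption everywhere.
  sa receive-only
  address ipv4 10.0.0.10

! ---------- Group member at a PAT'd agency (hypothetical: WAN 10.77.1.2, agency LAN 192.168.10.0/24) ----------
ntp server 10.0.0.5
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK-CHANGEME address 10.0.0.10
crypto gdoi group GETVPN-AGENCIES
 identity number 1234
 server address ipv4 10.0.0.10
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-AGENCIES
!
ip access-list standard AGENCY-LAN
 permit 192.168.10.0 0.0.0.255
! PAT the agency's own private scheme onto the WAN address; NAT and the GDOI crypto map share one interface
ip nat inside source list AGENCY-LAN interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1
 description agency LAN (their own private scheme)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 description WAN toward telco network
 ip address 10.77.1.2 255.255.255.0
 ip nat outside
 crypto map GETVPN-MAP
```

To try full encryption on a single converted site before the group-wide switch, run the exec command "crypto gdoi gm ipsec direction both" on that GM (and "crypto gdoi gm ipsec direction inbound optional" to put it back); "show crypto gdoi" and "show crypto gdoi gm acl" show the registration state and the policy the GM actually downloaded, which is the first thing to check when a PAT'd site's traffic is not being encrypted. A single key server for 500 sites is a single point of failure for rekeys: a second, cooperative KS is added with "redundancy", "local priority" and "peer address ipv4" under "server local" on each KS, the GMs list every KS with repeated "server address ipv4" lines, and all cooperative KSs must hold the same rekey RSA key pair.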

Similar Messages

  • GETVPN Question (error output)

    Dear All,
    I have a question about GETVPN. When I run GETVPN, my GETVPN (KS and GM) comes up, but after a minute it comes down and starts to register again. I have some error output.
    My configuration on KS:
    crypto isakmp key cisco address x.x.10.2
    crypto ipsec transform-set cisco esp-3des esp-sha-hmac
    crypto ipsec profile GET
     set transform-set cisco
    crypto gdoi group test
     identity number xxxx
     server local
      rekey retransmit 10 number 2
      rekey authentication mypubkey rsa cisco
      sa ipsec 1
       profile GET
       match address ipv4 112
       replay counter window-size 64
    Configuration on GM:
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address x.x.11.1
    crypto gdoi group test
     identity number xxxx
     server address ipv4 x.x.10.2
    crypto map GETVPN local-address ethe0/1
    crypto map GETVPN 10 gdoi
     set group test
    =============================
    Output error is:
    %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group test may have expired/been cleared, or didn't go through. Re-register to KS
    How can I solve this problem?
    Thanks

    Hi,
    Is this affecting one GM or multiple ones?
    Is the GM receiving rekeys properly?
    During the problem, is it visible on the KS as a GM?
    You should be able to temporarily recover by doing "clear crypto gdoi".
    M.

  • GETVPN question

    Hello,
    I have a couple of routers that are members of the same GETVPN group
    and share the same network on which traffic is encrypted (same WAN network).
    My access list from the key server permits encryption for everything except EIGRP
    and SSH.
    If I ping one router (its WAN interface) from another router (also its WAN interface,
    same subnet), will this ping be encrypted?
    The list from the key server would say yes, but I don't know if this also applies to router-originated
    traffic (from the interface on which I have the crypto map).
    Thanks,
    Zoran

    Zoran,
    Yes, router-originated traffic is also subject to encryption (we only put a silent deny for UDP/848).
    In theory almost everything hits crypto on the way out :-)
    Have you seen those packets leaking out in the clear? A very easy way to see is "debug ip packet" (with ACLs); packets originated from the box will show in the debugs by default.
    M.

  • GETVPN and DMVPN equipment for 250 routers as GM

    Hi,
    I would like to know which router I should use as a key server for 250 GMs, and which router as DMVPN hub.
    I found this deployment guide
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
    On page 24 it says that a 2851 with AIM-VPN module has been tested with 200 GMs with 15 sec registration time with one key server.
    The problem is that there is a new generation of ISRs. I would like to use a 2900 router but don't know if the 2951 is necessary. The 2951 has onboard IPsec acceleration, but an additional ISM-VPN-29 module can be installed.
    In the data sheet (http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps12202/data_sheet_c78-682436.html)
    I did not find any info on whether this module is responsible for GETVPN rekeying. I don't want to buy it if it's not really necessary because it's not cheap.
    So my question is which 2900 router should I use as a key server for 250 GMs and which 2900 router as DMVPN hub?
    I hope that somebody can help me with this.

    DMVPN provides two key advantages for extending MPLS VPNs to the branches, bulk encryption and, more importantly, a scalable overlay model. Since the assumption here is that the branches in this deployment are connected to the hub through a Layer 3 SP service, a tunneled model using GRE is needed to extend MPLS to the branches. Coupled with the fact that there is large number of existing DMVPN deployments, this solution becomes an attractive deployment option.

  • Dmvpn or getvpn or DVTI

    Hello
    Actually I have the situation discussed below and I'm confused about the design and implementation: which VPN topology do I have to choose, DMVPN, GETVPN or DVTI?
    I have 4 branches and 1 main site. The branches have 2 connections to HQ, one via Internet and another via MPLS, so I want to have failover on the links and also have a secure tunnel on both paths.
    Best Regards
    John Mayer

    John,
    Contrary to what Karsten suggested, I think DMVPN would be a good way to go with 15 sites. Once you get everything up and working, it is extremely easy to add new sites with no changes needed on your Hub router. Here's a guide which discusses DMVPN configured in a dual Hub dual cloud scenario: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual
    You could easily use EIGRP to exchange routes and configure failover if one of the Hubs or tunnels goes down. This document discusses having two physical Hubs, but you can easily configure both DMVPN clouds on a single Hub router.
    Here's a document which has some DMVPN FAQs: https://supportforums.cisco.com/document/50111/dynamic-multipoint-vpn-dmvpn-design-and-positioning-questions-and-answers-live#Q._What_are_the_advantagesdisadvantages_of_using_DMVPN_or_VTI
    HTH,
    Frank

  • DMVPN - Question

    Hi All
    Quick question really. I have a new requirement: I need to modify my network to accommodate the encryption of traffic between PEs.
    I'm obviously going to use DMVPN, which will require me to have mGRE deployed on the PEs.
    Traffic will simply just traverse the core as plain old IP.
    I may require VRF encryption; DMVPN seems to be the best solution here, also for VRF traffic protection.
    CEs will be configured as spokes and PEs as hubs. Do you think three PEs as hubs will be difficult to configure?
    Topology can be found below.
    The one VRF should be encrypted between the three sites.
                                            ------  PE-3 ---- CE-3
    CE-1 --- PE-1 ----- P1 ---- P2 ------ PE-2 ----- CE-2

    hi Carl,
    As Giuseppe wrote in the previous post, the right choice would be to implement an end-to-end VPN solution directly between the CEs. PEs don't have to participate in the VPN tunnel. The connectivity will look something like the topology on my blog - http://eminent-ccie.blogspot.com/2010/07/ip-multicast-over-dmvpn-in-mpls-vpn.html (diagram).
    Routing between CEs will be directly controlled by the CEs. Any of the CEs can be treated as hub, the rest as spokes. Tunnel endpoints should be reachable using the direct path via the physical interface (not via the tunnel). LAN subnets across each CE should be routed via the tunnel.
    If you are specifically interested in ONLY PE-CE encrypted tunnels, you can use static P2P IPsec tunnels between PE and CE. Traffic across the MPLS core will be unencrypted in this case. You'll need multiple encrypted tunnels per PE-CE connection. This configuration is rarely used and needed.
    For an end-to-end encrypted solution, you can look at a GETVPN solution as well; it has more advantages and is recommended in these types of private MPLS scenarios.
    HTH
    Swap

  • GETVPN Configuration Advice

    Hello Cisco Support Community Teams,
    I am planning to implement GETVPN for my client. I have several issues regarding the GETVPN failover behavior.
    I have tested the configuration on GNS3 using a C3725 router, and also tested on a real C2800 series router, and the behavior is the same.
    1. I have 2 KSs in the topology; is the GM only registered with one KS?
    2. When the primary KS goes down, the GM doesn't change to the secondary KS, so I need to do clear crypto gdoi on the GM. Is there any configuration needed to make the GM automatically change to another active KS?
    3. I see on the GM that I get encaps and encrypt, but never get decaps and decrypt?
    Please find the attachment for the topology and configuration example.
    Thank you and have a nice day.
    Sincerely Yours
    Rudyanto

    Hi Marcin,
    Thank you for your answers.
    On point 3, I got this from show crypto ipsec:
       remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
       current_peer  port 848
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4, #pkts encrypt: 3, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    I cannot see the decaps and decrypt counters counting on the IPsec SA. I also suspect a limitation of GNS3. I will try later on the real network.
    And a last question:
    As a best practice, do I need to configure a specific traffic access-list for the data? In my configuration, I am using permit ip any any.
    ip access-list extended GETVPN-POLICY-ACL
     {some access-list configuration removed}
     permit ip any any
    For example, I have traffic from branch data IP 10.10.10.0/24 to datacenter 20.20.20.0/24:
    ip access-list extended GETVPN-POLICY-ACL
     {some access-list configuration, and change the any any to specific}
     permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
     permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    Thank you

  • GETVPN & MPLS CE

    Hi, I need to deploy hardware for future GETVPN configuration. This is to encrypt voice traffic over the MPLS network.
    5 sites with 1,000 IP Phone users each site.
    I am planning to deploy 2951 as KeyServer in hub1.
    In hub2 I would deploy a second 2951 as KeyServer for redundancy.
    Question:
    If I have 5 sites set up with a C3925 as MPLS CE, I would make 2 MPLS CEs GMs.
    Therefore I need to buy (2) 2951s as Key Servers to account for failover in my scenario.
    Is my understanding correct?

    Hi Harish... thanks for the reply. Not being familiar with GETVPN, I realized what was wrong. I totally spaced on preventing the routing traffic from being encrypted! Added the necessary deny statements to my GDOI KS ACL to deny the routing protocols in use (RIPv2, OSPF, EIGRP in my case)... and all is good now!! Lesson learned!
    KS-R13#show crypto gdoi ks acl
    Group Name: DTECHGDOI
     Configured ACL:
       access-list GETVPN-ACL  deny eigrp any any
       access-list GETVPN-ACL  deny ospf any any
       access-list GETVPN-ACL  deny udp any any port = 520
       access-list GETVPN-ACL  deny tcp any any port = 179
       access-list GETVPN-ACL  deny tcp any any port = 22
       access-list GETVPN-ACL  deny tcp any port = 22 any
       access-list GETVPN-ACL  deny udp any any port = 161
       access-list GETVPN-ACL  deny udp any any port = 162
       access-list GETVPN-ACL  deny udp any port = 161 any
       access-list GETVPN-ACL  deny udp any port = 514 any
       access-list GETVPN-ACL  deny udp any any port = 514
       access-list GETVPN-ACL  deny udp any any port = 123
       access-list GETVPN-ACL  deny udp any port = 123 any
       access-list GETVPN-ACL  deny tcp any any port = 49
       access-list GETVPN-ACL  deny tcp any port = 49 any
       access-list GETVPN-ACL  permit ip any any

  • Problem with key Server in GETVPN

    I had a problem with my key servers in GETVPN that I still don't understand well. My two key servers had problems issuing keys and had other physical problems. I have configured OPEN and CLOSED; in my understanding communication between GMs should continue with the same problem on the key servers, but after more than 24 hours the whole GETVPN network ended up going down. My question is as follows: after the primary and secondary key servers have been down for more than 24 hours, do the TEK keys no longer work and the whole network goes down, is that it?
    Eduardo Severo

    Those fields should be on top of the view's field list. Also, the join conditions must be complete, e.g. also include MANDT, as far as I know.
    The system defines all view fields as key fields, if it cannot otherwise determine a unique key based on the join conditions and the primary keys of the joined tables.
    If that's not it, I have no further idea.
    Thomas

  • GETVPN Group Member and Netflow

    Hi,
    We've recently migrated some remote sites on to new WAN links, and configured GETVPN on these remote Routers. Connectivity is working as expected, I'm just having issues in getting netflow working correctly. It appears that the spoke router is attempting to send the Netflow data, but when it's hitting the Hub Router, I'm seeing %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet within the logs.
    Having seen some similar issues flagged, I've modified the NetFlow configuration to replicate the below (which now includes the output-features command within the flow exporter), but the IPSEC-3-RECVD_PKT_NOT_IPSEC log messages still persist. The IPsec config is currently set so that the NetFlow traffic should be encrypted.
    flow exporter Test
     description Netflow export to Netflow-Server
     destination *.*.*.*
     source Loopback0
     output-features
     transport udp 2055
    flow monitor Test
     record netflow-original
     exporter Test
    Am I missing something within the configuration - Router in question is a Cisco 3845, running 15.1(4)M5
    TIA

    Hi Daniel,
    Well-known behaviour: NetFlow was not supported with IPsec (NetFlow packets were not encrypted even when they hit the IPsec policy).
    But for Flexible NetFlow it works when you enable "output-features":
    https://supportforums.cisco.com/docs/DOC-13452
    Michal

  • Questions on Print Quote report

    Hi,
    I'm fairly new to Oracle Quoting and trying to get familiar with it. I have a few questions and would appreciate if anyone answers them
    1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
    2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
    http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
    Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
    3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
    4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
    Thanks and Appreciate your patience
    -PC

    > 1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
    I think I posted it in one of the threads.
    > 2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
    > http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
    > Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
    Yes, your understanding is correct.
    > 3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
    No, there is no concurrent program getting called; you can directly call a report in a browser window, and the Oracle Reports server will execute the report and send the HTTP response to the browser.
    > 4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
    This is detailed in many threads.
    Thanks
    Tapash

  • Satellite P300D-10v - Question about warranty

    HI EVERYBODY
    I have these overheating problems with my laptop Satellite P300D-10v.
    I did everything I could do to fix it without any success.
    I got the latest update of the BIOS from Toshiba. I cleaned my laptop with compressed air first and then disassembled it all and cleaned it better (it was really clean inside though...).
    BUT unfortunately the problem still exists...
    So I did some research on the internet and I found out that most Toshiba owners have exactly the same problem with their laptop.
    Well, I guess this has been a Toshiba bug for many years now.
    It's a really nice laptop, cool sound (the best in a laptop ever) BUT......
    So I wanted to ask a question. As I am still under warranty, can I return this laptop and get my money back or change it for a different one????
    If anybody knows PLS let me know.
    Cheers
    Thanks in advance

    Hi
    I have already found your other threads.
    Regarding the warranty question:
    If there is something wrong with the hardware then the ASP in your country should be able to help you.
    The warranty should cover every repair or replacement.
    But I read that you have disassembled the laptop on your own... hmmm, if you have disassembled the notebook then your warranty is not valid anymore :(
    I think this should be clear to you: you can lose the warranty if you disassemble the laptop!
    By the way: you have to speak with the notebook dealer where you purchased this notebook if you want to return the notebook.
    The Toshiba ASP can repair and fix the notebook but you will not get money from the ASP.
    Greets

  • Question regarding NULL and forms

    Hi all, I have a survey that I'm working on that will be sent via email.
    I'm having an issue though. If I have a multiple choice question and the user only selects one of the choices, all the unselected choices return as NULL. Is there a way I can filter out anything that says "NULL" so it only shows the selected options?
    Thanks.
    Here is the page that retrieves all the data. Thanks
    <body>
    <p>1) Is this your first visit to xxxxxxx? <b><%=request.getParameter("stepone") %></b>
    </p>
    <p> </p>
    <p>2) How did You Learn About xxxxxxx?</p>
    <p><b><%=request.getParameter("steptwoOne") %></b>
      <br>
        <b><%=request.getParameter("steptwoTwo") %></b>
      <br>
        <b><%=request.getParameter("steptwoThree") %></b>
      <br>
        <b><%=request.getParameter("steptwoFour") %></b>
      <br>
        <b><%=request.getParameter("steptwoOther") %></b>
    </p>
    <p> </p>
    <p>3) What was your main reason for visiting xxxxx?</p>
    <p><b><%=request.getParameter("stepthreeOne") %></b>
        <br>
          <b><%=request.getParameter("stepthreeTwo") %></b>
        <br>
          <b><%=request.getParameter("stepthreeThree") %></b>
        <br>
          <b><%=request.getParameter("stepthreeFour") %></b>
        <br>
          <b><%=request.getParameter("stepthreeOther") %></b>
    </p>
    <p>4) did you find the information you were looking for on this site?</p>
    <p><b><%=request.getParameter("stepfour") %>
    <br>
    <b><%=request.getParameter("stepfourOther") %></b>
    </b></p>
    <p>5) Do you plan on using this website in the future?</p>
    <p><b><%=request.getParameter("stepfive") %></b></p>
    <p>6) What is your gender</p>
    <p><b><%=request.getParameter("stepsix") %></b></p>
    <p>7) What is your age group</p>
    <p><b><%=request.getParameter("stepseven") %></b></p>
    8) Would you like to take a moment and tell us how we can improve your experience on xxxxxxxxxx?
    <p><b><%=request.getParameter("stepeightFeedback") %></b></p>

    I was messing around and came up with this. It doesn't remove the null, but if it is null it adds ABC beside it. So I think I might be getting close. I just need to figure out how to replace the null.
    <b><%=request.getParameter("steptwoFour") %></b>
    <% if (request.getParameter("steptwoFour") == null) { %>
    <%   out.print("abc"); %>
    <% } %>

  • Anyone know how to remove Overdrive books from my iphone that have been transferred from my computer? They do not show up on itunes. I see a lot of answers to this question but they all are based on being able to see the books in iTunes.

    How do I remove Overdrive books from the library that were downloaded onto my computer and then transferred to my iPhone? The problem is that they do not show up in iTunes.
    I see this question asked a lot when I google, but the answers always assume you can find the books in iTunes, either under the Books tab, or the Audiobooks tab, or in Music. They do not show up anywhere for me. They do not remove from the app like the ones I downloaded directly onto my iPhone. The related archived article does not answer it either. I even asked a guy working at an Apple store and he could not help either. Anybody...?
    Thanks!

    There is an app called DaisyDisk on the Mac App Store which will help you see exactly where the memory is focused and consumed. Try using that app and see which folders are using more memory.

  • Basic question

    Hello, I have a basic question. If I have defined 2 fields in a cube or a DSO:
    Name Quantity
    and from the external flat file I get some characters for my quantity field, would my load fail? For a standard DSO and for write-optimized?
    NOTE: the quantity field is a key figure defined as numeric,
    and the load coming in has "VIKPATEL" for the Quantity field and not numbers.
    thanks

    Hi Vik,
    Yes, the load will fail.
    Maybe you could first load this data into BW (into the PSA) and set both fields as character fields. Then you can create the DSO, do a transformation from this PSA to the DSO, and put in your logic as to what you want to do with those Quantity values that are not numbers (e.g. convert to 0, or 'Not assigned', etc).
    You can use a transfer rule, or clean-up ABAP code in the start routine.
    Hope this helps.
