Ensuring That GMs Are Running Software Versions That Support Rekey Triggering
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to display the software version of each device in the GET VPN network and whether it supports rekey triggering after a policy change:
Device# show crypto gdoi feature policy-replace
Key Server ID       Version   Feature Supported
    10.0.8.1        1.0.2          Yes
    10.0.9.1        1.0.2          Yes
    10.0.10.1       1.0.2          Yes
    10.0.11.1       1.0.2          Yes
Group Member ID     Version   Feature Supported
    5.0.0.2         1.0.2          Yes
    9.0.0.2         1.0.1          No
The following example shows how to list only those devices that do not support rekey triggering after policy replacement:
Device# show crypto gdoi feature policy-replace | include No
    9.0.0.2         1.0.1          No
For these devices, the primary KS sends only the triggered rekey, without the policy-replacement instructions. Therefore, when such a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs, so the old policy stays in use on that GM until the old SAs expire on their own. Check this output before triggering a rekey so you know which GMs will lag behind the policy change.
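When a GET VPN deployment has many group members, checking the output by eye does not scale. The following Python script is an added example (not part of this guide or of Cisco IOS) that parses the output of show crypto gdoi feature policy-replace, as captured for instance over SSH, and reports the GMs that will not shorten their old SAs after a triggered rekey. The sample output embedded in the script is constructed from the values shown above; the column layout it expects is the one printed above, which is an assumption about the exact spacing the device emits.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'show crypto gdoi feature policy-replace' output
# as shown above (values copied from the page, spacing is an assumption).
SAMPLE_OUTPUT = """\
Key Server ID       Version   Feature Supported
    10.0.8.1        1.0.2          Yes
    10.0.9.1        1.0.2          Yes
    10.0.10.1       1.0.2          Yes
    10.0.11.1       1.0.2          Yes
Group Member ID     Version   Feature Supported
    5.0.0.2         1.0.2          Yes
    9.0.0.2         1.0.1          No
"""


@dataclass(frozen=True)
class FeatureRow:
    role: str        # "KS" (key server) or "GM" (group member)
    device_id: str   # identity shown in the first column (an IPv4 address)
    version: str     # GET VPN software version string, e.g. "1.0.2"
    supported: bool  # True when "Feature Supported" reads "Yes"


# Section headers tell us which role the rows that follow belong to.
HEADER_RE = re.compile(r"^(Key Server|Group Member) ID\b")
# One device row: address, version, Yes/No. Leading whitespace is tolerated.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(Yes|No)\s*$")


def parse_policy_replace(output):
    """Turn the show command text into a list of FeatureRow entries."""
    rows = []
    role = None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            role = "KS" if header.group(1) == "Key Server" else "GM"
            continue
        row = ROW_RE.match(line)
        if row and role is not None:
            rows.append(FeatureRow(role, row.group(1), row.group(2),
                                   row.group(3) == "Yes"))
    return rows


def unsupported_members(rows):
    """GMs that will install new SAs but keep old SAs for their full lifetime."""
    return [r for r in rows if r.role == "GM" and not r.supported]


def rekey_replaces_policy_everywhere(rows):
    """True only if every GM understands policy-replace, so a triggered
    rekey retires the old policy on all of them at once."""
    return not unsupported_members(rows)


if __name__ == "__main__":
    parsed = parse_policy_replace(SAMPLE_OUTPUT)
    for gm in unsupported_members(parsed):
        print(f"GM {gm.device_id} (version {gm.version}) keeps old SAs "
              f"until they expire after a triggered rekey")
    print("all GMs support policy-replace:",
          rekey_replaces_policy_everywhere(parsed))
```

Run it against a live capture by replacing SAMPLE_OUTPUT with the text returned by the show command; an empty list from unsupported_members means a triggered rekey will retire the old policy on every GM, and a non-empty list tells you which GMs to upgrade or to watch until their old SAs time out.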
Triggering a Rekey
The following example shows how to trigger a rekey after you have performed a policy change. In this example, an IPsec policy change (for example, DES to AES) is made by replacing the profile with the profile gdoi-p2 command:
Device# configure terminal
Device(config)# crypto gdoi group GET
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# sa ipsec 1
Device(gdoi-sa-ipsec)# no profile gdoi-p
Device(gdoi-sa-ipsec)# profile gdoi-p2
Device(gdoi-sa-ipsec)# end
Device#
*Jan 28 09:15:15.527: %SYS-5-CONFIG_I: Configured from console by console
*Jan 28 09:15:15.527: %GDOI-5-POLICY_CHANGE: GDOI group GET policy has changed. Use 'crypto gdoi ks rekey' to send a rekey, or the changes will be send in the next scheduled rekey
Device# crypto gdoi ks rekey
Device#
*Jan 28 09:17:44.363: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with
policy-replace for group GET from address 10.0.8.1 with seq # 2
The following example shows the error message that appears if you try to trigger a rekey on a secondary KS instead of the primary KS:
Device# crypto gdoi ks rekey
ERROR for group GET: This command must be executed on Pri-KS
Note: If time-based antireplay (TBAR) is configured, the key server sends a rekey to the group members every 2 hours (7200 seconds) regardless of the configured SA lifetime. In the following example, even though the lifetime is set to 8 hours (28800 seconds), the rekey timer is 2 hours because replay time is enabled under the IPsec SA:
Device(config)# crypto ipsec profile atm-profile
Device(ipsec-profile)# set security-association lifetime seconds 28800
!
Device(ipsec-profile)# exit
Device(config)# crypto gdoi group ATM-DSL
Device(config-gdoi-group)# server local
Device(gdoi-local-server)# sa ipsec 1
!
Device(gdoi-sa-ipsec)# replay time window-size 100
The show crypto gdoi gm replay and show crypto gdoi ks replay commands display TBAR information on the GM and KS respectively.