This document describes how to configure Group Encrypted Transport VPN (GETVPN) to use digital certificates for authentication, together with cooperative (COOP) key servers.
Cisco recommends that you have knowledge of these topics:
- Group Encrypted Transport VPN (GETVPN)
- Public Key Infrastructure (PKI)
- Certificate Authority (CA)
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In a GETVPN deployment, the key server (KS) is the most important entity because it maintains the control plane. Managing a complete GETVPN group from a single device creates a single point of failure.
To mitigate this, GETVPN supports multiple key servers, known as cooperative (COOP) KSs, which provide redundancy and recovery when a key server becomes unreachable.
GETVPN topology
PKI uses its infrastructure to overcome the key management difficulties encountered with pre-shared keys (PSKs). The PKI infrastructure acts as a certificate authority (CA) that issues, and then maintains, identity certificates.
Any group member router whose certificate information matches the ISAKMP identity is authorized to register with the KS.
Note: Certificates can be issued by any CA. In this guide, a CSR1000V is configured as the CA that issues certificates to all devices in the deployment so that their identity can be validated.
CA# show crypto pki server
crypto pki server ca-server
database level complete
database archive pkcs12 password 7 1511021F07257A767B73
issuer-name CN=Root-CA.cisco.com OU=LAB
grant auto
hash sha256
lifetime certificate 5000
lifetime ca-certificate 7300
eku server-auth client-auth
database url nvram
1. In a PKI-based deployment, an identity certificate must be obtained from the certificate authority (CA) for each device. On the key servers and the group member routers, create the RSA key pair that is used in the trustpoint configuration.
Note: For the demonstration in this guide, all key servers and group member routers in this topology share the same configuration.
Key server
KS(config)# crypto key generate rsa modulus 2049 general-keys label pkikey
The name for the keys will be: pkikey
% The key modulus size is 2049 bits
% Generating 2049 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
KS(config)# crypto pki trustpoint GETVPN
KS(ca-trustpoint)# enrollment url http://10.191.61.120:80
KS(ca-trustpoint)# subject-name OU=GETVPN_KS
KS(ca-trustpoint)# revocation-check none
KS(ca-trustpoint)# rsakeypair pkikey
KS(ca-trustpoint)# auto-enroll 70
Group member
GM(config)# crypto key generate rsa modulus 2049 general-keys label pkikey
The name for the keys will be: pkikey
% The key modulus size is 2049 bits
% Generating 2049 bit RSA keys, keys are non-exportable...
[OK] (elapsed time was 0 seconds)
GM(config)# crypto pki trustpoint GETVPN
GM(ca-trustpoint)# enrollment url http://10.191.61.120:80
GM(ca-trustpoint)# subject-name OU=GETVPN_GM
GM(ca-trustpoint)# revocation-check none
GM(ca-trustpoint)# rsakeypair pkikey
GM(ca-trustpoint)# auto-enroll 70
Note: The RSA key name is reused on all devices for consistency. This does not affect any other setting, because the computed value of each RSA key is unique.
2. The CA certificate must be installed in the trustpoint first. This can be done by authenticating the trustpoint or by enrolling directly. Because the CA certificate has not been installed yet, the trustpoint authentication process is triggered first.
Key server
KS(config)# crypto pki enroll GETVPN
% You must authenticate the Certificate Authority before
you can enroll with it.
% Attempting authentication first.
Certificate has the following attributes:
Fingerprint MD5: CD60821B 034ACFCF D1FD66D3 EA27D688
Fingerprint SHA1: 3F0C3A05 9BC786B4 8828007A 78A3973D B507F9C4
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Start certificate enrollment ..
% Create a challenge password. You need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password is not saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: OU=GETVPN_KS
% The subject name in the certificate will include: get-KS
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose GETVPN' command will show the fingerprint.
Group member
GM(config)# crypto pki enroll GETVPN
% You must authenticate the Certificate Authority before
you can enroll with it.
% Attempting authentication first.
Certificate has the following attributes:
Fingerprint MD5: E184D9EC 2D6499B3 D5D78E8A CD0B910C
Fingerprint SHA1: A31EE77D A4FFA2B7 90F39933 00337A6D 46CBE32E
% Do you accept this certificate? [yes/no]: y
% Trustpoint CA certificate accepted.
% Start certificate enrollment ..
% Create a challenge password. You need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password is not saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: OU=GETVPN
% The subject name in the certificate will include: get_GM
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose GETVPN' command will show the fingerprint.
3. With the command show crypto pki certificates verbose, verify on both devices that the newly issued certificate has been imported into its respective authenticated trustpoint (the CA certificate must be imported as well).
Key server
KS# show crypto pki certificates verbose GETVPN
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 05
Certificate Usage: General Purpose
Issuer:
cn=Root-CA.cisco.com OU=LAB
Subject:
Name: get-KS
hostname=get-KS
ou=GETVPN_KS
Validity Date:
start date: 11:58:27 UTC Sep 9 2025
end date: 11:58:27 UTC May 19 2039
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2049 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 51576B28 1203C5EC 06FF408E F90B0E47
Fingerprint SHA1: 9D5B10E5 E9418C00 895E6DC7 9BE86624 B273CF15
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 3A1012CD 1FB41E07 5B64742B 778B1E24 E1F07A92
X509v3 Authority Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Cert install time: 11:58:28 UTC Sep 9 2025
Associated Trustpoints: GETVPN
Storage: nvram:Root-CAcisco#5.cer
Key Label: pkikey
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Root-CA.cisco.com OU=LAB
Subject:
cn=Root-CA.cisco.com OU=LAB
Validity Date:
start date: 11:28:11 UTC Sep 9 2025
end date: 11:28:11 UTC Sep 4 2045
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: E184D9EC 2D6499B3 D5D78E8A CD0B910C
Fingerprint SHA1: A31EE77D A4FFA2B7 90F39933 00337A6D 46CBE32E
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
Authority Info Access:
Cert install time: 11:58:16 UTC Sep 9 2025
Associated Trustpoints: GETVPN
Storage: nvram:Root-CAcisco#1CA.cer
Group member
GM# show crypto pki certificates verbose GETVPN
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 08
Certificate Usage: General Purpose
Issuer:
cn=Root-CA.cisco.com OU=LAB
Subject:
Name: get_GM
hostname=get_GM
ou=GETVPN
Validity Date:
start date: 12:05:19 UTC Sep 9 2025
end date: 12:05:19 UTC May 19 2039
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2049 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: CA8AF53B B7424CD6 4C94F689 6FDD441F
Fingerprint SHA1: 8ACE3BC0 5BC6BBF1 D9696805 2998AFDB 2A73A65E
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: F3C5E024 F93B09A0 4F99215E 34EB9C88 553C7CAD
X509v3 Authority Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: GETVPN
Storage: nvram:Root-CAcisco#8.cer
Key Label: pkikey
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Root-CA.cisco.com OU=LAB
Subject:
cn=Root-CA.cisco.com OU=LAB
Validity Date:
start date: 11:28:11 UTC Sep 9 2025
end date: 11:28:11 UTC Sep 4 2045
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: E184D9EC 2D6499B3 D5D78E8A CD0B910C
Fingerprint SHA1: A31EE77D A4FFA2B7 90F39933 00337A6D 46CBE32E
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 4F0F7126 6D21324A 585A0BF3 652EB561 17D18B2F
Authority Info Access:
Associated Trustpoints: GETVPN
Storage: nvram:Root-CAcisco#1CA.cer
Note: For certificate authentication, ensure that the certificate presented carries the correct parameters for validating the device identity, such as the common name (CN), the extended key usage (EKU) and the validity dates.
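As an added check that is not part of this guide, the following Python script parses the show crypto pki certificates verbose output shown above and applies the criteria of the note: issuer, validity window, key size and EKU. Run against the output of this deployment it flags the 1024-bit RSA key of the CA certificate; the trimmed sample text and the 2048-bit threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample trimmed from the 'show crypto pki certificates verbose GETVPN' output above.
SAMPLE = """\
Certificate
  Issuer:
    cn=Root-CA.cisco.com OU=LAB
    start date: 11:58:27 UTC Sep 9 2025
    end   date: 11:58:27 UTC May 19 2039
    RSA Public Key: (2049 bit)
  Extended Key Usage:
    Client Auth
    Server Auth
CA Certificate
  Issuer:
    cn=Root-CA.cisco.com OU=LAB
    start date: 11:28:11 UTC Sep 9 2025
    end   date: 11:28:11 UTC Sep 4 2045
    RSA Public Key: (1024 bit)
    CA: TRUE
"""

def parse_certs(text):
    certs, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s and not line.startswith(" "):            # unindented line = start of a certificate block
            certs.append(cur := {"kind": s, "eku": [], "is_ca": False}); section = None
        elif cur is None or not s: continue
        elif s.endswith(":"):                         # sub-section header such as 'Issuer:'
            section = s[:-1]
        elif m := re.match(r"RSA Public Key: \((\d+) bit\)", s):
            cur["bits"] = int(m.group(1))
        elif m := re.match(r"(start|end)\s+date: (.+)", s):
            cur[m.group(1)] = datetime.strptime(m.group(2), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
        elif s == "CA: TRUE":
            cur["is_ca"] = True
        elif ": " in s:                               # any other key/value line ends the sub-section
            section = None
        elif section == "Issuer":
            cur["issuer"] = s
        elif section == "Extended Key Usage":
            cur["eku"].append(s)
    return certs

def check_cert(cert, expected_issuer, now, min_bits=2048):
    """Findings for one certificate: issuer, validity window, key size and EKU."""
    findings = []
    if cert.get("issuer") != expected_issuer:
        findings.append(f"issuer {cert.get('issuer')!r} != {expected_issuer!r}")
    if not cert["start"] <= now <= cert["end"]:
        findings.append(f"not valid at {now:%Y-%m-%d}")
    if cert.get("bits", 0) < min_bits:
        findings.append(f"RSA key only {cert.get('bits', 0)} bits")
    # The CA here issues with 'eku server-auth client-auth'; an identity certificate needs both.
    if not cert["is_ca"]:
        findings += [f"missing EKU {e}" for e in ("Client Auth", "Server Auth") if e not in cert["eku"]]
    return findings

def audit(text, expected_issuer, now=None):
    """Map each certificate block of the show output to its findings (empty list = passed)."""
    now = now or datetime.now(timezone.utc)
    return {c["kind"]: check_cert(c, expected_issuer, now) for c in parse_certs(text)}
```

audit(SAMPLE, "cn=Root-CA.cisco.com OU=LAB") returns an empty list for the identity certificate and the single finding "RSA key only 1024 bits" for the CA certificate.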
The essential GETVPN features depend on the configuration recommended above, which must be in place before the ISAKMP and GDOI features are configured.
4. On the primary key server, generate an exportable RSA key with the label "getKey". This key must be identical on all key servers, so the exportable attribute is essential for the subsequent steps:
KS(config)# crypto key generate rsa general-keys label getKey modulus 1024 exportable
The name for the keys will be: getKey
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys are exportable...
[OK] (elapsed time was 0 seconds)
5. Define an extended access list with the interesting traffic that the group member routers must encrypt as it passes through them. On the secondary key server, define the same access list with the same name.
Primary key server
KS(config)# ip access-list extended data_plane
KS(config-ext-nacl)# 10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
KS(config-ext-nacl)# 20 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
Secondary key server
KS2(config)# ip access-list extended data_plane
KS2(config-ext-nacl)# 10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
KS2(config-ext-nacl)# 20 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
6. Configure the ISAKMP policy, the IPsec transform set and the IPsec profile used to establish the secure connection with the GMs, starting with the GDOI group message exchange.
KS(config)# crypto isakmp policy 10
KS(config-isakmp)# encryption aes 256
KS(config-isakmp)# hash sha256
KS(config-isakmp)# group 14
KS(config-isakmp)# lifetime 3600
KS(config)# crypto ipsec transform-set get-ts esp-aes esp-sha-hmac
KS(config)# crypto ipsec profile gdoi-profile
KS(ipsec-profile)# set security-association lifetime seconds 7200
KS(ipsec-profile)# set transform-set get-ts
7. In a cooperative deployment, the key servers involved must have identical configuration. Export the previously created exportable RSA key from the primary key server and import both the private and the public key into the secondary key server (KS2). If the primary key server becomes unresponsive, the secondary key server continues to control the rekeying of all GM devices in the group.
Primary key server
KS(config)# crypto key export rsa getKey pem terminal 3des cisco123
% Key name: getKey
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-----END RSA PRIVATE KEY-----
Secondary key server
KS2(config)# crypto key import rsa getKey pem exportable terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
8. Periodic ISAKMP keepalives must be configured for the COOP KSs. This allows the primary KS to monitor the secondary key servers.
Primary key server
KS(config)# crypto isakmp keepalive 15 periodic
Secondary key server
KS2(config)# crypto isakmp keepalive 15 periodic
COOP key servers exchange one-way communication sent from the primary. If the secondary KS does not hear from the primary KS within a 30 second interval, the secondary KS attempts to contact the primary KS and requests updated information. If the secondary KS does not hear from the primary KS within a 60 second interval, the COOP re-election process is triggered and a new primary KS is elected.
Note: Periodic DPD between the GMs and the KSs is not required.
The election among the key servers is based on the highest configured priority value. If the priorities are equal, it is based on the highest IP address. Configure the same GDOI group on each key server, with the same crypto policy and the same extended access list.
Primary key server
KS(config)# crypto gdoi group GETVPN
KS(config-gkm-group)# identity number 484
KS(config-gkm-group)# server local
KS(gkm-local-server)# rekey lifetime seconds 86400
KS(gkm-local-server)# rekey retransmit 40 number 2
KS(gkm-local-server)# rekey authentication mypubkey rsa getKey
KS(gkm-local-server)# rekey transport unicast
9. Under the same local server settings, enable the crypto policy used for the data plane traffic together with the previously configured access list.
KS(gkm-local-server)# sa ipsec 10
KS(gkm-sa-ipsec)# profile gdoi-profile
KS(gkm-sa-ipsec)# match address ipv4 data_plane
The local server settings are the configuration level where the COOP key server feature is enabled, and the priority defined there determines the role of this key server. The secondary key servers must be configured explicitly so that all KSs can identify each other.
KS(gkm-sa-ipsec)# exit
KS(gkm-local-server)# redundancy
KS(gdoi-coop-ks-config)# local priority 100
KS(gdoi-coop-ks-config)# peer address ipv4 172.18.5.2
The last part of the COOP key server configuration defines the source IP address of the key packets, which is an IP address configured on one of the interfaces of the key server router.
KS(gdoi-coop-ks-config)# exit
KS(gkm-local-server)# address ipv4 172.16.4.2
Replicate the same configuration steps on the secondary key server, configuring a lower priority to identify the router as secondary and registering the address of the primary KS.
Secondary key server
KS2(config)# crypto gdoi group GETVPN
KS2(config-gkm-group)# identity number 484
KS2(config-gkm-group)# server local
KS2(gkm-local-server)# rekey lifetime seconds 86400
KS2(gkm-local-server)# rekey retransmit 40 number 2
KS2(gkm-local-server)# rekey authentication mypubkey rsa getKey
KS2(gkm-local-server)# rekey transport unicast
KS2(gkm-local-server)# sa ipsec 10
KS2(gkm-sa-ipsec)# profile gdoi-profile
KS2(gkm-sa-ipsec)# match address ipv4 data_plane
KS2(gkm-sa-ipsec)# exit
KS2(gkm-local-server)# redundancy
KS2(gdoi-coop-ks-config)# local priority 78
KS2(gdoi-coop-ks-config)# peer address ipv4 172.16.4.2
KS2(gdoi-coop-ks-config)# exit
KS2(gkm-local-server)# address ipv4 172.18.5.2
10. On the group member routers, the GDOI group settings require less configuration than on the key servers. The group members only need the ISAKMP policy with the same authentication method, the GDOI group, and the IP addresses of the key servers with which the GM router can register.
Group member
GM(config)# crypto isakmp policy 10
GM(config-isakmp)# encryption aes 256
GM(config-isakmp)# hash sha256
GM(config-isakmp)# group 14
GM(config-isakmp)# lifetime 3600
GM(config)# crypto gdoi group GETVPN
GM(config-gkm-group)# identity number 484
GM(config-gkm-group)# server address ipv4 172.18.5.2
GM(config)# crypto map getvpn 10 gdoi
GM(config-crypto-map)# set group GETVPN
GM(config)# interface GigabitEthernet1
GM(config-if)# crypto map getvpn
Group member 2
GM2(config)# crypto isakmp policy 10
GM2(config-isakmp)# encryption aes 256
GM2(config-isakmp)# hash sha256
GM2(config-isakmp)# group 14
GM2(config-isakmp)# lifetime 3600
GM2(config)# crypto gdoi group GETVPN
GM2(config-gkm-group)# identity number 484
GM2(config-gkm-group)# server address ipv4 172.16.4.2
GM2(config-gkm-group)# server address ipv4 172.18.5.2
GM2(config)# crypto map getvpn 10 gdoi
GM2(config-crypto-map)# set group GETVPN
GM2(config)# interface GigabitEthernet1
GM2(config-if)# crypto map getvpn
Verify the settings of each configuration stage as shown:
ACL for data plane traffic on the key servers
This show command verifies that the interesting traffic has been defined without errors.
KS# show ip access-lists data_plane
Extended IP access list data_plane
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
20 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
KS2# show ip access-lists data_plane
Extended IP access list data_plane
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
20 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
COOP registration status:
The show crypto gkm ks coop command displays the current COOP state between the key servers: which one is the primary key server, the GDOI group they belong to, their own and their peers' priorities, and the timers for the next message sent from the primary to the secondary servers.
Primary key server
KS# show crypto gkm ks coop
Crypto Gdoi Group Name :GETVPN
Group handle: 1073741826, Local Key Server handle: 1073741826
Local Address: 10.191.61.114
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Local KS version: 1.0.27
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 5
Per-user timer remaining time: 0
Antireplay Sequence Number: 63046
Peer Sessions:
Session 1:
Server handle: 1073741827
Peer Address: 10.191.61.115
Peer Version: 1.0.23
Peer Priority: 75
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 0
IKE status: Established
Counters:
Ann msgs sent: 63040
Ann msgs sent with reply request: 3
Ann msgs recv: 32
Ann msgs recv with reply request: 4
Packet sent drops: 3
Packet Recv drops: 0
Total bytes sent: 42550002
Total bytes recv: 22677
Secondary key server
KS2# show crypto gkm ks coop
Crypto Gdoi Group Name :GETVPN
Group handle: 1073741829, Local Key Server handle: 1073741827
Local Address: 10.191.61.115
Local Priority: 75
Local KS Role: Secondary , Local KS Status: Alive
Local KS version: 1.0.23
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 11, Retries: 0
Invalid ANN PST recvd: 0
New GM Temporary Blocking Enforced?: No
Per-user timer remaining time: 0
Antireplay Sequence Number: 4
Peer Sessions:
Session 1:
Server handle: 1073741828
Peer Address: 10.191.61.114
Peer Version: 1.0.27
Peer Priority: 100
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 30
IKE status: Established
Counters:
Ann msgs sent: 2
Ann msgs sent with reply request: 1
Ann msgs recv: 28
Ann msgs recv with reply request: 1
Packet sent drops: 1
Packet Recv drops: 0
Total bytes sent: 468
Total bytes recv: 16913
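The election rule (highest priority, then highest IP address) and the two outputs above can be cross-checked automatically. This Python script is an added example, not part of the guide: it parses trimmed samples of both key servers' show crypto gkm ks coop output, confirms that the reported roles agree with the election rule, and checks that every peer is Alive with IKE Established; the sample text is constructed from the outputs above.

```python
import re
from ipaddress import ip_address

# Constructed samples trimmed from the two 'show crypto gkm ks coop' outputs above
# (one per key server); only the lines the checks use are kept.
KS_OUT = """\
Local Address: 10.191.61.114
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Peer Sessions:
  Session 1:
    Peer Address: 10.191.61.115
    Peer Priority: 75
    Peer KS Role: Secondary , Peer KS Status: Alive
    IKE status: Established
"""
KS2_OUT = """\
Local Address: 10.191.61.115
Local Priority: 75
Local KS Role: Secondary , Local KS Status: Alive
Peer Sessions:
  Session 1:
    Peer Address: 10.191.61.114
    Peer Priority: 100
    Peer KS Role: Primary , Peer KS Status: Alive
    IKE status: Established
"""

# The same four fields appear for the local KS and for every peer session.
FIELDS = {"addr": r"Address:\s*(\S+)", "prio": r"Priority:\s*(\d+)",
          "role": r"KS Role:\s*(\w+)", "status": r"KS Status:\s*(\w+)"}

def fields(chunk):
    out = {k: re.search(p, chunk).group(1) for k, p in FIELDS.items()}
    out["prio"] = int(out["prio"])
    return out

def parse_coop(text):
    """Local KS view plus one entry per peer session."""
    local, peers = text.split("Peer Sessions:", 1)
    ks = fields(local)
    ks["peers"] = []
    for sess in re.split(r"Session \d+:", peers)[1:]:
        p = fields(sess)
        p["ike"] = re.search(r"IKE status:\s*(\w+)", sess).group(1)
        ks["peers"].append(p)
    return ks

def expected_primary(servers):
    """Election rule from the guide: highest priority, ties broken by the highest IP address."""
    return max(servers, key=lambda s: (s["prio"], int(ip_address(s["addr"]))))["addr"]

def check_coop(outputs):
    """Cross-check every KS's view of the COOP group; an empty list means it is consistent."""
    kss = [parse_coop(o) for o in outputs]
    primary = expected_primary(kss)
    findings = []
    for ks in kss:
        want = "Primary" if ks["addr"] == primary else "Secondary"
        if ks["role"] != want:
            findings.append(f"{ks['addr']} reports {ks['role']} but the election rule gives {want}")
        for p in ks["peers"]:
            if p["status"] != "Alive" or p["ike"] != "Established":
                findings.append(f"{ks['addr']}: peer {p['addr']} is {p['status']}, IKE {p['ike']}")
    return findings
```

check_coop([KS_OUT, KS2_OUT]) returns an empty list for the healthy state shown above; feed it the live outputs of all COOP members to catch a split view, for example two servers both believing they are primary.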
Display the information for group GETVPN along with the version information of the cooperative key servers.
KS# show crypto gdoi group GETVPN ks coop version
Cooperative key server infra Version : 2.0.0
Client : KS_POLICY_CLIENT Version : 2.0.0
Client : GROUP_MEMBER_CLIENT Version : 2.0.1
Client : SID_CLIENT Version : 1.0.1
Group member registration
GM# show crypto gkm group GETVPN
Group Name : GETVPN
Group Identity : 484
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 10.191.61.115
Group Member Information For Group GETVPN:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPN_temp_acl
Group member : 10.191.61.116 vrf: None
Local addr/port : 10.191.61.116/848
Remote addr/port : 10.191.61.115/848
fvrf/ivrf : None/None
Version : 1.0.25
Registration status : Registered
Registered with : 10.191.61.115
Re-registers in : 5642 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : UNKNOWN
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
Rekey Received : never
PFS Rekey received : 0
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 1
SA Track (OID/status) : disabled
Fail-Close Revert : Disabled
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Acks sents : 0
ACL Downloaded From KS 10.191.61.115:
access-list permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 85185
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1296
TEK POLICY for the current KS-Policy ACEs Downloaded:
GigabitEthernet1:
IPsec SA:
spi: 0x535F673B(1398761275)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (5988)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 16 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
KGS POLICY:
REG_GM: local_addr 10.191.61.116 overall chech
P2P POLICY:
REG_GM: local_addr 10.191.61.116
COOP key server election
Syslog messages help to track and identify problems in the COOP process. Enable the GDOI debug on the COOP key servers to display only the information related to this process.
KS# debug crypto gdoi ks coop
When the COOP election process starts, the next syslog message is displayed on all key servers.
%GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN (Previous Primary = NONE)
Once the election process completes, the message COOP_KS_TRANS_TO_PRI shows information about the new primary key server; it is visible on both the primary and the secondary key servers. The first time the election process runs, the Previous Primary is expected to show NONE.
%GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.4.2 in group GETVPN transitioned to Primary (Previous Primary = NONE)
If a key server re-election occurs, the message includes the IP address of the previous primary.
%GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.18.5.2 in group GETVPN transitioned to Primary (Previous Primary = 172.16.4.2)
When a COOP secondary key server loses connectivity, the COOP_KS_UNREACH message is displayed. The primary KS tracks the state of all secondary KSs and uses this message to indicate loss of connectivity with a secondary KS. A secondary KS only tracks the state of the primary KS, so this message on a secondary KS indicates loss of connectivity with the primary KS.
%GDOI-3-COOP_KS_UNREACH: Cooperative KS 172.18.5.2 Unreachable in group GETVPN
When connectivity between the COOP KSs is restored, the COOP_KS_REACH message is displayed.
%GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 172.18.5.2 in group GETVPN.
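The syslog messages above lend themselves to automated monitoring of the COOP process. This Python example, added here and not taken from the guide, replays constructed sample messages in those formats, tracks the current primary per group, and raises alerts only for unreachability and re-elections; the timestamp and hostname prefix of the sample lines are assumptions.

```python
import re

# Constructed sample syslog built from the GDOI COOP message formats shown above;
# the timestamp/hostname prefix is assumed.
LOG = """\
Oct  7 10:00:01 KS1 %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN (Previous Primary = NONE)
Oct  7 10:00:21 KS1 %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.4.2 in group GETVPN transitioned to Primary (Previous Primary = NONE)
Oct  7 11:30:05 KS2 %GDOI-3-COOP_KS_UNREACH: Cooperative KS 172.16.4.2 Unreachable in group GETVPN
Oct  7 11:30:35 KS2 %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN (Previous Primary = 172.16.4.2)
Oct  7 11:30:55 KS2 %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.18.5.2 in group GETVPN transitioned to Primary (Previous Primary = 172.16.4.2)
Oct  7 11:45:10 KS2 %GDOI-5-COOP_KS_REACH: Reachability restored with Cooperative KS 172.16.4.2 in group GETVPN.
"""

MSG = re.compile(r"%GDOI-(?P<sev>\d)-(?P<mnemonic>COOP_KS_\w+): (?P<body>.*)")
GROUP = re.compile(r"in group ([\w-]+)")
KS_IP = re.compile(r"KS (\d+\.\d+\.\d+\.\d+)")
PREV = re.compile(r"Previous Primary = ([\w.]+)\)")

def track_coop(log_text):
    """Replay COOP syslog messages; return per-group state and the events worth alerting on.

    The initial election (Previous Primary = NONE) is normal. A transition away from a known
    primary, or a KS becoming unreachable, is what an operator should be notified about."""
    state, alerts = {}, []
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        body, name = m.group("body"), m.group("mnemonic")
        group = GROUP.search(body).group(1)
        st = state.setdefault(group, {"primary": None, "unreachable": set(), "failovers": 0})
        ip_m, prev_m = KS_IP.search(body), PREV.search(body)
        ip = ip_m.group(1) if ip_m else None
        prev = prev_m.group(1) if prev_m else None
        if name == "COOP_KS_UNREACH":
            st["unreachable"].add(ip)
            alerts.append(f"{group}: KS {ip} unreachable")
        elif name == "COOP_KS_REACH":
            st["unreachable"].discard(ip)
        elif name == "COOP_KS_ELECTION" and prev != "NONE":
            alerts.append(f"{group}: re-election started, previous primary {prev}")
        elif name == "COOP_KS_TRANS_TO_PRI":
            if prev != "NONE":                      # a real failover, not the first election
                st["failovers"] += 1
                alerts.append(f"{group}: primary changed {prev} -> {ip}")
            st["primary"] = ip
    return state, alerts
```

For the sample above, track_coop(LOG) ends with 172.18.5.2 as primary for GETVPN, one failover counted, an empty unreachable set, and three alerts (the UNREACH, the re-election and the primary change).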
PKI enrollment issues
When debugging trustpoint enrollment or authentication problems, use the PKI debugs.
debug crypto pki messages
debug crypto pki transactions
debug crypto pki validation
debug crypto pki api
debug crypto pki callback
Revision | Publish Date | Comments
---|---|---
1.0 | 07-Oct-2025 | Initial Release