I'm trying to do what should be at heart a simple configuration. I have three routers: A, the keyserver, B, the local client, and C, the remote. B and C are connected via their serial ports. I've used the examples in the "Cisco IOS Security Configuration Guide" to configure all three (all running IOS v.12.4(13r)T).
On the keyserver /show crypto gdoi/ shows me a KS in "Alive" mode, a unicast group, but no group members. On the clients I see an active group server (router A) and a group name and identity that matches what's on the keyserver. Rekeys are all 0 and ACLs and TEK Policy for Serial 0/0/0 are blank. If I try to show SAs on any of the three, they all come up blank.
Here are the configs, redacted a bit. Let's call A 1.1, B 2.1, and C 3.1.

Keyserver (A):

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key keykey address 1.1.2.1
crypto isakmp key keykey address 1.1.3.1
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-branches
 set security-association lifetime seconds 1800
 set transform-set gdoi-trans-group1
!
crypto gdoi group branches
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa branchkeys
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile-branches
   match address ipv4 198
   replay counter window-size 64
  address ipv4 1.1.1.1
  redundancy
   local priority 10
   peer address ipv4 1.1.1.2
access-list 198 permit ip any any (I got desperate on the ACL).
Here's Router B:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key keykey address 1.1.1.1
!
crypto gdoi group branches
 identity number 1
 server address ipv4 1.1.1.1
!
!
crypto map map-group1 10 gdoi
 set group branches

interface Serial0/0/0
 description connected to RouterC
 ip unnumbered FastEthernet0/0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 crypto map map-group1

And last, Router C:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key keykey address 1.1.1.1
!
!
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
crypto gdoi group branches
 identity number 1
 server address ipv4 1.1.1.1
!
!
crypto map map-group1 10 gdoi
 set group branches

interface Serial0/0/0
 description connected to RouterB
 backup delay 5 120
 backup interface Dialer1
 ip unnumbered FastEthernet0/0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 crypto map map-group1
Some statuses. Keyserver:

RouterA#show crypto gdoi ipsec sa
SA created for group branches:

RouterA#show crypto ipsec profile
IPSEC profile gdoi-profile-branches
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): N
        Transform sets={ gdoi-trans-group1, }

Both the clients look like:

RouterB#show crypto gdoi
GROUP INFORMATION

    Group Name               : branches
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1

    GM Reregisters in        : 0 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

ACL Downloaded From KS 1.1.1.1:

TEK POLICY:
  Serial0/0/0:
So I'm about as lost as a piggy looking for its mammy in a sausage factory. Anything obvious I'm missing here?
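Added example, not from the post: a small Python consistency check between a key server config and one group member config, run here over the post's A and B reduced to the lines it reads. It verifies the items a GDOI registration needs to agree on (group identity, KS address, ISAKMP keys in both directions, a gdoi crypto map applied to an interface); B's own address of 1.1.2.1 is an assumption, since the post does not show it.

```python
import re
# Constructed input: key server A and group member B from the post, reduced
# to the lines this check reads. B's own address (1.1.2.1) is an assumption.
KS_CFG = """crypto isakmp key keykey address 1.1.2.1
crypto isakmp key keykey address 1.1.3.1
crypto gdoi group branches
 identity number 1
 server local
  address ipv4 1.1.1.1
"""
GM_CFG = """crypto isakmp key keykey address 1.1.1.1
crypto gdoi group branches
 identity number 1
 server address ipv4 1.1.1.1
crypto map map-group1 10 gdoi
 set group branches
interface Serial0/0/0
 crypto map map-group1
"""

def blocks(cfg, header_re):
    """Yield (header line, indented body) for each top-level block matching header_re."""
    for m in re.finditer(r"^(" + header_re + r")\n((?:[ \t].*\n?)*)", cfg, re.M):
        yield m.group(1), m.group(2)
def find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None
def check_gm(ks_cfg, gm_cfg, gm_addr):
    """Return a list of KS/GM mismatches that would stop GDOI registration."""
    peers = lambda cfg: set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    ks_groups = {h.split()[-1]: b for h, b in blocks(ks_cfg, r"crypto gdoi group \S+")}
    problems = []
    for hdr, body in blocks(gm_cfg, r"crypto gdoi group \S+"):
        name = hdr.split()[-1]
        ks_body = ks_groups.get(name, "")          # empty body if the KS lacks the group
        if find(r"identity number (\d+)", body) != find(r"identity number (\d+)", ks_body):
            problems.append(f"group {name}: identity number differs from the KS")
        ks_addr = find(r"^ +address ipv4 (\S+)", ks_body)   # the KS 'server local' address
        if find(r"server address ipv4 (\S+)", body) != ks_addr:
            problems.append(f"group {name}: GM does not point at KS address {ks_addr}")
        if ks_addr not in peers(gm_cfg):
            problems.append(f"GM has no isakmp key for KS {ks_addr}")
        if gm_addr not in peers(ks_cfg):
            problems.append(f"KS has no isakmp key for GM {gm_addr}")
        # a gdoi crypto map must reference this group and be applied to an interface
        maps = {h.split()[2] for h, b in blocks(gm_cfg, r"crypto map \S+ \d+ gdoi")
                if find(r"set group (\S+)", b) == name}
        applied = {find(r"crypto map (\S+)", b) for h, b in blocks(gm_cfg, r"interface \S+")}
        if not maps & applied:
            problems.append(f"group {name}: no gdoi crypto map applied to an interface")
    return problems
```

For the post's own A and B the check comes back empty, so the static group, address and key settings agree and the failure to register has to be looked for elsewhere (reachability or the ISAKMP phase 1 exchange between GM and KS).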