Examples
The following example shows how to display GET VPN group information for all groups. In this example, the command was entered on a KS:
Device# show crypto gdoi
GROUP INFORMATION
Group Name : GETV6 (Unicast)
Group Identity : 1111
Crypto Path : ipv6
Key Management Path : ipv4
Group Members : 2
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 192.0.2.1
Local Priority : 100
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.4
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86127 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC_PROF_GETV6
Replay method : Time Based
Replay Window Size : 10
SA Rekey
Remaining Lifetime : 3328 secs
ACL Configured : access-list ACL_GETV6_MIX
Group Server list : Local
GROUP INFORMATION
Group Name : GETV4 (Unicast)
Group Identity : 2222
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 2
IPSec SA Direction : Both
Redundancy : Configured
Local Address : 192.0.2.1
Local Priority : 90
Local KS Status : Alive
Local KS Role : Secondary
Local KS Version : 1.0.4
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86127 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : IPSEC_PROF_GETV6
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3328 secs
ACL Configured : access-list ACL_GETV4_HOST
Group Server list : Local
The following example shows how to enter the command on a GM to display GET VPN group information for all groups of which it is a member:
Device# show crypto gdoi
GROUP INFORMATION
Group Name : GETV6
Group Identity : 1111
Crypto Path : ipv6
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 192.0.2.1
192.0.2.11
Group member : 192.0.2.2 vrf: None
Version : 1.0.4
Registration status : Registered
Registered with : 192.0.2.1
Re-registers in : 3116 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 192.0.2.254
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
Rekey Received : never
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Acks sents : 0
ACL Downloaded From KS 192.0.2.1:
access-list deny tcp host 2001:DB8:1::1 eq 0 host 2001:DB8:0:ABCD::1 eq 0 sequence 1
access-list permit ipv6 host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 2
access-list permit ipv6 host 2001:DB8:0:ABCD::1 host 2001:DB8:1::1 sequence 3
access-list deny udp 2001:DB8:0001::/48 eq 0 2001:DB8:0002::/48 eq 0 sequence 4
access-list deny udp 2001:DB8:0002::/48 eq 0 2001:DB8:0001::/48 eq 0 sequence 5
access-list permit icmp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 6
access-list permit icmp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 7
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86013
Encrypt Algorithm : AES
Key Size : 128
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet2/0:
IPsec SA:
spi: 0x627E4B84(1652444036)
transform: esp-aes
sa timing:remaining key lifetime (sec): (3214)
Anti-Replay(Time Based) : 10 sec interval
tag method : cts sgt
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
GROUP INFORMATION
Group Name : GETV4
Group Identity : 2222
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 192.0.2.1
Group member : 192.0.2.2 vrf: None
Version : 1.0.4
Registration status : Registered
Registered with : 192.0.2.1
Re-registers in : 3058 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 192.0.2.254
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
Rekey Received : never
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Acks sents : 0
ACL Downloaded From KS 192.0.2.1:
access-list permit icmp host 192.0.2.2 host 192.0.2.3
access-list permit icmp host 192.0.2.3 host 192.0.2.2
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86013
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet2/0:
IPsec SA:
spi: 0xF6E6B597(4142314903)
transform: esp-aes
sa timing:remaining key lifetime (sec): (3214)
Anti-Replay : Disabled
tag method : cts sgt
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
The following example shows how to enter the command on a GM to display GET VPN group information for all groups of which it is a member. This is an example in which Suite B is configured; it shows that when you are using GCM or GMAC, the TEK POLICY section includes a separate IPsec SA with a unique security parameter index (SPI) for each ACL entry downloaded:
Device# show crypto gdoi
GROUP INFORMATION
Group Name : diffint
Group Identity : 1234
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 10.0.8.1
Group member : 10.0.3.1 vrf: None
Version : 1.0.4
Registration status : Registered
Registered with : 10.0.8.1
.
.
.
ACL Downloaded From KS 10.0.8.1:
access-list permit ip host 10.0.1.1 host 239.0.1.1
access-list permit ip host 10.0.100.2 host 238.0.1.1
access-list permit ip host 10.0.1.1 host 10.0.100.2
access-list permit ip host 10.0.100.2 host 10.0.1.1
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 85740
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA256
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet3/0:
IPsec SA:
spi: 0x318846DE(831014622)
transform: esp-gcm
sa timing:remaining key lifetime (sec): (86350)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xF367AEA0(4083658400)
transform: esp-gcm
sa timing:remaining key lifetime (sec): (86350)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xE583A3F5(3850609653)
transform: esp-gcm
sa timing:remaining key lifetime (sec): (86350)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
IPsec SA:
spi: 0xE9AC04C(245022796)
transform: esp-gcm
sa timing:remaining key lifetime (sec): (86350)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 24 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
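As an added example (not Cisco code; the parser is an assumption about the output layout), the following Python reads GM output in the form shown above and checks the properties the text describes: with GCM or GMAC every downloaded ACE should have its own IPsec SA and SPI, SPIs should be unique, and any SA with anti-replay disabled, as in the GETV4 group earlier on this page, is flagged. The hypothetical GCM-SHORT group is constructed to show the mismatch check firing:

```python
"""Audit the TEK POLICY section of 'show crypto gdoi' as printed on a GM."""
from dataclasses import dataclass, field


@dataclass
class GroupView:
    name: str = ""
    permit_aces: int = 0                       # "access-list permit ..." lines from the KS
    sas: list = field(default_factory=list)    # one dict per "IPsec SA:" block


def parse_gm_show(text):
    """Walk the output line by line, matching on the command's own labels."""
    groups, cur, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "GROUP INFORMATION":
            cur, sa = GroupView(), None
            groups.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Group Name"):
            cur.name = line.split(":", 1)[1].strip()
        elif line.startswith("access-list") and "permit" in line.split():
            cur.permit_aces += 1
        elif line == "IPsec SA:":
            sa = {"spi": None, "transform": "", "antireplay": ""}
            cur.sas.append(sa)
        elif sa is not None and line.startswith("spi:"):
            sa["spi"] = line.split(":", 1)[1].split("(")[0].strip()   # "0x318846DE(831014622)" -> "0x318846DE"
        elif sa is not None and line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip()
        elif sa is not None and line.startswith("Anti-Replay"):
            sa["antireplay"] = line.split(":", 1)[1].strip()           # "Disabled", "64", "10 sec interval"
    return groups


def check_group(g):
    """Return findings for one group; an empty list means it looks consistent."""
    findings = []
    spis = [s["spi"] for s in g.sas]
    if len(set(spis)) != len(spis):
        findings.append("duplicate SPI in TEK policy")
    # With GCM/GMAC the KS installs one IPsec SA (its own SPI) per downloaded ACE.
    # Assumption: deny ACEs get no SA, so only permit entries are counted.
    if any(s["transform"].startswith(("esp-gcm", "esp-gmac")) for s in g.sas):
        if len(g.sas) != g.permit_aces:
            findings.append(f"GCM/GMAC group has {g.permit_aces} permit ACEs but {len(g.sas)} IPsec SAs")
    for s in g.sas:
        if s["antireplay"].lower() == "disabled":
            findings.append(f"anti-replay disabled on SA {s['spi']}")
    return findings


def audit(text):
    """Map each group name to its list of findings."""
    return {g.name: check_group(g) for g in parse_gm_show(text)}


# Constructed sample: trimmed from the GM outputs above, plus a hypothetical
# third group (GCM-SHORT) whose SA count does not match its ACEs.
SAMPLE = """\
GROUP INFORMATION
    Group Name               : GETV4
    ACL Downloaded From KS 192.0.2.1:
      access-list  permit icmp host 192.0.2.2 host 192.0.2.3
      access-list  permit icmp host 192.0.2.3 host 192.0.2.2
    TEK POLICY for the current KS-Policy ACEs Downloaded:
        IPsec SA:
            spi: 0xF6E6B597(4142314903)
            transform: esp-aes
            Anti-Replay : Disabled
GROUP INFORMATION
    Group Name               : diffint
    ACL Downloaded From KS 10.0.8.1:
      access-list  permit ip host 10.0.1.1 host 239.0.1.1
      access-list  permit ip host 10.0.100.2 host 238.0.1.1
    TEK POLICY for the current KS-Policy ACEs Downloaded:
        IPsec SA:
            spi: 0x318846DE(831014622)
            transform: esp-gcm
            Anti-Replay(Counter Based) : 64
        IPsec SA:
            spi: 0xF367AEA0(4083658400)
            transform: esp-gcm
            Anti-Replay(Counter Based) : 64
GROUP INFORMATION
    Group Name               : GCM-SHORT
    ACL Downloaded From KS 10.0.8.1:
      access-list  permit ip host 10.0.1.1 host 10.0.100.2
      access-list  permit ip host 10.0.100.2 host 10.0.1.1
    TEK POLICY for the current KS-Policy ACEs Downloaded:
        IPsec SA:
            spi: 0x318846DE(831014622)
            transform: esp-gcm
            Anti-Replay(Counter Based) : 64
"""
```

Calling audit(SAMPLE) reports nothing for diffint, the disabled anti-replay on GETV4, and the ACE/SA count mismatch on GCM-SHORT.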
The following example shows how to enter the command on a KS to display GET VPN group information for a specific group:
Device# show crypto gdoi group diffint
GROUP INFORMATION
Group Name : diffint (Multicast)
Group Identity : 3333
Group Members : 1
IPSec SA Direction : Both
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 260 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 300 secs
Profile Name : gdoi-p
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 261 secs
ACL Configured : access-list 120
IPSec SA Number : 2
IPSec SA Rekey Lifetime: 300 secs
Profile Name : gdoi-p
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 261 secs
ACL Configured : access-list 122
Group Server list : Local
The following example shows how to enter the command on a KS to display basic KS status and parameters:
Device# show crypto gdoi ks
Total group members registered to this box: 2
Key Server Information For Group diffint:
Group Name : diffint
Group Identity : 3333
Group Members : 2
IPSec SA Direction : Both
Data Path : IPv6
Control Path : IPv4
ACL Configured : access-list 120
The following example shows how to enter the command on a KS to display KS policy information. This is an example in which Suite B is configured; it shows the Selector field, which matches the IPsec SA SPI with the ACL that it downloaded:
Device# show crypto gdoi ks policy
Key Server Policy:
For group diffint (handle: 2147483650) server 10.0.8.1 (handle: 2147483650):
# of teks : 5 Seq num : 0
.
.
.
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xE7994585
access-list : gcm-acl
Selector : permit ip host 10.0.1.1 host 239.0.1.1
transform : esp-gcm
alg key size : 16 sig key size : 0
orig life(sec) : 900 remaining life(sec) : 676
tek life(sec) : 900 elapsed time(sec) : 224
override life (sec): 0 antireplay window size: 64
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0x87CB1FA3
access-list : gcm-acl
Selector : permit ip host 10.0.100.2 host 238.0.1.1
transform : esp-gcm
alg key size : 16 sig key size : 0
orig life(sec) : 900 remaining life(sec) : 676
tek life(sec) : 900 elapsed time(sec) : 224
override life (sec): 0 antireplay window size: 64
The following example shows how to enter the command on a KS to display the encryption ACLs for groups. This example displays a numbered encryption ACL, which means that it is an IPv4 ACL (because IPv6 allows only named ACLs):
Device# show crypto gdoi ks acl
Group Name : diffint
Configured ACL : access-list 101 permit gre any any
The following example shows how to enter the command on a KS to display the encryption ACLs for groups. This example displays named encryption ACLs for two groups (an IPv4 group and an IPv6 group):
Device# show crypto gdoi ks acl
Group Name: GETV6
Configured ACL:
access-list ACL_GETV6_MIX deny tcp host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 10
access-list ACL_GETV6_MIX permit ipv6 host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 20
access-list ACL_GETV6_MIX permit ipv6 host 2001:DB8:0:ABCD::1 host 2001:DB8:1::1 sequence 30
access-list ACL_GETV6_MIX deny udp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 40
access-list ACL_GETV6_MIX deny udp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 50
access-list ACL_GETV6_MIX permit icmp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 60
access-list ACL_GETV6_MIX permit icmp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 70
Group Name: GETV4
Configured ACL:
access-list ACL_GETV4_HOST permit icmp host 192.0.2.2 host 192.0.2.3
access-list ACL_GETV4_HOST permit icmp host 192.0.2.3 host 192.0.2.2
The following example shows how to enter the command on a GM to display the encryption ACLs for the groups to which it belongs. Even though a GM can be in any combination of IPv4 and IPv6 groups, this example shows that the GM is a member of only one group (in this case, an IPv6 group):
Device# show crypto gdoi gm acl
Group Name: GETV6
ACL Downloaded From KS 192.0.2.1:
access-list permit ipv6 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 1
access-list permit ipv6 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 2
The following example shows how to enter the command on a GM to display the encryption ACLs for the groups to which it belongs. In this case, the GM belongs to two groups (an IPv4 group and an IPv6 group):
Device# show crypto gdoi gm acl
Group Name: GETV6
ACL Downloaded From KS 192.0.2.1:
access-list deny tcp host 2001:DB8:1::1 eq 0 host 2001:DB8:0:ABCD::1 eq 0 sequence 1
access-list permit ipv6 host 2001:DB8:1::1 host 2001:DB8:0:ABCD::1 sequence 2
access-list permit ipv6 host 2001:DB8:0:ABCD::1 host 2001:DB8:1::1 sequence 3
access-list deny udp 2001:DB8:0001::/48 eq 0 2001:DB8:0002::/48 eq 0 sequence 4
access-list deny udp 2001:DB8:0002::/48 eq 0 2001:DB8:0001::/48 eq 0 sequence 5
access-list permit icmp 2001:DB8:0001::/48 2001:DB8:0002::/48 sequence 6
access-list permit icmp 2001:DB8:0002::/48 2001:DB8:0001::/48 sequence 7
ACL Configured Locally:
Group Name: GETV4
ACL Downloaded From KS 192.0.2.1:
access-list permit icmp host 192.0.2.2 host 192.0.2.3
access-list permit icmp host 192.0.2.3 host 192.0.2.2
ACL Configured Locally:
The following example shows how to enter the command on a KS to display KS sender ID (KSSID) information (for Suite B):
Device# show crypto gdoi ks identifier
KS Sender ID (KSSID) Information for Group GETVPN:
Transform Mode : Counter (Suite-B)
Re-initializing : Yes
SID Length (Group Size) : 24 bits (MEDIUM)
Current KSSID In-Use : 25
Last GMSID Used : 108
KS Sender ID (KSSID) Information for Group GETVPN-NO-GCM:
Transform Mode : Non-Counter (Non-Suite-B)
If this KS is a secondary cooperative KS, the configured group size (which you can view by using the show running-config command) might differ from the size in the SID Length (Group Size) field above if the primary cooperative KS has not yet switched to using the new group size. (If the group size is being changed, all secondary cooperative KSs must first configure the new group size, and then the primary cooperative KS must configure the new group size before it is used by all cooperative KSs.)
The following example shows how to enter the command on a KS to display detailed KSSID information (for Suite B):
Device# show crypto gdoi ks identifier detail
KS Sender ID (KSSID) Information for Group GETVPN:
Transform Mode : Counter (Suite-B)
Re-initializing : Yes
SID Length (Group Size) : 24 bits (MEDIUM)
Current KSSID In-Use : 25
Last GMSID Used : 108
KSSID(s) Assigned : 0, 10, 22-36, 95-103
KSSID(s) Used : 26-32
KSSID(s) Used (Old) : 0, 10, 22-25
Available KSSID(s) : 33-36, 95-103
KS Sender ID (KSSID) Information for Group GETVPN-NO-GCM:
Transform Mode : Non-Counter (Non-Suite-B)
If no KSSIDs are in a set, the corresponding fields display a value of none:
KSSID(s) Assigned : none
KSSID(s) Used : none
KSSID(s) Used (Old) : none
Available KSSID(s) : none
The following example shows how to enter the command on a primary cooperative KS to display KSSID information for cooperative KSs (for Suite B):
Device# show crypto gdoi ks coop identifier
COOP-KS Sender ID (SID) Information for Group GETVPN:
Local KS Role: Primary , Local KS Status: Alive
Local Address : 10.0.5.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 24 bits (MEDIUM)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 4
KSSID(s) Assigned : 0-4, 10
KSSID(s) Used : 2-4
Old KSSID(s) Used : none
The following example shows how to enter the command on a primary cooperative KS to display detailed KSSID information for cooperative KSs (for Suite B):
Device# show crypto gdoi ks coop identifier detail
COOP-KS Sender ID (SID) Information for Group GETVPN:
Local KS Role: Primary , Local KS Status: Alive
Local Address : 10.0.5.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 24 bits (MEDIUM)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 4
KSSID(s) Assigned : 0-4, 10
KSSID(s) Used : 2-4
Old KSSID(s) Used : none
Peer KS Role: Secondary , Peer KS Status: Alive
Peer Address : 10.0.6.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 32 bits (LARGE)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 6
KSSID(s) Assigned : 5-9
KSSID(s) Used : 5-6
Old KSSID(s) Used : none
Peer KS Role: Secondary , Peer KS Status: Dead
Peer Address : 10.0.7.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 24 bits (MEDIUM)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 109
KSSID(s) Assigned : 100-110
KSSID(s) Used : 100-109
Old KSSID(s) Used : none
Only the primary cooperative KS has information for all peer cooperative KSs. The secondary KS has the SID information only for itself and for the primary KS.
Note that with the SID Length (Group Size) fields, when changing the group size from S1 to S2 (for any group size), all secondaries must be configured with S2 first, and then the primary can configure S2. Only after the primary configures S2 will the primary and secondaries begin to use S2. Therefore, when a secondary has configured the new group size S2, the local show command still shows the old group size S1 being used, because S2 is not yet in use (until the primary changes to S2). However, the show command when used on the cooperative KS will show that S2 is configured.
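To make the S1-to-S2 sequence checkable from the primary's detail output above, here is an added Python example (not Cisco code; the field parsing is an assumption about the output layout) that flags dead peers, KSSID overlap and each KS whose configured group size differs from the size in use, and reports whether every secondary has been given the new size yet. It expects the primary's output, since only the primary lists all peers:

```python
"""Audit 'show crypto gdoi ks coop identifier detail' taken on the primary COOP-KS."""
import re

# "Local KS Role: Primary , Local KS Status: Alive" / "Peer KS Role: Secondary , Peer KS Status: Dead"
ROLE_LINE = re.compile(r"^(Local|Peer) KS Role:\s*(\w+)\s*,\s*(?:Local|Peer) KS Status:\s*(\w+)")


def parse_coop_identifier(text):
    """One dict per KS (local first, then each peer), keyed on the command's labels."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_LINE.match(line)
        if m:
            cur = {"scope": m.group(1), "role": m.group(2), "status": m.group(3)}
            servers.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, val = (p.strip() for p in line.split(":", 1))
        if key.endswith("Address"):
            cur["address"] = val
        elif key == "SID Length (Group Size) Cfg":
            cur["cfg_bits"] = int(val.split()[0])      # "32 bits (LARGE)" -> 32
        elif key == "SID Length (Group Size) Used":
            cur["used_bits"] = int(val.split()[0])
        elif key == "KSSID Overlap":
            cur["overlap"] = (val == "Yes")
    return servers


def audit_coop(servers):
    """Findings about peer health and the S1 -> S2 group-size change sequence."""
    findings = []
    for s in servers:
        if s["status"] != "Alive":
            findings.append(f"{s['address']}: status {s['status']}")
        if s.get("overlap"):
            findings.append(f"{s['address']}: KSSID overlap")
        if s.get("cfg_bits") != s.get("used_bits"):
            findings.append(f"{s['address']}: {s['cfg_bits']}-bit group size configured "
                            f"but {s['used_bits']}-bit still in use (change pending)")
    primary = next((s for s in servers if s["role"] == "Primary"), None)
    secondaries = [s for s in servers if s["role"] == "Secondary"]
    if primary and secondaries:
        s1 = primary["used_bits"]                       # size the whole COOP set uses today
        if any(s["cfg_bits"] != s1 for s in secondaries):
            # A change has started: every secondary must carry S2 before the primary does.
            lagging = [s["address"] for s in secondaries if s["cfg_bits"] == s1]
            if lagging:
                findings.append("new group size not yet configured on secondaries: " + ", ".join(lagging))
            elif primary["cfg_bits"] == s1:
                findings.append("all secondaries carry the new group size; configure it on the primary to switch")
    return findings


# Constructed sample, copied from the primary's detail output above.
SAMPLE = """\
COOP-KS Sender ID (SID) Information for Group GETVPN:
  Local KS Role: Primary , Local KS Status: Alive
    Local Address : 10.0.5.2
    Re-initializing : No
    KSSID Overlap : No
    SID Length (Group Size) Cfg : 24 bits (MEDIUM)
    SID Length (Group Size) Used : 24 bits (MEDIUM)
  Peer KS Role: Secondary , Peer KS Status: Alive
    Peer Address : 10.0.6.2
    KSSID Overlap : No
    SID Length (Group Size) Cfg : 32 bits (LARGE)
    SID Length (Group Size) Used : 24 bits (MEDIUM)
  Peer KS Role: Secondary , Peer KS Status: Dead
    Peer Address : 10.0.7.2
    KSSID Overlap : No
    SID Length (Group Size) Cfg : 24 bits (MEDIUM)
    SID Length (Group Size) Used : 24 bits (MEDIUM)
"""

if __name__ == "__main__":
    for finding in audit_coop(parse_coop_identifier(SAMPLE)):
        print(finding)
```

On the sample it reports the pending change on 10.0.6.2, the dead peer 10.0.7.2, and that 10.0.7.2 still lacks the new size, so the primary should not be reconfigured yet.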
The following example shows how to enter the command on a secondary cooperative KS to display KSSID information for cooperative KSs (for Suite B):
Device# show crypto gdoi ks coop identifier
COOP-KS Sender ID (SID) Information for Group GETVPN:
Local KS Role: Secondary , Local KS Status: Alive
Local Address : 10.0.6.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 32 bits (LARGE)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 6
KSSIDs Assigned : 5-9
KSSIDs Used : 5-6
Old KSSIDs Used : none
The following example shows how to enter the command on a secondary cooperative KS to display detailed KSSID information for cooperative KSs (for Suite B):
Device# show crypto gdoi ks coop identifier detail
COOP-KS Sender ID (SID) Information for Group GETVPN:
Local KS Role: Secondary , Local KS Status: Alive
Local Address : 10.0.6.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 32 bits (LARGE)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 6
KSSIDs Assigned : 5-9
KSSIDs Used : 5-6
Old KSSIDs Used : none
Peer KS Role: Primary , Peer KS Status: Alive
Peer Address : 10.0.5.2
Next SID Client Operation : NOTIFY
Re-initializing : No
KSSID Overlap : No
SID Length (Group Size) Cfg : 24 bits (MEDIUM)
SID Length (Group Size) Used : 24 bits (MEDIUM)
Current KSSID In-Use : 4
KSSIDs Assigned : 0-4, 10
KSSIDs Used : 2-4
Old KSSIDs Used : none
The following example shows how to enter the command on a KS to display cooperative KS and client GET VPN software versions:
Device# show crypto gdoi ks coop version
Cooperative key server infra Version : 1.0.2
Client : KS_POLICY_CLIENT Version : 1.0.1
Client : GROUP_MEMBER_CLIENT Version : 1.0.1
Client : SID_CLIENT Version : 1.0.1
The following example shows how to enter the command on a GM to display the SID information for each registered GM in the group to which the GM belongs (for Suite B):
Device# show crypto gdoi gm identifier
GM Sender ID (SID) Information for Group diffint:
Group Member: 10.0.1.2 vrf: None
Transform Mode : Counter (Suite-B)
# of SIDs Last Requested : 2
CURRENT SIDs:
SID Length (Group Size) : 24 bits (MEDIUM)
# of SIDs Downloaded : 2
First SID Downloaded : 0x00000D
Last SID Downloaded : 0x00000E
Group Member: 10.0.3.1 vrf: None
Transform Mode : Counter (Suite-B)
# of SIDs Last Requested : 2
CURRENT SIDs:
SID Length (Group Size) : 24 bits (MEDIUM)
# of SIDs Downloaded : 2
First SID Downloaded : 0x00000F
Last SID Downloaded : 0x000010
The following example shows how to enter the command on a GM to display detailed SID information for each registered GM in the group to which the GM belongs (for Suite B):
Device# show crypto gdoi gm identifier detail
GM Sender ID (SID) Information for Group diffint:
Group Member: 10.0.1.2 vrf: None
Transform Mode : Counter (Suite-B)
# of SIDs Last Requested : 2
CURRENT SIDs:
SID Length (Group Size) : 24 bits (MEDIUM)
# of SIDs Downloaded : 2
First SID Downloaded : 0x00000D
Last SID Downloaded : 0x00000E
CM Interface Bandwidth (Kbps) MTU (Bytes) # SIDs
============ ================ =========== ======
Gi0/1 10000 1500 1
Gi0/2 10000 1000 1
OLD SIDs:
SID Length (Group Size) : 24 bits (MEDIUM)
# of SIDs Downloaded : 2
First SID Downloaded : 0x00000B
Last SID Downloaded : 0x00000C
NEXT SID REQUEST:
TEK Lifetime : 7200 sec
SID Length (Group Size) : 24 bits (MEDIUM)
Group Member: 10.0.3.1 vrf: None
Transform Mode : Counter (Suite-B)
# of SIDs Last Requested : 2
CURRENT SIDs:
SID Length (Group Size) : 24 bits (MEDIUM)
# of SIDs Downloaded : 2
First SID Downloaded : 0x00000F
Last SID Downloaded : 0x000010
CM Interface Bandwidth (Kbps) MTU (Bytes) # SIDs
============ ================ =========== ======
Gi1/0 10000 1500 1
Gi1/1 10000 1000 1
OLD SIDs: none
NEXT SID REQUEST:
TEK Lifetime : 7200 sec
SID Length (Group Size) : 24 bits (MEDIUM)
The following example shows how to enter the command on a KS to display KS status and parameters for a specific GDOI group:
Device# show crypto gdoi group diffint ks
Group Information
Group Name : diffint
Group Identity : 3333
Group Members Registered : 1
Group Server : Local
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 84 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime : 120 secs
Profile Name : gdoi-p
SA Rekey
Remaining Lifetime : 64 secs
access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
access-list 120 permit ip host 10.0.100.2 host 192.168.1.1
Group Member List for Group diffint :
Member ID : 10.0.3.1
Group Name : test
Group Identity : 4444
Group Members Registered : 0
Group Server : Local
Group Rekey Lifetime : 600 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime : 120 secs
Profile Name : gdoi-p
access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
access-list 120 permit ip host 10.0.100.2 host 192.168.1.1
The following example shows how to enter the command on a GM to display brief status information for a specific GDOI group:
Device# show crypto gdoi group diffint gm
Group Member Information For Group diffint:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_diffint_temp_acl
Group member : 10.0.3.1 vrf: None
Version : 1.0.2
Registration status : Registered
Registered with : 10.0.5.2
Re-registers in : 77 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 10.0.5.2
Last rekey seq num : 0
Multicast rekey rcvd : 9
The following example shows how to enter the command on a KS to display KS information for registered GMs:
Device# show crypto gdoi ks members
Group Member Information :
Detail :
Number of rekeys sent for group diffint : 10
Group Member ID : 10.0.0.1
Group ID : 3333
Group Name : diffint
Key Server ID : 192.0.2.253
Rekeys sent : 10
Rekeys retries : 0
Rekey Acks Rcvd : 10
Rekey Acks missed : 0
Sent seq num : 2 3 1 2
Rcvd seq num : 2 3 1 2
Group Member ID : 192.0.2.251
Group ID : 3333
Group Name : diffint
Key Server ID : 192.0.2.252
Rekeys sent : 10
Rekeys retries : 0
Rekey Acks Rcvd : 10
Rekey Acks missed : 0
Sent seq num : 2 3 1 2
Rcvd seq num : 2 0 0 0
The following example shows how to enter the command on a GM to verify the RSA public key that is downloaded from the KS:
Device# show crypto gdoi gm pubkey
GDOI Group: diffint
KS IP Address: 10.0.9.1
conn-id: 1020 my-cookie:BFC164DB his-cookie:3F2C75D9
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B508E9 EDD36AE1
B7AFEB96 74AAD793 4AAA549B 91809707 25AE59E7 E7359CB3 6C938C82 5ED17AC3
9E1B1611 DF3791DD FBAC8C4B EEEDC4F5 46C4472A BAAE0870 69020301 0001
For RSA public keys, the KS sends the GM the RSA public key when the GM registers. When the KS sends a rekey, it signs it using the RSA private key. After the GM receives this rekey, it verifies the signature using the public key that it downloaded from the KS (therefore, the GM knows that it received the rekey from the KS).
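The Key Data block decodes as a DER SubjectPublicKeyInfo (the 30 5C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 prefix is the rsaEncryption algorithm identifier). The added Python below (not Cisco code; key_data_from_show and the min_bits policy threshold are assumptions) extracts those bytes from the output above and reports the modulus size, which bounds the strength of the rekey signature the GM verifies. The key in the documentation example is only 512 bits, which gives a 94-byte DER blob and 64-byte signatures:

```python
"""Decode the Key Data block printed by 'show crypto gdoi gm pubkey'."""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """SubjectPublicKeyInfo -> (modulus, exponent); raises ValueError on anything else."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    tag, alg, pos = _tlv(spki, 0)                       # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, rsa, _ = _tlv(bits, 1)                         # skip the unused-bits octet
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, _ = _tlv(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_data_from_show(text):
    """Collect the hex groups that follow the 'Key Data:' label and return raw DER bytes."""
    hex_words, collecting = [], False
    hexdigits = set("0123456789ABCDEFabcdef")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Data:"):
            collecting = True
            continue
        if collecting:
            words = line.split()
            if not words or not all(len(w) % 2 == 0 and set(w) <= hexdigits for w in words):
                break                           # first non-hex line ends the dump
            hex_words.extend(words)
    return bytes.fromhex("".join(hex_words))


def summarize_pubkey(text, min_bits=2048):
    """Size of the key the GM will verify rekeys with, against an assumed local minimum."""
    der = key_data_from_show(text)
    n, e = parse_rsa_spki(der)
    return {"der_len": len(der), "modulus_bits": n.bit_length(), "exponent": e,
            "meets_policy": n.bit_length() >= min_bits}


# Constructed sample: the pubkey output shown above, hex copied verbatim.
SAMPLE = """\
GDOI Group: diffint
    KS IP Address: 10.0.9.1
    conn-id: 1020 my-cookie:BFC164DB his-cookie:3F2C75D9
    Key Data:
      305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B508E9 EDD36AE1
      B7AFEB96 74AAD793 4AAA549B 91809707 25AE59E7 E7359CB3 6C938C82 5ED17AC3
      9E1B1611 DF3791DD FBAC8C4B EEEDC4F5 46C4472A BAAE0870 69020301 0001
"""

if __name__ == "__main__":
    print(summarize_pubkey(SAMPLE))
```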
The following example shows how to use the command on a GM to display information about the IPsec SA for each group to which the GM belongs (this command cannot be used on a KS):
Device# show crypto gdoi ipsec sa
SA created for group GETV6:
Ethernet2/0:
protocol = ip
local ident = 2001:DB8:0001::/48, port = 0
remote ident = 2001:DB8:0002::/48, port = 0
direction: Both, replay(method/window): Time/6 sec
protocol = ip
local ident = 2001:DB8:0002::/48, port = 0
remote ident = 2001:DB8:0001::/48, port = 0
direction: Both, replay(method/window): Time/6 sec
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in the GET VPN network support the GM removal feature:
Device# show crypto gdoi feature gm-removal
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
10.0.0.2 1.0.2 Yes
10.0.0.3 1.0.1 No
The following example shows how to enter the command on the KS (or primary KS) to find only those devices that do not support GM removal:
Device# show crypto gdoi feature gm-removal | include No
10.0.0.3 1.0.1 No
The above example shows that the GM with IP address 10.0.0.3 is running older software version 1.0.1 (which does not support GM removal) and should be upgraded. You can also enter the above command on a GM.
The following example shows how to use the GET VPN software versioning command on a GM to check whether it supports the GM removal feature:
Device# show crypto gdoi feature gm-removal
Version Feature Supported
1.0.2 Yes
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether devices in the GET VPN network support rekey triggering after KS policy replacement:
Device# show crypto gdoi feature policy-replace
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
192.0.2.2 1.0.2 Yes
10.0.0.3 1.0.1 No
You can also enter the above command on a GM.
The following example shows how to enter the command on the KS (or primary KS) to find only those devices that do not support rekey triggering after policy replacement:
Device# show crypto gdoi feature policy-replace | include No
10.0.0.3 1.0.1 No
For these devices, the primary KS sends only the triggered rekey without instructions for policy replacement. Therefore, when a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs. This behavior is the same as the old rekey method and ensures backward compatibility. You can also enter the above command on a GM.
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in the GET VPN network support the GDOI MIB:
Device# show crypto gdoi feature gdoi-mib
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.2 Yes
10.0.9.1 1.0.2 Yes
10.0.10.1 1.0.2 Yes
10.0.11.1 1.0.2 Yes
Group Member ID Version Feature Supported
192.0.2.2 1.0.2 Yes
10.0.0.3 1.0.1 No
You can also enter the above command on a GM.
The following example shows how to enter the command on the KS (or primary KS) to find only those devices that do not support the GDOI MIB:
Device# show crypto gdoi feature gdoi-mib | include No
10.0.0.3 1.0.1 No
You can also enter the above command on a GM.
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support GET VPN for IPv6 in the Data Plane (and thus can be added to an IPv6 group):
Device# show crypto gdoi feature ipv6-crypto-path
Group Name: GET
Key Server ID Version Feature Supported
10.0.8.1 1.0.3 Yes
10.0.9.1 1.0.3 Yes
10.0.10.1 1.0.3 Yes
10.0.11.1 1.0.3 Yes
Group Member ID Version Feature Supported
192.0.2.2 1.0.3 Yes
10.0.0.3 1.0.1 No
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support GET VPN for IPv6 in the Data Plane:
Device# show crypto gdoi feature ipv6-crypto-path | include No
10.0.0.3 1.0.1 No
All devices in the same GDOI group (including the KS, cooperative KSs, and GMs) must support the GET VPN for IPv6 in the Data Plane feature before the group's KS can enable the feature. To enable the feature for a group, you must ensure that all devices in the group are running compatible versions of the GET VPN software.
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support Suite B cryptography:
Device# show crypto gdoi feature suite-b
Group Name: GETVPN
Key Server ID Version Feature Supported
10.0.5.2 1.0.4 Yes
10.0.6.2 1.0.4 Yes
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
Group Member ID Version Feature Supported
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
10.0.3.1 1.0.4 Yes
10.0.3.2 1.0.4 Yes
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support Suite B:
Device# show crypto gdoi feature suite-b | include No
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
All devices in the same GDOI group (including the KS, cooperative KSs, and GMs) must support the Suite B feature before the group's KS can enable the feature. To enable the feature for a group, you must ensure that all devices in the group are running compatible versions of the GET VPN software.
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support IPsec inline tagging for Cisco TrustSec:
Device# show crypto gdoi feature cts-sgt
Group Name: GETVPN
Key Server ID Version Feature Supported
10.0.5.2 1.0.5 Yes
10.0.6.2 1.0.5 Yes
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
Group Member ID Version Feature Supported
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
10.0.3.1 1.0.5 Yes
10.0.3.2 1.0.5 Yes
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support IPsec inline tagging for Cisco TrustSec:
Device# show crypto gdoi feature cts-sgt | include No
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
All devices in the same GDOI group (including the KS, cooperative KSs, and GMs) must support the IPsec inline tagging for Cisco TrustSec feature before the group's KS can enable the feature. To enable the feature for a group, you must ensure that all devices in the group are running compatible versions of the GET VPN software.
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to use the GET VPN software versioning command on the KS (or primary KS) to check whether all the devices in each group support long SA lifetimes (from 24 hours to 30 days):
Device# show crypto gdoi feature long-sa-lifetime
Group Name: GETVPN
Key Server ID Version Feature Supported
10.0.5.2 1.0.5 Yes
10.0.6.2 1.0.5 Yes
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
Group Member ID Version Feature Supported
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
10.0.3.1 1.0.5 Yes
10.0.3.2 1.0.5 Yes
You can also enter the above command on a GM (which will display the information for the GM but not for the KS or other GMs).
The following example shows how to enter the command on the KS (or primary KS) to find only those devices in the GET VPN network that do not support long SA lifetimes:
Device# show crypto gdoi feature long-sa-lifetime | include No
10.0.7.2 1.0.3 No
10.0.8.2 1.0.2 No
10.0.1.2 1.0.2 No
10.0.2.5 1.0.3 No
All devices in the same GDOI group (including the KS, cooperative KSs, and GMs) must support long SA lifetimes before the group’s KS can enable the feature. To enable the feature for a group, first ensure that every device in the group is running a compatible version of the GET VPN software.
You can also enter the above command on a GM; the output then covers only that GM, not the KS or other GMs.
The following sample output shows detailed information about the KEK (rekey) SAs:
Router# show crypto gdoi rekey sa detail
KEK SA DB STATS:
num_active = 2
num_malloc = 46014
num_free = 46011
KEK POLICY (transport type : Unicast)
Local addr/port : 1.2.20.32/848
Remote addr/port : 10.1.2.1/848
spi : 0x72C3C67E7B15BF701C30A0C22E1A1A7E
management alg : disabled encrypt alg : 3DES
crypto iv length : 8 key size : 24
orig life(sec) : 0
sig hash algorithm : enabled sig key length : 94
sig size : 64 conn_id : 33957
seq num : 0 prev seq num : 0
handle : 80009EFE Interface : GigabitEthernet
group name : gdoi-group1
KEK POLICY (transport type : Unicast)
Local addr/port : 1.2.20.32/848
Remote addr/port : 10.1.2.1/848
spi : 0xFCD0DD8333235B1652FA922BE85FAD65
management alg : disabled encrypt alg : 3DES
crypto iv length : 8 key size : 24
orig life(sec) : 0
sig hash algorithm : enabled sig key length : 94
sig size : 64 conn_id : 33956
seq num : 0 prev seq num : 0
handle : 80009E4D Interface : GigabitEthernet
group name : gdoi-group1
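The `rekey sa detail` output packs two `name : value` pairs onto some lines (for example `crypto iv length : 8 key size : 24`), which defeats a naive split on the colon. The following is an added example (not Cisco code) that parses the KEK POLICY blocks above into dictionaries, cross-checks the policy count against `num_active`, and flags the security-relevant findings a reviewer would want from this output: a legacy rekey cipher (the sample uses 3DES), a rekey whose signature hash is not reported as enabled, and an endpoint that is not on the GDOI port (UDP 848). The sample text is constructed from the output shown above; the audit rules are the example's own, not a Cisco check.

```python
import re

# Constructed sample: the two KEK policies from the 'rekey sa detail' output above.
SAMPLE_OUTPUT = """\
KEK SA DB STATS:
    num_active = 2
    num_malloc = 46014
    num_free = 46011
KEK POLICY (transport type : Unicast)
  Local addr/port : 1.2.20.32/848
  Remote addr/port : 10.1.2.1/848
  spi : 0x72C3C67E7B15BF701C30A0C22E1A1A7E
  management alg : disabled encrypt alg : 3DES
  crypto iv length : 8 key size : 24
  orig life(sec) : 0
  sig hash algorithm : enabled sig key length : 94
  sig size : 64 conn_id : 33957
  seq num : 0 prev seq num : 0
  handle : 80009EFE Interface : GigabitEthernet
  group name : gdoi-group1
KEK POLICY (transport type : Unicast)
  Local addr/port : 1.2.20.32/848
  Remote addr/port : 10.1.2.1/848
  spi : 0xFCD0DD8333235B1652FA922BE85FAD65
  management alg : disabled encrypt alg : 3DES
  crypto iv length : 8 key size : 24
  orig life(sec) : 0
  sig hash algorithm : enabled sig key length : 94
  sig size : 64 conn_id : 33956
  seq num : 0 prev seq num : 0
  handle : 80009E4D Interface : GigabitEthernet
  group name : gdoi-group1
"""

HEADER = re.compile(r"^\s*KEK POLICY \(transport type\s*:\s*(\S+)\)")
STAT = re.compile(r"^\s*(num_\w+)\s*=\s*(\d+)")
# A line may carry two 'name : value' pairs. The lazy name match stops at the
# first ':' and the value is the next whitespace-free token, so findall()
# yields each pair in turn.
PAIR = re.compile(r"([A-Za-z][A-Za-z_ /()]*?)\s*:\s*(\S+)")

GDOI_PORT = "848"               # IANA-assigned GDOI port (UDP 848)
WEAK_CIPHERS = {"DES", "3DES"}  # legacy KEK ciphers; the rekey policy should use AES


def parse_rekey_sa_detail(text):
    """Return (stats, policies): the KEK SA DB counters and one dict per KEK POLICY."""
    stats, policies = {}, []
    for line in text.splitlines():
        s = STAT.match(line)
        if s:
            stats[s.group(1)] = int(s.group(2))
            continue
        h = HEADER.match(line)
        if h:
            policies.append({"transport": h.group(1)})
            continue
        if policies and ":" in line:          # attribute lines belong to the last header
            for name, value in PAIR.findall(line):
                policies[-1][name.strip()] = value
    return stats, policies


def audit_kek(stats, policies):
    """Findings a reviewer would raise on this output (rules are this example's own)."""
    findings = []
    if "num_active" in stats and stats["num_active"] != len(policies):
        findings.append(f"num_active={stats['num_active']} but {len(policies)} KEK policies listed")
    for p in policies:
        tag = f"KEK spi {p.get('spi', '?')}"
        alg = p.get("encrypt alg", "").upper()
        if alg in WEAK_CIPHERS:
            findings.append(f"{tag}: rekey encryption is {alg}; move the KEK policy to AES")
        if p.get("sig hash algorithm") != "enabled":
            findings.append(f"{tag}: signature hash not reported as enabled; check rekey authentication")
        for side in ("Local addr/port", "Remote addr/port"):
            port = p.get(side, "/").rsplit("/", 1)[-1]
            if port != GDOI_PORT:
                findings.append(f"{tag}: {side} {p.get(side)} is not on GDOI port {GDOI_PORT}")
    return findings


if __name__ == "__main__":
    kek_stats, kek_policies = parse_rekey_sa_detail(SAMPLE_OUTPUT)
    for finding in audit_kek(kek_stats, kek_policies):
        print(finding)
```

On the sample above the audit reports both KEKs for 3DES and nothing else: the two active policies match `num_active = 2`, both have signing enabled, and both endpoints sit on port 848.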
The table below describes the significant fields shown in the displays.
Table 9. show crypto gdoi Field Descriptions

Field | Description
Group Name | Name of the GDOI group.
Group Identity | GDOI group identity number or address.
Crypto Path | IP version of the data plane. IPv6 shows that the group policies are defined in IPv6.
Key Management Path | IP version of the control plane. IPv4 shows that the control path for this group is in IPv4.
Group Members | Number of GMs registered to the KS.
IPSec SA Direction | Direction of the IPsec SA: inbound only (Receive Only) or bidirectional (Both).
Redundancy | Whether KS redundancy is configured (that is, whether there are cooperative KSs).
Local Address | IP address of the local KS.
Local Priority | Priority of the local KS among the cooperative KSs; the KS with the highest priority is elected primary.
Local KS Status | Whether the local KS is active (Alive).
Local KS Role | Whether the local KS is the Primary or a Secondary cooperative KS.
Local KS Version | Version of the GET VPN software running on the local KS.
Group Rekey Lifetime | Time between rekeys that is configured for the group (the KEK lifetime).
Group Rekey Remaining Lifetime | Remaining time before the next rekey for the group.
Rekey Retransmit Period | Period between retransmissions of a rekey (in seconds).
Rekey Retransmit Attempts | Number of times a rekey is retransmitted.
Group Retransmit Remaining Lifetime | Number of seconds until the next rekey retransmission.
IPSec SA Number | Number (index) of the IPsec SA.
IPSec SA Rekey Lifetime | Lifetime configured for the group IPsec SAs (the TEKs); a TEK is rekeyed when this lifetime expires.
Profile Name | IPsec profile defined for the group.
Replay method | Anti-replay method configured for the group: Count Based or Time Based.
Replay Window Size | Anti-replay window: a number of packets for Count Based, or an interval in seconds for Time Based.
SA Rekey Remaining Lifetime | Remaining lifetime of the current group IPsec SA (TEK).
ACL Configured | Name of the ACL configured for the group.
Group Server list | Location of the list of group servers: Local if the command is issued on a KS, or the list of KS IP addresses if it is issued on a GM.
Rekeys received | Number of rekeys the GM has received for the group.
Group member | IP address of the local GM.
vrf | VRF in which the GM is configured, or None if no VRF is configured.
Version | Version of the GET VPN software running on the GM.
Registration status | Whether the GM is registered with a KS.
Registered with | IP address of the KS with which the GM is registered.
Re-registers in | Number of seconds until the GM reregisters with a KS.
Succeeded registration | Whether the GM successfully registered with the KS.
Attempted registration | Number of times the GM attempted to register with the KS.
Last rekey from | IP address of the KS from which the GM received its last rekey.
Last rekey seq num | Anti-replay sequence number of the last rekey the GM received from the KS.
Unicast rekey received | Number of unicast rekeys received by the GM.
Rekey ACKs sent | Number of rekey acknowledgments sent by the GM to the KS.
Rekey Received | Whether the GM has received a rekey from the KS.
allowable rekey cipher | Cipher that is acceptable for a rekey.
allowable rekey hash | Hash algorithm that is acceptable for a rekey.
allowable transformtag | Transform set that is acceptable for a rekey.
Rekeys cumulative | Cumulative rekey statistics for the GM.
Total received | Total number of rekeys received by the GM.
After latest register | Number of rekeys received by the GM since its most recent registration.
Rekey Acks sents | Total number of rekey acknowledgments sent by the GM.
ACL Downloaded From KS | ACLs that the GM has downloaded from the KS.
access-list | ACL configuration (policy) or configurations (policies) for the GMs.
KEK POLICY | Details of the KEK policy.
Rekey Transport Type | Transport used for rekey messages: Unicast or Multicast.
Lifetime (secs) | Lifetime of the rekey (KEK) in seconds.
Encrypt Algorithm | Encryption algorithm of the KEK policy.
Key Size | Encryption key size (in bits).
Sig Hash Algorithm | Hash algorithm used for the rekey signature.
Sig Key Length (bits) | Length (in bits) of the rekey signature key.
TEK POLICY for the current KS-Policy ACEs Downloaded | Details of the TEK policy for the KS policy ACEs currently downloaded.
IPsec SA | Details of the IPsec SA.
spi | Security parameter index (SPI) associated with the TEK.
transform | Transform set of the IPsec SA on the GM.
sa timing:remaining key lifetime (sec) | Remaining lifetime of the TEK (in seconds).
Anti-Replay(Time Based) | Interval duration for time-based anti-replay.
tag method | Method used for GET VPN inline tagging: cts sgt (Cisco TrustSec security group tags) or disabled.
alg key size | Length (in bytes) of the key for the encryption algorithm configured in the TEK policy: 16 (AES), 24 (AES-192), 32 (AES-256), 8 (DES), 24 (3DES), 16 (GCM), 24 (GCM-192), 32 (GCM-256), 16 (GMAC), 24 (GMAC-192), or 32 (GMAC-256). DES and 3DES are legacy ciphers; their presence in a TEK policy should be treated as a finding.
sig key size | Length (in bytes) of the key for the signature (integrity) algorithm configured in the TEK policy: 16 (MD5), 20 (SHA), 32 (SHA-256), 48 (SHA-384), or 64 (SHA-512). MD5 is likewise legacy and should be treated as a finding.
encaps | IPsec encapsulation configured in the TEK policy: ENCAPS_TUNNEL or ENCAPS_TRANSPORT.
Configured ACL | ACL configured on the KS for the group.
ACL Configured Locally | Details of any ACLs configured locally on the GM.
Group Member Information | Details about the group to which the GM belongs.
Detail | Details about the GMs registered to the KS.
Number of rekeys sent for group | Number of rekeys sent for the group.
Group Member ID | IP address of the GM.
KS IP Address | Address of the KS from which the GM received the RSA public key during registration.
Group ID | ID of the group to which the GM belongs.
Group Name | Name of the group to which the GM belongs.
Key Server ID | IP address of the KS for the group.
Rekeys sent | Number of unique rekeys sent to the group.
Rekeys retries | Number of rekeys resent after not being acknowledged by the group.
Rekey Acks Rcvd | Total number of rekeys acknowledged by the group.
Rekey Acks missed | Number of rekeys sent to the group but not acknowledged.
Sent seq num | Sequence number sent to protect against replay attacks.
Rcvd seq num | Sequence number received.
conn-id | Connection ID.
my-cookie | Identifier on the local device (the KS or a GM) that, paired with the his-cookie identifier on the other device, identifies a unique SA between the KS and a GM. Use this pair of identifiers to check that an RSA rekey has been properly received on a specific GM.
his-cookie | Identifier on the remote device (the KS or a GM) that, paired with the my-cookie identifier on the local device, identifies a unique SA between the KS and a GM.
Key Data | Contents of the key itself. Output containing this field is key material and must be handled as a secret.
Version | Version of the GET VPN software running on the KS or GM.
Feature Supported | Whether the specified feature (GM removal, policy replacement, GDOI MIB, and so on) is supported by the software version running on the KS or GM.
Data Path | IPv6 shows that the group policies are defined in IPv6.
Control Path | IPv4 shows that the control path for this group is in IPv4.
Transform Mode | Whether the configured transform mode for the KS or GM is counter (Suite B) or non-counter (non-Suite-B). If it is non-counter, GCM-AES or GMAC-AES is not configured (and no identifier information is displayed).
Re-initializing | Whether the KS is reinitializing.
SID Length (Group Size) | SID length (group size) in bits for the KS or GM: 8 bits (SMALL-8), 12 bits (SMALL-12), 16 bits (SMALL-16), 24 bits (MEDIUM), 32 bits (LARGE), or 4 bits (UNKNOWN).
Current KSSID In-Use | KSSID currently used to assign SIDs to GMs during registration. If no KSSIDs are configured or assigned to the KS, the field displays none.
Last GMSID Used | Group member SID (GMSID) last assigned to a registered GM as part of a SID. If no GM has registered or been assigned a SID yet, the field displays none.
KSSID(s) Assigned | KSSIDs that have been configured and synchronized to the cooperative KS SID clients.
KSSID(s) Used | KSSIDs that have been used (including the current KSSID) with the current TEK or TEKs.
Old KSSID(s) Used | KSSIDs that were used with the previous set of TEKs after a reinitialization (the lowered or adjusted lifetimes of the previous set of TEKs have not yet expired).
Available KSSID(s) | KSSIDs that are assigned but unused (or old).
Local KS Role | Whether the cooperative KS is the primary KS or a secondary KS.
Local KS Status | Whether the local cooperative KS is alive.
Local Address | IP address of the local cooperative KS.
Next SID Client Operation | Next SID client operation: QUERY, NOTIFY, or UPDATE.
  For the local KS:
  - QUERY: has not received the previous SID information for the local KS from any peer KS
  - NOTIFY: has received the previous SID information for the local KS and is up to date
  - UPDATE: needs to send an update to all peers (because something changed locally)
  For the peer KS:
  - QUERY: has not received any SID information for the peer KS from the peer KS
  - NOTIFY: has received the latest SID information for the peer KS and is up to date
  - UPDATE: the peer needs to merge the (old) used KSSID sets and use the next KSSID
KSSID Overlap | Whether two or more KSs are using the same KSSID. An overlap lets two KSs hand out the same SID to different GMs, which defeats the purpose of SIDs (unique counter-mode IVs per sender under a shared TEK) and must be corrected.
SID Length (Group Size) Cfg | Configured SID length (group size) in bits for the cooperative KS.
SID Length (Group Size) Used | SID length (group size) in bits actually in use on the cooperative KS.
Current KSSID In-Use | KSSID that is in use.
Old KSSID(s) Used | KSSIDs that were used with the previous set of TEKs after a reinitialization (the lowered or adjusted lifetimes of the previous set of TEKs have not yet expired).
Peer Address | IP address of the peer cooperative KS.
COOP-KS Sender ID (SID) Information for Group groupname | SID details for the cooperative KSs of the group. If no redundancy is configured for the group, the following message is displayed instead: *NO* redundancy configured for this group.
Cooperative key server infra Version | Version of the cooperative KS protocol infrastructure in the current GET VPN software version.
Client : KS_POLICY_CLIENT | Version of the cooperative KS policy client in the current GET VPN software version.
Client : GROUP_MEMBER_CLIENT | Version of the cooperative KS group member database client in the current GET VPN software version.
Client : SID_CLIENT | Version of the cooperative KS sender identifier (SID) client in the current GET VPN software version.
# of SIDs Last Requested | Number of SIDs last requested.
CURRENT SIDs | Details of the current SIDs used by the GM. If the GM has not yet received any SIDs, or has no SIDs associated with the old TEK or TEKs, the display shows None.
OLD SIDs | SIDs that remain after a GM receives a rekey or reregisters and receives the new TEK or TEKs; the current SIDs become old SIDs (associated with the old TEKs).
# of SIDs Downloaded | Number of SIDs downloaded by the GM. This number should always equal the size of the range from First SID Downloaded to Last SID Downloaded (inclusive), and that range should be continuous (no skipped values).
First SID Downloaded | First SID downloaded by the GM.
Last SID Downloaded | Last SID downloaded by the GM.
CM Interface | Statistics for the crypto map (CM) interfaces of the group: bandwidth in Kbps, MTU in bytes, and number of SIDs.
NEXT SID REQUEST | Statistics for the next SID request.
TEK Lifetime | TEK lifetime. It might not match the TEK lifetime configured on the KS for two reasons:
  - The GM receives the remaining TEK lifetime in the TEK SA payload. If a GM registers in the middle of a TEK lifetime, it calculates SIDs based only on the remaining TEK lifetime, not the full one. On a rekey, the GM stores the full TEK lifetime, because the KS sends the full TEK lifetime (or as close to it as possible), and uses that lifetime on the next registration (if necessary).
  - With G-IKEv2 or GKM there is no way to know the TEK lifetime before requesting SIDs, so the first registration assumes a default lifetime of 7200 seconds (which is what is displayed) and stores the actual TEK lifetime for use on the next registration.
  Also, the SID length (group size) on the first registration is always 24 bits (MEDIUM) and is updated after the first registration.