GETVPN - GKM
This is the GETVPN topology with Dual Key-Servers and two Group-Members
Key Servers
KEY SERVER 1 | Config (GDOI)
hostname KS-1
ip domain name WQNET.LAB
no ip domain look
!
crypto key generate rsa general-keys label WQNET-GDOI-KEYS mod 4096 export
!crypto key export rsa WQNET-GDOI-KEYS pem terminal aes this15THEWAY
!crypto key import rsa WQNET-GDOI-KEYS exportable pem terminal this15THEWAY
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto ipsec transform-set WQNET-GDOI-IPSEC-TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile WQNET-GDOI-IPSEC-PROFILE
set security-association lifetime seconds 120
set transform-set WQNET-GDOI-IPSEC-TS
exit
!
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
exit
!
!
crypto gdoi group WQNET-GODI-KS
identity number 777
server local
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 15 number 3
rekey authentication mypubkey rsa WQNET-GDOI-KEYS
sa ipsec 1
profile WQNET-GDOI-IPSEC-PROFILE
match address ipv4 WQNET-GDOI-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.8
no pfs
redundancy
local priority 10
peer address ipv4 192.0.0.9
no pfs
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.8 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
KEY SERVER 1 | Config (GKM)
!
crypto key generate rsa general-keys label WQNET-GKM-KEYS mod 4096 export
!
crypto ikev2 proposal WQNET-IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha512
group 21
!
crypto ikev2 policy WQNET-IKEV2-POLICY
proposal WQNET-IKEV2-PROPOSAL
!
crypto ikev2 profile WQNET-IKEV2-PROFILE
match identity remote any
authentication remote pre-share key this15THEWAY
authentication local pre-share key this15THEWAY
exit
!
crypto ipsec transform-set WQNET-GKM-IPSEC-TS esp-gcm 256
mode tunnel
crypto ipsec profile WQNET-GKM-IPSEC-PROFILE
set transform-set WQNET-GKM-IPSEC-TS
set security-association lifetime seconds 43200
set security-association lifetime kilobytes disable
exit
!
!
ip access-list extended WQNET-GKM-ACL
10 deny udp any eq 848 any eq 848
15 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
60 permit ip any any
exit
!
!
crypto gkm group WQNET-GKM-G1
identity number 787
server local
no gdoi
gikev2 WQNET-IKEV2-PROFILE
rekey algorithm aes 256
rekey sig-hash algorithm sha512
rekey authentication mypubkey rsa WQNET-GKM-KEYS
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 10 number 2
group size large
identifier
value 10
sa ipsec 1
profile WQNET-GKM-IPSEC-PROFILE
match address ipv4 WQNET-GKM-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.8
redundancy
local priority 10
peer address ipv4 192.0.0.9
no pfs
end
wr
!
KS-1 - Export RSA-KEY (GDOI)
Export the RSA key pair (public and private key) from KS-1.
KS-1#crypto key export rsa WQNET-GDOI-KEYS pem terminal aes this15THEWAY
KS-2 - Import RSA-KEY (GDOI)
Import the RSA key pair on KS-2.
KS-2#crypto key import rsa WQNET-GDOI-KEYS exportable pem terminal this15THEWAY
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
quit
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
quit
KS-1 - Export RSA-KEY (GKM)
KS-1#crypto key export rsa WQNET-GKM-KEYS pem terminal aes this15THEWAY
KS-2 - Import RSA-KEY (GKM)
KS-2#crypto key import rsa WQNET-GKM-KEYS exportable pem terminal this15THEWAY
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
quit
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
quit
KEY SERVER 2 | Config (GDOI)
hostname KS-2
ip domain name WQNET.LAB
no ip domain look
!
crypto isakmp policy 10
encryption aes 256
hash sha512
authentication pre-share
group 21
crypto isakmp key this15THEWAY address 0.0.0.0
!
crypto ipsec transform-set WQNET-GDOI-IPSEC-TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile WQNET-GDOI-IPSEC-PROFILE
set security-association lifetime seconds 120
set transform-set WQNET-GDOI-IPSEC-TS
!
ip access-list extended WQNET-GDOI-ACL
20 permit ip 14.14.0.0 0.0.255.255 14.14.0.0 0.0.255.255
exit
!
crypto gdoi group WQNET-GODI-KS
identity number 777
server local
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 15 number 3
rekey authentication mypubkey rsa WQNET-GDOI-KEYS
sa ipsec 1
profile WQNET-GDOI-IPSEC-PROFILE
match address ipv4 WQNET-GDOI-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.9
no pfs
redundancy
local priority 5
peer address ipv4 192.0.0.8
no pfs
!
!
interface Ethernet0/0
no shutdown
ip address 192.0.0.9 255.255.255.0
ip ospf 1 area 0
!
exit
exit
wr
!
KEY SERVER 2 | Config (GKM)
!
crypto ikev2 proposal WQNET-IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha512
group 21
!
crypto ikev2 policy WQNET-IKEV2-POLICY
proposal WQNET-IKEV2-PROPOSAL
!
crypto ikev2 profile WQNET-IKEV2-PROFILE
match identity remote any
authentication remote pre-share key this15THEWAY
authentication local pre-share key this15THEWAY
dpd 10 2 periodic
exit
!
!
crypto ipsec transform-set WQNET-GKM-IPSEC-TS esp-gcm 256
mode tunnel
crypto ipsec profile WQNET-GKM-IPSEC-PROFILE
set transform-set WQNET-GKM-IPSEC-TS
set security-association lifetime seconds 43200
set security-association lifetime kilobytes disable
exit
!
!
ip access-list extended WQNET-GKM-ACL
10 deny udp any eq 848 any eq 848
15 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
60 permit ip any any
exit
!
!
crypto gkm group WQNET-GKM-G1
identity number 787
server local
no gdoi
gikev2 WQNET-IKEV2-PROFILE
rekey algorithm aes 256
rekey sig-hash algorithm sha512
rekey authentication mypubkey rsa WQNET-GKM-KEYS
rekey transport unicast
rekey lifetime seconds 86400
rekey retransmit 10 number 2
group size large
identifier
value 5
sa ipsec 1
profile WQNET-GKM-IPSEC-PROFILE
match address ipv4 WQNET-GKM-ACL
replay counter window-size 64
no tag
address ipv4 192.0.0.9
redundancy
local priority 5
peer address ipv4 192.0.0.8
no pfs
end
wr
!
KS-1 and KS-2 | ACL
This is the ACL that the Key Server pushes out to the Group Members so they know which traffic to protect. Only the primary Key Server pushes out policy and performs rekeying.
!
ip access-list extended WQNET-GKM-ACL
10 deny udp any eq 848 any eq 848
15 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
60 permit ip any any
!
Verify KS-1 and KS-2 | show crypto gdoi ks coop
Take an extra look at:
- Peer KS Role: Secondary Peer KS Status: Alive
- IKE status: Established
- Crypto Gdoi Group Name :WQNET-GODI-KS
- Crypto Gdoi Group Name :WQNET-GKM-G1
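The checklist above can be scripted. This added Python example (not from the lab notes) parses text in the format of show crypto gkm ks coop and flags a group that does not have exactly one Primary, a Key Server that is not Alive, or a COOP IKE session that is not Established; the sample output, the regexes and the function names are my own, constructed to mirror the output shown below.

```python
import re

# One regex per field the checklist cares about; the output is one section per group.
GROUP_RE = re.compile(r"Crypto Gdoi Group Name\s*:\s*(\S+)")
LOCAL_RE = re.compile(r"Local KS Role:\s*(\w+)\s*,\s*Local KS Status:\s*(\w+)")
PEER_RE = re.compile(r"Peer KS Role:\s*(\w+)\s*,\s*Peer KS Status:\s*(\w+)")
IKE_RE = re.compile(r"IKE status:\s*(\w+)")

def parse_coop(text):
    """{group: {"local": (role, status), "peers": [{"role", "status", "ike"}, ...]}}"""
    groups, cur = {}, None
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            cur = groups.setdefault(m.group(1), {"local": None, "peers": []})
        elif cur is None:
            continue
        elif m := LOCAL_RE.search(line):
            cur["local"] = (m.group(1), m.group(2))
        elif m := PEER_RE.search(line):
            cur["peers"].append({"role": m.group(1), "status": m.group(2), "ike": None})
        elif (m := IKE_RE.search(line)) and cur["peers"]:
            cur["peers"][-1]["ike"] = m.group(1)  # IKE status follows its peer's role line
    return groups

def coop_problems(groups):
    """Checklist: exactly one Primary per group, every KS Alive, every COOP IKE session Established."""
    problems = []
    for name, g in groups.items():
        local_role, local_status = g["local"] or ("?", "?")
        roles = [local_role] + [p["role"] for p in g["peers"]]
        if roles.count("Primary") != 1:  # 0 = nobody pushes policy, 2 = split brain
            problems.append(f"{name}: expected exactly one Primary, got roles={roles}")
        if local_status != "Alive":
            problems.append(f"{name}: local KS status {local_status}")
        for p in g["peers"]:
            if p["status"] != "Alive" or p["ike"] != "Established":
                problems.append(f"{name}: peer {p['role']} status={p['status']} ike={p['ike']}")
    return problems

# Constructed sample in the page's output format: healthy KS-1 view of one group.
HEALTHY = """\
Crypto Gdoi Group Name :WQNET-GKM-G1
Local Address: 192.0.0.8
Local Priority: 10
Local KS Role: Primary , Local KS Status: Alive
Peer Sessions:
Session 1:
Peer Address: 192.0.0.9
Peer Priority: 5
Peer KS Role: Secondary , Peer KS Status: Alive
IKE status: Established
"""
# Constructed failure case: the COOP peer is marked Dead and both sides claim Primary.
SPLIT_BRAIN = HEALTHY.replace("Secondary , Peer KS Status: Alive", "Primary , Peer KS Status: Dead")

if __name__ == "__main__":
    print("healthy:", coop_problems(parse_coop(HEALTHY)) or "OK")
    print("split-brain:", coop_problems(parse_coop(SPLIT_BRAIN)))
```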
KS-1#show crypto gkm ks coop
Crypto Gdoi Group Name :WQNET-GODI-KS
Group handle: 1073741826, Local Key Server handle: 1073741826
Local Address: 192.0.0.8
Local Priority: 10
Local KS Role: Primary , Local KS Status: Alive
Local KS version: 1.0.27
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 2
Per-user timer remaining time: 0
Antireplay Sequence Number: 25924
Peer Sessions:
Session 1:
Server handle: 1073741827
Peer Address: 192.0.0.9
Peer Version: 1.0.27
Peer Priority: 5
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 0
IKE status: Established
Counters:
Ann msgs sent: 5847
Ann msgs sent with reply request: 1
Ann msgs recv: 4
Ann msgs recv with reply request: 1
Packet sent drops: 20075
Packet Recv drops: 0
Total bytes sent: 8078654
Total bytes recv: 7319
Crypto Gdoi Group Name :WQNET-GKM-G1
Group handle: 1073741827, Local Key Server handle: 1073741828
Local Address: 192.0.0.8
Local Priority: 10
Local KS Role: Primary , Local KS Status: Alive
Local KS version: 1.0.27
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 10
Per-user timer remaining time: 0
Antireplay Sequence Number: 59
Peer Sessions:
Session 1:
Server handle: 1073741829
Peer Address: 192.0.0.9
Peer Version: 1.0.27
Peer Priority: 5
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 1
IKE status: Established
Counters:
Ann msgs sent: 57
Ann msgs sent with reply request: 2
Ann msgs recv: 1
Ann msgs recv with reply request: 1
Packet sent drops: 0
Packet Recv drops: 0
Total bytes sent: 84644
Total bytes recv: 1700
KS-2#show crypto gkm ks coop
Crypto Gdoi Group Name :WQNET-GODI-KS
Group handle: 1073741826, Local Key Server handle: 1073741826
Local Address: 192.0.0.9
Local Priority: 5
Local KS Role: Secondary , Local KS Status: Alive
Local KS version: 1.0.27
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 21, Retries: 0
Invalid ANN PST recvd: 0
New GM Temporary Blocking Enforced?: No
Per-user timer remaining time: 0
Antireplay Sequence Number: 31039
Peer Sessions:
Session 1:
Server handle: 1073741827
Peer Address: 192.0.0.8
Peer Version: 1.0.27
Peer Priority: 10
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 25926
IKE status: Established
Counters:
Ann msgs sent: 4
Ann msgs sent with reply request: 5481
Ann msgs recv: 368
Ann msgs recv with reply request: 1
Packet sent drops: 20075
Packet Recv drops: 0
Total bytes sent: 7940026
Total bytes recv: 511835
Crypto Gdoi Group Name :WQNET-GKM-G1
Group handle: 1073741827, Local Key Server handle: 1073741828
Local Address: 192.0.0.9
Local Priority: 5
Local KS Role: Secondary , Local KS Status: Alive
Local KS version: 1.0.27
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 18, Retries: 0
Invalid ANN PST recvd: 0
New GM Temporary Blocking Enforced?: No
Per-user timer remaining time: 0
Antireplay Sequence Number: 2
Peer Sessions:
Session 1:
Server handle: 1073741829
Peer Address: 192.0.0.8
Peer Version: 1.0.27
Peer Priority: 10
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 60
IKE status: Established
Counters:
Ann msgs sent: 1
Ann msgs sent with reply request: 1
Ann msgs recv: 59
Ann msgs recv with reply request: 0
Packet sent drops: 0
Packet Recv drops: 0
Total bytes sent: 1700
Total bytes recv: 87148
Verify KS-1 and KS-2 | show crypto gkm detail
Take an extra look at:
- Group Type : GDOI (ISAKMP)
- KS-1
- Local Priority : 10
- Local Priority : 10
- KS-2
- Local Priority : 5
- Local Priority : 5
KS-1#show crypto gkm
GROUP INFORMATION
Group Name : WQNET-GODI-KS (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 0
IPSec SA Direction : Both
IP D3P Window : Disabled
PFS : Disabled
Split Resiliency Factor : 0
CKM status : Disabled
Redundancy : Configured
Local Address : 192.0.0.8
Local Priority : 10
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.27
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86287 secs
Time to Rekey : 43087 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 15 secs
Rekey Retransmit Attempts: 3
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 120 secs
Profile Name : WQNET-GDOI-IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 98 secs
Time to Rekey : 7 secs
ACL Configured : access-list WQNET-GDOI-ACL
Group Server list : Local
GROUP INFORMATION
Group Name : WQNET-GKM-G1 (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 787
Group Type : GDOI (ISAKMP), G-IKEv2 (IKEv2)
IKEv2 Profile : WQNET-IKEV2-PROFILE
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 2
GDOI Group Members : 0
G-IKEv2 Group Members : 2
IPSec SA Direction : Both
IP D3P Window : Disabled
PFS : Disabled
Split Resiliency Factor : 0
CKM status : Disabled
Redundancy : Configured
Local Address : 192.0.0.8
Local Priority : 10
Local KS Status : Alive
Local KS Role : Primary
Local KS Version : 1.0.27
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85677 secs
Time to Rekey : 42477 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 43200 secs
Profile Name : WQNET-GKM-IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 42478 secs
Time to Rekey : 38132 secs
ACL Configured : access-list WQNET-GKM-ACL
Group Server list : Local
KS-2#show crypto gdoi detail
GROUP INFORMATION
Group Name : WQNET-GODI-KS (Unicast)
Re-auth on new CRL : Disabled
Group Identity : 777
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Group Members : 0
IPSec SA Direction : Both
IP D3P Window : Disabled
PFS : Disabled
Split Resiliency Factor : 0
CKM status : Disabled
Redundancy : Configured
Local Address : 192.0.0.9
Local Priority : 5
Local KS Status : Alive
Local KS Role : Secondary
Local KS Version : 1.0.27
Local COOP Version : 1.0.8
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85787 secs
Time to Rekey : 42587 secs
Acknowledgement Cfg : Cisco
Rekey Retransmit Period : 15 secs
Rekey Retransmit Attempts: 3
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 120 secs
Profile Name : WQNET-GDOI-IPSEC-PROFILE
Replay method : Count Based
Replay Window Size : 64
Tagging method : Disabled
SA Rekey
Remaining Lifetime : 109 secs
Time to Rekey : 18 secs
ACL Configured : access-list WQNET-GDOI-ACL
Group Server list : Local
Group Members
The Group Members have a completely new GKM config instead of a GDOI config. All Group Members share this config, except for the hostname and the IP addresses/subnets.
Group Member 1 | Config
!
host GM-1
ip domain name WQNET.LAB
no ip domain look
!
!
crypto ikev2 proposal WQNET-IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha512
group 21
crypto ikev2 policy WQNET-IKEV2-POLICY
proposal WQNET-IKEV2-PROPOSAL
crypto ikev2 profile WQNET-IKEV2-PROFILE
match identity remote any
authentication remote pre-share key this15THEWAY
authentication local pre-share key this15THEWAY
lifetime 600
crypto ipsec transform-set WQNET-IKEV2-PROPOSAL esp-gcm 256
mode tunnel
crypto gkm group WQNET-GKM-GROUP-01
identity number 787
server address ipv4 192.0.0.8
server address ipv4 192.0.0.9
client recovery-check interval 100
client rekey encryption aes 256
client rekey hash sha512
client protocol gikev2 WQNET-IKEV2-PROFILE
crypto map WQNET-CMAP-GKM-01 10 gdoi
set group WQNET-GKM-GROUP-01
!
interface loopback14
ip address 14.14.1.1 255.255.255.0
ip ospf 1 area 0
!
interface loopback15
ip address 15.15.1.1 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.0.0.10 255.255.255.0
ip ospf 1 area 0
no shutdown
crypto map WQNET-CMAP-GKM-01
!Group Member 2 | Config
!
host GM-2
ip domain name WQNET.LAB
no ip domain look
!
!
crypto ikev2 proposal WQNET-IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha512
group 21
crypto ikev2 policy WQNET-IKEV2-POLICY
proposal WQNET-IKEV2-PROPOSAL
crypto ikev2 profile WQNET-IKEV2-PROFILE
match identity remote any
authentication remote pre-share key this15THEWAY
authentication local pre-share key this15THEWAY
lifetime 600
crypto ipsec transform-set WQNET-IKEV2-PROPOSAL esp-gcm 256
mode tunnel
crypto gkm group WQNET-GKM-GROUP-01
identity number 787
server address ipv4 192.0.0.8
server address ipv4 192.0.0.9
client recovery-check interval 100
client rekey encryption aes 256
client rekey hash sha512
client protocol gikev2 WQNET-IKEV2-PROFILE
crypto map WQNET-CMAP-GKM-01 10 gdoi
set group WQNET-GKM-GROUP-01
!
interface loopback14
ip address 14.14.2.1 255.255.255.0
ip ospf 1 area 0
!
interface loopback15
ip address 15.15.2.1 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.0.0.11 255.255.255.0
ip ospf 1 area 0
no shutdown
crypto map WQNET-CMAP-GKM-01
!
exit
exit
wr
Group Member 1 & 2 | gdoi fail-close
Take an extra look at:
!
ip access-list extended WQNET-GETVPN-FAIL-CLOSE
10 deny ospf any any
20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
!
crypto map WQNET-CMAP-GKM-01 gdoi fail-close
match address WQNET-GETVPN-FAIL-CLOSE
activate
!
If a Group Member has no connection to a Key Server, only the traffic in this ACL is allowed. The command gdoi fail-close is still used for this GKM setup; it would have been clearer if it were gkm fail-close.
- Deny in this ACL = traffic passes without protection.
Use the fail-close feature with caution; it may lock you out!
Group Member 1 & 2 | show crypto gkm
Take an extra look at:
- Group Type : G-IKEv2 (IKEv2)
- ACL Received From KS :
- gdoi_group_WQNET-GKM-GROUP-01_temp_acl
- gdoi_group_WQNET-GKM-GROUP-01_temp_acl
- ACL Downloaded From KS 192.0.0.8:
- access-list deny udp any port = 848 any port = 848
- access-list deny ospf any any
- access-list deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
- access-list permit ip any any
- access-list deny udp any port = 848 any port = 848
GM-1#show crypto gkm
GROUP INFORMATION
Group Name : WQNET-GKM-GROUP-01
Group Identity : 787
Group Type : G-IKEv2 (IKEv2)
IKEv2 Profile : WQNET-IKEV2-PROFILE
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 192.0.0.8
192.0.0.9
Group Member Information For Group WQNET-GKM-GROUP-01:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_WQNET-GKM-GROUP-01_temp_acl
Group member : 192.0.0.10 vrf: None
Local addr/port : 192.0.0.10/848
Remote addr/port : 192.0.0.8/848
fvrf/ivrf : None/None
Version : 1.0.26
Registration status : Registered
Registered with : 192.0.0.8
Re-registers in : 40724 sec
Succeeded registration: 1
Attempted registration: 7
Last rekey from : UNKNOWN
Last rekey seq num : 0
Unicast rekey received: 0
Rekey ACKs sent : 0
Rekey Received : never
PFS Rekey received : 0
DP Error Monitoring : ON
Interval (sec) : 100
Registration Count : 0
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 1
SA Track (OID/status) : disabled
Fail-Close Revert : Disabled
allowable rekey cipher: aes 256
allowable rekey hash : sha512
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Acks sents : 0
ACL Downloaded From KS 192.0.0.8:
access-list deny udp any port = 848 any port = 848
access-list deny ospf any any
access-list deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255
access-list permit ip any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86309
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA512
Sig Key Length (bits) : 4400
TEK POLICY for the current KS-Policy ACEs Downloaded:
Ethernet0/0:
IPsec SA:
spi: 0x7B9B5704(2073777924)
transform: esp-gcm 256
sa timing:remaining key lifetime (sec): (43111)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 0 (bytes)
encaps: ENCAPS_TUNNEL
KGS POLICY:
REG_GM: local_addr 192.0.0.10
P2P POLICY:
REG_GM: local_addr 192.0.0.10
TEST and TSHOOT-commands
TEST | Ping-test
Data from 14.14.1.0/24 to 14.14.2.0/24 is protected in an ESP datagram with the original IP header preserved.
Data from 15.15.1.0/24 to 15.15.2.0/24 is not protected by ESP and is sent in plain text with the original IP header.
GM-1#ping 14.14.2.1 source loopback 14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.2.1, timeout is 2 seconds:
Packet sent with a source address of 14.14.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
"
GM-1#ping 15.15.2.1 source loopback 15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.2.1, timeout is 2 seconds:
Packet sent with a source address of 15.15.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
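The two ping results above follow from the policy ACL semantics the notes describe (permit = encrypt, deny = forward in clear) and, when no Key Server is reachable, from the fail-close ACL. This added Python example (not from the lab notes) evaluates the page's WQNET-GKM-ACL and WQNET-GETVPN-FAIL-CLOSE entries against constructed flows; the flow tuple layout and the function names are my own.

```python
import ipaddress
# "permit" in the KS-pushed ACL = encrypt with the group TEK; "deny" or no match =
# forward in clear. Without a reachable KS and with fail-close active, only a "deny"
# in the fail-close ACL lets a flow through (in clear); everything else is dropped.
# The GM's own control-plane packets (registration to the KS) are outside this model.

def _addr(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD' and return (network, remaining tokens).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network((tok[0], tok[1])), tok[2:]  # IOS wildcard == hostmask

def _port(tok):
    # Consume an optional 'eq N' qualifier.
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_ace(line):
    """'20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255' -> dict of fields."""
    tok = line.split()
    if tok[0].isdigit():  # strip the sequence number
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _addr(rest); sport, rest = _port(rest)
    dst, rest = _addr(rest); dport, rest = _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def first_match(acl, flow):
    """Action of the first ACE matching flow=(proto, src, sport, dst, dport); None = no match."""
    proto, src, sport, dst, dport = flow
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return None

def gm_decision(policy_acl, fail_close_acl, flow, registered):
    """What the GM does with a transit flow: 'encrypt', 'clear' or 'drop'."""
    if registered:
        return "encrypt" if first_match(policy_acl, flow) == "permit" else "clear"
    return "clear" if first_match(fail_close_acl, flow) == "deny" else "drop"

# ACEs copied from the notes: the KS policy (WQNET-GKM-ACL) and the GM fail-close ACL.
KS_POLICY = ["10 deny udp any eq 848 any eq 848", "15 deny ospf any any",
             "20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255",
             "60 permit ip any any"]
FAIL_CLOSE = ["10 deny ospf any any",
              "20 deny icmp 15.15.0.0 0.0.255.255 15.15.0.0 0.0.255.255"]

if __name__ == "__main__":
    # The two ping tests from the notes, with and without a reachable Key Server.
    for flow in [("icmp", "14.14.1.1", None, "14.14.2.1", None),
                 ("icmp", "15.15.1.1", None, "15.15.2.1", None)]:
        for registered in (True, False):
            print(flow[1], "->", flow[3], "registered:" if registered else "no KS:",
                  gm_decision(KS_POLICY, FAIL_CLOSE, flow, registered))
```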
TSHOOT | Commands
KS
show crypto gkm ks coop | beg Session
show crypto gkm
show crypto gkm detail
show crypto gkm ks coop identifier
show crypto gkm ks members
show crypto gkm ks members summary
show crypto gkm ks rekey
show crypto gkm ks policy
GM
show crypto gkm
show crypto gkm detail
show crypto gkm rekey sa