GET VPN configuration example


In this post I'll walk through a complete GET VPN (Group Encrypted Transport VPN) configuration on Cisco IOS routers.

Here’s the topology for this demonstration:

[Figure: topology]

All addresses in this topology have a /24 subnet mask. The router "KeyServer" also has a loopback interface (not shown in the image) with the IP address 10.1.1.1/24; this is not required for GET VPN.

All interfaces have been assigned the depicted IP addresses, and OSPF is used as the routing protocol.

Download the running configuration of all routers

First we'll configure the Key Server and then the Group Members. Let's get started.

Key Server Configuration:

Step 1: Create an ISAKMP policy and specify the pre-shared key

KeyServer(config)#crypto isakmp policy 100
KeyServer(config-isakmp)#encryption aes 128
KeyServer(config-isakmp)#authentication pre-share
KeyServer(config-isakmp)#group 5
KeyServer(config-isakmp)#lifetime 3600
KeyServer(config-isakmp)#exit
KeyServer(config)#
KeyServer(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
KeyServer(config)#


Step 2: Create a transform-set and an IPSEC profile

KeyServer(config)#crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
KeyServer(cfg-crypto-trans)#exit
KeyServer(config)#
KeyServer(config)#crypto ipsec profile IPSEC
KeyServer(ipsec-profile)#set transform-set TRANS
KeyServer(ipsec-profile)#exit
KeyServer(config)#


Step 3: Generate RSA keys that will be used for Rekey Authentication

KeyServer(config)#crypto key generate rsa label VPNKEYS mod 1024 exportable


Step 4: Create an access-list specifying the traffic that needs to be protected

KeyServer(config)#ip access-list extended GETVPN-ACL
KeyServer(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KeyServer(config-ext-nacl)#exit
KeyServer(config)#


Step 5: Create a crypto GDOI group

KeyServer(config)#crypto gdoi group GDOI
KeyServer(config-gdoi-group)#identity number 1234
KeyServer(config-gdoi-group)#server local
KeyServer(gdoi-local-server)#rekey algorithm aes 256
KeyServer(gdoi-local-server)#rekey lifetime seconds 3600
KeyServer(gdoi-local-server)#rekey retransmit 10 number 2
KeyServer(gdoi-local-server)#rekey authentication mypubkey rsa VPNKEYS
KeyServer(gdoi-local-server)#rekey transport unicast
KeyServer(gdoi-local-server)#sa ipsec 10
KeyServer(gdoi-sa-ipsec)#profile IPSEC
KeyServer(gdoi-sa-ipsec)#match address ipv4 GETVPN-ACL
KeyServer(gdoi-sa-ipsec)#address ipv4 192.168.1.2
KeyServer(gdoi-local-server)#exit
KeyServer(config-gdoi-group)#exit
KeyServer(config)#


Step 6: Create a crypto map and apply it to the interface

KeyServer(config)#crypto map CRYPTO 10 gdoi
KeyServer(config-crypto-map)#set group GDOI
KeyServer(config-crypto-map)#exit
KeyServer(config)#
KeyServer(config)#int serial 0/0
KeyServer(config-if)#crypto map CRYPTO
KeyServer(config-if)#exit
KeyServer(config)#

Group Member Configuration:

Step 1: Create an ISAKMP policy and specify the pre-shared key

GM1(config)#crypto isakmp policy 100
GM1(config-isakmp)#encryption aes 128
GM1(config-isakmp)#authentication pre-share
GM1(config-isakmp)#group 5
GM1(config-isakmp)#lifetime 3600
GM1(config-isakmp)#exit
GM1(config)#
GM1(config)#crypto isakmp key 0 cisco address 192.168.1.2
GM1(config)#


Step 2: Create a crypto GDOI group

GM1(config)#crypto gdoi group GDOI
GM1(config-gdoi-group)#identity number 1234
GM1(config-gdoi-group)#server address ipv4 192.168.1.2
GM1(config-gdoi-group)#exit
GM1(config)#


Step 3: Create a crypto map and apply it to the interface

GM1(config)#crypto map CRYPTO 10 gdoi
GM1(config-crypto-map)#set group GDOI
GM1(config-crypto-map)#exit
GM1(config)#
GM1(config)#int serial 0/0
GM1(config-if)#crypto map CRYPTO
GM1(config-if)#exit
GM1(config)#


Router GM2 can be configured in a similar manner.
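As an added example (my own Python, not part of the original post and not a Cisco tool), the checker below reads the running-config form of the Key Server and Group Member configurations above and reports the mismatches that typically prevent a group member from registering: a group identity number that differs between the two routers, a group member pointing at a key server address other than the one the key server announces under "server local", a pre-shared key not bound to that address, a crypto map that does not reference the GDOI group or is not applied to an interface, and an "sa ipsec" profile name that does not resolve to a configured IPsec profile. It also flags the wildcard pre-shared key from Key Server Step 1, under which any peer presenting the key "cisco" is accepted. The sample configurations inside the script are constructed from the steps in this post and abridged to the lines the checks need; the function names (check_pair, check_device) are mine, and the parser assumes IOS's one-space-per-sub-mode running-config indentation.

```python
"""Consistency checks for a GET VPN key server (KS) / group member (GM) pair.
Added example, not part of the original post and not a Cisco tool: it reads the
running-config form of the post's commands (sample configs below are constructed
from those steps, abridged) and reports what would stop a GM registering."""
from __future__ import annotations
import re

KEY_SERVER_CONFIG = """\
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
crypto ipsec profile IPSEC
 set transform-set TRANS
crypto gdoi group GDOI
 identity number 1234
 server local
  rekey authentication mypubkey rsa VPNKEYS
  sa ipsec 10
   profile IPSEC
   match address ipv4 GETVPN-ACL
  address ipv4 192.168.1.2
crypto map CRYPTO 10 gdoi
 set group GDOI
interface Serial0/0
 crypto map CRYPTO
"""
GROUP_MEMBER_CONFIG = """\
crypto isakmp key 0 cisco address 192.168.1.2
crypto gdoi group GDOI
 identity number 1234
 server address ipv4 192.168.1.2
crypto map CRYPTO 10 gdoi
 set group GDOI
interface Serial0/0
 crypto map CRYPTO
"""


class Node:
    def __init__(self, text: str) -> None:
        self.text, self.children = text, []  # children: lines of its sub-mode

def parse(config: str) -> Node:
    """Build a tree from IOS indentation (one leading space per sub-mode)."""
    root = Node("")
    stack = [(-1, root)]
    for raw in filter(str.strip, config.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = Node(raw.strip())
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root

def child(node: Node | None, prefix: str) -> Node | None:
    """First direct child equal to `prefix` or starting with `prefix` + space."""
    for c in node.children if node else []:
        if c.text == prefix or c.text.startswith(prefix + " "):
            return c
    return None

def arg(node: Node | None) -> str | None:
    """Last word of a command line (the name, number or address it takes)."""
    return node.text.split()[-1] if node else None

def check_device(name: str, cfg: Node) -> list[str]:
    """Per-device checks: crypto map wiring and pre-shared key scope."""
    out: list[str] = []
    group = arg(child(cfg, "crypto gdoi group"))
    cmap = next((c for c in cfg.children
                 if c.text.startswith("crypto map ") and c.text.endswith(" gdoi")), None)
    cname = cmap.text.split()[2] if cmap else None
    if cmap is None:
        out.append(f"MISSING: {name} has no gdoi crypto map")
    elif arg(child(cmap, "set group")) != group:
        out.append(f"MISMATCH: {name} crypto map {cname} does not set group {group}")
    elif not any(child(i, f"crypto map {cname}")
                 for i in cfg.children if i.text.startswith("interface ")):
        out.append(f"MISSING: {name} crypto map {cname} not applied to an interface")
    for line in cfg.children:  # a 0.0.0.0 0.0.0.0 peer means one key for everyone
        m = re.match(r"crypto isakmp key (?:\d )?\S+ address (\S+)(?: (\S+))?$", line.text)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            out.append(f"WEAK: {name} accepts one pre-shared key from any peer (wildcard)")
    return out

def check_pair(ks_config: str, gm_config: str) -> list[str]:
    """Cross-checks between a KS and one GM, followed by per-device checks."""
    ks, gm = parse(ks_config), parse(gm_config)
    ks_group, gm_group = child(ks, "crypto gdoi group"), child(gm, "crypto gdoi group")
    local = child(ks_group, "server local")
    out: list[str] = []
    ks_id, gm_id = arg(child(ks_group, "identity number")), arg(child(gm_group, "identity number"))
    if ks_id != gm_id:  # the identity number is what ties a GM to the KS's group
        out.append(f"MISMATCH: group identity KS={ks_id} GM={gm_id}")
    ks_addr, gm_srv = arg(child(local, "address ipv4")), arg(child(gm_group, "server address ipv4"))
    if ks_addr != gm_srv:
        out.append(f"MISMATCH: GM registers to {gm_srv} but KS address is {ks_addr}")
    key = child(gm, "crypto isakmp key")  # the GM's PSK must be bound to the KS address
    if not key or not re.search(rf"\baddress (?:{re.escape(gm_srv or '')}|0\.0\.0\.0)\b", key.text):
        out.append(f"MISSING: GM has no ISAKMP pre-shared key for {gm_srv}")
    sa = child(local, "sa ipsec")  # names used inside the SA block must exist
    if child(ks, f"crypto ipsec profile {arg(child(sa, 'profile'))}") is None:
        out.append("MISSING: KS 'sa ipsec' profile is not a defined crypto ipsec profile")
    return out + check_device("KS", ks) + check_device("GM", gm)

if __name__ == "__main__":
    for finding in check_pair(KEY_SERVER_CONFIG, GROUP_MEMBER_CONFIG):
        print(finding)
```

Run with python3: for the pair in this post it prints a single WEAK line for the wildcard key on the Key Server and nothing else, which is the expected result for a matching configuration. To check your own routers, paste the relevant sections of "show running-config" into the two strings; a GM that never shows up in "show crypto gdoi" on the key server usually fails one of the MISMATCH or MISSING checks first.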

Verification:

[Figure: KeyServer verification output 1]

[Figure: KeyServer verification output 2]

[Figure: KeyServer verification output 3]

[Figure: GroupMember verification output 1]
