GETVPN (Group Encrypted Transport VPN) Config (Commands)

GETVPN is not used on the public internet but on a closed network, e.g. MPLS, where all the existing IP routing keeps working because the outer IP header still carries the original internal source and destination IPs even after ESP encryption (header preservation).
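To make the header-preservation point concrete, here is an added Python example (not code from the original post) that builds a plaintext IPv4 packet and frames it two ways: classic IPsec tunnel mode, whose outer header carries the tunnel endpoints (the constructed addresses 192.0.2.1 and 192.0.2.2), and GETVPN style, whose outer header copies the original source and destination. The ESP body is only framed with an SPI and sequence number and is not actually encrypted; that placeholder is an assumption so the example stays standard-library only.

```python
import socket
import struct

ESP_PROTO = 50          # IP protocol number for ESP


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Return the outer-header fields a transit router actually looks at."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "total_len": f[2],
            "checksum_ok": ipv4_checksum(pkt[:20]) == 0}


def esp_frame(spi: int, seq: int, inner: bytes) -> bytes:
    """ESP header (SPI, sequence number) in front of the protected packet.
    Placeholder: a real ESP body is encrypted and authenticated with the TEK;
    the inner packet is left in clear here because only the outer header
    matters for the routing point being demonstrated."""
    return struct.pack("!II", spi, seq) + inner


def ipsec_tunnel_encap(inner: bytes, tunnel_src: str, tunnel_dst: str,
                       spi: int = 0x1000, seq: int = 1) -> bytes:
    """Classic site-to-site tunnel mode: the outer header carries the tunnel endpoints."""
    body = esp_frame(spi, seq, inner)
    return build_ipv4_header(tunnel_src, tunnel_dst, ESP_PROTO, len(body)) + body


def getvpn_encap(inner: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """GETVPN header preservation: the outer header copies the original src/dst,
    so the MPLS/WAN core routes the ESP packet exactly as it routed the clear packet."""
    orig = parse_ipv4(inner)
    body = esp_frame(spi, seq, inner)
    return build_ipv4_header(orig["src"], orig["dst"], ESP_PROTO, len(body)) + body


# Constructed sample: a UDP packet between two private sites, 8 bytes of dummy payload.
SAMPLE_INNER = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x00" * 8

if __name__ == "__main__":
    tunnel = parse_ipv4(ipsec_tunnel_encap(SAMPLE_INNER, "192.0.2.1", "192.0.2.2"))
    getvpn = parse_ipv4(getvpn_encap(SAMPLE_INNER))
    print("tunnel mode outer header:", tunnel["src"], "->", tunnel["dst"])
    print("GETVPN outer header:     ", getvpn["src"], "->", getvpn["dst"])
```

Running it shows why GETVPN needs no overlay routing: the core sees 10.1.1.10 -> 10.2.2.20 on the GETVPN packet, but only the tunnel endpoints on the tunnel-mode packet. The flip side is that the original addresses are visible in transit, which is why the design is meant for a private WAN rather than the public internet.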

GM (Group Member): Encrypts and Forwards on the Data Plane
KS (Key Server): Control Plane for IPSec (IKEv1 policy, IPsec transform set, IPsec Profile, Crypto ACL, Re-keying policy)
TEK: Traffic Encryption Key (Encryption key between GMs for data traffic encryption)
KEK: Key Encryption Key (Encryption Key between GMs and KS using UDP port 848)
GDOI (Group Domain Of Interpretation): Group Members Common Agreement
COOP: Protocol used between primary and secondary key servers

(Routing must be fully working before you start configuring GET VPN)

KeyServer (R4):
crypto isakmp policy 10
enc aes 128
hash sha256
group 14
authen pre-share
exit

crypto isakmp key Cisco123 address 0.0.0.0

crypto ipsec transform-set Our-Transform-Set esp-aes esp-sha-hmac
crypto ipsec profile Our-IPSec-Profile
set transform-set Our-Transform-Set
set security-association lifetime seconds 3600
exit

KS Key-Pair generation:
crypto key generate rsa general-keys label KS-Keys modulus 2048 exportable

ip access-list extended Our-List
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip any any
exit

crypto gdoi group Our-GETVPN-Group
identity number 6783

server local
address ipv4 4.4.4.4 (this is the loopback ip address)
rekey lifetime seconds 1800 (rekey the GMs)
rekey retransmit 40 number 2
rekey authentication mypubkey rsa KS-Keys
rekey transport unicast
sa ipsec 777 (it can be any number)

profile Our-IPSec-Profile
match address ipv4 Our-List
replay time window-size 5
end

Group Member R1 (similar config except apply it to the correct exit interface):
crypto isakmp policy 10
enc aes 128
hash sha256
group 14
authen pre-share
exit

crypto isakmp key Cisco123 address 0.0.0.0

crypto gdoi group Our-GETVPN-Group
identity number 6783
server address ipv4 4.4.4.4

crypto map GM-Map 10 gdoi
set group Our-GETVPN-Group

interface g0/1
crypto map GM-Map
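Because the security of the whole group rests on the key server's IKE policy and rekey settings, it is worth linting the configuration before pushing it. The following added Python example (not from the original post, and not a Cisco tool) parses a flat IOS configuration like the key-server one above and flags legacy IKE settings (des/3des, md5, DH group below 14) and a GDOI group that lacks a signed, time-bounded, replay-protected rekey. It also notes the wildcard pre-shared key (address 0.0.0.0) used on this page, since that one key is then accepted from any peer address. The finding codes and both sample configurations are constructed for this example; the first sample is the page's key-server config with its typos corrected, the second is a deliberately weakened copy.

```python
SECTION_STARTS = ("crypto isakmp policy", "crypto ipsec profile",
                  "ip access-list extended", "crypto gdoi group", "crypto map")
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14   # the page's policy uses group 14; anything lower is flagged
# Key-server lines a GDOI group must carry (finding code -> required line prefix).
KS_REQUIRED = {
    "GDOI-NO-REKEY-AUTH": "rekey authentication mypubkey rsa",
    "GDOI-NO-REKEY-LIFETIME": "rekey lifetime",
    "GDOI-NO-REPLAY": "replay",
}


def parse_ios(config: str):
    """Split a flat IOS config into top-level lines and {section header: [child lines]}.
    'exit'/'end' close a section; deeper nesting ('server local', 'sa ipsec') is folded
    into the enclosing section, and '(...)' notes like those on this page are dropped."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.split("(")[0].strip()
        if not line or line.startswith("!"):
            continue
        if line in ("exit", "end"):
            current = None
        elif any(line.startswith(s) for s in SECTION_STARTS):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            top.append(line)
    return top, sections


def audit_getvpn(config: str) -> list:
    """Return 'CODE: detail' findings; an empty list means nothing was flagged."""
    findings = []
    top, sections = parse_ios(config)
    for line in top:
        p = line.split()
        if p[:3] == ["crypto", "isakmp", "key"] and p[-2:] == ["address", "0.0.0.0"]:
            findings.append("IKE-WILDCARD-PSK: one pre-shared key is accepted from any "
                            "peer address; scope it to the GM addresses or use rsa-sig")
    for header, body in sections.items():
        if header.startswith("crypto isakmp policy"):
            for line in body:
                p = line.split()
                if p[0].startswith("enc") and p[1] in WEAK_ENC:      # 'enc'/'encryption'
                    findings.append(f"IKE-WEAK-ENC: {header} uses {p[1]}")
                elif p[0] == "hash" and p[1] in WEAK_HASH:
                    findings.append(f"IKE-WEAK-HASH: {header} uses {p[1]}")
                elif p[0].startswith("gro") and int(p[1]) < MIN_DH_GROUP:  # 'group'
                    findings.append(f"IKE-WEAK-DH: {header} uses DH group {p[1]}")
        elif header.startswith("crypto gdoi group") and "server local" in body:
            for code, prefix in KS_REQUIRED.items():
                if not any(l.startswith(prefix) for l in body):
                    findings.append(f"{code}: {header} has no '{prefix}' line")
    return findings


# Constructed sample 1: the key-server config from this page, typos corrected.
GOOD_KS = """\
crypto isakmp policy 10
 encryption aes 128
 hash sha256
 group 14
 authentication pre-share
exit
crypto isakmp key Cisco123 address 0.0.0.0
crypto gdoi group Our-GETVPN-Group
 identity number 6783
 server local
  address ipv4 4.4.4.4 (this is the loopback ip address)
  rekey lifetime seconds 1800
  rekey authentication mypubkey rsa KS-Keys
  sa ipsec 777
   profile Our-IPSec-Profile
   match address ipv4 Our-List
   replay time window-size 5
end
"""
# Constructed sample 2: legacy IKE policy, rekeys neither signed nor replay-protected.
WEAK_KS = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
exit
crypto isakmp key Cisco123 address 0.0.0.0
crypto gdoi group Our-GETVPN-Group
 server local
  address ipv4 4.4.4.4
  rekey lifetime seconds 1800
  sa ipsec 777
   profile Our-IPSec-Profile
end
"""

if __name__ == "__main__":
    for name, cfg in (("page config", GOOD_KS), ("weakened config", WEAK_KS)):
        print(name, audit_getvpn(cfg) or ["no findings"])
```

The page's own configuration produces a single note about the wildcard pre-shared key; the weakened copy produces six findings. A missing rekey authentication line is the one to treat as blocking, because without the key server's RSA signature a group member cannot tell a genuine rekey from a forged one.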

Verification:
ping x.x.x.x
show ip route
show crypto gdoi
show crypto gdoi gm

show crypto gdoi ks

show crypto ipsec sa

show crypto isakmp sa
