GETVPN

When looking into the various VPN solutions Cisco offers you may ask yourself why some of them are even necessary, especially for transport over shared services such as MPLS, VPLS or Carrier Ethernet. Most VPN solutions exist for one reason: encryption, whether over those shared links or over the internet.

In this section we will cover GETVPN and its variants: the differences between IKEv1 (ISAKMP) and IKEv2 (G-IKEv2), and between pre-shared-key and certificate based authentication. GETVPN will work through 1-to-1 NAT.

One thing to be aware of when running VPNs over the internet and through client-side NAT: DMVPN does not work when multiple clients share one external NAT address, FlexVPN does work behind shared external NAT addresses, and GETVPN does not work with overloaded NAT (PAT) at all. The reason is IP header preservation: a GETVPN group member copies the original IP header into the outer header of the ESP packet, so the encrypted packet carries the same source and destination addresses as the plaintext it protects. If a NAT device rewrites that outer header, the return traffic is still addressed to the untranslated inner address, which the network beyond the NAT cannot route, and GETVPN has no NAT-T style encapsulation to compensate.

GETVPN is an IKE- and IPsec-based group key management mechanism that lets many Group Members (GMs) communicate any-to-any with one shared set of authenticated and encrypted security associations; it is often called tunnel-less because the original IP header is preserved and no point-to-point tunnels are built. GMs establish IKE sessions with the Key Servers (KSs) only to register and receive policy and keys; they never build IPsec tunnels to the KSs, which is why the crypto ACL excludes the GDOI registration traffic, UDP/848, from the group policy. That traffic is not left unprotected: registration runs inside the GM-to-KS IKE SA, and rekeys are encrypted with the KEK and signed with the KS's RSA key; it is simply not wrapped a second time in the group IPsec SA.

There are several building blocks to remember with GETVPN: Key Servers (KSs), Group Members (GMs), and dynamic IPsec connectivity between network devices using crypto maps to produce full-mesh style, any-to-any connectivity. Other solutions such as DMVPN use a hub-and-spoke model to build dynamic tunnels between hub and spoke (Phase 1) and potentially between spokes (Phase 2/3).

Normally crypto maps require a point-to-point style configuration: you must define a tunnel between every pair of endpoints that needs to communicate, which forces the administrator to configure either hub-and-spoke tunnels or a full mesh with a lot of configuration. GETVPN instead uses a centralized Key Server to distribute one common policy and one set of keys to every member of its group, so any member can talk to any other without per-peer configuration.

GETVPN provides the keys and the rekeying mechanism for the Group Members, giving them dynamic IPsec communication. Rekeying can be configured to use either unicast or multicast transport; smaller deployments work well with unicast, as there is not a lot of rekey traffic, while multicast is the better choice when there are many GMs in the GDOI group, since the KS then sends one rekey message instead of one per GM.

GETVPN is based on GDOI, the Group Domain of Interpretation protocol (RFC 6407), which handles group key and group Security Association management. GDOI uses IKEv1 (ISAKMP) Phase 1 to authenticate the Group Members to the Key Servers. Both RSA signature certificates and pre-shared keys can be used for GETVPN.

According to Cisco.com, these are the GETVPN features that make its deployment easier, more scalable and more resilient:

  • Cooperative Key Server
  • Receive-only SA
  • Passive SA Mode
  • Fail Close mode
  • Local Exception ACL
  • Time-based Anti Replay
  • VRF-lite support on Group Member


As for routing and keys, the Key Server pushes a downloadable ACL, or dACL, that tells the Group Members which traffic must be encrypted. For GETVPN we must first exclude the traffic that must not be encrypted by the group SA: source and destination UDP/848, which carries the GDOI registration and key exchange. After that we specify which traffic and protocols are protected, since crypto maps encrypt what is called "interesting traffic."

In this case I am allowing the EIGRP protocol and all IP traffic. You must decide how each kind of traffic flows: unencrypted over the underlay (a deny entry) or encrypted through the group overlay (a permit entry). If your routing protocol has to run between GMs and devices that are not part of the group, deny it in the ACL so it crosses the underlay, and accept that those routes then travel in clear text. You could also build conventional point-to-point IPsec tunnels between each GM and the KSs to carry the underlay traffic (UDP/848 registration, EIGRP, etc.) encrypted, at the cost of the per-peer configuration GETVPN is meant to avoid.
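To make those ACL semantics concrete, here is a small Python model of how a GM applies the pushed policy on both the sending and the receiving side. It is an added example, not code from the page or from Cisco: the packet fields, the two sample policies (the page's getvpn-acl and a variant that keeps EIGRP on the underlay) and the sample packets are constructed for illustration, and the inbound behaviour it models is the standard IPsec rule that plaintext matching a protect policy, or a decrypted packet that matches no protect entry, is discarded.

```python
"""GETVPN crypto-ACL semantics, modelled in Python.

Added example (not code from the page or from Cisco). The KS pushes one
policy ACL to every GM.  Outbound, the first matching entry decides:
`permit` = encrypt with the group TEK, `deny` (and the implicit deny at the
end) = forward in the clear.  Inbound, the same ACL is enforced as an IPsec
policy check: plaintext that matches a `permit` entry is discarded, and a
decrypted packet must match a `permit` entry or it is discarded too.
GDOI (UDP/848) is denied because registration already runs inside the
GM<->KS IKE SA and must not be wrapped in the group SA.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "eigrp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    encrypted: bool = False   # True when it arrived as ESP under the group SA


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" (protect) or "deny" (send in the clear)
    proto: str                # "ip" matches every IP protocol
    src: IPv4Network
    dst: IPv4Network
    sport: int | None = None  # only checked when the entry carries "eq PORT"
    dport: int | None = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


def _address(tokens: list[str]) -> tuple[IPv4Network, int | None]:
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD') and an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ip_network(tokens.pop(0) + "/32")
    else:
        wildcard = tokens.pop(0)
        # an IOS wildcard mask is what the ipaddress module calls a hostmask
        net = ip_network(f"{tok}/32" if wildcard == "0.0.0.0" else f"{tok}/{wildcard}")
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port


def parse_acl(text: str) -> list[Ace]:
    """Parse the body of an 'ip access-list extended' block (one ACE per line)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _address(rest)
        dst, dport = _address(rest)
        aces.append(Ace(action, proto, src, dst, sport, dport))
    return aces


def first_match(acl: list[Ace], pkt: Packet) -> Ace | None:
    return next((ace for ace in acl if ace.matches(pkt)), None)


def egress(acl: list[Ace], pkt: Packet) -> str:
    """What the sending GM does: 'encrypt' under the group SA or forward in the 'clear'."""
    ace = first_match(acl, pkt)
    return "encrypt" if ace is not None and ace.action == "permit" else "clear"


def ingress(acl: list[Ace], pkt: Packet) -> str:
    """Receiving GM's policy check: 'accept' or 'drop'."""
    protected = egress(acl, pkt) == "encrypt"      # does policy say this flow must be protected?
    if pkt.encrypted:
        return "accept" if protected else "drop"    # decrypted packet must match the SA's selector
    return "drop" if protected else "accept"        # never accept plaintext for protected traffic


# Constructed sample policies: the page's ACL, and one that keeps EIGRP on the underlay.
GETVPN_ACL = """
deny udp any eq 848 any eq 848
permit eigrp any any
permit ip any any
"""
UNDERLAY_ROUTING_ACL = """
deny udp any eq 848 any eq 848
deny eigrp any any
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""

# Constructed sample packets (addresses follow the page's lab topology).
GDOI_REGISTRATION = Packet("udp", "172.16.0.3", "10.0.0.1", 848, 848)
EIGRP_HELLO = Packet("eigrp", "172.16.0.3", "224.0.0.10")
SSH_SESSION = Packet("tcp", "10.0.0.3", "10.0.0.4", 51000, 22)


if __name__ == "__main__":
    for name, text in (("getvpn-acl", GETVPN_ACL), ("underlay-routing", UNDERLAY_ROUTING_ACL)):
        acl = parse_acl(text)
        for pkt in (GDOI_REGISTRATION, EIGRP_HELLO, SSH_SESSION):
            print(f"{name:17} {pkt.proto:6} egress={egress(acl, pkt):8} "
                  f"plaintext-ingress={ingress(acl, pkt)}")
```

Running it prints the verdict for each sample packet under each policy. The `ingress` result for the plaintext SSH packet is the check to remember when troubleshooting: a GM that has not registered yet, or a device that is not in the group, will see its cleartext packets dropped by a registered GM rather than accepted, which is what prevents a plaintext downgrade inside the group.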

For more depth, see Cisco's IOS GETVPN Solution Deployment Guide.

A basic GETVPN (GDOI over IKEv1) deployment with two cooperative Key Servers and four Group Members looks like this:

Key Server configuration

host KS-1

crypto key generate rsa modulus 4096 label GETVPN-KEYS exportable

(config)#crypto key export rsa GETVPN-KEYS pem terminal 3des PaSSword!
#Generate the RSA key pair on the primary GDOI/GKM Key Server and export it; it must then be imported on every cooperative KS (see KS-2 below). The KSs sign rekey messages with this key and the GMs verify them with it, so every KS needs the same pair. You can export to the terminal and copy the PEM output, or export to a file. The passphrase only wraps the exported private key, so treat the exported output as a secret and use a strong passphrase.

ip access-list extended getvpn-acl
  deny udp any eq 848 any eq 848
  permit eigrp any any
  permit ip any any

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile profile1
  set security-association lifetime seconds 7200
  set transform-set aes128
crypto gdoi group GDOI-GROUP1
 identity number 12345
  server local
   rekey algorithm aes 256
   rekey sig-hash algorithm sha512
   rekey lifetime seconds 14400
   rekey authentication mypubkey rsa GETVPN-KEYS
   rekey transport unicast
   group size large
   sa ipsec 1
    profile profile1
    match address ipv4 getvpn-acl
    replay counter window-size 64
    no tag
   address ipv4 10.0.0.1
   redundancy
    local priority 100
    peer address ipv4 10.0.0.2

crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1

interface lo0
 ip address 10.0.0.1 255.255.255.255
interface e0/0
 ip address 172.16.0.1 255.255.255.0
 crypto map gdoimap

ip route 10.0.0.3 255.255.255.255 172.16.0.3
ip route 10.0.0.4 255.255.255.255 172.16.0.4
ip route 10.0.0.5 255.255.255.255 172.16.0.5
ip route 10.0.0.6 255.255.255.255 172.16.0.6


host KS-2

(config)#crypto key import rsa GETVPN-KEYS exportable pem terminal PaSSword!
#Import the key pair that was exported from KS-1 (paste the PEM output at the prompt) so that KS-2 signs rekeys with the same RSA key the GMs already trust.

ip access-list extended getvpn-acl
  deny udp any eq 848 any eq 848
  permit eigrp any any
  permit ip any any

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile profile1
  set security-association lifetime seconds 7200
  set transform-set aes128
crypto gdoi group GDOI-GROUP1
 identity number 12345
  server local
   rekey algorithm aes 256
   rekey sig-hash algorithm sha512
   rekey lifetime seconds 14400
   rekey authentication mypubkey rsa GETVPN-KEYS
   rekey transport unicast
   group size large
   sa ipsec 1
    profile profile1
    match address ipv4 getvpn-acl
    replay counter window-size 64
    no tag
   address ipv4 10.0.0.2
   redundancy
    local priority 99
    peer address ipv4 10.0.0.1

crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1

interface lo0
 ip address 10.0.0.2 255.255.255.255
interface e0/0
 ip address 172.16.0.2 255.255.255.0
 crypto map gdoimap

ip route 10.0.0.3 255.255.255.255 172.16.0.3
ip route 10.0.0.4 255.255.255.255 172.16.0.4
ip route 10.0.0.5 255.255.255.255 172.16.0.5
ip route 10.0.0.6 255.255.255.255 172.16.0.6



Group Member Configurations, routers 3 - 6

router 3

host R3

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto gdoi group GDOI-GROUP1
  identity number 12345
  server address ipv4 10.0.0.1
  server address ipv4 10.0.0.2
crypto map gdoimap 1 gdoi
  set group GDOI-GROUP1

interface Loopback0
  ip address 10.0.0.3 255.255.255.255
interface Ethernet0/0
  ip address 172.16.0.3 255.255.255.0
  crypto map gdoimap

ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.2 255.255.255.255 172.16.0.2

router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255

router 4

host R4

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto gdoi group GDOI-GROUP1
  identity number 12345
  server address ipv4 10.0.0.1
  server address ipv4 10.0.0.2
crypto map gdoimap 1 gdoi
  set group GDOI-GROUP1

interface Loopback0
  ip address 10.0.0.4 255.255.255.255
interface Ethernet0/0
  ip address 172.16.0.4 255.255.255.0
  crypto map gdoimap

ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.2 255.255.255.255 172.16.0.2

router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255

router 5

host R5

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto gdoi group GDOI-GROUP1
  identity number 12345
  server address ipv4 10.0.0.1
  server address ipv4 10.0.0.2
crypto map gdoimap 1 gdoi
  set group GDOI-GROUP1

interface Loopback0
  ip address 10.0.0.5 255.255.255.255
interface Ethernet0/0
  ip address 172.16.0.5 255.255.255.0
  crypto map gdoimap

ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.2 255.255.255.255 172.16.0.2

router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255

router 6

host R6

crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 300
crypto isakmp key tempkey1 address 0.0.0.0
crypto gdoi group GDOI-GROUP1
  identity number 12345
  server address ipv4 10.0.0.1
  server address ipv4 10.0.0.2
crypto map gdoimap 1 gdoi
  set group GDOI-GROUP1

interface Loopback0
  ip address 10.0.0.6 255.255.255.255
interface Ethernet0/0
  ip address 172.16.0.6 255.255.255.0
  crypto map gdoimap

ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.2 255.255.255.255 172.16.0.2

router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255

crypto key generate rsa modulus 4096 label GETVPN-KEYS exportable - Generates the RSA key pair the Key Servers use to sign rekey messages (the GMs verify that signature with the public key). It is generated the same way as an SSH host key, but it is a separate, labelled pair, and it must be exportable so every cooperative KS can hold a copy

ip access-list extended getvpn-acl - Creates the policy access-list: deny entries pass traffic unencrypted, permit entries send it encrypted

deny udp any eq 848 any eq 848 - Excludes GDOI traffic (UDP source and destination port 848, from any source to any destination) from the group IPsec policy. Registration and rekeys are already protected by the GM-to-KS IKE SA, and a GM needs that exchange to obtain the group keys in the first place, so they cannot be wrapped in the group SA

permit eigrp any any - EIGRP is encrypted by the group IPsec SA; because the original header (including the 224.0.0.10 multicast destination) is preserved, the routing protocol keeps working across the group

permit ip any any - All remaining IP traffic (TCP, UDP, ICMP and every other IP protocol) is sent encrypted through the group SA


crypto isakmp policy 1 - Creates the IKEv1 ISAKMP policy with an ID of 1; you can have multiple ISAKMP policies configured, and they are tried in order of priority

encr aes - ISAKMP uses AES with a 128-bit key for IKEv1 confidentiality (encr aes 256 selects a 256-bit key); no hash is specified, so the IOS default, SHA-1, applies; add hash sha256 for a stronger integrity algorithm where supported

authentication pre-share - Specifies that peer authentication uses the configured pre-shared key

group 2 - Specifies the Diffie-Hellman (DH) group used to derive the shared symmetric keys. Group 2 is 1024-bit MODP and is considered weak today; use group 14 (2048-bit) or an ECDH group (19/20/21) where all peers support it

lifetime 300 - Specifies a 5 minute lifetime for the ISAKMP SA. In GETVPN the IKE SA between GM and KS is only needed while the GM registers and receives its keys; later rekeys are protected by the KEK rather than by IKE, so a short IKE lifetime is fine


crypto isakmp key tempkey1 address 0.0.0.0 - Specifies the pre-shared key tempkey1 for ALL ISAKMP peers; 0.0.0.0 is the wildcard. Be aware that one group-wide wildcard PSK means any device that learns the key can register and pull the group keys, and that a single compromised GM exposes every peer; scope keys per peer, or better, use certificate (RSA signature) authentication in production

crypto ipsec transform-set aes128 esp-aes esp-sha-hmac - Defines the IKEv1 phase 2 (IPsec) transform-set named "aes128": esp-aes is ESP encryption with AES (128-bit key) and esp-sha-hmac is ESP integrity with HMAC-SHA-1. Advanced Encryption Standard, Encapsulating Security Payload, Secure Hash Algorithm, Hashed Message Authentication Code. Prefer esp-sha256-hmac, or an AEAD transform such as esp-gcm, where the platform supports it

mode tunnel - Sets IPsec to tunnel mode; GETVPN still copies the original IP header into the outer header (header preservation), which is what keeps routing and multicast working. Overlay solutions like DMVPN typically use transport mode because GRE already supplies the outer header

crypto ipsec profile profile1 - Creates the phase 2 IPsec profile named "profile1"

set security-association lifetime seconds 7200 - Sets the lifetime of the IPsec SA (the TEK) to 120 minutes; the KS rekeys the group before it expires

set transform-set aes128 - Calls to the pre-configured transform-set named "aes128"


crypto gdoi group GDOI-GROUP1 - Starts the GDOI configuration group named "GDOI-GROUP1"

identity number 12345 - You must provide an identity for the GDOI group, this can also be an ipv4 address

server local - For the KSs you must specify that it looks to itself as the KS

rekey algorithm aes 256 - The KEK (Key Encryption Key), which protects the rekey messages carrying new TEKs, uses AES-256

rekey sig-hash algorithm sha512 - Rekey messages are signed by the KS; this selects SHA-512 as the hash for that RSA signature

rekey lifetime seconds 14400 - Specifies that the KEK is rekeyed every 4 hours (14400 seconds), which rekeys all GMs

rekey authentication mypubkey rsa GETVPN-KEYS - Rekey messages are signed with the RSA key pair created at the beginning; GMs receive the public key during registration and use it to verify every rekey

rekey transport unicast - Selects unicast rekeying (the KS sends each GM its own rekey and expects an acknowledgement); omit it to use multicast rekeying, which also requires a multicast-capable underlay

group size large - Sets the Sender ID (SID) length used with Suite-B counter-mode transforms (AES-GCM/GMAC): large is a 32-bit SID (FIPS 140-2 Operating Mode). Each GM gets a unique SID so that no two senders ever use the same IV under the shared group key


sa ipsec 1 - Configures IPsec SA policy entry 1; receive-only can be added here to deploy GMs in a decrypt-only mode for staged rollouts

profile profile1 - Calls back to the crypto ipsec profile "profile1" specified above

match address ipv4 getvpn-acl - Sends the access-list "getvpn-acl" to the GMs as the policy that decides which traffic is encrypted and which passes in the clear

replay counter window-size 64 - Sets counter-based anti-replay with a 64-packet window. Because every GM sends on the same shared SA with its own sequence counter, counter-based anti-replay only works correctly when there is a single sender; for any group with several senders use time-based anti-replay instead (replay time window-size, in seconds), which is the Time-based Anti Replay feature listed above

no tag - Disables inline tagging (Cisco TrustSec SGT carried in the ESP payload)

address ipv4 10.0.0.1 - Sets the local address this KS uses as the source for GDOI registration and rekey traffic; this is the address the GMs point at
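The difference between the two anti-replay modes on a shared SA is easiest to see in code. The following Python model is an added example, not code from the page or from Cisco: it implements the RFC 4303 sliding window and a time-based check over a constructed packet trace in which a second GM starts sending after the first, and an attacker replays one captured packet later.

```python
"""Counter-based versus time-based anti-replay on a shared GETVPN SA.

Added example (not code from the page or from Cisco).  Every GM in a group
shares one IPsec SA (same SPI, same TEK), so the ESP sequence-number space
is shared by several independent senders.  The RFC 4303 sliding window
assumes one sender with one monotonically increasing counter; once a second
GM starts transmitting, its low sequence numbers look like replays.
Time-based anti-replay (TBAR) instead stamps each packet with KS-
synchronised pseudotime and accepts it if that stamp is within the
configured window of the receiver's own pseudotime.  The packet trace below
is constructed to show the difference.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EspPacket:
    sender: str         # GM that encrypted the packet
    seq: int            # that sender's ESP sequence number
    pseudotime: float   # pseudotime the sender stamped into the packet (TBAR)
    arrival: float      # receiver's pseudotime when the packet arrives


class CounterWindow:
    """RFC 4303 style sliding window: one window for the whole shared SA."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence number (top - i) already seen

    def accept(self, pkt: EspPacket) -> bool:
        if pkt.seq > self.top:                      # newer than anything seen: slide the window
            self.bitmap = (self.bitmap << (pkt.seq - self.top)) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = pkt.seq
            return True
        if pkt.seq <= self.top - self.size:         # fell off the left edge: treated as replay
            return False
        bit = 1 << (self.top - pkt.seq)
        if self.bitmap & bit:                       # already seen inside the window
            return False
        self.bitmap |= bit
        return True


class TimeWindow:
    """TBAR: accept if the stamped pseudotime is within `window` seconds of now.
    It bounds how long a captured packet stays replayable; it does not
    detect a replay injected inside the window, which is why the window is
    kept to a few seconds."""

    def __init__(self, window: float = 5.0) -> None:
        self.window = window

    def accept(self, pkt: EspPacket) -> bool:
        return abs(pkt.arrival - pkt.pseudotime) <= self.window


def build_trace() -> list[EspPacket]:
    """Constructed trace: GM-A sends 100 packets, GM-B then starts with its own
    counter at 1, and finally one of GM-A's packets is replayed 40 s later."""
    trace = [EspPacket("GM-A", s, 0.01 * s, 0.01 * s) for s in range(1, 101)]
    trace += [EspPacket("GM-B", s, 2.0 + 0.01 * s, 2.0 + 0.01 * s) for s in range(1, 6)]
    trace.append(EspPacket("GM-A", 50, 0.50, 40.0))   # captured at t=0.5 s, re-injected at t=40 s
    return trace


def evaluate(trace: list[EspPacket], mode: str, window: float) -> dict[str, dict[str, int]]:
    """Run one replay check over the trace; returns per-sender accepted/dropped counts."""
    checker = CounterWindow(int(window)) if mode == "counter" else TimeWindow(window)
    summary: dict[str, dict[str, int]] = {}
    for pkt in trace:
        bucket = summary.setdefault(pkt.sender, {"accepted": 0, "dropped": 0})
        bucket["accepted" if checker.accept(pkt) else "dropped"] += 1
    return summary


if __name__ == "__main__":
    trace = build_trace()
    print("replay counter window-size 64:", evaluate(trace, "counter", 64))
    print("replay time window-size 5:    ", evaluate(trace, "time", 5))
```

With the counter-based window every packet from GM-B is dropped as a replay, because the window has already advanced past GM-B's low sequence numbers; with the time-based check GM-B's traffic is accepted and only the stale replay is dropped. The same trade-off applies on the real GMs, which is why the feature list calls out Time-based Anti Replay and why the time window is kept to a few seconds.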


crypto map gdoimap 1 gdoi - Creates the crypto map for assignment to an interface

set group GDOI-GROUP1 - Sets the crypto gdoi group to the crypto map


interface e0/0 - Choose the interface to enable gdoi with crypto map

ip address 172.16.0.1 255.255.255.0 - Specifies the IP address assigned to the gdoi crypto interface

crypto map gdoimap - Assigns and starts the crypto gdoi process on the e0/0 interface.

Group Key Management, GKM, is Cisco's umbrella term covering both group key protocols GETVPN can use: GDOI (over IKEv1/ISAKMP) and G-IKEv2 (group key management over IKEv2). G-IKEv2 is not part of GDOI, so GKM is used to refer to both.

With the GKM configuration you can configure GDOI, G-IKEv2 or both for a group. G-IKEv2 with Suite-B has specific requirements when using counter-mode IPsec transforms such as AES-GCM (Galois/Counter Mode), as opposed to classic GDOI over ISAKMP, which normally uses CBC (Cipher Block Chaining) transforms: under a shared group key every sender needs a unique Sender ID so that IVs never repeat, which is what the group size setting controls.
The GKM configuration syntax was introduced in IOS 15.5(1)T, where both crypto gdoi and crypto gkm are available. *The crypto gdoi command is deprecated as of 15.5(3)T/M and replaced by crypto gkm, although gdoi is still accepted in the command structure.

You can configure both GDOI (ISAKMP) and G-IKEv2 using the GKM configuration syntax listed below in the G-IKEv2 Configuration section.

Additionally there are specific requirements to run G-IKEv2:

  • Both KS and GM must specify an IKEv2 profile, which you will see in the configuration section
  • Pre-shared key and Public Key Infrastructure (certificate) authentication both work with G-IKEv2
  • IKEv2 Smart Defaults also work with G-IKEv2; we will discuss this later

Migrating to GKM with G-IKEv2 requires careful planning and attention to detail to come out successfully:

  • The IOS version you are running must support both GDOI and G-IKEv2
  • Upgrade a secondary Key Server first while maintaining the Key Server Sender IDs (KSSIDs), then the primary Key Server, then the Group Members

Suite-B support with GETVPN has a few things to remember:

  • AES-GCM or AES-GMAC using 128 and 256 bit keys
  • Elliptic-Curve Digital Signature Algorithm (ECDSA) for digital signatures
  • Elliptic-Curve Diffie-Hellman (ECDH) for key agreement
  • Secure Hash Algorithm 2, SHA-256 and SHA-384, for message digest and integrity

GETVPN with Suite-B support allows these algorithms to be used with GKM: SHA-2/HMAC-SHA-2 and AES-GCM/AES-GMAC.
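Sender IDs are where the group size setting and the KSSID ranges in the G-IKEv2 configuration come together, and why they matter: a counter-mode transform under a shared key is only safe while no two senders ever reuse an IV. The following Python block is an added example, not code from the page or from Cisco. It builds the IV as RFC 6054 describes (SID in the high bits, per-sender counter in the low bits, with a 32-bit SID for group size large), checks a set of cooperative KS identifier values and ranges for the overlap the page warns about, and uses a toy SHA-256 keystream, not AES-GCM, to show what an IV collision leaks. How IOS maps a KSSID range onto the individual SIDs handed to GMs is not modelled.

```python
"""Why Sender IDs matter for counter-mode transforms under a group key.

Added example (not code from the page or from Cisco).  With AES-GCM or
AES-GMAC every GM encrypts with the same TEK, and a counter-mode cipher is
only safe while no two packets are ever processed with the same (key, IV).
RFC 6054 solves this for group SAs by reserving the high bits of the 64-bit
ESP IV for a Sender ID (SID) that is unique per GM; `group size large`
selects a 32-bit SID, and with cooperative key servers each KS draws the SIDs
it hands out from its own KSSID `range`, which is why those ranges must not
overlap.  The bit layout below follows RFC 6054; the exact way IOS splits a
KSSID range into per-GM SIDs is not modelled.  The cipher is a toy SHA-256
keystream, not AES-GCM: it exists only to show what an IV collision leaks.
"""
from __future__ import annotations

import hashlib
from itertools import combinations

IV_BITS = 64   # ESP AES-GCM IV length (RFC 4106)


def make_iv(sid: int, counter: int, sid_bits: int = 32) -> int:
    """IV = SID || per-sender packet counter. sid_bits=32 matches 'group size large'."""
    ctr_bits = IV_BITS - sid_bits
    if not 0 <= sid < (1 << sid_bits):
        raise ValueError("SID does not fit in the configured group size")
    if not 0 <= counter < (1 << ctr_bits):
        raise ValueError("per-sender counter exhausted: a rekey is required before sending more")
    return (sid << ctr_bits) | counter


def check_kssid_ranges(servers: dict[str, tuple[int, tuple[int, int]]]) -> list[str]:
    """servers maps KS name -> (identifier value, (range low, range high)).
    Returns a list of policy violations; an empty list means the coop KS set is consistent."""
    problems = []
    for name, (value, (low, high)) in servers.items():
        if not low <= value <= high:
            problems.append(f"{name}: identifier value {value} lies outside its range {low}-{high}")
    for (a, (_, (alow, ahigh))), (b, (_, (blow, bhigh))) in combinations(servers.items(), 2):
        if alow <= bhigh and blow <= ahigh:
            problems.append(f"{a} and {b}: KSSID ranges overlap, both could allocate the same SID")
    return problems


def toy_ctr_encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Toy counter-mode cipher (SHA-256 keystream). NOT AES-GCM; illustration only."""
    stream = b"".join(
        hashlib.sha256(key + iv.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        for block in range((len(plaintext) + 31) // 32)
    )
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def recover_with_crib(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    """If both ciphertexts used the same (key, IV), ct_a ^ ct_b == pt_a ^ pt_b,
    so a predictable header in one packet reveals the other packet's bytes."""
    n = min(len(ct_a), len(ct_b), len(known_pt_a))
    return bytes(a ^ b ^ k for a, b, k in zip(ct_a[:n], ct_b[:n], known_pt_a[:n]))


def demo() -> dict[str, bytes]:
    """Two GMs, same TEK, same packet counter: distinct SIDs versus a duplicated SID."""
    tek = hashlib.sha256(b"constructed group TEK, not a real key").digest()
    crib = b"EIGRP HELLO AS=1 "            # constructed: predictable header GM-A is known to send
    secret = b"payload from GM-B   "       # constructed: what GM-B sent at the same counter value
    ct_a = toy_ctr_encrypt(tek, make_iv(3, 1), crib)
    healthy = recover_with_crib(ct_a, toy_ctr_encrypt(tek, make_iv(4, 1), secret), crib)  # GM-B holds SID 4
    broken = recover_with_crib(ct_a, toy_ctr_encrypt(tek, make_iv(3, 1), secret), crib)   # GM-B also got SID 3
    return {"distinct_sids": healthy, "duplicate_sid": broken}


if __name__ == "__main__":
    print(check_kssid_ranges({"KS-1": (0, (0, 254)), "KS-2": (255, (255, 511))}))   # consistent, as on the page
    print(check_kssid_ranges({"KS-1": (0, (0, 254)), "KS-2": (100, (100, 300))}))  # overlapping ranges
    print(demo())
```

The `demo` result shows the failure mode directly: when the two GMs hold distinct SIDs, XORing their ciphertexts yields noise, but when a SID is duplicated an attacker who knows one packet's predictable header (here a constructed EIGRP hello) recovers the other packet's bytes. That is the property the non-overlapping KSSID ranges protect, and it is also why a rekey must happen before any sender's counter wraps.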

I am using the following topology when moving forward with GKM & G-IKEv2:

See also Cisco's Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide, August 2008.

Configuring G-IKEv2 is a little more involved, and you have to pay more attention to what you configure than with GDOI (ISAKMP):

In this configuration we create two Key Servers attached directly to our MPLS-type environment, so we do not have to worry about underlay routing and each Group Member can talk directly to the Key Servers. Here EIGRP and route advertisement are encrypted along with the rest of the traffic instead of passing unencrypted over the underlay.

Key Server configuration

host KS-1

crypto key generate rsa modulus 4096 label GETVPN-KEYS exportable

(config)#crypto key export rsa GETVPN-KEYS pem terminal 3des PaSSword!
#Generate the RSA key pair on the primary GDOI/GKM Key Server and export it; it must then be imported on every cooperative KS (see KS-2 below), because every KS signs rekeys with this key and the GMs verify them with it. You can export to the terminal and copy the PEM output, or export to a file; the exported private key is only wrapped with the passphrase, so treat that output as a secret.

ip access-list extended GETVPN-ACL-- the ACL used in conjunction with the crypto map, what's encrypted and what's not
 deny udp any eq 848 any eq 848 -- KS talk over UDP/848
 permit eigrp any any -- keep in mind you should deny eigrp if you need to provide underlay connectivity, this will pass your routes in clear text
 permit ip any any -- already covers ICMP; a permit icmp any any entry placed after it would never be matched

crypto ikev2 proposal ikev2-proposal
  encryption aes-gcm-256
  prf sha512
  group 21
crypto ikev2 policy ikev2-policy
  proposal ikev2-proposal
crypto ikev2 profile ikev2-profile
  match identity remote any -- an easy way to allow ALL remotes
  authentication remote pre-share key CISCO -- you must specify a remote PSK for authencation
  authentication local pre-share key CISCO -- you must specify a local PSK for authentication
crypto ipsec security-association lifetime kilobytes disable -- an SA should not be limited by traffic amount here; I like to disable this
crypto ipsec security-association lifetime seconds 86400 -- I like to extend the SA to 86400 seconds considering this is "internal" connectivity
crypto ipsec transform-set ipsec-tset esp-gcm 256
  mode tunnel
crypto ipsec profile ipsec-profile
  set security-association lifetime kilobytes disable
  set security-association lifetime seconds 86400
  set transform-set ipsec-tset

crypto gkm group GDOI-GROUP1
  identity number 1 -- the group must have a unique number or address
  server local
   no gdoi -- disables GDOI for this group so only G-IKEv2 is used; gdoi is on by default, so this default only appears in show running-config all
   gikev2 ikev2-profile -- this allows the use of IKEv2
   rekey algorithm aes 256 -- the KEK algorithm, used to encrypt the rekey messages that carry new TEKs to the GMs
   rekey sig-hash algorithm sha512 -- hash level for the rekey
   rekey authentication mypubkey rsa GETVPN-KEYS -- this is the RSA key generated for each Key Server
   rekey transport unicast -- can use unicast or multicast functionality for rekey to GMs
   group size large -- check for the group size description in the previous section
   identifier -- the Key Server must have a unique identifier and be allowed a unique range of KSSID to provide to GMs
    value 0 -- must be unique within the GROUP
    range 0 - 254 -- with multiple Key Servers you must specify unique KSSID range and cannot overlap between Key Servers
   sa ipsec 1
    profile ipsec-profile -- match the ipsec profile created
    match address ipv4 GETVPN-ACL -- specify the crypto map "interesting traffic"
    replay counter window-size 64
    no tag
   address ipv4 172.17.0.1 -- specify the IPv4 address to use for the Key Server

crypto gkm group GDOI-GROUP2
  identity number 2 -- the group must have a unique number or address
  server local
   no gdoi -- disables GDOI for this group so only G-IKEv2 is used; gdoi is on by default, so this default only appears in show running-config all
   gikev2 ikev2-profile -- this allows the use of IKEv2
   rekey algorithm aes 256 -- the encryption used to secure the confidentiality of the TEK
   rekey sig-hash algorithm sha512 -- hash level for the rekey
   rekey authentication mypubkey rsa GETVPN-KEYS -- this is the RSA key generated for each Key Server
   rekey transport unicast -- can use unicast or multicast functionality for rekey to GMs
   group size large -- check for the group size description in the previous section
   identifier -- the Key Server must have a unique identifier and be allowed a unique range of KSSID to provide to GMs
    value 0 -- must be unique within the GROUP
    range 0 - 254 -- with multiple Key Servers you must specify unique KSSID range and cannot overlap between Key Servers
   sa ipsec 1
    profile ipsec-profile -- match the ipsec profile created
    match address ipv4 GETVPN-ACL -- specify the crypto map "interesting traffic"
    replay counter window-size 64
    no tag
   address ipv4 172.17.1.1 -- specify the IPv4 address to use for the Key Server


interface e0/0.4000
  encapsulation dot1Q 4000
  ip address 172.17.0.1 255.255.255.0

interface e0/0.4001
  encapsulation dot1Q 4001
  ip address 172.17.1.1 255.255.255.0


host KS-2

(config)#crypto key import rsa GETVPN-KEYS exportable pem terminal PaSSword!
#Import the key pair that was exported from KS-1 (paste the PEM output at the prompt) so that KS-2 signs rekeys with the same RSA key the GMs already trust.

ip access-list extended GETVPN-ACL
 deny udp any eq 848 any eq 848
 permit eigrp any any -- keep in mind you should deny eigrp if you need to provide underlay connectivity, this will pass your routes in clear text
 permit ip any any -- already covers ICMP; a permit icmp any any entry placed after it would never be matched

crypto ikev2 proposal ikev2-proposal
  encryption aes-gcm-256
  prf sha512
  group 21
crypto ikev2 policy ikev2-policy
  proposal ikev2-proposal
crypto ikev2 profile ikev2-profile
  match identity remote any
  authentication remote pre-share key CISCO
  authentication local pre-share key CISCO
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set ipsec-tset esp-gcm 256
  mode tunnel
crypto ipsec profile ipsec-profile
  set security-association lifetime kilobytes disable
  set security-association lifetime seconds 86400
  set transform-set ipsec-tset

crypto gkm group GDOI-GROUP1
  identity number 1
  server local
   no gdoi -- disables GDOI for this group so only G-IKEv2 is used; gdoi is on by default, so this default only appears in show running-config all
   gikev2 ikev2-profile
   rekey algorithm aes 256
   rekey sig-hash algorithm sha512
   rekey authentication mypubkey rsa GETVPN-KEYS
   rekey transport unicast
   group size large
   identifier
    value 255 -- must be unique within the GROUP
    range 255 - 511 -- with multiple Key Servers you must specify unique KSSID range and cannot overlap between Key Servers
   sa ipsec 1
    profile ipsec-profile
    match address ipv4 GETVPN-ACL
    replay counter window-size 64
    no tag
   address ipv4 172.17.0.2

crypto gkm group GDOI-GROUP2
  identity number 2
  server local
   no gdoi -- disables GDOI for this group so only G-IKEv2 is used; gdoi is on by default, so this default only appears in show running-config all
   gikev2 ikev2-profile
   rekey algorithm aes 256
   rekey sig-hash algorithm sha512
   rekey authentication mypubkey rsa GETVPN-KEYS
   rekey transport unicast
   group size large
   identifier
    value 255 -- must be unique within the GROUP
    range 255 - 511 -- with multiple Key Servers you must specify unique KSSID range and cannot overlap between Key Servers
   sa ipsec 1
    profile ipsec-profile
    match address ipv4 GETVPN-ACL
    replay counter window-size 64
    no tag
   address ipv4 172.17.1.2

interface e0/0.4000
  encapsulation dot1Q 4000
  ip address 172.17.0.2 255.255.255.0

interface e0/0.4001
  encapsulation dot1Q 4001
  ip address 172.17.1.2 255.255.255.0



Group Member Configurations, routers 3 - 10 (R3 is shown; the other G-IKEv2 GMs differ only in their interface addresses)

Router 3

host R3

crypto ikev2 proposal IKEv2-proposal
  encryption aes-gcm-256
  prf sha512
  group 21
crypto ikev2 policy IKEv2-policy
  proposal IKEv2-proposal
crypto ikev2 profile IKEv2-profile
  match identity remote any
  authentication remote pre-share key CISCO
  authentication local pre-share key CISCO
crypto ipsec transform-set IPSEC-TSET esp-gcm 256
  mode tunnel

crypto gkm group GKM-GROUP1
  identity number 1
  server address ipv4 172.17.0.1
  server address ipv4 172.17.0.2
  client recovery-check interval 100
  client rekey encryption aes 256
  client rekey hash sha512
  client protocol gikev2 IKEv2-profile

crypto gkm group GKM-GROUP2
  identity number 2
  server address ipv4 172.17.1.1
  server address ipv4 172.17.1.2
  client recovery-check interval 100
  client rekey encryption aes 256
  client rekey hash sha512
  client protocol gikev2 IKEv2-profile

crypto map GKM_MAP1 1 gdoi
  set group GKM-GROUP1
crypto map GKM_MAP2 1 gdoi
  set group GKM-GROUP2

interface Ethernet0/0.4000
  encapsulation dot1Q 4000
  ip address 172.17.0.3 255.255.255.0
  crypto map GKM_MAP1
interface Ethernet0/0.4001
  encapsulation dot1Q 4001
  ip address 172.17.1.3 255.255.255.0
  crypto map GKM_MAP2

router eigrp 1
  network 172.17.0.0 0.0.0.255
  network 172.17.1.0 0.0.0.255
