Well, on the 642-637 syllabus the GET (Group Encrypted Transport) VPN seems like a pretty important part, so I'll be creating a test network with my 3 Cisco 1811 routers. GET VPN seems to provide a pretty nice encryption solution for the MPLS VPNs we provide here at Gconnect and, as a bit of a bonus, the Key Server can be multi-tenanted, which makes it more bearable. On with the tests: I'll use R1 as my Key Server and R2 and R3 as Group Members. We are assuming that the MPLS VPN is using the 172.16.0.0/24 network and the internal networks all fall within 192.168.0.0/16.
Configuring the Key Server
Task 1 – Create a Custom IKE Policy
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#encryption aes
R1(config-isakmp)#exit
Task 2 – Create PSKs for all the Group Members (I’ll cheat and use the same simple password)
R1(config)#crypto isakmp key mysimplekey address 172.16.0.2
R1(config)#crypto isakmp key mysimplekey address 172.16.0.3
Task 3 – Generate some RSA Keys for the Rekey process
R1(config)#crypto key generate rsa label GETKEYS modulus 2048 exportable

The Key Server signs every rekey message with this key, so it is the root of trust for the whole group. Only mark it exportable if you need to copy the same key to a second (cooperative) Key Server; otherwise leave the keyword off so the private key can never leave the router.
Task 4 – Create a transform set, IPSec profile and define the protected traffic
R1(config)#crypto ipsec transform-set GETSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile GET_PROFILE
R1(ipsec-profile)#set transform-set GETSET
R1(ipsec-profile)#exit
R1(config)#ip access-list extended GETVPN_TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config-ext-nacl)#exit
Task 5 – Enable and Config The GET VPN server
R1(config)#crypto gdoi group GET_GDOI_GROUP
R1(config-gdoi-group)#identity number 12345
R1(config-gdoi-group)#server local
R1(gdoi-local-server)#address ipv4 172.16.0.1
R1(gdoi-local-server)#sa ipsec 10
R1(gdoi-sa-ipsec)#profile GET_PROFILE
R1(gdoi-sa-ipsec)#match address ipv4 GETVPN_TRAFFIC
R1(gdoi-sa-ipsec)#exit
R1(gdoi-local-server)#exit
R1(config-gdoi-group)#exit

The ACL name in "match address ipv4" must be exactly the one created in Task 4 (GETVPN_TRAFFIC); this is the policy the Key Server pushes to every Group Member, and a mistyped name leaves the group with no protected traffic.
Task 6 – Arranging the deck chairs (well, assigning the keys and setting the rekey transport)
R1(config)#crypto gdoi group GET_GDOI_GROUP
R1(config-gdoi-group)#server local
R1(gdoi-local-server)#rekey authentication mypubkey rsa GETKEYS
R1(gdoi-local-server)#rekey transport unicast
R1(gdoi-local-server)#exit
R1(config-gdoi-group)#exit

One caveat: the transform set in Task 4 only governs the TEK (the key protecting the data). The KEK that protects the rekey messages themselves defaults to 3DES when no "rekey algorithm" line is configured under "server local"; "rekey algorithm aes 256" brings it in line with the data plane.
Task 7 – Finally! Create the Crypto Map and slap it on an interface
R1(config)#crypto map GET_CRYPTO_MAP 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
R1(config-crypto-map)#set group GET_GDOI_GROUP
R1(config-crypto-map)#exit
R1(config)#int fa0
R1(config-if)#crypto map GET_CRYPTO_MAP
Verification with:
R1#sh crypto gdoi
GROUP INFORMATION
    Group Name               : GET_GDOI_GROUP (Unicast)
    Group Identity           : 12345
    Group Members            : 2
    IPSec SA Direction       : Both
    Group Rekey Lifetime     : 86400 secs
    Group Rekey Remaining Lifetime : 82160 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit Remaining Lifetime : 0 secs

      IPSec SA Number        : 10
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GET_PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey Remaining Lifetime : 2213 secs
      ACL Configured         : access-list GETVPN_TRAFFIC

     Group Server list       : Local
Configuration of the Group Members
Task 1 – Configure the custom IKE policy
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#group 14
R2(config-isakmp)#exit
Task 2 – Add the pre-shared key
R2(config)#crypto isakmp key mysimplekey address 172.16.0.1

A Group Member only ever runs IKE with the Key Server during registration; the members never negotiate IKE with each other (the data-plane keys all come from the Key Server), so the only pre-shared key R2 needs is the one for 172.16.0.1.
Task 3 – Enable GET
R2(config)#crypto gdoi group GET_GDOI_GROUP
R2(config-gdoi-group)#identity number 12345
R2(config-gdoi-group)#server address ipv4 172.16.0.1
R2(config-gdoi-group)#exit
Task 4 – Create the crypto map and apply it
R2(config)#crypto map GET_CRYPTO_MAP 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
R2(config-crypto-map)#set group GET_GDOI_GROUP
R2(config-crypto-map)#exit
R2(config)#int fa0
R2(config-if)#crypto map GET_CRYPTO_MAP
You can verify the Group Member with the same command as the Key Server:
R2#sh crypto gdoi
GROUP INFORMATION
    Group Name               : GET_GDOI_GROUP
    Group Identity           : 12345
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Group Server list        : 172.16.0.1
    Group member             : 172.16.0.2       vrf: None
       Registration status   : Registered
       Registered with       : 172.16.0.1
       Re-registers in       : 1810 sec
       Succeeded registration: 2
       Attempted registration: 5
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 3
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
    allowable rekey cipher   : any
    allowable rekey hash     : any
    allowable transformtag   : any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS 172.16.0.1:
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83342
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2048

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0:
    IPsec SA:
        spi: 0xEA1A7149(3927601481)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1936)
        Anti-Replay : Disabled
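Reading that output by eye once is fine; on a real deployment you want the same checks run against every Group Member after each change. The script below is an added example, not part of the original post or of Cisco's tooling: it parses the "key : value" lines that "show crypto gdoi" prints and flags the things a reviewer would question in the output above (the 3DES KEK, anti-replay disabled), plus a member that is not registered, a short rekey-signing key and a weak TEK transform. The embedded sample is constructed, modelled on the R2 output above rather than captured live; the check names and thresholds are my choices.

```python
"""Audit 'show crypto gdoi' output from a GET VPN Group Member.

Added example, not code from the original post. It parses the 'key : value'
lines IOS prints and flags the settings a reviewer would question: a member
that is not registered, a 3DES KEK, a short rekey-signing key, a weak TEK
transform, and anti-replay left disabled. Paste real output into audit_gdoi().
"""
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the Group Member output above (not a live capture).
SAMPLE_GM_OUTPUT = """\
GROUP INFORMATION
    Group Name               : GET_GDOI_GROUP
    Group Identity           : 12345
    IPSec SA Direction       : Both
    Group Server list        : 172.16.0.1
    Group member             : 172.16.0.2       vrf: None
       Registration status   : Registered
       Registered with       : 172.16.0.1
       Re-registers in       : 1810 sec
 KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 83342
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2048
 TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0:
    IPsec SA:
        spi: 0xEA1A7149(3927601481)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1936)
        Anti-Replay : Disabled
"""

# "Key : value" with any spacing; section headers such as "KEK POLICY:" have no value.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Ciphers that should not appear in the KEK (rekey) or TEK (data) policy.
WEAK_KEK_CIPHERS = {"des", "3des"}
WEAK_TEK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null"}


def parse_gdoi(output: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in display order; keys are lower-cased."""
    pairs = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("value"):
            pairs.append((m.group("key").lower(), m.group("value")))
    return pairs


def first(pairs: List[Tuple[str, str]], key: str) -> Optional[str]:
    """Value of the first occurrence of key (case-insensitive), or None."""
    key = key.lower()
    for k, v in pairs:
        if k == key:
            return v
    return None


def audit_gdoi(output: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    pairs = parse_gdoi(output)
    findings = []

    status = first(pairs, "Registration status")
    if status is not None and status.lower() != "registered":
        findings.append("group member not registered (status: %s)" % status)

    kek = first(pairs, "Encrypt Algorithm")
    if kek and kek.lower() in WEAK_KEK_CIPHERS:
        findings.append("KEK cipher is %s (the IOS default when no 'rekey algorithm' "
                        "is set); configure 'rekey algorithm aes 256' on the KS" % kek)

    sig_bits = first(pairs, "Sig Key Length (bits)")
    if sig_bits and sig_bits.isdigit() and int(sig_bits) < 2048:
        findings.append("rekey signing key is only %s bits; regenerate with modulus 2048" % sig_bits)

    transform = first(pairs, "transform")
    if transform and WEAK_TEK_TRANSFORMS.intersection(transform.lower().split()):
        findings.append("TEK transform '%s' uses a weak or null cipher" % transform)

    replay = first(pairs, "Anti-Replay")
    if replay and replay.lower().startswith("disabled"):
        findings.append("TEK anti-replay is disabled; set 'replay counter window-size 64' "
                        "(or time-based replay) under 'sa ipsec' on the KS")
    return findings


if __name__ == "__main__":
    for finding in audit_gdoi(SAMPLE_GM_OUTPUT):
        print("-", finding)
```

Run against the constructed sample it reports two findings, the 3DES KEK and the disabled anti-replay, and nothing else; fed real output from each Group Member it gives you a quick fleet-wide check that the policy the Key Server actually pushed is the one you meant to configure.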
The ping tests work fine, but as GET VPN is tunnel-less they would have worked anyway, so a successful ping proves nothing about encryption. Check that the encaps/decaps counters in "show crypto ipsec sa" are climbing on both Group Members instead. If the requirement is that site-to-site traffic must never leave in the clear, note that by default a Group Member forwards traffic unencrypted until it has registered with the Key Server; GET VPN's fail-close mode on the Group Member's GDOI crypto map blocks the traffic matching the policy until registration succeeds.