GETVPN
-It is largely suited for an enterprise running over a private Multiprotocol Label Switching (MPLS)/IP-based core network.
-It is also better suited to encrypting multicast traffic.
-It ensures low latency and jitter by enabling full-time, direct communication between sites, without requiring transport through a central hub.
-It allows replication of the packets after encryption, so multicast traffic can be replicated in the core, reducing the load and bandwidth requirement on the Customer Premises Equipment (CPE).
-IP Address Preservation lets encrypted packets carry the original source and destination IP addresses in the outer IP header rather than replacing them with tunnel endpoint addresses. This technique is known as IPSec Tunnel Mode with Address Preservation.
-DMVPN uses tunnels, so QoS can be implemented but with some limitations, since a new IPsec IP header is added; GETVPN can apply QoS without those limitations because it keeps the original IP header.
-The Key Server (KS) is responsible for maintaining security policies, authenticating the Group Members (GMs) and providing the session key for encrypting traffic.
-The KS authenticates the individual GMs at the time of registration.
-The KS verifies the group ID number of the GM. If this ID number is valid and the GM has provided valid Internet Key Exchange (IKE) credentials, the key server sends the SA policy and the keys to the group member.
Typically the KS is installed in the data center of the customer network. The CPE routers connecting to the MPLS core are configured as GMs. The KS must be reachable from all GMs through the core or the enterprise network.
The steps below explain the protocol flows that are necessary for Group Members to participate in a GETVPN group:
1. Once the GM boots up, it attempts to register with the KS using the GDOI protocol.
2. Registration goes through after successful mutual authentication.
3. After successful registration the GM receives the KEK and TEK keys.
4. GMs can now encrypt and decrypt packets as specified by the SA.
5. The KS keeps track of the SA lifetime. It sends rekey information when the current SA is about to expire.
Rekey information includes the new SA and session key details. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.
Remember: the KS keeps track of the SA lifetime and sends rekey information (new SA and new session key) when the current SA is about to expire.
Note: VPN addresses must be routable in the transport network. This is because the original IP header is used, and in most cases it prevents GET VPN from being used over the Internet. See the picture on the next page.
This limitation is important to remember when using GETVPN, especially VRF-aware GETVPN.
Basic Configuration
R2
int s1/0
ip add 10.1.24.2 255.255.255.0
no sh
int s1/1
ip add 10.1.25.2 255.255.255.0
no sh
int f0/0
ip add 10.1.12.2 255.255.255.0
no sh
R4
int s1/0
ip add 10.1.24.4 255.255.255.0
no sh
int loop 0
ip add 192.168.4.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.24.2
R5
int s1/1
ip add 10.1.25.5 255.255.255.0
no sh
int loop 0
ip add 192.168.5.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.25.2
R1
int f0/0
ip add 10.1.12.1 255.255.255.0
no sh
int loop0
ip add 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.12.2
Now let's configure a GET VPN solution for traffic between the 192.168.0.0/16 networks (the LANs behind R4 and R5, represented here by loopbacks on both routers).
R1 will be the Key Server; R5 and R4 are Group Members.
KS configuration parameters:
Group name: GETVPN
Server: Identity 1
IP address 10.1.12.1
Rekey: Unicast
2 retransmits, every 10 seconds
RSA key name R1.cbtme.com
Authorization: Only the R5 and R4 GM routers
IPSec SA: Time-based anti-replay window: 64
Policy: 192.168.0.0/16, do not encrypt GDOI
Encryption: AES-128
Integrity: SHA
ISAKMP Policy Authentication: PSK
Encryption: DES
Hashing: SHA
Pre-shared key: GETVPN-R5 (for R5), GETVPN-R4 (for R4)
Do not encrypt SSH traffic between the 192.168.5.0/24 and 192.168.4.0/24 networks.
This exception must be configured on the GMs only.
Answer:
R1 (KS)
ip domain-name cbtme.com
crypto key generate rsa modulus 1024
! the key is named hostname.domain, i.e. R1.cbtme.com, as the task requires
crypto isakmp policy 10
encryption des
hash sha
authentication pre-share
exit
! one pre-shared key per GM, keyed on the address each GM registers from
crypto isakmp key GETVPN-R5 address 10.1.25.5
crypto isakmp key GETVPN-R4 address 10.1.24.4
(IPSec parameters must be configured on the KS; the KS will not use them itself but sends them to the GMs)
! GETVPN-TS is a name chosen here; the transform-set name is not given in the task
crypto ipsec transform-set GETVPN-TS esp-aes 128 esp-sha-hmac
crypto ipsec profile GETVPN-PROF
set transform-set GETVPN-TS
exit
! policy ACL: never encrypt GDOI itself (UDP 848), encrypt everything between the 192.168.0.0/16 LANs
ip access-list extended LAN-LIST
deny udp any eq 848 any eq 848
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
exit
! authorization ACL: only R4 and R5 (by their registration source address) may join the group
ip access-list extended GM-LIST
permit ip host 10.1.24.4 any
permit ip host 10.1.25.5 any
exit
crypto gdoi group GETVPN
identity number 1
server local
rekey authentication mypubkey rsa R1.cbtme.com
rekey retransmit 10 number 2
rekey transport unicast
authorization address ipv4 GM-LIST
sa ipsec 1
profile GETVPN-PROF
match address ipv4 LAN-LIST
replay counter window-size 64
exit
address ipv4 10.1.12.1
exit
exit
We use the identity command in GDOI group configuration mode to set the identity of the group to either an IP address or a number. The identity distinguishes the specific group configuration, because there can be multiple GET VPN groups on each key server or member.
If multicast were used to transport the rekeys, we would use the following commands under server local instead of rekey transport unicast:
access-list 100 permit udp host 10.1.12.1 host 239.1.1.1 eq 848
rekey address ipv4 100
Notice: there is nothing to apply under the KS interfaces; the IPSec SA parameters above are not used by the KS and are only sent to the GMs.
R5 (GM)
crypto isakmp policy 10
encryption des
hash sha
authentication pre-share
exit
crypto isakmp key GETVPN-R5 address 10.1.12.1
crypto gdoi group GETVPN
identity number 1
! 10.1.12.1 is the KS IP address
server address ipv4 10.1.12.1
exit
(Optionally we can exclude some traffic from the encrypted flow. The task asks to exclude SSH traffic between 192.168.4.0/24 and 192.168.5.0/24. An ACL created here on the GM can only deny traffic; it cannot be used to permit.)
ip access-list ext dont-encrypt
deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255
deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
deny tcp 192.168.5.0 0.0.0.255 eq 22 192.168.4.0 0.0.0.255
deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
exit
crypto map CMAP-GETVPN 10 gdoi
set group GETVPN
match address dont-encrypt
exit
int s1/1
crypto map CMAP-GETVPN
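The interaction between the GM's local deny-only ACL and the policy pushed by the KS is the part of this lab that is easiest to get wrong, so here is an added example (not from the original lab) that models it in Python. The ACLs are constructed to mirror the task: the KS policy encrypts 192.168.0.0/16 to 192.168.0.0/16 and never encrypts GDOI (UDP 848), and the GM excludes SSH between the R4 and R5 LANs. The evaluation order modelled (GM deny entries first, then the downloaded KS policy, no match meaning clear text) is an assumption stated here, as are the sample packets and the helper names net, first_match, gm_disposition and disposition.

```python
"""Constructed model (not from the original lab) of how a GET VPN group member
decides, per packet, between encrypting and forwarding in the clear.

Order of evaluation modelled here: the GM's own crypto-map ACL (deny-only
exceptions) is consulted first, then the policy ACL downloaded from the KS.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches every protocol, None = any port."""
    action: str           # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse an IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard)."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)


def first_match(acl: List[Ace], pkt: Packet) -> Optional[str]:
    """Action of the first matching entry, or None for the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return None


def gm_disposition(local_acl: List[Ace], ks_policy: List[Ace], pkt: Packet) -> str:
    """Return 'bypass' (clear text) or 'encrypt' for one packet."""
    # A deny in the GM's own ACL always wins; a local permit adds nothing,
    # because the GM ACL can only carve exceptions out of the KS policy.
    if first_match(local_acl, pkt) == "deny":
        return "bypass"
    # Otherwise the policy pushed by the KS decides; no match means clear text.
    return "encrypt" if first_match(ks_policy, pkt) == "permit" else "bypass"


# Constructed to mirror the lab task: encrypt 192.168.0.0/16 <-> 192.168.0.0/16,
# never encrypt GDOI itself (UDP 848), and exclude SSH between the R4 and R5
# LANs on the GM only.
KS_POLICY = [
    Ace("deny", "udp", net("any"), net("any"), sport=848, dport=848),
    Ace("permit", "ip", net("192.168.0.0 0.0.255.255"), net("192.168.0.0 0.0.255.255")),
]
GM_LOCAL = [
    Ace("deny", "tcp", net("192.168.4.0 0.0.0.255"), net("192.168.5.0 0.0.0.255"), sport=22),
    Ace("deny", "tcp", net("192.168.4.0 0.0.0.255"), net("192.168.5.0 0.0.0.255"), dport=22),
    Ace("deny", "tcp", net("192.168.5.0 0.0.0.255"), net("192.168.4.0 0.0.0.255"), sport=22),
    Ace("deny", "tcp", net("192.168.5.0 0.0.0.255"), net("192.168.4.0 0.0.0.255"), dport=22),
]


def disposition(pkt: Packet) -> str:
    """Disposition under the lab's combined GM + KS policy."""
    return gm_disposition(GM_LOCAL, KS_POLICY, pkt)


if __name__ == "__main__":
    for pkt in (
        Packet("192.168.4.4", "192.168.5.5", "tcp", 41000, 22),    # SSH R4 LAN -> R5 LAN
        Packet("192.168.4.4", "192.168.5.5", "icmp"),              # ping between the LANs
        Packet("192.168.4.4", "192.168.1.1", "tcp", 41000, 22),    # SSH to the KS LAN
        Packet("10.1.24.4", "10.1.12.1", "udp", 848, 848),         # GDOI registration
        Packet("192.168.4.4", "203.0.113.10", "tcp", 41000, 443),  # outside the policy
    ):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {disposition(pkt)}")
```

Note that SSH from the R4 LAN to the KS LAN (192.168.1.0/24) is still encrypted: the exception is only as wide as the four deny entries, which is what the task asked for.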
(R4 uses the same configuration as R5, including the dont-encrypt ACL, except that the pre-shared key is GETVPN-R4)
R4 (GM)
crypto isakmp policy 10
encryption des
hash sha
authentication pre-share
exit
crypto isakmp key GETVPN-R4 address 10.1.12.1
crypto gdoi group GETVPN
identity number 1
server address ipv4 10.1.12.1
exit
ip access-list ext dont-encrypt
deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255
deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
deny tcp 192.168.5.0 0.0.0.255 eq 22 192.168.4.0 0.0.0.255
deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
exit
crypto map CMAP-GETVPN 10 gdoi
set group GETVPN
match address dont-encrypt
exit
int s1/0
crypto map CMAP-GETVPN
R2
ip route 192.168.4.0 255.255.255.0 10.1.24.4
ip route 192.168.5.0 255.255.255.0 10.1.25.5
Verification:
R1#sh crypto gdoi group GETVPN
Group Name               : GETVPN (Unicast)
Re-auth on new CRL       : Disabled
Group Identity           : 1
Crypto Path              : ipv4
Key Management Path      : ipv4
Group Members            : 2
IPSec SA Direction       : Both
Group Rekey Lifetime     : 86400 secs
Rekey Retransmit Period  : 10 secs
Rekey Retransmit Attempts: 2
IPSec SA Number          : 1
IPSec SA Rekey Lifetime  : 3600 secs
Profile Name             : GETVPN-PROF
Replay method            : Count Based
Replay Window Size       : 64
Tagging method           : Disabled
SA Rekey
Remaining Lifetime       : 3432 secs
Time to Rekey            : 3046 secs
ACL Configured           : access-list LAN-LIST
Group Server list        : Local
To verify the policy configured on the GMs, enable the SSH server on R4 and R5 and configure a local user database. Note that you must test SSH traffic between the 192.168.[45].0/24 networks, so you need to tell the routers which interface to use as the SSH source.
R4
ip ssh source-interface lo0
ip domain-name cbtme.com
cry key gen rsa mod 1024
line vty 0 4
login local
R5
ip ssh source-interface lo0
ip domain-name cbtme.com
cry key gen rsa mod 1024
line vty 0 4
login local
username yasser password cisco123
R5#sh cry ips sa | in local|remot|enca|deca
Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0
R4#ssh -l yasser 192.168.4.4
Password:
R5#sh cry ips sa | in local|remot|enca|deca
Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0
Notice that no encryption counters incremented, because SSH between those networks is excluded from encryption.
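The before/after comparison of the #pkts counters is the check that proves the exception works, and the Remaining Lifetime versus Time to Rekey figures in show crypto gdoi are what tells you the KS is rekeying early enough. As an added example (not part of the original lab), the Python below parses both outputs and turns them into yes/no answers. The snapshots and the GDOI sample are constructed after the lab's own show output; the function names parse_ipsec_sa, counter_delta, traffic_was_encrypted and rekey_margin are this example's own.

```python
"""Added example (not from the original lab): parse GET VPN show output to
confirm whether traffic was encrypted between two snapshots and to check the
rekey margin. The sample output below is constructed after the lab's own output.
"""
import re
from typing import Dict

Counters = Dict[str, int]

_TAG = re.compile(r"Crypto map tag: (\S+),")
_PKTS = re.compile(r"#pkts ([\w. ]+?):\s*(\d+)")
_REMAINING = re.compile(r"Remaining Lifetime\s*:\s*(\d+) secs")
_TO_REKEY = re.compile(r"Time to Rekey\s*:\s*(\d+) secs")


def parse_ipsec_sa(text: str) -> Dict[str, Counters]:
    """Map each crypto map tag in 'show crypto ipsec sa' to its #pkts counters."""
    sas: Dict[str, Counters] = {}
    tag = None
    for line in text.splitlines():
        m = _TAG.search(line)
        if m:
            tag = m.group(1)
            sas.setdefault(tag, {})
            continue
        if tag is not None:
            for name, value in _PKTS.findall(line):
                sas[tag][name] = int(value)
    return sas


def counter_delta(before: Dict[str, Counters], after: Dict[str, Counters], tag: str) -> Counters:
    """Per-counter increase between two snapshots for one crypto map."""
    b, a = before.get(tag, {}), after[tag]
    return {name: a[name] - b.get(name, 0) for name in a}


def traffic_was_encrypted(before: Dict[str, Counters], after: Dict[str, Counters], tag: str) -> bool:
    """True if the SA encrypted or decrypted anything between the snapshots."""
    d = counter_delta(before, after, tag)
    return d.get("encrypt", 0) > 0 or d.get("decrypt", 0) > 0


def rekey_margin(gdoi_text: str) -> int:
    """Seconds between the scheduled rekey and TEK expiry in 'show crypto gdoi'.
    A non-positive value would mean the GM runs out of keys before the rekey."""
    remaining = int(_REMAINING.search(gdoi_text).group(1))
    to_rekey = int(_TO_REKEY.search(gdoi_text).group(1))
    return remaining - to_rekey


# Constructed snapshots: counters before the test, after an SSH session between
# the excluded LANs (unchanged) and after a ping between the LANs (incremented).
SNAP_BEFORE = """\
Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0
"""
SNAP_AFTER_SSH = SNAP_BEFORE
SNAP_AFTER_PING = SNAP_BEFORE.replace(": 5", ": 10")

# Constructed after the KS output above (3432 secs remaining, rekey in 3046 secs).
GDOI_SAMPLE = """\
    SA Rekey
        Remaining Lifetime       : 3432 secs
        Time to Rekey            : 3046 secs
"""

if __name__ == "__main__":
    before = parse_ipsec_sa(SNAP_BEFORE)
    print("ssh :", traffic_was_encrypted(before, parse_ipsec_sa(SNAP_AFTER_SSH), "CMAP-GETVPN"))
    print("ping:", traffic_was_encrypted(before, parse_ipsec_sa(SNAP_AFTER_PING), "CMAP-GETVPN"))
    print("rekey margin:", rekey_margin(GDOI_SAMPLE), "secs")
```

Run against real output, the same two functions give you a pass/fail for the SSH exception (counters must not move) and for the encrypted ping (counters must move); rekey_margin on the KS output above yields 386 seconds, which is the head start the KS gives itself before the TEK expires.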
In lab 1 we had one KS; if it goes down we lose everything, since a single KS is a single point of failure for the entire GET VPN network.
So GET VPN supports multiple KSs serving the same group.
This is called COOP KS, and the KSs use the COOP protocol to negotiate and synchronize with each other.
Among a group of KSs, one is elected primary and the others are designated secondary.
The primary server is responsible for rekeying, but GMs may still register to any KS in the group and obtain the current keys, which allows load distribution as well as redundancy.
The primary KS sends periodic GDOI messages to the secondaries; when a certain number of messages are missed, the re-election process starts and a new primary is elected.
The secondary KS taking over the primary role transparently continues to send rekeys to the GMs, so the GMs do not detect the loss of the original server.
Basic Configuration
KS1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 1
network 10.1.1.0 0.0.0.255 area 0
KS2
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
router ospf 2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 2
network 10.1.1.0 0.0.0.255 area 0
GM-Hub
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Loopback1
ip address 10.2.3.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
ip ospf priority 100
router ospf 3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 3
network 10.1.1.0 0.0.0.255 area 0
network 10.2.3.0 0.0.0.255 area 3
GM-Spoke1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Loopback1
ip address 10.2.4.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.4 255.255.255.0
ip ospf priority 0
router ospf 4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 4
network 10.1.1.0 0.0.0.255 area 0
network 10.2.4.0 0.0.0.255 area 4
GM-Spoke2
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback1
ip address 10.2.5.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.5 255.255.255.0
ip ospf priority 0
router ospf 5
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 5
network 10.1.1.0 0.0.0.255 area 0
network 10.2.5.0 0.0.0.255 area 5
Now let's configure our primary key server router first, before we configure the second one.
Notice that the only commands that differ between a single KS and multiple KSs are the redundancy commands at the end of the GDOI group configuration (plus the ISAKMP key for the peer KS).
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.1.2
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4
crypto isakmp key cisco123 address 10.1.1.5
crypto ipsec transform-set gvpn-ts esp-3des esp-sha-hmac
! the IPSec profile referenced below under "sa ipsec 1" (same settings as on KS2)
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
set transform-set gvpn-ts
Now we will configure an ACL specifying what traffic will be encrypted using the GET VPN
services.
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255
Finally we will configure GDOI on our key server with an identity of "1"; all sites must be configured with the same identity number.
crypto gdoi group gvpn1
identity number 1
server local
rekey lifetime seconds 10800
rekey retransmit 10 number 2
rekey authentication mypubkey rsa gvpn1-export-general
rekey transport unicast
We associate our configured IPSec profile and the ACL 101 policy under "sa ipsec 1" in our GDOI configuration.
sa ipsec 1
profile gdoi-profile-gvpn1
match address ipv4 101
replay counter window-size 64
Next we specify the source IP address that identifies this KS router. This is the IP address the group member routers use to peer with the KS router. The redundancy block is the COOP-specific part: it names the peer KS and sets the local priority. KS2 below is given priority 1, so KS1 needs a higher value to be elected primary; the page does not state KS1's value, so <PRIORITY> is a placeholder.
address ipv4 10.1.1.1
redundancy
local priority <PRIORITY>
peer address ipv4 10.1.1.2
Similar to KS1, below is the configuration for the second key server router, except that under "redundancy" its local priority is 1.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4
crypto isakmp key cisco123 address 10.1.1.5
crypto ipsec transform-set gvpn-ts esp-3des esp-sha-hmac
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
set transform-set gvpn-ts
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto gdoi group gvpn1
identity number 1
server local
rekey lifetime seconds 10800
rekey retransmit 10 number 2
rekey authentication mypubkey rsa gvpn1-export-general
rekey transport unicast
sa ipsec 1
profile gdoi-profile-gvpn1
match address ipv4 101
replay counter window-size 64
address ipv4 10.1.1.2
redundancy
local priority 1
peer address ipv4 10.1.1.1
We can use the crypto isakmp keepalive command to verify mutual reachability of the key servers.
crypto isakmp policy 10
lifetime 86400
crypto isakmp keepalive 10 periodic
We can use DMVPN without encryption (no IPsec profile applied at the tunnel level) and configure GET VPN to encrypt the traffic between the GRE tunnel headends.
GET VPN is then in charge of IPsec.
There is no need to negotiate a spoke-to-spoke IPsec tunnel on demand, so traffic no longer has to pass through the hub. All traffic is routed over the DMVPN tunnel, and because it is GRE-encapsulated, it is automatically encrypted.
Basic configuration
Internet
int f0/0
ip add 10.1.1.100 255.255.255.0
no sh
int f0/1
ip add 10.2.2.100 255.255.255.0
no sh
int f1/0
ip add 10.3.3.100 255.255.255.0
no sh
R1
int f0/0
ip add 10.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.1.1.100
int loop 0
ip add 136.1.11.1 255.255.255.0
R2
int f0/0
ip add 10.2.2.2 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.2.2.100
int loop 0
ip add 136.1.22.2 255.255.255.0
R3
int f0/0
ip add 10.3.3.3 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.3.3.100
int loop 0
ip add 136.1.33.3 255.255.255.0
Let's configure DMVPN Phase 2 with EIGRP AS 123.
R2 will be the hub, R3 will be the spoke.
R2
interface Tunnel0
ip address 100.100.100.2 255.255.255.0
no ip split-horizon eigrp 123
no ip next-hop-self eigrp 123
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 123
ip nhrp map multicast dynamic
!
router eigrp 123
no auto-summary
network 100.100.100.0 0.0.0.255
network 136.1.22.0 0.0.0.255
R3
interface Tunnel0
ip address 100.100.100.3 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
ip nhrp network-id 123
ip nhrp map 100.100.100.2 10.2.2.2
ip nhrp map multicast 10.2.2.2
ip nhrp nhs 100.100.100.2
!
router eigrp 123
no auto-summary
network 100.100.100.0 0.0.0.255
network 136.1.33.0 0.0.0.255
GM-DMVPN-Hub-R2#sh ip nhrp
100.100.100.3/32 via 100.100.100.3
Tunnel0 created 00:00:29, expire 01:59:36
Type: dynamic, Flags: unique registered used nhop
NBMA address: 136.1.33.3
(Claimed NBMA address: 10.3.3.3)
GM-DMVPN-Hub-R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 136.1.33.3      100.100.100.3    UP    00:00:26    DN
GM-DMVPN-Spoke-R3#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.2.2.2        100.100.100.2   NHRP   00:04:43     S
GM-DMVPN-Spoke-R3#sh ip nhrp
100.100.100.2/32 via 100.100.100.2
Tunnel0 created 00:04:52, never expire
Type: static, Flags: used
NBMA address: 10.2.2.2
R3
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp key CISCO address 10.1.1.1
crypto gdoi group GETVPN_GROUP_GM
identity number 123
server address ipv4 10.1.1.1
!
crypto map GETVPN_MAP local-address FastEthernet0/0
crypto map GETVPN_MAP 10 gdoi
set group GETVPN_GROUP_GM
!
interface FastEthernet0/0
crypto map GETVPN_MAP
Notice: no IPSec SA is applied to the tunnel interface.
Verification
GM-DMVPN-Spoke-R3#sh crypto ipsec sa | i #pkts
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
GM-DMVPN-Spoke-R3#ping 136.1.22.2 source loop0 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 136.1.22.2, timeout is 2 seconds:
Packet sent with a source address of 136.1.33.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 288/337/380 ms
GM-DMVPN-Spoke-R3#sh crypto ipsec sa | i #pkts
#pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
It is possible to configure VRFs for a GET VPN deployment on the GM if the following considerations are kept in mind:
1. Each VRF requires a unique WAN interface or sub-interface on which to apply the crypto map.
2. The crypto map applied to each VRF must reference a unique GET VPN group ID.
Because the GET VPN KS is currently not VRF aware, GMs should register to a distinct set of KSs per group; that is, one KS set per VRF is recommended.
Let's assume the GMs have two VRFs (BLUE and GREEN).
In this case, on the KS we create two of each of the following, one for each VRF:
crypto ipsec profile
crypto gdoi group (with a different identity number; it must be a different GET VPN group)
On the GM we create two of each of the following, one for each VRF:
crypto gdoi group (with a different identity number; it must be a different GET VPN group)
crypto map [crypto map name] 10 gdoi
Basic Configuration
R4
interface e0/1.1
encapsulation dot1Q 4
ip address 4.4.4.4 255.255.255.0
!
interface e0/1.2
encapsulation dot1Q 44
ip address 44.44.44.44 255.255.255.0
router ospf 100
net 0.0.0.0 255.255.255.255 area 0
R2
ip vrf BLUE
rd 19:110
route-target export 19:110
route-target import 19:110
!
ip vrf GREEN
rd 19:120
route-target export 19:120
route-target import 19:120
interface Loopback1
ip vrf forwarding BLUE
ip address 109.10.1.1 255.255.255.0
!
interface Loopback2
ip vrf forwarding GREEN
ip address 109.10.1.1 255.255.255.0
! (the GREEN loopback address is the one used as the ping source and advertised in the vrf GREEN BGP table below)
R3
ip vrf BLUE
rd 19:110
route-target export 19:110
route-target import 19:110
!
ip vrf GREEN
rd 19:120
route-target export 19:120
route-target import 19:120
interface Loopback1
ip vrf forwarding BLUE
ip address 109.10.3.3 255.255.255.0
!
interface Loopback2
ip vrf forwarding GREEN
ip address 109.10.3.3 255.255.255.0
interface e0/0.1
encapsulation dot1Q 110
ip vrf forwarding BLUE
ip address 172.16.110.3 255.255.255.248
!
interface e0/0.2
encapsulation dot1Q 120
ip vrf forwarding GREEN
ip address 172.16.120.3 255.255.255.248
interface e0/1.1
encapsulation dot1Q 3
ip address 3.3.3.3 255.255.255.0
!
interface e0/1.2
encapsulation dot1Q 33
ip address 33.33.33.33 255.255.255.0
router bgp 109
bgp router-id 3.3.3.3
address-family ipv4 vrf BLUE
network 109.10.3.0 mask 255.255.255.0
neighbor 172.16.110.1 remote-as 109
neighbor 172.16.110.1 activate
address-family ipv4 vrf GREEN
network 109.10.3.0 mask 255.255.255.0
neighbor 172.16.120.1 remote-as 109
neighbor 172.16.120.1 activate
int vlan 22
ip add 22.22.22.100 255.255.255.0
no sh
router ospf 100
net 0.0.0.0 255.255.255.255 area 0
Verify Basic configuration
R2#ping vrf BLUE 109.10.3.3 source 109.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 109.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 109.10.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/168/208 ms
R2#ping vrf GREEN 109.10.3.3 source 109.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 109.10.3.3, timeout is 2 seconds:
Packet sent with a source address of 109.10.1.1
!!!!!
R2# sh ip bgp vpnv4 vrf GREEN
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 19:120 (default for vrf GREEN)
 *>  109.10.1.0/24    0.0.0.0                  0         32768 i
 *>i 109.10.3.0/24    172.16.120.3             0    100      0 i
R2# sh ip bgp vpnv4 vrf BLUE
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 19:110 (default for vrf BLUE)
 *>  109.10.1.0/24    0.0.0.0                  0         32768 i
 *>i 109.10.3.0/24    172.16.110.3             0    100      0 i
R4
crypto key generate rsa label R4.ccie.com modulus 1024
ip access-list ext BLUE
permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
ip access-list ext GREEN
permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 600
crypto isakmp key ccie address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
crypto ipsec profile PRO1
set security-association lifetime seconds 600
set transform-set TRANS
crypto gdoi group GET-GROUP1
identity number 1
server local
rekey algorithm aes 256
rekey lifetime seconds 600
rekey authentication mypubkey rsa R4.ccie.com
rekey transport unicast
sa ipsec 1
profile PRO1
match address ipv4 BLUE
address ipv4 44.44.44.44
! second profile and group for the GREEN VRF, one per VRF as explained above; the page does not
! show them, so PRO2 is a name chosen here and the group mirrors GET-GROUP1 with the GREEN ACL
crypto ipsec profile PRO2
set security-association lifetime seconds 600
set transform-set TRANS
crypto gdoi group GET-GROUP2
identity number 2
server local
rekey algorithm aes 256
rekey lifetime seconds 600
rekey authentication mypubkey rsa R4.ccie.com
rekey transport unicast
sa ipsec 1
profile PRO2
match address ipv4 GREEN
address ipv4 44.44.44.44
R2
crypto keyring BLUE vrf BLUE
pre-shared-key address 44.44.44.44 key ccie
crypto keyring GREEN vrf GREEN
pre-shared-key address 44.44.44.44 key ccie
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile BLUE
vrf BLUE
keyring BLUE
match identity address 44.44.44.44 255.255.255.255 BLUE
crypto isakmp profile GREEN
vrf GREEN
keyring GREEN
match identity address 44.44.44.44 255.255.255.255 GREEN
crypto gdoi group GET-GROUP1
identity number 1
server address ipv4 44.44.44.44
crypto gdoi group GET-GROUP2
identity number 2
server address ipv4 44.44.44.44
crypto map BLUE isakmp-profile BLUE
crypto map BLUE 10 gdoi
set group GET-GROUP1
! second crypto map for the GREEN VRF (not shown on the page; it mirrors the BLUE map)
crypto map GREEN isakmp-profile GREEN
crypto map GREEN 10 gdoi
set group GET-GROUP2
! apply crypto map BLUE to the BLUE-facing WAN sub-interface and crypto map GREEN to the
! GREEN-facing one (R2's WAN sub-interface names are not given on the page)
R3
crypto keyring BLUE vrf BLUE
pre-shared-key address 44.44.44.44 key ccie
crypto keyring GREEN vrf GREEN
pre-shared-key address 44.44.44.44 key ccie
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile BLUE
vrf BLUE
keyring BLUE
match identity address 44.44.44.44 255.255.255.255 BLUE
crypto isakmp profile GREEN
vrf GREEN
keyring GREEN
match identity address 44.44.44.44 255.255.255.255 GREEN
crypto gdoi group GET-GROUP1
identity number 1
server address ipv4 44.44.44.44
crypto gdoi group GET-GROUP2
identity number 2
server address ipv4 44.44.44.44
crypto map BLUE isakmp-profile BLUE
crypto map BLUE 10 gdoi
set group GET-GROUP1
! second crypto map for the GREEN VRF (not shown on the page; it mirrors the BLUE map and
! matches the "Crypto map tag: GREEN, local addr 172.16.120.3" seen in the verification below)
crypto map GREEN isakmp-profile GREEN
crypto map GREEN 10 gdoi
set group GET-GROUP2
! each map goes on the sub-interface of its own VRF
interface e0/0.1
crypto map BLUE
interface e0/0.2
crypto map GREEN
37
: 44.44.44.44
: 44.44.44.44
vrf: GREEN
39
40
R4#ping 172.16.120.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.120.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/242/404 ms
And finally the word "registered" appears:
R1# sh crypto gdoi group GET-GROUP1
Group Name               : GET-GROUP1
Group Identity           : 1
Crypto Path              : ipv4
Key Management Path      : ipv4
Rekeys received          : 0
IPSec SA Direction       : Both
Group Server list        : 44.44.44.44
vrf: BLUE
KEK POLICY:
Rekey Transport Type     : Unicast
Lifetime (secs)          : 588
Encrypt Algorithm        : AES
Key Size                 : 256
Sig Hash Algorithm       : HMAC_AUTH_SHA
Sig Key Length (bits)    : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet1/0.1:
IPsec SA:
spi: 0xFCFD286B(4244449387)
transform: esp-256-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (590)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 32 (bytes)
sig key size: 20 (bytes)
encaps: ENCAPS_TUNNEL
We should run all the above show commands for group GET-GROUP2 as well, for verification.
Now let's verify that our interesting traffic is encrypted.
R3#sh cry ips sa | in local|remot|enca|deca
Crypto map tag: BLUE, local addr 172.16.110.3
local ident (addr/mask/prot/port): (109.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (109.10.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 172.16.110.3, remote crypto endpt.: 0.0.0.0
Crypto map tag: GREEN, local addr 172.16.120.3
local ident (addr/mask/prot/port): (109.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (109.10.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 172.16.120.3, remote crypto endpt.: 0.0.0.0
R3#Ping VRF GREEN 109.10.1.1 source 109.10.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 109.10.1.1, timeout is 2 seconds:
Packet sent with a source address of 109.10.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
Good Luck
CCIE & CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasserramzy/content
https://www.youtube.com/user/yasserramzyauda