Blue_Bird
VIP

Implementing Group Encrypted Transport VPN (GETVPN)

[Topology diagram image]

All routers are configured with IP addresses and OSPF as the routing protocol, and they have full reachability to each other.

Key Server Configuration

Step-1: Define Interesting Traffic using ACL

The first step is to create the interesting-traffic access list. This access list tells the router which traffic has to be encrypted: a permit statement marks traffic to be encrypted, and a deny statement marks traffic that must be sent in the clear.

All data traffic going from the headquarters to the branch must be encrypted. However, when creating GETVPN interesting-traffic ACLs we have to deny GDOI management traffic, routing protocols and NTP, because if these are encrypted the network breaks and GETVPN will not work.

So the first traffic we deny is GDOI itself: UDP from any host, port 848, to any host, port 848. Then we make sure we don't encrypt SSH, so we deny tcp any any eq 22 (and the reverse direction). Then OSPF, our routing protocol, and NTP, which uses UDP port 123.

KS1(config)# ip access-list extended GETVPN_ACL
KS1(config-ext-nacl)# deny udp any eq 848 any eq 848
KS1(config-ext-nacl)# deny tcp any any eq 22
KS1(config-ext-nacl)# deny tcp any eq 22 any
KS1(config-ext-nacl)# deny ospf any any
KS1(config-ext-nacl)# deny udp any any eq 123
KS1(config-ext-nacl)# deny udp any eq 123 any
KS1(config-ext-nacl)# permit ip any any
KS1(config-ext-nacl)# exit

Step-2: Define ISAKMP Policy

KS1(config)# crypto isakmp policy 1
KS1(config-isakmp)# encryption aes
KS1(config-isakmp)# authentication pre-share
KS1(config-isakmp)# group 14
KS1(config-isakmp)# lifetime 86400
KS1(config-isakmp)# exit

Step-3: Define Transform Set

KS1(config)# crypto ipsec transform-set TSET esp-aes esp-sha-hmac
KS1(cfg-crypto-trans)# exit

Step-4: Define IPSec Profile

Next, we have to configure the IPsec profile, which we'll call IPSEC-PROFILE. Under it we set the security-association lifetime in seconds. We specify a lifetime of 7200, and this number is important because we need it again a bit later on.

KS1(config)# crypto ipsec profile IPSEC-PROFILE
KS1(ipsec-profile)# set transform-set TSET
KS1(ipsec-profile)# set security-association lifetime seconds 7200
KS1(ipsec-profile)# exit

Step-5: Create an ISAKMP Preshared Key

KS1(config)# crypto isakmp key Password1 address 192.168.1.1
KS1(config)# crypto isakmp key Password1 address 192.168.1.2

Step-6: Generate RSA Key Pair for SSH Session

KS1(config)# crypto key generate rsa modulus 1024 label KS_PAIR

Step-7: Create a GDOI Profile

Finally, we need to create a GDOI profile. Within it, along with the identity number and the rekey algorithm, we specify the rekey lifetime in seconds. The lifetime we specify here needs to be three times the lifetime we set when we created our IPsec profile. Our IPsec profile has a lifetime of 7200, so 3 x 7200 is 21,600.

KS1(config)# crypto gdoi group GDOI-GROUP
KS1(config-gkm-group)# identity number 1
KS1(config-gkm-group)# server local
KS1(gkm-local-server)# rekey algorithm aes 128
KS1(gkm-local-server)# rekey lifetime seconds 21600
KS1(gkm-local-server)# rekey authentication mypubkey rsa KS_PAIR
KS1(gkm-local-server)# sa ipsec 1
KS1(gkm-sa-ipsec)# profile IPSEC-PROFILE
KS1(gkm-sa-ipsec)# match address ipv4 GETVPN_ACL
KS1(gkm-sa-ipsec)# replay time window-size 5
KS1(gkm-sa-ipsec)# exit
KS1(gkm-local-server)# address ipv4 10.0.0.1
KS1(gkm-local-server)# exit
KS1(config-gkm-group)# exit
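Two of the rules above are easy to get wrong when a key server is built by hand: the interesting-traffic ACL (Step-1) must deny GDOI, SSH, OSPF and NTP before the final permit ip any any, and the rekey lifetime (Step-7) must be three times the IPsec SA lifetime. The following Python script is an added example, not part of the original post or any Cisco tool: it lints a key-server running-config for exactly those two rules. The configuration text embedded in it is constructed from the commands in this post, and the function names, the REQUIRED_DENIES table and the 3x check are the author's own assumptions based on the text above.

```python
import re
from typing import Dict, List

# Constructed sample: the key-server configuration from this post, written the way
# it would appear in a running-config (hypothetical text, not captured router output).
SAMPLE_KS_CONFIG = """
ip access-list extended GETVPN_ACL
 deny udp any eq 848 any eq 848
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny ospf any any
 deny udp any any eq 123
 deny udp any eq 123 any
 permit ip any any
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set security-association lifetime seconds 7200
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey algorithm aes 128
  rekey lifetime seconds 21600
  rekey authentication mypubkey rsa KS_PAIR
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 GETVPN_ACL
   replay time window-size 5
  address ipv4 10.0.0.1
"""

# Control-plane traffic the post says must stay in the clear: GDOI itself (UDP 848),
# SSH (TCP 22), OSPF and NTP (UDP 123). Port is None for protocols without one.
REQUIRED_DENIES = [("udp", "848"), ("tcp", "22"), ("ospf", None), ("udp", "123")]


def parse_acl(config: str, name: str) -> List[str]:
    """Return the entries of the named extended ACL, in configured order."""
    entries, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"ip access-list extended {name}":
            inside = True
            continue
        if inside:
            if not raw.startswith(" ") or not line:
                break  # indentation ended, so the ACL block is over
            entries.append(line)
    return entries


def check_acl(entries: List[str]) -> List[str]:
    """Report a missing deny, or a deny that sits after (is shadowed by) the permit."""
    permit_positions = [i for i, e in enumerate(entries) if e.startswith("permit ip any any")]
    if not permit_positions:
        return ["no 'permit ip any any' entry: no data traffic would be encrypted"]
    permit_idx = permit_positions[0]
    problems = []
    for proto, port in REQUIRED_DENIES:
        label = f"{proto} port {port}" if port else proto
        pattern = rf"^deny {proto} .*\beq {port}\b" if port else rf"^deny {proto} "
        hits = [i for i, e in enumerate(entries) if re.match(pattern, e)]
        if not hits:
            problems.append(f"missing deny for {label}")
        elif min(hits) > permit_idx:
            problems.append(f"deny for {label} is shadowed by the permit before it")
    return problems


def extract_lifetimes(config: str) -> Dict[str, int]:
    """Pull the IPsec SA lifetime and the GDOI rekey lifetime (both in seconds)."""
    sa = re.search(r"set security-association lifetime seconds (\d+)", config)
    rekey = re.search(r"rekey lifetime seconds (\d+)", config)
    return {
        "sa_lifetime": int(sa.group(1)) if sa else 0,
        "rekey_lifetime": int(rekey.group(1)) if rekey else 0,
    }


def check_lifetimes(lifetimes: Dict[str, int]) -> List[str]:
    """The post sets the rekey lifetime to three times the IPsec SA lifetime."""
    sa, rekey = lifetimes["sa_lifetime"], lifetimes["rekey_lifetime"]
    if sa == 0 or rekey == 0:
        return ["SA lifetime or rekey lifetime is not configured"]
    if rekey != 3 * sa:
        return [f"rekey lifetime {rekey}s is not 3 x SA lifetime {sa}s (expected {3 * sa}s)"]
    return []


def lint_key_server(config: str, acl_name: str = "GETVPN_ACL") -> List[str]:
    """Run every check; an empty list means the configuration passes."""
    return check_acl(parse_acl(config, acl_name)) + check_lifetimes(extract_lifetimes(config))


if __name__ == "__main__":
    for problem in lint_key_server(SAMPLE_KS_CONFIG) or ["no problems found"]:
        print(problem)
```

Paste the output of show running-config from a key server into SAMPLE_KS_CONFIG (or read it from a file) and run the script; any line it prints is a reason the group members would either fail to register or lose control-plane traffic once the policy is pushed.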

Group Member Configuration

When it comes to configuring the group members, they actually require a lot less configuration. So on both routers, we're going to create an ISAKMP policy, but we're going to configure it with a very low lifetime. We're then going to set an ISAKMP preshared key of Password1. And the IP address of the preshared key will be the loopback interface of the key server. We're then going to create a GDOI profile. We're going to add this profile to a crypto map. Then, we're going to assign this crypto map to the WAN interface on our routers.

Step-1: Create ISAKMP Policy

GM1(config)# crypto isakmp policy 1
GM1(config-isakmp)# lifetime 300
GM1(config-isakmp)# encryption aes
GM1(config-isakmp)# authentication pre-share
GM1(config-isakmp)# group 14
GM1(config-isakmp)# exit

Step-2: Create an ISAKMP Preshared Key

GM1(config)# crypto isakmp key Password1 address 10.0.0.1

Step-3: Create GDOI Profile

GM1(config)# crypto gdoi group GDOI-GROUP
GM1(config-gkm-group)# identity number 1
GM1(config-gkm-group)# server address ipv4 10.0.0.1
GM1(config-gkm-group)# exit

Step-4: Add GDOI profile to Crypto Map

GM1(config)# crypto map GETVPN-MAP 1 gdoi
GM1(config-crypto-map)# set group GDOI-GROUP
GM1(config-crypto-map)# exit

Step-5: Apply Crypto Map on WAN Interface

GM1(config)# interface Gig0/1
GM1(config-if)# crypto map GETVPN-MAP
GM1(config-if)# exit

The same configuration has to be done on the GM2 router.

Verification

[Verification output screenshots]

Thank you very much..!

Comments

julian.bendix
Level 4

Hey! 

Thanks for the cool guide!

One question - would you still consider GETVPN today?
It's been a few years since I have seen the last deployment.. 

All have been replaced by SD-WAN Solutions of various vendors, some with Catalyst SD-WAN.
One GETVPN Deployment I knew ... the customer got rid of all MPLS lines and now they are even using Meraki Auto VPN  

What do you think?

BR 
Jules

Blue_Bird
VIP

Hello @julian.bendix 

The limitation with GETVPN is... it works on private networks and only with Cisco devices. We have another advanced version of VPN, which is FlexVPN. It works even with non-Cisco devices. I will cover FlexVPN in another article. If anybody is preparing for the SVPN (300-730) exam, they will need to be familiar with all the different types of VPNs along with FlexVPN, so for them it might be very useful..!
