on 07-05-2025 06:29 AM
Implementing Group Encrypted Transport VPN (GETVPN)
All routers are configured with IP addresses, OSPF is configured as the routing protocol, and there is full reachability between them.
Key Server Configuration
Step-1: Define Interesting Traffic using ACL
The first step is to create the interesting-traffic access list. This access list tells the routers which traffic has to be encrypted: a permit statement tells the router which traffic to encrypt, and a deny statement tells the router which traffic not to encrypt.
All data traffic going from the headquarters to the branch must be encrypted. However, when creating GETVPN interesting-traffic ACLs, we have to remember to deny GDOI management traffic, routing protocols and NTP requests; if we encrypt these, it can break the network and GETVPN will not work.
So the first traffic we deny is GDOI itself: UDP from any source with port 848 to any destination with port 848. Then we make sure we don't encrypt SSH, so we deny TCP from any to any port 22 (and the return direction from port 22). Then OSPF, and finally NTP, which uses UDP port 123.
KS1(config)# ip access-list extended GETVPN_ACL
KS1(config-ext-nacl)# deny udp any eq 848 any eq 848
KS1(config-ext-nacl)# deny tcp any any eq 22
KS1(config-ext-nacl)# deny tcp any eq 22 any
KS1(config-ext-nacl)# deny ospf any any
KS1(config-ext-nacl)# deny udp any any eq 123
KS1(config-ext-nacl)# deny udp any eq 123 any
KS1(config-ext-nacl)# permit ip any any
KS1(config-ext-nacl)# exit
Step-2: Define ISAKMP Policy
KS1(config)# crypto isakmp policy 1
KS1(config-isakmp)# encryption aes
KS1(config-isakmp)# authentication pre-share
KS1(config-isakmp)# group 14
KS1(config-isakmp)# lifetime 86400
KS1(config-isakmp)# exit
Step-3: Define Transform Set
KS1(config)# crypto ipsec transform-set TSET esp-aes esp-sha-hmac
KS1(cfg-crypto-trans)# exit
Step-4: Define IPSec Profile
Next, we have to configure the IPsec profile, which we'll call IPSEC-PROFILE. Under it, we set the security-association lifetime in seconds, and we're going to specify a lifetime of 7200. This number is important, so we need to remember it a bit later on.
KS1(config)# crypto ipsec profile IPSEC-PROFILE
KS1(ipsec-profile)# set transform-set TSET
KS1(ipsec-profile)# set security-association lifetime seconds 7200
KS1(ipsec-profile)# exit
Step-5: Create an ISAKMP Preshared Key
KS1(config)# crypto isakmp key Password1 address 192.168.1.1
KS1(config)# crypto isakmp key Password1 address 192.168.1.2
Step-6: Generate RSA Key Pair for ssh session
KS1(config)# crypto key generate rsa modulus 1024 label KS_PAIR
Step-7: Create a GDOI Profile
Finally, we need to create a GDOI profile. Within it, along with the identity number and the rekey algorithm, we need to specify a rekey lifetime in seconds. The lifetime we specify here needs to be three times the lifetime we set when we created our IPsec profile. Our IPsec profile has a lifetime of 7200, so 3 x 7200 is 21,600.
KS1(config)# crypto gdoi group GDOI-GROUP
KS1(config-gkm-group)# identity number 1
KS1(config-gkm-group)# server local
KS1(gkm-local-server)# rekey algorithm aes 128
KS1(gkm-local-server)# rekey lifetime seconds 21600
KS1(gkm-local-server)# rekey authentication mypubkey rsa KS_PAIR
KS1(gkm-local-server)# sa ipsec 1
KS1(gkm-sa-ipsec)# profile IPSEC-PROFILE
KS1(gkm-sa-ipsec)# match address ipv4 GETVPN_ACL
KS1(gkm-sa-ipsec)# replay time window-size 5
KS1(gkm-sa-ipsec)# exit
KS1(gkm-local-server)# address ipv4 10.0.0.1
KS1(gkm-local-server)# exit
KS1(config-gkm-group)# exit
Group Member Configuration
When it comes to configuring the group members, they require a lot less configuration. On both routers, we create an ISAKMP policy, but we configure it with a very low lifetime. We then set an ISAKMP preshared key of Password1, where the address of the preshared key is the loopback interface of the key server. We then create a GDOI profile, add this profile to a crypto map, and assign the crypto map to the WAN interface on our routers.
Step-1: Create ISAKMP Policy
GM1(config)# crypto isakmp policy 1
GM1(config-isakmp)# lifetime 300
GM1(config-isakmp)# encryption aes
GM1(config-isakmp)# authentication pre-share
GM1(config-isakmp)# group 14
GM1(config-isakmp)# exit
Step-2: Create an ISAKMP Preshared Key
GM1(config)# crypto isakmp key Password1 address 10.0.0.1
Step-3: Create GDOI Profile
GM1(config)# crypto gdoi group GDOI-GROUP
GM1(config-gkm-group)# identity number 1
GM1(config-gkm-group)# server address ipv4 10.0.0.1
GM1(config-gkm-group)# exit
Step-4: Add GDOI profile to Crypto Map
GM1(config)# crypto map GETVPN-MAP 1 gdoi
GM1(config-crypto-map)# set group GDOI-GROUP
GM1(config-crypto-map)# exit
Step-5: Apply Crypto Map on WAN Interface
GM1(config)# interface Gig0/1
GM1(config-if)# crypto map GETVPN-MAP
GM1(config-if)# exit
The same configuration has to be done on the GM2 router.
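As an added sanity check (my own Python, not part of the original post or Cisco's tooling), the script below lints the key server and group member snippets from the two procedures above for the relationships the steps depend on: rekey lifetime equal to 3 x the IPsec SA lifetime, the GM's server and preshared-key addresses matching the KS address, matching identity numbers, and GDOI/OSPF/NTP denied in the interesting-traffic ACL before the final permit. The embedded configs are constructed from the commands shown above.

```python
import re  # the KS/GM samples below are constructed from the walkthrough's commands
KS_CONFIG = """
ip access-list extended GETVPN_ACL
 deny udp any eq 848 any eq 848
 deny ospf any any
 deny udp any any eq 123
 deny udp any eq 123 any
 permit ip any any
crypto ipsec profile IPSEC-PROFILE
 set security-association lifetime seconds 7200
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey lifetime seconds 21600
  address ipv4 10.0.0.1
"""
GM_CONFIG = """
crypto isakmp key Password1 address 10.0.0.1
crypto gdoi group GDOI-GROUP
 identity number 1
 server address ipv4 10.0.0.1
"""

def first(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None  # first capture group, or None if absent

def check_getvpn(ks, gm):
    """Return a list of findings; an empty list means KS and GM are consistent."""
    findings = []
    sa = int(first(r"set security-association lifetime seconds (\d+)", ks) or 0)
    rekey = int(first(r"rekey lifetime seconds (\d+)", ks) or 0)
    if rekey != 3 * sa:  # the rule from the KS step: rekey lifetime = 3 x SA lifetime
        findings.append(f"rekey lifetime {rekey} is not 3 x SA lifetime {sa}")
    ks_addr = first(r"^\s+address ipv4 (\S+)", ks)  # address under 'server local'
    if first(r"server address ipv4 (\S+)", gm) != ks_addr:
        findings.append("GM server address does not match the KS address")
    if first(r"crypto isakmp key \S+ address (\S+)", gm) != ks_addr:
        findings.append("GM preshared key is not bound to the KS address")
    if first(r"identity number (\d+)", ks) != first(r"identity number (\d+)", gm):
        findings.append("GDOI identity number differs between KS and GM")
    # Control-plane traffic must be denied before the final permit, or GDOI itself gets encrypted.
    acl = re.search(r"ip access-list extended \S+\n((?: .*\n)+)", ks)
    entries = [e.strip() for e in acl.group(1).splitlines()] if acl else []
    stop = next((i for i, e in enumerate(entries) if e.startswith("permit")), len(entries))
    for needle, what in (("eq 848", "GDOI (UDP 848)"), ("ospf", "OSPF"), ("eq 123", "NTP (UDP 123)")):
        if not any(e.startswith("deny") and needle in e for e in entries[:stop]):
            findings.append(f"ACL does not exclude {what} before the permit")
    return findings
```

Running it against the walkthrough's values returns no findings; shortening the rekey lifetime or dropping one of the deny lines produces a finding naming the broken rule.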
Verification
Thank you very much..!
Hey!
Thanks for the cool guide!
One question - would you still consider GETVPN today?
It's been a few years since I have seen the last deployment..
All have been replaced by SD-WAN Solutions of various vendors, some with Catalyst SD-WAN.
One GETVPN Deployment I knew ... the customer got rid of all MPLS lines and now they are even using Meraki Auto VPN
What do you think?
BR
Jules
Hello @julian.bendix
The limitation with GETVPN is... it works on private networks and only with Cisco devices. We have another advanced version of VPN, which is FlexVPN. It works even with non-Cisco devices. I will cover FlexVPN in another article. If anybody is preparing for the SVPN (300-730) exam, they will need to be familiar with all the different types of VPNs along with FlexVPN; for them it might be very useful..!