
Confusing IPSEC VPN Configuration

SubnetWarrior
Level 1

Hi Cisco experts!

So I just learned about IPSEC VPN. I have learned and thankfully understand this configuration (from YouTube):

 

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 209.165.100.1
!
crypto ipsec transform-set R3-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 209.165.100.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R3-R1
 match address 100
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

But when I look at my company's VPN configuration, I'm a little bit confused. Btw, I have changed the IP addresses and all sensitive content from my company's configuration. My company's VPN config:

 

 

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2  
crypto isakmp key BD address 172.149.254.251 
crypto isakmp key BD address 172.149.254.254 
crypto isakmp key BD address 172.150.254.251 
crypto isakmp key BD address 172.150.254.254 
!         
!         
!         
!         
crypto gdoi group BankGDOI
 identity number 12345
 server address ipv4 172.149.254.251
 server address ipv4 172.149.254.254
 server address ipv4 172.150.254.251
 server address ipv4 172.150.254.254
 passive  
!         
!         
crypto map BankMAP local-address GigabitEthernet0/0
crypto map BankMAP 1 gdoi 
 set group BankGDOI
 match address GETVPN-ACL
!         
! 

My questions are:

 

  1. What kind of VPN is this? IPSEC, right?
  2. What in the world are these configurations about:
    crypto gdoi group BankGDOI
     identity number 12345
     server address ipv4 172.149.254.251
     server address ipv4 172.149.254.254
     server address ipv4 172.150.254.251
     server address ipv4 172.150.254.254
     passive  
  3. I understand this config (from YouTube):
    crypto map IPSEC-MAP 10 ipsec-isakmp
     
    But I lost it when it becomes (from my company):
    crypto map BankMAP local-address GigabitEthernet0/0
  4. What is this config used for:
    crypto map BankMAP 1 gdoi 
     set group BankGDOI

 

 

Accepted Solutions

Hi,

The example you have from YouTube is a standard crypto map, but your company is using another type of VPN called GETVPN. More information here.

 

GETVPN is still an IPSec VPN; it uses GDOI to distribute IPSec keys to a group of VPN peers (as per the BankGDOI group configuration in your example). This group is referenced in your example under the command "crypto map BankMAP 1 gdoi".

 

HTH
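
The difference described in the answer above can be read straight out of a configuration. The following is an added example, not part of the original posts and not Cisco tooling: it classifies each crypto map entry as a classic peer-to-peer map or a GETVPN group member, and checks that every remote (peer or GDOI key server) has a matching `crypto isakmp key` line. The names `audit` and `tail` are hypothetical; it assumes pre-shared-key authentication as in the posted ISAKMP policy, and key lines that name exact host addresses.

```python
import re
# Constructed sample built from the question's lines; the key for 172.150.254.254 is left out on purpose.
SAMPLE = """\
crypto isakmp key secretkey address 209.165.100.1
crypto isakmp key BD address 172.149.254.251
crypto isakmp key BD address 172.149.254.254
crypto isakmp key BD address 172.150.254.251
crypto gdoi group BankGDOI
 server address ipv4 172.149.254.251
 server address ipv4 172.149.254.254
 server address ipv4 172.150.254.251
 server address ipv4 172.150.254.254
crypto map BankMAP local-address GigabitEthernet0/0
crypto map BankMAP 1 gdoi
 set group BankGDOI
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 209.165.100.1
"""

def tail(subs, prefix):
    """Last word of every sub-command that starts with prefix."""
    return [s.split()[-1] for s in subs if s.startswith(prefix)]

def audit(config):
    """Classify each crypto map entry and list remotes lacking a pre-shared key."""
    blocks, psk, groups, report = [], set(), {}, []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and blocks:      # indented: sub-command of last block
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    for head, subs in blocks:
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", head):
            psk.add(m.group(1))
        elif m := re.match(r"crypto gdoi group (\S+)", head):
            groups[m.group(1)] = tail(subs, "server address ipv4 ")
    for head, subs in blocks:
        m = re.match(r"crypto map (\S+) (\d+) (ipsec-isakmp|gdoi)$", head)
        if not m:
            continue                           # e.g. "crypto map X local-address ..."
        if m.group(3) == "gdoi":               # GETVPN: remotes are the key servers
            kind = "GETVPN group member"
            remotes = [ks for g in tail(subs, "set group ") for ks in groups.get(g, [])]
        else:                                  # classic map: remotes are the peers
            kind, remotes = "point-to-point IPsec", tail(subs, "set peer ")
        report.append({"map": m.group(1), "type": kind, "remotes": remotes,
                       "missing_psk": [r for r in remotes if r not in psk]})
    return report
```

On the sample, `audit(SAMPLE)` reports `BankMAP` as a GETVPN group member with four key servers, one of them without a pre-shared key, and `IPSEC-MAP` as a point-to-point map with a single peer.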


Thx a lot, sir! Another VPN knowledge that I have to master!
