GET VPN Router Key Server

Is it possible to have a Router acting as Group Member and Key Server at same time?

What are the requirements for the Key Server?

1 Reply

johnlloyd_13
Level 9

Hi,

Yes, you can configure the router to be either the key server or group member. It depends on the group/identity number configured.

See the below requirements to configure a key server (and sample config). Please remember to rate useful posts. Thanks!

Perform the following sequence to configure a GET VPN key server:

Task 1: (Optional) Configure an IKE policy. The default IKE policy can be used.

Task 2: Generate/configure authentication credentials for all group members.

Task 3: Generate or choose existing RSA keys on the key server to authenticate rekeys.

Task 4: Configure a traffic protection policy.

Task 5: Enable and configure the GET VPN key server function itself.

Task 6: (Optional) Tune the rekeying policy.

KS#configure terminal
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encryption aes 128
KS(config-isakmp)#hash sha
KS(config-isakmp)#group 5
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#exit
KS(config)#crypto isakmp key 0 c1sc0k3y address 0.0.0.0
KS(config)#ip domain name lab.com
KS(config)#crypto key generate rsa modulus 2048 label GETVPN_KEY
KS(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
KS(cfg-crypto-trans)#mode transport
KS(cfg-crypto-trans)#exit
KS(config)#crypto ipsec profile GETVPN_PROFILE
KS(ipsec-profile)#set transform-set TSET
KS(ipsec-profile)#exit
KS(config)#ip access-list extended GETVPN_ACL
KS(config-ext-nacl)#permit ip any any
KS(config-ext-nacl)#exit
KS(config)#crypto gdoi group GETVPN_GROUP
KS(config-gdoi-group)#identity number 1234
KS(config-gdoi-group)#server local
KS(gdoi-local-server)#address ipv4 192.168.1.1
KS(gdoi-local-server)#rekey authentication mypubkey rsa GETVPN_KEY
KS(gdoi-local-server)#rekey transport unicast
KS(gdoi-local-server)#sa ipsec 10
KS(gdoi-sa-ipsec)#profile GETVPN_PROFILE
KS(gdoi-sa-ipsec)#match address ipv4 GETVPN_ACL
KS(gdoi-sa-ipsec)#end

KS#show crypto gdoi
GROUP INFORMATION

    Group Name               : GETVPN_GROUP (Unicast)
    Group Identity           : 1234
    Group Members            : 0
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2

      IPSec SA Number        : 10
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GETVPN_PROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      ACL Configured         : access-list GETVPN_ACL

    Group Server list        : Local
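Added example (not from the reply above and not a Cisco tool): a small Python check that strips the prompts from a pasted key-server session like the one above, confirms that every object the GDOI group references (RSA key label, transform set, IPsec profile, ACL) is actually defined, and flags the two settings in the sample a reviewer would question: the wildcard pre-shared key and the permit-ip-any-any encryption policy. The sample session is constructed from the reply's commands; the names GETVPN_KEY, TSET, GETVPN_PROFILE and GETVPN_ACL are the reply's own.

```python
import re
# Constructed sample: the key-server commands from the reply above, prompts included.
SAMPLE = """KS(config)#crypto isakmp key 0 c1sc0k3y address 0.0.0.0
KS(config)#crypto key generate rsa modulus 2048 label GETVPN_KEY
KS(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
KS(config)#crypto ipsec profile GETVPN_PROFILE
KS(ipsec-profile)#set transform-set TSET
KS(config)#ip access-list extended GETVPN_ACL
KS(config-ext-nacl)#permit ip any any
KS(gdoi-local-server)#rekey authentication mypubkey rsa GETVPN_KEY
KS(gdoi-sa-ipsec)#profile GETVPN_PROFILE
KS(gdoi-sa-ipsec)#match address ipv4 GETVPN_ACL"""
PROMPT = re.compile(r"^\S+?[#>]")  # IOS prompt such as "KS(config-isakmp)#"

def strip_prompts(session):
    # Return the bare commands of a pasted CLI session, prompts removed.
    return [PROMPT.sub("", ln.strip(), count=1).strip()
            for ln in session.splitlines() if ln.strip()]

def check_key_server(session):
    # Cross-check defined vs referenced objects and flag weak settings; returns a list of findings.
    kinds = ("rsa", "tset", "profile", "acl")
    defined, referenced = {k: set() for k in kinds}, {k: set() for k in kinds}
    findings = []
    for cmd in strip_prompts(session):
        w = cmd.split()
        if cmd.startswith("crypto key generate rsa") and "label" in w:
            defined["rsa"].add(w[w.index("label") + 1])
        elif cmd.startswith("crypto ipsec transform-set"):
            defined["tset"].add(w[3])
        elif cmd.startswith("crypto ipsec profile"):
            defined["profile"].add(w[3])
        elif cmd.startswith("ip access-list extended"):
            defined["acl"].add(w[3])
        elif cmd.startswith("set transform-set"):           # inside the IPsec profile
            referenced["tset"].add(w[2])
        elif cmd.startswith("rekey authentication mypubkey rsa"):
            referenced["rsa"].add(w[4])
        elif cmd.startswith("profile "):                    # inside 'sa ipsec'
            referenced["profile"].add(w[1])
        elif cmd.startswith("match address ipv4"):
            referenced["acl"].add(w[3])
        elif cmd.startswith("crypto isakmp key") and "address 0.0.0.0" in cmd:
            findings.append("wildcard pre-shared key (address 0.0.0.0): any peer holding the key can authenticate")
        elif cmd == "permit ip any any":
            findings.append("encryption ACL permits ip any any: GDOI (UDP 848) and routing traffic match too")
    for k in kinds:                                         # dangling references break registration/rekey
        for name in sorted(referenced[k] - defined[k]):
            findings.append(f"{k} '{name}' is referenced but never defined")
    return findings
```

Run `check_key_server(SAMPLE)` to get the two findings for the reply's sample; renaming a defined object (for example the RSA key label) produces an additional "referenced but never defined" finding.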
