# Group Encrypted Transport VPN (GETVPN)


## Topology

```text
+[ROUTER-0]
|
+[ROUTER-1]----[DEVICE-1]
|
+[ROUTER-2]----[DEVICE-2]
|
+[ROUTER-3]----[DEVICE-3]
```

```text
[ROUTER-0] fa0/0: 1.2.3.254/24

[ROUTER-1] fa0/0: 1.2.3.1/24
[ROUTER-1] fa0/1: 123.0.1.254/24
[DEVICE-1] fa0/1: 123.0.1.1/24

[ROUTER-2] fa0/0: 1.2.3.2/24
[ROUTER-2] fa0/1: 123.0.2.254/24
[DEVICE-2] fa0/1: 123.0.2.1/24

[ROUTER-3] fa0/0: 1.2.3.3/24
[ROUTER-3] fa0/1: 123.0.3.254/24
[DEVICE-3] fa0/1: 123.0.3.1/24
```

Note 1: All IP addresses are public.
Note 2: Traffic from DEVICE-X to DEVICE-Y is encrypted on the segment between ROUTER-X and ROUTER-Y.
Note 3: Tunnel mode with header preservation: the original source and destination IP addresses are copied into the outer header of the IPsec packets, so the public addresses remain routable as-is and no per-peer tunnel is needed.

## GDOI server

```text
ROUTER-0(config)# crypto isakmp policy 1
ROUTER-0(config-isakmp)# authentication pre-share
ROUTER-0(config-isakmp)# encryption aes
ROUTER-0(config-isakmp)# hash sha
ROUTER-0(config-isakmp)# group 2
ROUTER-0(config-isakmp)# lifetime 86400
ROUTER-0(config)# crypto isakmp aggressive-mode disable
ROUTER-0(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-0(config)# crypto isakmp enable
ROUTER-0(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-0(config)# crypto ipsec profile PROFILE
ROUTER-0(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-0(ipsec-profile)# set pfs group2
ROUTER-0(config)# ip access-list extended CRYPTO_ACL
ROUTER-0(config-ext-nacl)# permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255
ROUTER-0(config)# crypto gdoi group GDOI_GROUP
ROUTER-0(config-gdoi-group)# identity number 1
ROUTER-0(config-gdoi-group)# server local
ROUTER-0(gdoi-local-server)# rekey retransmit 10 number 3
ROUTER-0(gdoi-local-server)# rekey transport unicast
ROUTER-0(gdoi-local-server)# sa ipsec 1
ROUTER-0(gdoi-sa-ipsec)# profile PROFILE
ROUTER-0(gdoi-sa-ipsec)# match address ipv4 CRYPTO_ACL
ROUTER-0(gdoi-sa-ipsec)# replay time window-size 5
ROUTER-0(gdoi-local-server)# address ipv4 1.2.3.254
```

Two points worth checking on the key server. First, the key server signs its rekey messages with an RSA key pair, referenced with `rekey authentication mypubkey rsa <key-label>` under `server local`; that command is not part of the listing above, so the `rekey retransmit` and `rekey transport unicast` settings only take effect once a key pair has been generated and referenced there. Second, the pre-shared key is bound to `0.0.0.0 0.0.0.0`, so any host holding `SECRET_KEY` can authenticate to the key server, not only the three routers in the topology; disabling aggressive mode at least keeps the ISAKMP identity exchange out of the clear.

## GDOI clients

Same configuration for all GDOI client routers.

```text
ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto gdoi group GDOI_GROUP
ROUTER-1(config-gdoi-group)# identity number 1
ROUTER-1(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-1(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-1(config-crypto-map)# set group GDOI_GROUP
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
```

```text
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto gdoi group GDOI_GROUP
ROUTER-2(config-gdoi-group)# identity number 1
ROUTER-2(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-2(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-2(config-crypto-map)# set group GDOI_GROUP
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
```

```text
ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto gdoi group GDOI_GROUP
ROUTER-3(config-gdoi-group)# identity number 1
ROUTER-3(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-3(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-3(config-crypto-map)# set group GDOI_GROUP
ROUTER-3(config)# interface fa0/0
ROUTER-3(config-if)# crypto map CRYPTO_MAP
```
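The group members carry no crypto ACL of their own: the key server pushes `CRYPTO_ACL` to them at registration, so whether a given flow is encrypted depends entirely on the key server's ACL, and every member must point at the same server address and group identity. The following Python script, added here as an example and not part of the original post, parses the prompt-style transcript above (a constructed copy of the relevant lines is embedded), evaluates the wildcard-mask ACL against sample flows between the DEVICE hosts and the routers, and reports the group-member and pre-shared-key findings a reviewer would want before deploying. The checker and its function names are hypothetical tooling, not a Cisco utility.

```python
import ipaddress
import re

# Constructed input: the relevant prompt lines copied from the configuration
# above (key server ROUTER-0 and the three group members). On a real device
# the running configuration would be read instead of a transcript.
SAMPLE_TRANSCRIPT = """
ROUTER-0(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-0(config)# ip access-list extended CRYPTO_ACL
ROUTER-0(config-ext-nacl)# permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255
ROUTER-0(config)# crypto gdoi group GDOI_GROUP
ROUTER-0(config-gdoi-group)# identity number 1
ROUTER-0(config-gdoi-group)# server local
ROUTER-0(gdoi-sa-ipsec)# match address ipv4 CRYPTO_ACL
ROUTER-0(gdoi-local-server)# address ipv4 1.2.3.254
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-1(config)# crypto gdoi group GDOI_GROUP
ROUTER-1(config-gdoi-group)# identity number 1
ROUTER-1(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-2(config)# crypto gdoi group GDOI_GROUP
ROUTER-2(config-gdoi-group)# identity number 1
ROUTER-2(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-3(config)# crypto gdoi group GDOI_GROUP
ROUTER-3(config-gdoi-group)# identity number 1
ROUTER-3(config-gdoi-group)# server address ipv4 1.2.3.254
"""

# A prompt line looks like "HOST(mode)# command".
PROMPT_RE = re.compile(r"^(?P<host>[^\s(]+)\((?P<mode>[^)]+)\)# (?P<cmd>.+)$")


def parse_transcript(text):
    """Return (host, mode, command) triples for every prompt line in the text."""
    entries = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            entries.append((m["host"], m["mode"], m["cmd"].strip()))
    return entries


def parse_acl(entries, host, acl_name):
    """Collect the 'permit ip SRC SRC-WC DST DST-WC' rules of one extended ACL."""
    rules, current = [], None
    for h, mode, cmd in entries:
        if h != host:
            continue
        if cmd.startswith("ip access-list extended "):
            current = cmd.split()[3]
        elif mode == "config-ext-nacl" and current == acl_name:
            parts = cmd.split()
            if parts[:2] == ["permit", "ip"] and len(parts) == 6:
                rules.append(tuple(parts[2:]))
    return rules


def _in_wildcard(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(network)) & keep)


def acl_permits(rules, src, dst):
    """True if the crypto ACL selects the src->dst flow for group encryption."""
    return any(_in_wildcard(src, sn, sw) and _in_wildcard(dst, dn, dw)
               for sn, sw, dn, dw in rules)


def check_group(entries, ks_host):
    """Findings: wildcard PSK on the KS, and members whose server address or
    group identity differs from what the key server is configured with."""
    findings, members = [], {}
    ks_addr = ks_ident = None
    for h, mode, cmd in entries:
        parts = cmd.split()
        if h == ks_host:
            if mode == "gdoi-local-server" and parts[:2] == ["address", "ipv4"]:
                ks_addr = parts[2]
            elif mode == "config-gdoi-group" and parts[:2] == ["identity", "number"]:
                ks_ident = parts[2]
            elif parts[:3] == ["crypto", "isakmp", "key"] and parts[-2:] == ["0.0.0.0", "0.0.0.0"]:
                findings.append(f"{h}: wildcard pre-shared key accepts any peer that knows it")
        elif mode == "config-gdoi-group":
            m = members.setdefault(h, {})
            if parts[:3] == ["server", "address", "ipv4"]:
                m["server"] = parts[3]
            elif parts[:2] == ["identity", "number"]:
                m["identity"] = parts[2]
    for h, m in members.items():
        if m.get("server") != ks_addr:
            findings.append(f"{h}: server address {m.get('server')} != key server {ks_addr}")
        if m.get("identity") != ks_ident:
            findings.append(f"{h}: identity {m.get('identity')} != key server identity {ks_ident}")
    return findings


if __name__ == "__main__":
    entries = parse_transcript(SAMPLE_TRANSCRIPT)
    rules = parse_acl(entries, "ROUTER-0", "CRYPTO_ACL")
    for src, dst in [("123.0.1.1", "123.0.2.1"), ("123.0.1.1", "1.2.3.254"), ("1.2.3.1", "1.2.3.254")]:
        print(f"{src} -> {dst}: {'encrypted' if acl_permits(rules, src, dst) else 'cleartext'}")
    for finding in check_group(entries, "ROUTER-0"):
        print("FINDING:", finding)
```

With the page's addresses, DEVICE-1 to DEVICE-2 traffic (123.0.1.1 to 123.0.2.1) falls inside the ACL and is encrypted, while traffic to the key server's public address and the members' own registration traffic on 1.2.3.0/24 stays outside it, which is what you want: GDOI registration must never be caught by the group SA it is trying to obtain. Changing one member's `identity number` in the transcript makes the consistency check report it.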

1 comment:

Alan Wade said...

If you've got multiple computers or numerous devices connected to your network, and want them to be routed through your VPN servers, you will opt to set up a VPN connection on your actual router. By doing so there ought not to be any need to set up each device separately, as your router can automatically connect all devices to our service. This can be particularly helpful for connecting devices with no inbuilt VPN support.

More VPN Router Information