Topology
+[ROUTER-0]
|
+[ROUTER-1]----[DEVICE-1]
|
+[ROUTER-2]----[DEVICE-2]
|
+[ROUTER-3]----[DEVICE-3]
[ROUTER-0] fa0/0: 1.2.3.254/24
[ROUTER-1] fa0/0: 1.2.3.1/24
[ROUTER-1] fa0/1: 123.0.1.254/24
[DEVICE-1] fa0/1: 123.0.1.1/24
[ROUTER-2] fa0/0: 1.2.3.2/24
[ROUTER-2] fa0/1: 123.0.2.254/24
[DEVICE-2] fa0/1: 123.0.2.1/24
[ROUTER-3] fa0/0: 1.2.3.3/24
[ROUTER-3] fa0/1: 123.0.3.254/24
[DEVICE-3] fa0/1: 123.0.3.1/24
Note 1: All IP addresses are public.
Note 2: Traffic from DEVICE-X to DEVICE-Y is encrypted between ROUTER-X and ROUTER-Y (the group members); the key server ROUTER-0 never carries the data traffic.
Note 3: Tunnel mode with header preservation (the original source and destination IP addresses are copied into the outer IPsec header, so the packets stay routable across the public network).
GDOI server
ROUTER-0(config)#crypto isakmp policy 1
ROUTER-0(config-isakmp)#authentication pre-share
ROUTER-0(config-isakmp)#encryption aes
ROUTER-0(config-isakmp)#hash sha
ROUTER-0(config-isakmp)#group 2
ROUTER-0(config-isakmp)#lifetime 86400
ROUTER-0(config)#crypto isakmp aggressive-mode disable
ROUTER-0(config)#crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-0(config)#crypto isakmp enable
ROUTER-0(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-0(config)#crypto ipsec profile PROFILE
ROUTER-0(ipsec-profile)#set transform-set TRANSFORM_SET
ROUTER-0(ipsec-profile)#set pfs group2
ROUTER-0(config)#ip access-list extended CRYPTO_ACL
ROUTER-0(config-ext-nacl)#permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255
ROUTER-0(config)#crypto gdoi group GDOI_GROUP
ROUTER-0(config-gdoi-group)#identity number 1
ROUTER-0(config-gdoi-group)#server local
ROUTER-0(gdoi-local-server)#rekey retransmit 10 number 3
ROUTER-0(gdoi-local-server)#rekey transport unicast
ROUTER-0(gdoi-local-server)#sa ipsec 1
ROUTER-0(gdoi-sa-ipsec)#profile PROFILE
ROUTER-0(gdoi-sa-ipsec)#match address ipv4 CRYPTO_ACL
ROUTER-0(gdoi-sa-ipsec)#replay time window-size 5
ROUTER-0(gdoi-local-server)#address ipv4 1.2.3.254
GDOI clients
Same configuration for all GDOI client routers.
ROUTER-1(config)#crypto isakmp policy 1
ROUTER-1(config-isakmp)#authentication pre-share
ROUTER-1(config-isakmp)#encryption aes
ROUTER-1(config-isakmp)#hash sha
ROUTER-1(config-isakmp)#group 2
ROUTER-1(config-isakmp)#lifetime 86400
ROUTER-1(config)#crypto isakmp aggressive-mode disable
ROUTER-1(config)#crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-1(config)#crypto isakmp enable
ROUTER-1(config)#crypto gdoi group GDOI_GROUP
ROUTER-1(config-gdoi-group)#identity number 1
ROUTER-1(config-gdoi-group)#server address ipv4 1.2.3.254
ROUTER-1(config)#crypto map CRYPTO_MAP 1 gdoi
ROUTER-1(config-crypto-map)#set group GDOI_GROUP
ROUTER-1(config)#interface fa0/0
ROUTER-1(config-if)#crypto map CRYPTO_MAP
ROUTER-2(config)#crypto isakmp policy 1
ROUTER-2(config-isakmp)#authentication pre-share
ROUTER-2(config-isakmp)#encryption aes
ROUTER-2(config-isakmp)#hash sha
ROUTER-2(config-isakmp)#group 2
ROUTER-2(config-isakmp)#lifetime 86400
ROUTER-2(config)#crypto isakmp aggressive-mode disable
ROUTER-2(config)#crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-2(config)#crypto isakmp enable
ROUTER-2(config)#crypto gdoi group GDOI_GROUP
ROUTER-2(config-gdoi-group)#identity number 1
ROUTER-2(config-gdoi-group)#server address ipv4 1.2.3.254
ROUTER-2(config)#crypto map CRYPTO_MAP 1 gdoi
ROUTER-2(config-crypto-map)#set group GDOI_GROUP
ROUTER-2(config)#interface fa0/0
ROUTER-2(config-if)#crypto map CRYPTO_MAP
ROUTER-3(config)#crypto isakmp policy 1
ROUTER-3(config-isakmp)#authentication pre-share
ROUTER-3(config-isakmp)#encryption aes
ROUTER-3(config-isakmp)#hash sha
ROUTER-3(config-isakmp)#group 2
ROUTER-3(config-isakmp)#lifetime 86400
ROUTER-3(config)#crypto isakmp aggressive-mode disable
ROUTER-3(config)#crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-3(config)#crypto isakmp enable
ROUTER-3(config)#crypto gdoi group GDOI_GROUP
ROUTER-3(config-gdoi-group)#identity number 1
ROUTER-3(config-gdoi-group)#server address ipv4 1.2.3.254
ROUTER-3(config)#crypto map CRYPTO_MAP 1 gdoi
ROUTER-3(config-crypto-map)#set group GDOI_GROUP
ROUTER-3(config)#interface fa0/0
ROUTER-3(config-if)#crypto map CRYPTO_MAP
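The key server's CRYPTO_ACL decides which traffic the group members encrypt: a permit entry means "encrypt", anything not permitted is forwarded in the clear. The following added Python check (written for this page, not the routers' own output) applies Cisco wildcard-mask matching to the ACL entry above and the fa0/1 and fa0/0 addresses from the topology, confirming that every DEVICE-to-DEVICE flow from Note 2 is covered while the GDOI registration traffic between the group members and ROUTER-0 stays outside the policy; the device and router addresses are copied from the topology and the function names are my own.

```python
import ipaddress

# Constructed input: the CRYPTO_ACL entry from ROUTER-0 and the addresses from the topology.
CRYPTO_ACL_LINES = [
    "permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255",
]
DEVICES = {"DEVICE-1": "123.0.1.1", "DEVICE-2": "123.0.2.1", "DEVICE-3": "123.0.3.1"}
KEY_SERVER = "1.2.3.254"                       # ROUTER-0 fa0/0
GROUP_MEMBERS = {"ROUTER-1": "1.2.3.1", "ROUTER-2": "1.2.3.2", "ROUTER-3": "1.2.3.3"}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC' (the only entry form used on this page)."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip" or action not in ("permit", "deny"):
        raise ValueError("only 'permit/deny ip' entries are handled here")
    return action, src, src_wc, dst, dst_wc


def is_encrypted(acl_lines, src, dst):
    """First matching entry wins; 'permit' means encrypt, implicit deny means send in clear."""
    for line in acl_lines:
        action, s, sw, d, dw = parse_ace(line)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def audit(acl_lines=CRYPTO_ACL_LINES):
    """Return {(src_name, dst_name): encrypted?} for every flow the policy must get right."""
    result = {}
    for a, ia in DEVICES.items():
        for b, ib in DEVICES.items():
            if a != b:
                result[(a, b)] = is_encrypted(acl_lines, ia, ib)
    # GDOI registration/rekey between group members and the key server must not match the policy.
    for gm, igm in GROUP_MEMBERS.items():
        result[(gm, "ROUTER-0")] = is_encrypted(acl_lines, igm, KEY_SERVER)
    return result


if __name__ == "__main__":
    for (src, dst), enc in audit().items():
        print(f"{src} -> {dst}: {'encrypted' if enc else 'clear'}")
```

Adding a `deny` entry before the permit (for example to exclude a management host) changes the result of `audit()`, which makes the script a quick regression check whenever CRYPTO_ACL is edited.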