GET VPN
Task 1: (Optional) Configure an IKE Policy
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# authentication pre-share (authentication method)
Router(config-isakmp)# group 14 (specify the DH group)
Task 2: Generate and/or Configure Authentication Credentials
Router(config)# crypto isakmp key ad73asmdkfl902380amadfjkasdjf 172.17.2.4 (set the pre-shared key value and the client IP)
Router(config)# crypto isakmp key akjsdfljfdasdfu2389872jh3241u 172.17.0.1
Task 3: Generate RSA keys for Rekey Authentication
Router(config)# crypto key generate rsa modulus 2048 label MYRSAKEYS exportable (generate the RSA key pair and set the modulus size in bits)
Task 4: Configure a Traffic Protection Policy on the Key Server
Router(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router(config)# crypto ipsec profile MYIPsecPROFILE
Router(ipsec-profile)# set transform-set MYSET
Router(config)# ip access-list extended MYGETVPNACL
Router(config-acl)# permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Task 5: Enable and Configure the GET VPN Key Server Function
Router(config)# crypto gdoi group MYGETVPNGROUP
Router(config-gdoi)# identity number 1324
Router(config-gdoi)# server local
Router(config-gdoi)# address ipv4 172.17.0.1
Router(config-gdoi)# sa ipsec 10
Router(config-gdoi-sa)# profile MYIPsecPROFILE
Router(config-gdoi-sa)# match address ipv4 MYGETVPNACL
Task 6: (Optional) Tune the Rekeying Policy
Router(config-gdoi)# rekey transport unicast
Router(config-gdoi)# rekey authentication mypubkey rsa MYRSAKEYS
Task 7: Create and Apply the GET VPN Crypto Map
Router(config)# crypto map MYCRYPTOMAP 10 gdoi
Router(config-crypto-map)# set group MYGETVPNGROUP
Router(config)# interface GigabitEthernet0/0
Router(config-if)# crypto map MYCRYPTOMAP
show crypto gdoi
GROUP INFORMATION
Group Name : MYGETVPNGROUP (unicast)
Group Identity : 1234
Group Members : 34
IPSec SA Direction : Both
Group Rekey Lifetime : 86400 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts : 2
IPSec SA Number : 8
IPSec SA Rekey Lifetime : 3600 secs
Profile Name : MYIPSECPROFILE
Replay Method : Count Based
Replay Window Size : 64
ACL Configured : access-list MYGETACL
Group Server List : Local
show crypto gdoi ks rekey
Router# show crypto gdoi ks rekey
Group MYGETVPNGROUP (Unicast)
Number of rekeys sent : 23843
Number of rekeys retransmitted : 56
KEK rekey lifetime (sec) : 86400
Number of retransmissions : 2
IPSec SA 10 lifetime (sec) : 3600
show crypto gdoi ks members
Router# show crypto gdoi ks members
Group Member Information:
Number of rekeys sent for group getvpn : 10
Group member ID : 172.17.2.24
Group ID : 1234
Group Name : MYGETVPNGROUP
Member
Task 1: Configure an IKE Policy
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 14
Task 2: Generate and/or Configure Authentication Credentials
Router(config)# crypto isakmp key ad73asmdkfl902380amadfjkasdjf 172.17.2.4
Router(config)# crypto isakmp key akjsdfljfdasdfu2389872jh3241u 172.17.0.1
Task 3: Enable the GET VPN Group Member Function
Router(config)# crypto gdoi group MYGETVPNGROUP
Router(config-gdoi)# identity number 1324
Router(config-gdoi)# server address ipv4 172.17.0.1
Task 4: Create and Apply the GET VPN Crypto Map
Router(config)# crypto map MYCRYPTOMAP 10 gdoi
Router(config-crypto-map)# set group MYGETVPNGROUP
Router(config)# interface GigabitEthernet0/0
Router(config-if)# crypto map MYCRYPTOMAP
Task 5: (Optional) Configure a Fail-Closed Policy
Router(config)# crypto map MYCRYPTOMAP gdoi fail-close
Router(crypto-map-fail-close)# match address MYFAILCLOSEACL
Router(crypto-map-fail-close)# activate
Configure and Verify High-Availability Mechanisms in a GET VPN
Task 1: Distribute the Rekey RSA Key Pair
Task 2: Configure a Full Mesh of Key Server IKE Peering
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# lifetime 86400
Router(config)# crypto isakmp keepalive 10 periodic
Task 3: Configure COOP
Router(config)# crypto gdoi group MYGETVPNGROUP
Router(config-gdoi-group)# server local
Router(config-local-server)# redundancy
Router(gdoi-coop-ks-config)# local priority 10
Router(gdoi-coop-ks-config)# peer address ipv4 172.17.0.2
Tasks 4 and 5: Configure Traffic Protection Policy and Multiple Key Servers on Group Members
Router(config-gdoi)# server address ipv4 172.17.0.1
Router(config-gdoi)# server address ipv4 172.17.0.2
Verify: Router# show crypto gdoi ks coop
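The key server and group member tasks above only work when both sides agree on the group identity, the pre-shared keys and the key server address, and the running-configs further down show two settings worth flagging on any audit: IKE DH group 5 and cleartext pre-shared keys under no service password-encryption. The following Python audit is an added example written for this page, not a Cisco tool; the two config excerpts are constructed from the KS and M1 configs shown below, with the GM identity number mistyped on purpose.

```python
import re
# Constructed excerpts modelled on the page's KS and M1 configs; GM identity mistyped on purpose.
KS_CFG = """\
no service password-encryption
crypto isakmp policy 100
 group 5
crypto isakmp key cisco1 address 10.1.1.2
crypto isakmp key 6 cisco2 address 10.1.1.3
crypto gdoi group MYGETVPNGROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa MYRSAKEYS
  address ipv4 10.1.1.1
"""
GM_CFG = """\
crypto isakmp policy 100
 group 5
crypto isakmp key cisco1 address 10.1.1.1
crypto gdoi group MYGETVPNGROUP
 identity number 1324
 server address ipv4 10.1.1.1
"""
SINGLE = {"dh_group": r"^\s*group (\d+)$", "identity": r"^\s*identity number (\d+)$",
          "ks_address": r"^\s*address ipv4 (\S+)$",   # only in the KS 'server local' block
          "rekey_auth": r"^\s*rekey authentication (.+)$"}

def parse(cfg):
    """Pull the few GET VPN settings the audit compares out of an IOS running-config."""
    s = {k: m.group(1) if (m := re.search(p, cfg, re.M)) else None for k, p in SINGLE.items()}
    s["dh_group"] = int(s["dh_group"] or 0)
    # peer IP -> True when the PSK line carries the type-6 (encrypted) keyword
    s["psk_peers"] = {ip: bool(enc) for enc, ip in
                      re.findall(r"^crypto isakmp key (6 )?\S+ address (\S+)$", cfg, re.M)}
    s["cleartext"] = "no service password-encryption" in cfg
    return s

def audit(ks_cfg, gm_cfg, gm_ip):
    """Return findings for one KS/GM pair; an empty list means they are consistent."""
    k, m = parse(ks_cfg), parse(gm_cfg)
    out = []
    if k["identity"] != m["identity"]:
        out.append(f"identity mismatch: KS {k['identity']} vs GM {m['identity']}")
    if gm_ip not in k["psk_peers"] or k["ks_address"] not in m["psk_peers"]:
        out.append("pre-shared key missing on one side of the KS/GM pair")
    for name, c in (("KS", k), ("GM", m)):
        if c["dh_group"] < 14:
            out.append(f"{name}: IKE DH group {c['dh_group']} is below group 14")
    if not k["rekey_auth"]:
        out.append("KS: rekey messages are not RSA-authenticated")
    if k["cleartext"] and not all(k["psk_peers"].values()):
        out.append("KS: cleartext pre-shared key with password encryption disabled")
    return out
```

Run audit(KS_CFG, GM_CFG, "10.1.1.2") to get the four findings for the constructed pair; feed it the real show running-config text of each KS/GM pair to check a deployment.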
Key Server
Building configuration...
Current configuration : 2030 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 100
authentication pre-share
group 5
crypto isakmp key cisco1 address 10.1.1.2
crypto isakmp key 6 cisco2 address 10.1.1.3
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
set transform-set MYSET
!
crypto gdoi group MYGETVPNGROUP
identity number 1234
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa MYRSAKEYS
rekey transport unicast
sa ipsec 10
profile MYIPsecPROFILE
match address ipv4 MYGETVPNACL
replay counter window-size 64
address ipv4 10.1.1.1
!
!
crypto map MYCRYPTOMAP 10 gdoi
set group MYGETVPNGROUP
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
crypto map MYCRYPTOMAP
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended MYGETVPNACL
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
Member 1
Building configuration...
Current configuration : 1550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 100
authentication pre-share
group 5
crypto isakmp key cisco1 address 10.1.1.1
!
!
crypto gdoi group MYGETVPNGROUP
identity number 1234
server address ipv4 10.1.1.1
!
!
crypto map MYCRYPTOMAP 10 gdoi
set group MYGETVPNGROUP
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 10.1.1.2 255.255.255.0
serial restart-delay 0
crypto map MYCRYPTOMAP
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
Member 2
Building configuration...
Current configuration : 1552 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 100
authentication pre-share
group 5
crypto isakmp key 6 cisco2 address 10.1.1.1
!
!
crypto gdoi group MYGETVPNGROUP
identity number 1234
server address ipv4 10.1.1.1
!
!
crypto map MYCRYPTOMAP 10 gdoi
set group MYGETVPNGROUP
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
ip address 10.1.1.3 255.255.255.0
serial restart-delay 0
crypto map MYCRYPTOMAP
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
ISP
Building configuration...
Current configuration : 1331 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 10.1.1.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 10.1.1.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
ip address 10.1.1.6 255.255.255.0
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end