A quick template on how to configure GETVPN Key Server (KS) and its associated Group Members (GM)
Prerequisite: RSA keys with label GETVPN_KEYS were already generated (see pic above).

//KS sample config:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 <key1> address <address1>
crypto isakmp key 6 <key2> address <address2>
crypto isakmp key 6 <key3> address <address3>
crypto isakmp key 6 <key4> address <address4>
crypto isakmp key 6 <key5> address <address5>
crypto isakmp keepalive 25 periodic
crypto ipsec transform-set GETVPN_ENCR esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN_PROFILE
 set security-association lifetime seconds 7200
 set transform-set GETVPN_ENCR
crypto gdoi group GETVPN_GDOI
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN_KEYS
  rekey transport unicast
  authorization address ipv4 ACL_GETVPN_AUTH
  registration interface GigabitEthernet0/0
  sa ipsec 10
   profile GETVPN_PROFILE
   match address ipv4 ACL_GETVPN_ENCR
   replay time window-size 5
  address ipv4 <address_of_Gi0/0>
  redundancy
   local priority 100
   peer address ipv4 <peer_address>
ip access-list standard ACL_GETVPN_AUTH //only these GMs may register with the KS
 permit <GETVPN_GM_address1>
 permit <GETVPN_GM_address2>
 permit <GETVPN_GM_address3>
 permit <GETVPN_GM_address4>
 permit <GETVPN_GM_address5>
ip access-list extended ACL_GETVPN_ENCR
 remark no encryption for control-plane and already-encrypted traffic
 deny udp any eq 848 any eq 848 //GDOI registration and rekey
 deny udp any eq isakmp any eq isakmp
 deny esp any any
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any any eq tacacs
 deny tcp any eq tacacs any
 remark no encryption for BGP
 deny tcp any any eq bgp //when GMs use BGP for PE-CE adjacency
 deny tcp any eq bgp any //when GMs use BGP for PE-CE adjacency
 remark no encryption for ntp
 deny udp any any eq ntp
 deny udp any eq ntp any
 remark encrypt all other traffic
 permit ip any any
//GM sample config:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 1200
crypto isakmp key <removed> address <KS_address_primary>
crypto isakmp key <removed> address <KS_address_secondary>
crypto gdoi group GETVPN_GDOI
 identity number 1234
 server address ipv4 <KS_address_primary>
 server address ipv4 <KS_address_secondary>
crypto map GETVPN_MAP local-address Loopback0
crypto map GETVPN_MAP gdoi fail-close
//Fail-close means that no clear traffic will leak out of a router interface after a router reboot or an event such as "clear crypto gdoi"
 match address ACL_GETVPN_FAILCLOSE
 activate
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN_GDOI
ip access-list extended ACL_GETVPN_FAILCLOSE //deny ACEs list the traffic still allowed in cleartext while fail-close is in effect; everything else is dropped
 deny udp any eq 848 any eq 848 //GDOI registration and rekey must reach the KS
 deny udp any eq isakmp any eq isakmp
 deny esp any any
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any any eq tacacs
 deny tcp any eq tacacs any
 deny tcp any any eq bgp
 deny tcp any eq bgp any
 deny udp any any eq ntp
 deny udp any eq ntp any
//Fail-close increases the security of GETVPN and the group member by enforcing that:
//- prior to registration or during registration, the group member drops any packets that arrive in the clear;
//- a failure at any step of the registration process also causes the group member to drop any packets in the clear.
interface GigabitEthernet0/0
 description ### WAN interface ###
 crypto map GETVPN_MAP
 crypto ipsec df-bit clear
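An added check (example code, not part of the original template): the cleartext exemptions in the GM fail-close ACL must cover everything the KS policy ACL leaves unencrypted, otherwise traffic the KS intended to pass in the clear (BGP to the PE, NTP, the GDOI registration itself) is dropped by the GM after a reboot. This Python script parses both ACLs from IOS-style config text and reports every "deny" ACE in ACL_GETVPN_ENCR that ACL_GETVPN_FAILCLOSE does not mirror. The sample ACL text is constructed, and the parser assumes ACEs are indented under their "ip access-list" line as a running-config prints them.

```python
import re
# Constructed sample ACL fragments (not from a real device); the GM copy omits the BGP exemptions
KS_SAMPLE = """\
ip access-list extended ACL_GETVPN_ENCR
 remark no encryption for control-plane traffic
 deny udp any eq 848 any eq 848
 deny udp any eq isakmp any eq isakmp
 deny esp any any
 deny tcp any any eq bgp
 deny tcp any eq bgp any
 permit ip any any
"""
GM_SAMPLE = """\
ip access-list extended ACL_GETVPN_FAILCLOSE
 deny udp any eq 848 any eq 848
 deny udp any eq isakmp any eq isakmp
 deny esp any any
"""
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")

def parse_acls(config):
    """Return {acl_name: [(action, rule), ...]} from IOS-style config text.
    ACEs are the indented lines under 'ip access-list'; remarks and // comments are skipped."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].rstrip()  # drop trailing // comments as used on this page
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the ACL block
            continue
        parts = line.split()
        if parts[0] in ("permit", "deny"):
            acls[current].append((parts[0], " ".join(parts[1:])))
    return acls

def missing_failclose_exemptions(ks_config, gm_config,
                                 ks_acl="ACL_GETVPN_ENCR", gm_acl="ACL_GETVPN_FAILCLOSE"):
    """Cleartext exemptions (deny ACEs) in the KS policy ACL that the GM fail-close ACL lacks."""
    ks = {r for a, r in parse_acls(ks_config).get(ks_acl, []) if a == "deny"}
    gm = {r for a, r in parse_acls(gm_config).get(gm_acl, []) if a == "deny"}
    return sorted(ks - gm)

if __name__ == "__main__":
    for rule in missing_failclose_exemptions(KS_SAMPLE, GM_SAMPLE):
        print("fail-close ACL would drop:", rule)
```

Run it against the output of "show running-config" from the KS and each GM; an empty result means the fail-close ACL mirrors every KS exemption.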