Group Encrypted Transport VPN (GETVPN) is a powerful solution for encrypting IP traffic across a WAN without the complexities of point-to-point tunnels. This post walks through the configuration process for both the Key Server (KS) and Group Members (GMs), streamlining your GETVPN deployment.
Key Server Configuration
1. ISAKMP Phase 1 – GDOI Authentication
The initial phase of GETVPN still relies on ISAKMP for establishing trust using pre-shared keys. Configure the ISAKMP policy on the Key Server as follows:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
Define the pre-shared key that the group members will use to authenticate:
crypto isakmp key cisco123 address 0.0.0.0
Alternatively, define a separate key entry for each group member's IP address:
crypto isakmp key cisco123 address 192.168.10.1
crypto isakmp key cisco123 address 192.168.20.2
crypto isakmp key cisco123 address 192.168.30.3
crypto isakmp key cisco123 address 192.168.40.4
2. Phase 2 – IPSec Transform Set
The transform set defines how IP traffic will be encrypted between group members:
crypto ipsec transform-set tset esp-3des esp-md5
3. IPSec Profile for the GDOI SA
Create an IPSec profile and bind it to the transform set:
crypto ipsec profile GETVPN
 set transform-set tset
4. Group ACL Definition
This ACL identifies which traffic should be encrypted. For example:
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
5. GDOI Group Setup
This group definition is what the Key Server uses to distribute encryption policies and keys to the group members:
crypto gdoi group KM-GS
 identity number 111
 server local
  sa ipsec 1
   profile GETVPN
   match address ipv4 101
  address ipv4 192.168.15.5
Explanation:
- identity number: Identifies the group to GMs.
- server local: Designates this device as the KS.
- sa ipsec: Defines the SA parameters including IPSec profile and ACL.
- address: This is the local IP the GMs will connect to for registration.
Group Member Configuration
1. ISAKMP Phase 1 with the Key Server
Each group member must be configured with the same ISAKMP policy and key:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 192.168.15.5
2. GDOI Group Association
This tells the GM how to register with the KS:
crypto gdoi group GM
 identity number 111
 server address ipv4 192.168.15.5
3. Crypto Map Configuration
GDOI maps must be applied to an interface, but do not require manual transform-set definitions:
crypto map CMAP 10 gdoi
 set group GM
interface g2
 crypto map CMAP
Additional Configuration (Multi-Branch / Advanced Topology)
In complex deployments (e.g., multiple branches or ISPs), you may need the following:
An extended ACL that excludes GDOI control traffic (UDP 848, used for registration and rekey) from encryption, so that only the data traffic between the branches is protected:
ip access-list extended GET
 deny udp any eq 848 any eq 848
 permit ip 10.11.11.0 0.0.0.255 10.12.12.0 0.0.0.255
RSA authentication of rekey messages (optional), configured on the Key Server under server local:
rekey authentication mypubkey rsa KEYS
Multiple crypto maps and identity groups per interface:
crypto map GETMAP 10 gdoi
 set group GET
interface g2
 crypto map GETMAP
Verification commands:
show crypto gdoi gm
show crypto gdoi sa
show crypto isak sa
show crypto ipsec sa | inc encrypt|decrypt|ident
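Before running the verification commands, it helps to check the Key Server and Group Member configurations against each other offline: the ISAKMP policy parameters, the GDOI identity number and the KS registration address must agree, the UDP 848 deny must precede the permit in the group ACL, and the 3DES/MD5/DH group 2 choices used throughout this post are worth flagging for replacement. The following script is an added example and not part of the original post or of any Cisco tooling; it re-types the post's own KS, GM and ACL snippets as constructed sample input, and the parsing is a minimal line-based reading of IOS syntax, sufficient for these snippets only.

```python
"""Offline consistency and weak-algorithm check for a GETVPN KS/GM pair.

Added example (not from the original post). The three configs below are the
post's own snippets, re-typed here as constructed sample input.
"""
import re

KS_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set tset esp-3des esp-md5
crypto ipsec profile GETVPN
 set transform-set tset
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto gdoi group KM-GS
 identity number 111
 server local
  sa ipsec 1
   profile GETVPN
   match address ipv4 101
  address ipv4 192.168.15.5
"""

GM_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 192.168.15.5
crypto gdoi group GM
 identity number 111
 server address ipv4 192.168.15.5
crypto map CMAP 10 gdoi
 set group GM
interface g2
 crypto map CMAP
"""

ACL_CONFIG = """
ip access-list extended GET
 deny udp any eq 848 any eq 848
 permit ip 10.11.11.0 0.0.0.255 10.12.12.0 0.0.0.255
"""

# Descriptions for the algorithm choices the checker flags.
WEAK = {
    "3des": "3DES (64-bit block cipher; prefer AES)",
    "md5": "MD5 (hash md5 / esp-md5; prefer SHA-2)",
    "group 2": "DH group 2 (1024-bit; prefer group 14 or higher)",
}


def parse_isakmp_policy(cfg):
    """Return the sub-commands of the first 'crypto isakmp policy' as a dict."""
    policy, in_policy = {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy:
            if not line.startswith(" "):      # left the policy sub-mode
                in_policy = False
                continue
            key, _, value = line.strip().partition(" ")
            policy[key] = value
    return policy


def gdoi_identity(cfg):
    m = re.search(r"^\s*identity number (\d+)", cfg, re.M)
    return m.group(1) if m else None


def ks_address(cfg):
    """KS side: 'address ipv4 X' under 'server local'."""
    m = re.search(r"^\s*address ipv4 (\S+)", cfg, re.M)
    return m.group(1) if m else None


def gm_server_address(cfg):
    """GM side: 'server address ipv4 X' under the gdoi group."""
    m = re.search(r"^\s*server address ipv4 (\S+)", cfg, re.M)
    return m.group(1) if m else None


def weak_algorithms(cfg):
    """Sorted list of WEAK keys present in ISAKMP policy or transform set."""
    found = set()
    for line in cfg.lower().splitlines():
        s = line.strip()
        if s.startswith("encryption 3des") or "esp-3des" in s:
            found.add("3des")
        if s.startswith("hash md5") or "esp-md5" in s:
            found.add("md5")
        if s == "group 2":
            found.add("group 2")
    return sorted(found)


def acl_protects_gdoi(cfg, acl_name):
    """True if the named extended ACL denies UDP 848 before its first permit."""
    in_acl = False
    for line in cfg.splitlines():
        if line.startswith(f"ip access-list extended {acl_name}"):
            in_acl = True
            continue
        if in_acl:
            s = line.strip()
            if not line.startswith(" ") or s.startswith("permit"):
                return False               # ACL ended, or permit came first
            if s.startswith("deny udp") and "eq 848" in s:
                return True
    return False


def check_pair(ks_cfg, gm_cfg):
    """Cross-check a KS/GM pair; return a list of findings (empty = clean)."""
    problems = []
    ks_pol, gm_pol = parse_isakmp_policy(ks_cfg), parse_isakmp_policy(gm_cfg)
    for k in ("authentication", "encryption", "hash", "group"):
        if ks_pol.get(k) != gm_pol.get(k):
            problems.append(f"ISAKMP {k} mismatch: KS={ks_pol.get(k)} GM={gm_pol.get(k)}")
    if gdoi_identity(ks_cfg) != gdoi_identity(gm_cfg):
        problems.append("GDOI identity number differs between KS and GM")
    if gm_server_address(gm_cfg) != ks_address(ks_cfg):
        problems.append("GM 'server address' does not match KS 'address ipv4'")
    m = re.search(r"^crypto isakmp key \S+ address (\S+)", gm_cfg, re.M)
    if m and m.group(1) not in (ks_address(ks_cfg), "0.0.0.0"):
        problems.append("GM pre-shared key is not bound to the KS address")
    for dev, cfg in (("KS", ks_cfg), ("GM", gm_cfg)):
        problems.extend(f"{dev}: weak {WEAK[a]}" for a in weak_algorithms(cfg))
    return problems


if __name__ == "__main__":
    for p in check_pair(KS_CONFIG, GM_CONFIG):
        print(p)
    print("ACL GET excludes UDP 848:", acl_protects_gdoi(ACL_CONFIG, "GET"))
```

Run against the post's snippets, the pair check reports no mismatches but six weak-algorithm findings (3DES, MD5 and DH group 2 on each device); a one-digit change to either identity number or to the KS address is enough to produce a mismatch finding, which is exactly the kind of error that otherwise only surfaces as a failed registration in show crypto gdoi.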
Conclusion
GETVPN simplifies large-scale IP encryption by eliminating the need for tunnels between sites. With centralized key management and policy distribution via the GDOI protocol, traffic can be encrypted in a scalable and efficient manner. Once the Key Server and Group Members are correctly configured, the network gains a robust layer of encryption with minimal overhead.