GETVPN with Unicast PSK
GETVPN (Group Encrypted Transport VPN) offers secure IP communications between multiple sites without the need for tunnels, making it ideal for scalable enterprise networks. This guide outlines how to configure GETVPN using Unicast mode with pre-shared keys (PSK) for IKEv1 authentication. We’ll break down the setup process across the key server (KS) and group members (GMs).
Step 1: IKEv1 Configuration on the Key Server (KS)
Begin by defining the ISAKMP policy on the key server. This policy sets the phase 1 parameters for IKEv1:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Next, define the pre-shared key and associate it with the IP address of the GM(s):
crypto isakmp key key address address-of-GM
Create the IPsec transform set to define how data will be encrypted and authenticated:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
Then, bind the transform set into a crypto profile:
crypto ipsec profile profile-name
 set transform-set tset-name
Step 2: IKEv1 Configuration on Group Members (GMs)
Each GM must also be configured with a matching ISAKMP policy:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 5
 lifetime 1800
 exit
Then configure the shared key on the GM, pointing back to the key server:
crypto isakmp key key address ip-of-KS
Step 3: Access Control List (ACL) on the Key Server
On the KS, define an ACL that identifies the traffic to be encrypted:
ip access-list extended acl-name1
 deny eigrp any any
 deny udp any any eq 848
 permit ip any any
This denies GDOI and EIGRP control traffic while permitting all other IP traffic for encryption.
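As an added example (not part of the original guide), the following Python script checks two things the steps above depend on: that a GM's IKEv1 policy can actually match one on the KS once IOS defaults for omitted lines are applied, and that the KS traffic ACL excludes GDOI (UDP 848) before its final permit. The sample configs are constructed from the page's templates; the default-encryption value is an assumption.

```python
import re

# IOS defaults for omitted IKEv1 policy lines (the page's GM policy omits "hash sha");
# the default encryption varies by release, "des" is assumed here.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
COMPARED = ("encryption", "hash", "authentication", "group")   # lifetime may differ

def parse_blocks(config):
    """Split IOS config text into (top-level command, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def isakmp_policies(config):
    """Return {priority: {parameter: value}} with defaults filled in."""
    policies = {}
    for header, body in parse_blocks(config):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", header)
        if m:
            params = dict(DEFAULTS)
            for cmd in body:
                key, _, value = cmd.partition(" ")
                params["encryption" if key == "encr" else key] = value  # running-config abbreviates
            policies[int(m.group(1))] = params
    return policies

def matching_policy(ks_config, gm_config):
    """Lowest-numbered KS policy that some GM policy can negotiate, or None."""
    gms = isakmp_policies(gm_config).values()
    for prio, ks in sorted(isakmp_policies(ks_config).items()):
        if any(all(ks[k] == gm[k] for k in COMPARED) for gm in gms):
            return prio
    return None

def getvpn_acl_findings(config, acl_name):
    """Problems in the KS traffic ACL referenced by 'match address ipv4'."""
    body = next((b for h, b in parse_blocks(config) if h == f"ip access-list extended {acl_name}"), None)
    if body is None:
        return [f"ACL {acl_name} not found"]
    findings = []
    permit_at = body.index("permit ip any any") if "permit ip any any" in body else len(body)
    if permit_at != len(body) - 1:
        findings.append("'permit ip any any' missing or not last: later entries are never reached")
    if "deny udp any any eq 848" not in body[:permit_at]:
        findings.append("GDOI (UDP 848) not excluded before the permit: rekeys would be encrypted")
    return findings

# Constructed sample configs (not from the page), following its step 1-3 templates.
KS_CONFIG = ("crypto isakmp policy 1\n authentication pre-share\n encryption aes\n hash sha\n group 5\n"
             "ip access-list extended acl-name1\n deny eigrp any any\n deny udp any any eq 848\n permit ip any any\n")
GM_CONFIG = "crypto isakmp policy 1\n encr aes\n authentication pre-share\n group 5\n"
GM_MISMATCH = GM_CONFIG.replace("group 5", "group 2")
KS_BAD_ACL = KS_CONFIG.replace(" deny udp any any eq 848\n", "") + " deny udp any any eq 848\n"
```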
Step 4: Exportable RSA Key Generation
The KS must generate exportable RSA keys for GDOI operations:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Step 5: GDOI Group Configuration on the KS
Now configure the GDOI group, which handles key distribution and IPsec SA policies:
crypto gdoi group group-name
 identity number id-num
 server local
  rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 x.x.x.x   ! This is the KS IP to be advertised
Step 6: GDOI Configuration on the Group Members
Each GM must be configured to join the GDOI group and locate the KS:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 exit
Step 7: Apply the Crypto Map on the GM
Create and apply the crypto map to bind the GDOI group configuration to the outbound interface:
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 crypto map map-name
GETVPN Multicast Dense Mode PSK
Group Encrypted Transport VPN (GETVPN) can operate over multicast to efficiently distribute rekey messages to all Group Members (GMs). When using dense mode multicast and pre-shared keys (PSKs) for authentication, the configuration must ensure multicast routing is fully enabled across all routers.
1. Enabling Multicast Routing
Before diving into crypto configurations, make sure multicast routing is enabled globally on all participating routers:
ip multicast-routing
Then, enable PIM dense mode on each participating interface; this allows the multicast control traffic (such as GDOI rekey messages) to be properly distributed:
interface g2
 ip pim dense-mode
2. Configuring the Key Server (KS)
Start by configuring the ISAKMP policy for IKEv1 on the Key Server. This sets the encryption and authentication parameters:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Then define the pre-shared key for communication with GMs:
crypto isakmp key key address address-of-GM
Create the IPsec transform set for phase 2 encryption:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
Bind it to a profile:
crypto ipsec profile profile-name
 set transform-set tset-name
3. Configuring Group Members (GMs)
Each GM should have a matching ISAKMP policy:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 5
 lifetime 1800
 exit
Then configure the shared key for the Key Server:
crypto isakmp key key address ip-of-KS
4. Access Control Lists (ACLs) on the Key Server
Two ACLs are used. The first identifies which traffic should be encrypted by GETVPN:
ip access-list extended acl-name1
 deny eigrp any any
 deny udp any any eq 848
 deny pim any any
 deny igmp any any
 permit ip any any
The second ACL defines the multicast group to which the KS sends its rekey messages (it is referenced later by rekey address ipv4):
ip access-list extended acl-name2
 permit ip any host 239.1.1.1
5. Generate Exportable RSA Keys
On the Key Server, generate the RSA key pair used to authenticate GDOI key pushes:
crypto key generate rsa general-keys exportable label label-name modulus 1024
6. GDOI Group Configuration on KS
Now, configure the GDOI group settings. Note that we are not using unicast for rekeying, so the command no rekey transport unicast is entered, which leaves rekeys on multicast:
crypto gdoi group group-name
 identity number id-num
 server local
  no rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  rekey address ipv4 acl-name2
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 x.x.x.x   ! This is the KS IP to be advertised
  exit
7. GDOI Configuration on Group Members
GMs must be configured to join the same GDOI group and point to the KS:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 exit
Apply the GDOI group to a crypto map and bind it to the interface:
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 ip igmp join-group 239.1.1.1 source 192.168.101.100
 crypto map map-name
The ip igmp join-group command ensures the GM actively joins the multicast group (239.1.1.1), receiving multicast rekey traffic from the KS.
GETVPN Multicast Sparse Mode PSK
GETVPN offers a powerful method for encrypting traffic across enterprise WANs, and its multicast rekey capability allows centralized management of security associations (SAs). In sparse mode, multicast rekey traffic is distributed using Source-Specific Multicast (SSM), making it scalable and efficient. Here’s how to configure GETVPN in multicast sparse mode using IKEv1 with PSK authentication.
Step 1: Enable Multicast Routing and Sparse Mode
To begin, ensure multicast routing is globally enabled on all routers:
ip multicast-routing
Next, enable PIM sparse mode on the relevant interfaces. This is critical for supporting Source-Specific Multicast (SSM):
interface g2
 ip pim sparse-mode
Step 2: Configure ISAKMP and IPsec on the Key Server (KS)
Start with an IKEv1 policy that defines how the KS will negotiate secure tunnels with Group Members:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Define the shared key used to authenticate GMs:
crypto isakmp key key address address-of-GM
Now, define the IPsec transform set and bind it to a profile:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile profile-name
 set transform-set tset-name
Step 3: Configure GMs with Matching Crypto Parameters
On each Group Member, configure an identical ISAKMP policy:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 5
 lifetime 1800
 exit
And specify the shared key pointing back to the KS:
crypto isakmp key key address ip-of-KS
Step 4: ACLs for GETVPN Traffic and Multicast
On the KS, create an extended ACL to match the traffic you want encrypted by GETVPN:
ip access-list extended acl-name1
 deny eigrp any any
 deny ospf any any
 deny udp any any eq 848
 deny pim any any
 deny igmp any any
 permit ip any any
Also create a second ACL for rekey multicast traffic:
ip access-list extended acl-name2
 permit ip any host 239.1.1.1
On all routers, configure a standard ACL for PIM SSM and map the multicast group to the rekey source:
ip access-list standard 55
 permit host 239.1.1.1
ip pim ssm range 55
Step 5: Generate Exportable RSA Keys on the KS
Exportable RSA keys are required for GETVPN’s secure GDOI rekey process:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Step 6: Configure the GDOI Group on the KS
Now define the GDOI group and associate the crypto profile and ACLs:
crypto gdoi group group-name
 identity number id-num
 server local
  no rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  rekey address ipv4 acl-name2
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 x.x.x.x
  exit
Step 7: Configure the GDOI Client Settings on GMs
On the Group Member, configure the GDOI group to match the KS:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 exit
Attach this configuration to a crypto map and apply it to the appropriate interface:
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 ip igmp join-group 239.1.1.1 source ks-server-ip
 crypto map map-name
The ip igmp join-group command ensures the GM explicitly joins the SSM group (239.1.1.1, sourced from the KS) to receive multicast rekey traffic from the KS.
GETVPN Sparse-Dense Mode PSK & Multicast Rekey at Scale
GETVPN (Group Encrypted Transport VPN) supports secure, scalable key distribution across IP networks using multicast. The Sparse-Dense Mode allows networks to combine dense flooding in some areas and source-specific multicast (SSM) in others, offering flexibility for complex topologies. Below is a step-by-step configuration guide using IKEv1 with pre-shared key authentication.
Step 1: Enable Multicast and Sparse-Dense Mode
Begin by enabling multicast routing on all participating routers:
ip multicast-routing
Then, on each interface involved in the GETVPN deployment, enable sparse-dense PIM mode:
interface g2
 ip pim sparse-dense-mode
This hybrid mode enables the network to use dense flooding where PIM neighbors are unavailable and source-based routing where they are.
Step 2: Configure IKEv1 and IPsec on the Key Server (KS)
Start by configuring the ISAKMP policy on the key server:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Define the pre-shared key and associate it with the GM IP addresses:
crypto isakmp key key address address-of-GM
Next, define your IPsec transform set and apply it to a crypto profile:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile profile-name
 set transform-set tset-name
Step 3: Configure the Group Members (GMs)
Each GM should be configured with a matching ISAKMP policy:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 5
 lifetime 1800
 exit
And specify the shared key pointing back to the KS:
crypto isakmp key key address ip-of-KS
Step 4: Create Access Control Lists on the Key Server
Start by defining which traffic will be encrypted with GETVPN:
ip access-list extended acl-name1
 deny eigrp any any
 deny ospf any any
 deny udp any any eq 848
 deny pim any any
 deny igmp any any
 permit ip any any
Then define the multicast group used for rekeying:
ip access-list extended acl-name2
 permit ip any host 239.1.1.1
On all routers, define a standard ACL and apply it to a PIM SSM range:
ip access-list standard 55
 permit host 239.1.1.1
ip pim ssm range 55
Step 5: Generate RSA Keys on the KS
GETVPN requires RSA key pairs for GDOI secure distribution:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Step 6: Configure the GDOI Group on the Key Server
Now create and configure the GDOI group:
crypto gdoi group group-name
 identity number id-num
 server local
  no rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  rekey address ipv4 acl-name2
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 x.x.x.x
  exit
Step 7: Configure GDOI on the GMs
Each GM must be enrolled in the same GDOI group:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 exit
Apply the group to a crypto map and bind it to the interface:
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 ip igmp join-group 239.1.1.1 source ks-server-ip
 crypto map map-name
This ensures that GMs will receive the rekey multicast traffic from the Key Server via Source-Specific Multicast.
GETVPN Redundancy with COOPs and GM Authorization with PSK
High availability is critical for enterprise VPNs, and GETVPN delivers on this through its Cooperative Key Server (COOP) feature. This enables two or more key servers (KS1 and KS2) to operate redundantly, ensuring Group Members (GMs) can continue receiving Security Association (SA) rekeys even if a key server goes offline.
We walk through the configuration of GETVPN COOPs with GM authorization using pre-shared keys (PSK) and TFTP-based RSA key export.
Step 1: Export and Import RSA Keys Between Key Servers
Start by generating exportable RSA keys on the first key server:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Next, export the RSA keys to be shared with the second KS via TFTP:
crypto key export rsa label-name pem url nvram: 3des password
tftp-server nvram:label-name.pub
tftp-server nvram:label-name.priv
ip tftp source-interface g2
Then, on the second key server, import the keys:
crypto key import rsa label-name-from-other-key-server pem url tftp: password
! The pem keyword matches the export format used above; with a bare tftp: URL,
! IOS prompts for the TFTP host (ip-of-first-ks) and the file name to fetch
Step 2: Configure IKEv1 and IPsec on Both Key Servers
On both KS1 and KS2, configure matching ISAKMP policies:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Define PSKs for communication with the GMs:
crypto isakmp key key address address-of-GM
Define transform sets and apply to crypto profiles:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile profile-name
 set transform-set tset-name
Enable ISAKMP keepalives for faster failure detection:
crypto isakmp keepalive 10 10
Step 3: Configure the GMs
On each GM, configure an identical ISAKMP policy:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 5
 lifetime 1800
 exit
Point the GM to both key servers:
crypto isakmp key key address ip-of-KS1
crypto isakmp key key address ip-of-KS2
Step 4: Access Control List (ACL) for SA Policy
On both key servers, define an ACL for encrypted traffic:
ip access-list extended acl-name1
 deny eigrp any any
 deny ospf any any
 deny udp any any eq 848
 deny pim any any
 deny igmp any any
 permit ip any any
Step 5: GDOI Group Configuration on KS1
Create the GDOI group on the first key server and set it as primary with higher priority:
crypto gdoi group group-name
 identity number id-num
 server local
  rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 KS1-ip-address
  redundancy
   local priority 255
   peer address ipv4 key-server-2-ip
   exit
Step 6: GDOI Group Configuration on KS2
Repeat the same configuration on key server 2, but set it with a lower priority so that it acts as the backup:
crypto gdoi group group-name
 identity number id-num
 server local
  rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 KS2-ip-address
  redundancy
   local priority 155
   peer address ipv4 key-server-1-ip
   exit
Step 7: Final Configuration on the Group Members
Now configure the GMs to join the GDOI group and recognize both KS IPs:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 server address ipv4 ks2-ip-address
 exit
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 crypto map map-name
GETVPN with Unicast RSA and IOS CA
When deploying GETVPN with RSA-based authentication, integrating an IOS-based Certificate Authority (CA) provides scalable identity verification without relying on pre-shared keys. This guide walks through setting up an IOS router as the local CA and configuring GETVPN with RSA-signed IKEv1 authentication.
Step 1: Prepare the IOS CA Router
Before configuring the IOS router as a CA, ensure that the clock is correctly set or NTP is synchronized. Then generate the exportable RSA key pair that will be used by the CA:
crypto key generate rsa general-keys exportable label label modulus 1024
Export the RSA key so it can be referenced by the CA configuration:
crypto key export rsa label pem url nvram: 3des password
Now configure the IOS CA itself:
ip http server
crypto pki server name
 database level minimum
 database url nvram:
 issuer-name cn=name l=location c=country
 grant auto
 no shutdown
This sets up a lightweight CA that automatically grants certificates to clients upon request. Because grant auto issues a certificate to any requester that can reach the CA, it suits a lab; a production CA would normally grant requests manually.
Step 2: Enroll and Authenticate GMs and KSs
On each device (GMs and KSs), configure the trustpoint and enroll with the CA:
crypto pki trustpoint trustpoint-name
 enrollment url http://x.x.x.x
 exit
crypto pki authenticate trustpoint-name
crypto pki enroll trustpoint-name
Step 3: Configure IKEv1 with RSA Authentication
On the key server, configure ISAKMP to use RSA signature authentication:
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Create the IPsec transform set and bind it to a profile:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile profile-name
 set transform-set tset-name
Step 4: Configure ISAKMP on Group Members (GMs)
Match the ISAKMP policy on all GMs to align with the key server:
crypto isakmp policy 1
 encryption aes
 authentication rsa-sig
 group 5
 lifetime 1800
 exit
Step 5: Define Traffic to Encrypt on the KS
Back on the key server, create an extended ACL to define which traffic should be encrypted:
ip access-list extended acl-name1
 deny eigrp any any
 deny udp any any eq 848
 deny tcp any eq 80 any   ! HTTP stays in the clear so SCEP enrollment with the IOS CA keeps working
 deny tcp any any eq 80
 permit ip any any
Step 6: Generate Exportable Keys for GDOI
RSA keys are also required for secure GDOI communications. Generate them with:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Step 7: Configure the GDOI Group on the Key Server
Now configure the GETVPN GDOI group on the key server:
crypto gdoi group group-name
 identity number id-num
 server local
  rekey transport unicast
  rekey retransmit 10 number 2
  rekey lifetime seconds sec
  rekey authentication mypubkey rsa label-name
  sa ipsec 1
   profile profile-name
   replay time
   match address ipv4 acl-name1
   exit
  address ipv4 x.x.x.x
  exit
Step 8: Configure the GM to Join the GDOI Group
Each GM must be configured to join the GDOI group and point to the KS:
crypto gdoi group group-name
 identity number id-num
 server address ipv4 ks-ip-address
 exit
crypto map map-name num gdoi
 set group group-name
 exit
interface g2
 crypto map map-name