Group Encrypted Transport VPN
! KS key server on R5
conf t
crypto isakmp policy 10
hash sha256
authentication pre-share
group 14
lifetime 180
encryption aes 256
exit
do show crypto isakmp policy
crypto isakmp key cisco123 address 0.0.0.0
crypto key generate rsa general-keys label GETVPN modulus 1024 exportable
crypto ipsec transform-set Our-TSET esp-aes 192 esp-sha-hmac
exit
crypto ipsec profile GDOI-Profile
set transform-set Our-TSET
set security-association lifetime seconds 300
exit
crypto gdoi group Our-GETVPN
identity number 6783
server local
address ipv4 5.5.5.5
rekey transport unicast
rekey lifetime seconds 600
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN
sa ipsec 1
profile GDOI-Profile
match address ipv4 101
replay time window-size 5
exit
exit
exit
ip access-list extended 101
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
end
! GM Group member on R1-R4
conf t
crypto isakmp policy 10
hash sha256
authentication pre-share
group 14
lifetime 180
encryption aes 256
exit
crypto isakmp key cisco123 address 0.0.0.0
! No point-to-point tunnels are built between group members such as R2 and R4; they all use the common SA distributed by GDOI.
crypto gdoi group Our-GETVPN
identity number 6783
server address ipv4 5.5.5.5
exit
crypto map GETVPN-MAP 10 gdoi
set group Our-GETVPN
exit
interface e0/0
crypto map GETVPN-MAP
ip tcp adjust-mss 1360
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
end
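Before running the verification commands, it is worth checking that the KS and GM configs agree on the values GETVPN depends on: the group identity, the KS address, the KEK (rekey) lifetime outliving the TEK (IPsec SA) lifetime, and a symmetric TEK ACL (every GM uses the same SA in both directions). The script below is an added example, not part of the original post; it audits constructed excerpts of the R5 and R1 configs above (the excerpts, the `audit` function and its check names are assumptions, not device output).

```python
import re

# Constructed excerpts (assumption) of the R5 KS and R1 GM configs on this page, not
# output pulled from a live device; nesting is shown by indentation as IOS prints it.
KS = """crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec profile GDOI-Profile
 set security-association lifetime seconds 300
crypto gdoi group Our-GETVPN
 identity number 6783
 server local
  address ipv4 5.5.5.5
  rekey lifetime seconds 600
  sa ipsec 1
   match address ipv4 101
ip access-list extended 101
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""
GM = """crypto gdoi group Our-GETVPN
 identity number 6783
 server address ipv4 5.5.5.5
"""

def grab(cfg, pattern):
    """First capture group of a line-anchored regex in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None

def audit(ks, gm):
    """Return a list of findings; an empty list means KS and GM are consistent."""
    out = []
    if grab(ks, r"identity number (\d+)") != grab(gm, r"identity number (\d+)"):
        out.append("GDOI identity number differs")
    if grab(gm, r"server address ipv4 (\S+)") != grab(ks, r"^ *address ipv4 (\S+)"):
        out.append("GM server address does not match the KS address")
    tek = int(grab(ks, r"security-association lifetime seconds (\d+)"))
    kek = int(grab(ks, r"rekey lifetime seconds (\d+)"))
    if kek <= tek:  # the KEK must outlive the TEKs it protects
        out.append("rekey (KEK) lifetime must exceed the IPsec SA (TEK) lifetime")
    acl = grab(ks, r"match address ipv4 (\d+)")
    ace = grab(ks, rf"ip access-list extended {acl}\n *permit ip (.+)$")
    if ace is None:
        out.append(f"TEK ACL {acl} is missing")
    elif ace.split()[:2] != ace.split()[2:4]:  # one SA carries both directions
        out.append("TEK ACL is not symmetric")
    if "address 0.0.0.0" in ks:  # wildcard PSK: any peer with the key can join
        out.append("warn: wildcard pre-shared key accepts any peer")
    return out
```

Run against the excerpts as written, the only finding is the wildcard pre-shared key; mutate an identity number or lifetime in `KS` or `GM` to see the other checks fire.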
! R5
crypto gdoi ks rekey replace-now
show crypto gdoi
show crypto gdoi ks policy
show crypto gdoi ks acl
show crypto gdoi ks rekey
show crypto gdoi ks member
! R1
show crypto isakmp sa
show crypto isakmp sa detail
show crypto session
show crypto gdoi
show crypto gdoi gm rekey
To check the hit count of encrypted traffic:
show crypto engine connections active
show crypto ipsec sa
ping 10.2.2.2 source 10.1.1.1 repeat 123
show crypto engine connections active
show crypto gdoi group Our-GETVPN