An excellent Cisco resource that I found very useful in preparing for this lab was:
https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
The Topology:
The Requirements:
1. All router interfaces must be configured using the IP scheme from the topology diagram.
2. You must run the RIP protocol between all routers and no other routing protocol.
- Advertise all your connected networks
- R2 must run RIP version 2
- All other routers must run RIP version 1 and should see R2's loopback with its real mask
3. You must have routes representing all the subnets (classful or better) from the topology in all your routing tables.
4. Configure GET VPN between all routers' WAN interfaces
- R1 must be the key server
5. Pings sourced from the loopbacks of the group members to other group members must be encrypted
- All other traffic should not be encrypted.
6. You should have full reachability to all loopbacks in the topology
My Solution:
The Configs:
R1:
int fa0/0
 ip add 10.0.0.1 255.255.255.0
 no shut
int lo 1
 ip add 1.1.1.1 255.255.255.255
 no shut
router rip
 network 10.0.0.1
 network 1.1.1.1
 no auto-summary
exit

R2:
int fa0/0
 ip add 10.0.0.2 255.255.255.0
 ip rip receive version 1 2
 no shut
int lo 2
 ip add 2.2.2.2 255.255.255.255
 no shut
router rip
 network 10.0.0.2
 network 2.2.2.2
 version 2
 no auto-summary

R3:
int fa0/0
 ip add 10.0.0.3 255.255.255.0
 no shut
int lo 2
 ip add 3.3.3.3 255.255.255.255
 no shut
router rip
 network 10.0.0.3
 network 3.3.3.3
 no auto-summary

R4:
int fa0/0
 ip add 10.0.0.4 255.255.255.0
 no shut
int lo 2
 ip add 4.4.4.4 255.255.255.255
 no shut
router rip
 network 10.0.0.4
 network 4.4.4.4
 no auto-summary
GET-VPN Configs:
Key Server:
crypto key generate rsa label GETVPN_KEY modulus 1024
ip access-list extended 100
permit icmp any any
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 0.0.0.0
crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac
crypto ipsec profile GETVPN_PROFILE
set transform-set GETVPN_TRANS
crypto gdoi group GETVPN_GROUP
identity number 123
server local
rekey authentication mypubkey rsa GETVPN_KEY
rekey transport unicast
sa ipsec 1
profile GETVPN_PROFILE
match address ipv4 100
replay counter window-size 64
address ipv4 10.0.0.1
Group Members:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 10.0.0.1
crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac
crypto ipsec profile GETVPN_PROFILE
set transform-set GETVPN_TRANS
crypto gdoi group GETVPN_GROUP
identity number 123
server address ipv4 10.0.0.1
crypto map GETVPN_MAP 10 gdoi
set group GETVPN_GROUP
int fa0/0
crypto map GETVPN_MAP
exit
Verification:
foreach address {
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
} { ping $address repeat 1 source 1.1.1.1 }
! Change 'source x.x.x.x' to the loopback address of the router you run the script from
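As an added check that is not part of the original post, the Python script below models the key server's crypto ACL (access-list 100) as a GET VPN traffic selector and evaluates constructed sample flows from the topology against it, so you can see which traffic the group members will encrypt before running the pings. The Ace class, the flow list and the port numbers are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Model of a Cisco-style extended ACL entry used as a GET VPN traffic
# selector; constructed for this example, not taken from the lab write-up.
@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" = encrypt, "deny" = send in clear
    proto: str                   # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None" = None   # destination port for tcp/udp entries

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def host(ip):
    return ipaddress.IPv4Network(f"{ip}/32")  # IOS 'host x.x.x.x'

def classify(acl, proto, src, dst, dport=None):
    """First-match evaluation, as IOS does; unmatched traffic stays clear."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear (implicit deny)"

# The key server's policy from the lab: access-list 100 permit icmp any any
LAB_ACL = [Ace("permit", "icmp", ANY, ANY)]

# Constructed sample flows drawn from the lab topology
FLOWS = {
    "loopback ping R1->R2":     ("icmp", "1.1.1.1", "2.2.2.2", None),
    "WAN ping R1->R3":          ("icmp", "10.0.0.1", "10.0.0.3", None),
    "RIPv1 broadcast from R3":  ("udp", "10.0.0.3", "255.255.255.255", 520),
    "RIPv2 multicast from R2":  ("udp", "10.0.0.2", "224.0.0.9", 520),
    "GDOI registration R3->KS": ("udp", "10.0.0.3", "10.0.0.1", 848),
}

def report(acl=LAB_ACL):
    return {name: classify(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:26s} {verdict}")
```

With the lab ACL, loopback-sourced pings are encrypted, but so is ICMP between the WAN addresses, while RIP and the GDOI registration (UDP 848) stay in the clear; pass a list of host-to-host entries built with host() to report() to compare a tighter policy.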