That's right, I'm going to do what most men would never attempt, what most people would deem impossible. I will configure GET VPN in 28 minutes or less. This will consist of 1 KS and 2 GMs using the following topology.
My friends always told me "Joe, you're an animal. One day you're going to try and configure something that will send you right over the edge." Well, I say bring it on. GET VPN is great and I want to tame the beast and use it in my battle against the stuff I tend to have to battle sometimes. The networking world is serious business and only the true gladiators can thrive in it.
Now let's get back to reality. I didn't really configure it in 28 minutes. I'm not sure how long it took me because I wasn't timing myself. I did, however, successfully configure GET VPN in my own scenario. I'm starting to like GET VPN a bit more. I understand how it works, but now I just need to remember exactly what to configure. This is actually pretty easy stuff. I did my configuration using GNS3 and another handy little app called Process Lasso. My laptop seems to manage great with it. The GET VPN setup worked without a hitch. Here is the config:
Key Server Config
1. Configure the phase 1 policy
crypto isakmp policy 10
auth pre-share
encry 3des
hash md5
group 2
2. Configure pre-shared keys for all group members
crypto isakmp key cisco address 192.168.0.2
crypto isakmp key cisco address 192.168.3.1
3. Configure the IPsec transform set and profile
crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
crypto ipsec profile ipsec_gdoi_profile
set transform-set trans_gdoi
4. Configure the match ACL. This should be as generic as possible to ensure you cover all of the GMs (100-entry limit).
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.12.0 0.0.0.255
5. Configure GDOI Group
crypto key gen rsa general-keys label getvpn_rekey mod 1024 exportable
! The RSA key generated above signs rekey messages (KEK)
! Below is the key server GDOI group config
crypto gdoi group group_getvpn
identity number 1111
server local
rekey transport unicast
rekey authentication mypubkey rsa getvpn_rekey
sa ipsec 1
profile ipsec_gdoi_profile
match address ipv4 100
address ipv4 192.168.0.1
Group Member Config
1. Configure the phase 1 policy
crypto isakmp policy 10
auth pre-share
encry 3des
hash md5
group 2
2. Configure pre-shared keys for all key servers (group members only need to form phase 1 with the KS)
crypto isakmp key cisco address 192.168.0.1
3. Configure GDOI Group
crypto gdoi group group_getvpn
identity number 1111
server address ipv4 192.168.0.1
4. Apply the GDOI group to a crypto map and the crypto map to the interface
crypto map map_getvpn 10 gdoi
set group group_getvpn
!
interface fa0/0
crypto map map_getvpn
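The configuration above uses 3DES, MD5, DH group 2, a 1024-bit rekey key and the pre-shared key "cisco" on every peer. The following is a hardened key server equivalent, added here as an example and not part of the original post; it assumes IOS 15.x syntax for the sha256/aes keywords, and the group members' ISAKMP policy 10 and their pre-shared key must be changed to match.

```ios
! Key server: hardened version of the phase 1 policy above (assumed IOS 15.x syntax)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One distinct, long random pre-shared key per group member instead of "cisco" everywhere
! (<...> are placeholders, not real keys)
crypto isakmp key <GM1-LONG-RANDOM-PSK> address 192.168.0.2
crypto isakmp key <GM2-LONG-RANDOM-PSK> address 192.168.3.1
!
! AES-256 with SHA-256 integrity instead of 3DES/SHA-1 for the traffic encryption key (TEK)
crypto ipsec transform-set trans_gdoi esp-aes 256 esp-sha256-hmac
crypto ipsec profile ipsec_gdoi_profile
 set transform-set trans_gdoi
!
! 2048-bit RSA key for signing rekeys (KEK); only add "exportable" when a
! cooperative KS needs to import the same key
crypto key generate rsa general-keys label getvpn_rekey modulus 2048
!
! Same match ACL as in the post
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.12.0 0.0.0.255
!
crypto gdoi group group_getvpn
 identity number 1111
 server local
  rekey transport unicast
  rekey authentication mypubkey rsa getvpn_rekey
  sa ipsec 1
   profile ipsec_gdoi_profile
   match address ipv4 100
   ! time-based anti-replay, matching the "Time/5 sec" shown in the verification output
   replay time window-size 5
  address ipv4 192.168.0.1
```

After the change, "sh crypto isakmp sa" on a GM should still show a GDOI_IDLE SA to the KS, and "sh crypto gdoi ipsec sa" should list the AES transform instead of 3DES.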
That's it. Since GET VPN preserves the original IP header, you only need to make sure the traffic defined by your match ACL is routed correctly to the other group members. GET VPN inserts the ESP header and encrypts the payload while keeping the original IP header intact. Here are some show commands you can use to verify:
GROUP MEMBER:
Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.0.1     192.168.3.1     GDOI_IDLE         1001    0 ACTIVE
Router#sh cry gdoi ipsec sa
SA created for group group_GETVPN:
FastEthernet0/0:
protocol = ip
local ident = 192.168.12.0/24, port = 0
remote ident = 192.168.12.0/24, port = 0
direction: Both, replay(method/window): Time/5 sec
Router#
Router#sh crypto gdoi gm
Group Member Information For Group group_GETVPN:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_group_GETVPN_temp_acl
Re-register
Remaining time : 3398 secs
KEY SERVER:
Router#sh cry gdoi ks
Total group members registered to this box: 1
Key Server Information For Group group_GETVPN:
Group Name : group_GETVPN
Group Identity : 111
Group Members : 1
IPSec SA Direction : Both
ACL Configured:
access-list 100
Router#