Get vpn multicast for CCIE Security
Download as PPTX, PDF0 likes77 views
The document outlines the setup and configuration of GETVPN for multicast, focusing on the key components such as key management and group member configurations. It details step-by-step implementation for Key Server (KS), Internet Service Provider (ISP), and Group Member (GM) setups along with necessary commands. The document also includes testing procedures for validating VPN and GDOI group statuses.
Get vpn multicast for CCIE Security
- 1. GET VPN -Multicast Dhruv Sharma 6/30/2021
- 2. Introduction In this session we will review below points: • Building blocks in setting up GETVPN for Multicast • Review the implementation steps on KS and Group members • Lab fun 6/30/2021
- 4. Introduction • In Ipsec VPN where new IP Address were added along with the outer header as shown below, in tunnel mode. • With GET VPN it ensure the private address is preserved. Which makes GET VPN, usable only on the private LAN. We cannot use Transport Mode as it might cause fragmentation errors. 6/30/2021
- 5. Introduction • Two Types of Keys: • KEK ( Key Encryption Key) • TEK (Traffic Encryption Key) • When the lifetime expires, we can configure our VPN to send rekey messages in either unicast ( with acknowledgement) or multicast mode ( no acknowledgement). 6/30/2021
- 7. KS configuration – Step 1 • VPN Configuration crypto isakmp policy 1 encr aes authentication pre-share group 2 crypto isakmp key cisco address 0.0.0.0 ! crypto ipsec transform-set ra-set esp-aes esp-sha-hmac mode tunnel ! ip access-list extended babi permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 ! crypto ipsec profile key1-profile set transform-set ra-set 6/30/2021
- 8. KS configuration – step 2 • Multicast configuration ! ip multicast-routing distributed ! interface GigabitEthernet1 ip address 11.11.11.1 255.0.0.0 ip pim dense-mode negotiation auto ! ip access-list extended multi permit ip host 11.11.11.1 host 239.1.1.1 ! 6/30/2021
- 9. KS configuration – step 3 • GDOI Configuration ! crypto gdoi group dhruv identity number 123 server local rekey address ipv4 multi rekey authentication mypubkey rsa rsa-keys sa ipsec 10 profile key1-profile match address ipv4 babi replay counter window-size 64 no tag address ipv4 11.11.11.1 6/30/2021 Crypto key generate rsa lablel rsa-keys mod 1024
- 11. ISP Configuration • ISP Configuration ip multicast-routing distributed ! interface GigabitEthernet1 ip address 11.11.11.100 255.0.0.0 ip pim dense-mode negotiation auto ! interface GigabitEthernet2 ip address 12.12.12.100 255.0.0.0 ip pim dense-mode negotiation auto ! interface GigabitEthernet3 ip address 13.13.13.100 255.0.0.0 ip pim dense-mode negotiation auto ! 6/30/2021
- 13. GM Configuration Step 1 • VPN Configuration crypto isakmp policy 1 encr aes authentication pre-share group 2 crypto isakmp key cisco address 11.11.11.1 ! crypto ipsec transform-set cow-set esp-aes esp-sha-hmac mode tunnel ! 6/30/2021
- 14. GM Configuration Step 2 • Multicast Configuration ip multicast-routing distributed ! interface GigabitEthernet1 ip address 12.12.12.1 255.0.0.0 ip pim dense-mode ip igmp join-group 239.1.1.1 negotiation auto ! 6/30/2021
- 15. GM Configuration Step 3 • GDOI Configuration ! crypto gdoi group gm1 identity number 123 server address ipv4 11.11.11.1 crypto map crypto 10 gdoi set group gm1 ! interface GigabitEthernet1 crypto map crypto 6/30/2021
- 18. Testing • Gdoi group status 6/30/2021
- 22. 6/30/2021