Simplified Networking

GETVPN - Cooperative Key Server and Group Member Unicast Setup w/ PSK

This lab example adds a second key server for redundancy, a design Cisco calls "cooperative" (COOP) key servers. The name fits: both key servers work together, or cooperate. They carry essentially the same phase 1 (ISAKMP) and phase 2 (IPsec) policy configuration and share one RSA key pair, which is what signs the rekey messages (rekey authentication mypubkey rsa GETVPN below), so group members accept rekeys from either server. The RSA key pair must be generated as exportable; it can then be exported and imported manually through the terminal, as shown here, or moved via TFTP/FTP.

IOSv15 (primary KS)
IOSv15#show crypto key mypubkey rsa
% Key pair was generated at: 05:08:09 UTC Dec 9 2019
Key name: GETVPN
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
% Key pair was generated at: 22:10:58 UTC Dec 13 2019
Key name: GETVPN.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key

IOSv15(config)#crypto key export rsa GETVPN pem terminal 3des cisco1234
% Key name: GETVPN
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,94A552555A037C25
-----END RSA PRIVATE KEY-----

ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 permit ip any any
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN 
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.15.15
  redundancy
   local priority 255
   peer address ipv4 10.1.14.14
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP

IOSv14 (secondary KS)
IOSv14(config)#crypto key import rsa GETVPN terminal cisco1234
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY----- 
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,94A552555A037C25
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

%SSH-5-ENABLED: SSH 1.99 has been enabled

ip access-list extended GETVPN
 deny   udp any any eq 848
 deny   udp any eq 848 any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 permit ip any any
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 10
   profile DMVPN
   match address ipv4 GETVPN
   replay counter window-size 64
   no tag
  address ipv4 10.1.14.14
  redundancy
   local priority 110
   peer address ipv4 10.1.15.15
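The cooperative design described at the top of the page only works if both key servers carry the same policy and point at each other. The script below is an added consistency check, not part of the original lab: it re-types the two KS configurations above as a constructed template, then reports any shared policy line that differs between the pair, peer addresses that do not reference each other, equal priorities, and the legacy 3DES/MD5/group 5 settings the lab policy still uses.

```python
import re

# Constructed from the lab: the shared part of the two KS configs is identical,
# only the local address, priority and peer address differ between them.
KS_TEMPLATE = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
crypto gdoi group GETVPNGROUP
 identity number 100
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  address ipv4 {addr}
  redundancy
   local priority {prio}
   peer address ipv4 {peer}
"""
KS15 = KS_TEMPLATE.format(addr="10.1.15.15", prio=255, peer="10.1.14.14")
KS14 = KS_TEMPLATE.format(addr="10.1.14.14", prio=110, peer="10.1.15.15")
WEAK = ("3des", "md5", "group 5")  # legacy algorithms in the lab policy, reported for review

def parse_ks(cfg):
    """Return (KS-specific fields, frozenset of shared policy lines) for one KS."""
    local, policy = {}, []
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.fullmatch(r"(address ipv4|local priority|peer address ipv4) (\S+)", line)
        if m:
            local[m.group(1)] = m.group(2)
        elif line and line != "!":
            policy.append(line)
    return local, frozenset(policy)

def check_coop(cfg_a, cfg_b):
    """Return findings that would stop the two KS from cooperating cleanly."""
    a, pol_a = parse_ks(cfg_a)
    b, pol_b = parse_ks(cfg_b)
    # Any line present on only one KS breaks the "same P1/P2 policy" requirement.
    findings = [f"policy mismatch: {l}" for l in sorted(pol_a ^ pol_b)]
    if (a.get("peer address ipv4"), b.get("peer address ipv4")) != \
            (b.get("address ipv4"), a.get("address ipv4")):
        findings.append("peer addresses do not point at each other")
    if a.get("local priority") == b.get("local priority"):
        findings.append("equal priorities: primary chosen by highest address tie-break")
    findings += [f"weak algorithm: {l}" for l in sorted(pol_a & pol_b)
                 if any(w in l for w in WEAK)]
    return findings
```

For the lab pair the only findings are the four weak-algorithm lines; changing the rekey algorithm on one KS, or pointing both at the same config, produces a mismatch or peering finding instead.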

R3
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
 server address ipv4 14.14.14.14
crypto map GDOI 10 gdoi
 set group GETVPNGROUP
!
interface GigabitEthernet0/2
 crypto map GDOI

CSR1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
 server address ipv4 14.14.14.14
!
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP
!
interface GigabitEthernet3
 crypto map GDOI

CSR8
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
 server address ipv4 14.14.14.14
!
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP
!
interface GigabitEthernet3
 crypto map GDOI

CSR9
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
 server address ipv4 14.14.14.14
!
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP
!
interface GigabitEthernet3
 crypto map GDOI

CSR10
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 0.0.0.0        
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN 
!
crypto gdoi group GETVPNGROUP
 identity number 100
 server address ipv4 15.15.15.15
 server address ipv4 14.14.14.14
!
crypto map GDOI 10 gdoi 
 set group GETVPNGROUP
!
interface GigabitEthernet2
 crypto map GDOI