GNS3: Cisco GETVPN Configuration, KS Behind Firewall


Cisco Group Encrypted Transport VPN eliminates the need for compromise between network intelligence and data privacy in private WAN environments. Service providers can finally offer managed encryption without a provisioning and management nightmare, since GET VPN simplifies the provisioning and management of VPN. GET VPN defines a new category of VPN, one that does not use tunnels. <extracted from Cisco dot com>

This video demonstrates how to configure Cisco GETVPN on two Cisco 2600 routers. The key server (KS) sits behind a Cisco PIX firewall, while the group member (GM) is on the unprotected (outside) zone. All devices are pre-configured with basic connectivity, such as IP addresses and OSPF routing. The full running configurations of the KS, the GM and the PIX firewall are provided below. A few points to keep in mind when reading them: GDOI registration and the unicast rekeys run over UDP port 848, which is why the PIX access list OUTSIDE_IN explicitly permits UDP 848 from the GM (1.1.1.2) to the KS (2.2.2.2), while the KS-initiated rekey from inside to outside is allowed by the PIX's default higher-to-lower security policy. The KS signs rekey messages with the RSA key pair labelled GETVPN_KEY; that key pair does not appear in the running configuration and must be generated beforehand (crypto key generate rsa label GETVPN_KEY, with a modulus of your choice) or the group will not rekey. Access list 101 on the KS is the encryption policy pushed to the group members (20.20.20.0/24 to 10.10.10.0/24), and the GM itself carries no crypto ACL. Finally, the ISAKMP policy (3DES, MD5, DH group 2), the shared pre-shared key CISCO, the unencrypted passwords and the open vty lines are lab settings only.


Key Server (R0) Running Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 1.1.1.2
!
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile GETVPN_PROFILE
set transform-set t-set
!
crypto gdoi group GETVPN_GROUP
identity number 1234
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN_KEY
rekey transport unicast
sa ipsec 1
profile GETVPN_PROFILE
match address ipv4 101
replay counter window-size 64
address ipv4 2.2.2.2
!
interface Loopback0
ip address 20.20.20.1 255.255.255.0
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
ip ospf authentication-key CISCO
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
area 0 authentication
network 2.2.2.0 0.0.0.255 area 0
network 20.20.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end


Group Member (R1) Running Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 2.2.2.2
!
crypto gdoi group GETVPN_GROUP
identity number 1234
server address ipv4 2.2.2.2
!
crypto map GETVPN_MAP 1 gdoi
set group GETVPN_GROUP
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip ospf authentication-key CISCO
duplex auto
speed auto
crypto map GETVPN_MAP
!
router ospf 1
log-adjacency-changes
area 0 authentication
network 1.1.1.0 0.0.0.255 area 0
network 10.10.10.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end


PIX Firewall Running Configuration

hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
ospf authentication-key CISCO
!
interface Ethernet1
nameif inside
security-level 100
ip address 2.2.2.1 255.255.255.0
ospf authentication-key CISCO
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit udp host 1.1.1.2 eq 848 host 2.2.2.2 eq 848
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router ospf 1
network 1.1.1.0 255.255.255.0 area 0
network 2.2.2.0 255.255.255.0 area 0
area 0 authentication
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
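To make the cross-device dependencies in the three configurations above checkable offline, here is a small Python consistency checker. It is an added example, not code from the original post: it embeds trimmed copies of the KS, GM and PIX configs as constructed sample input and verifies that the GDOI identity numbers match, that the GM's server address is the KS's own GDOI address, that each router holds an ISAKMP pre-shared key for the other's peer address, that the PIX access list bound inbound on the outside interface permits UDP 848 (the GDOI port) from the GM to the KS, and that the ISAKMP policy is not built from weak algorithms. The check names, the "weak algorithm" sets and the check_lab/pix_permits_udp function names are my own choices; the UDP 848 port number is the GDOI protocol fact the page's PIX access list relies on.

```python
# Added example, not from the original post: offline consistency checker for the
# GETVPN lab on this page (KS behind a PIX, GM outside).
import re

# Constructed sample input: the lines the checker reads, copied from the page.
KS_CFG = """\
crypto isakmp key CISCO address 1.1.1.2
crypto gdoi group GETVPN_GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN_KEY
  address ipv4 2.2.2.2
"""
GM_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key CISCO address 2.2.2.2
crypto gdoi group GETVPN_GROUP
 identity number 1234
 server address ipv4 2.2.2.2
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map GETVPN_MAP
"""
PIX_CFG = """\
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit udp host 1.1.1.2 eq 848 host 2.2.2.2 eq 848
access-group OUTSIDE_IN in interface outside
"""

GDOI_PORT = 848  # GDOI registration and unicast rekey both ride on UDP/848
WEAK_ENCR, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5", "sha"}, {"1", "2", "5"}

def _first(pattern, cfg):
    """First capture group of a multi-line regex over a config text, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def isakmp_keys(cfg):
    """Map ISAKMP peer address -> pre-shared key."""
    return {peer: key for key, peer in
            re.findall(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)}

def _endpoint(toks):
    """Parse 'any' | 'host X' plus optional 'eq N'; return (addr, port, rest)."""
    if toks[0] == "any":
        addr, toks = None, toks[1:]
    elif toks[0] == "host":
        addr, toks = toks[1], toks[2:]
    else:
        raise ValueError("only any/host endpoints are handled in this example")
    if toks and toks[0] == "eq":
        return addr, int(toks[1]), toks[2:]
    return addr, None, toks

def pix_permits_udp(cfg, src, dst, port):
    """True if the ACL bound inbound on 'outside' permits UDP src:port -> dst:port."""
    acl = _first(r"^access-group (\S+) in interface outside", cfg)
    for line in cfg.splitlines():
        if acl is None or not line.startswith(f"access-list {acl} extended permit udp "):
            continue
        try:
            s, sp, rest = _endpoint(line.split()[5:])  # tokens after 'permit udp'
            d, dp, _ = _endpoint(rest)
        except (ValueError, IndexError):
            continue  # subnet-form entries are skipped, never matched
        if s in (None, src) and d in (None, dst) and sp in (None, port) and dp in (None, port):
            return True
    return False

def check_lab(ks=KS_CFG, gm=GM_CFG, pix=PIX_CFG):
    """Run the cross-device checks; returns ({check_name: bool}, [advisory strings])."""
    ks_addr = _first(r"^\s+address ipv4 (\S+)", ks)           # KS address under 'server local'
    gm_server = _first(r"^\s+server address ipv4 (\S+)", gm)  # where the GM registers
    gm_addr = _first(r"^ ip address (\S+) \S+\n(?: .*\n)* crypto map", gm)  # GM crypto-map interface
    ks_keys, gm_keys = isakmp_keys(ks), isakmp_keys(gm)
    pol = {k: _first(rf"^\s+{k} (\S+)", gm) for k in ("encr", "hash", "group")}
    results = {
        "identity_match": _first(r"identity number (\d+)", ks) == _first(r"identity number (\d+)", gm),
        "gm_points_at_ks": gm_server is not None and gm_server == ks_addr,
        "psk_cross_referenced": gm_addr in ks_keys and ks_addr in gm_keys
                                and ks_keys[gm_addr] == gm_keys[ks_addr],
        "firewall_permits_gdoi": pix_permits_udp(pix, gm_addr, ks_addr, GDOI_PORT),
        "isakmp_policy_strong": not (pol["encr"] in WEAK_ENCR or pol["hash"] in WEAK_HASH
                                     or pol["group"] in WEAK_DH),
    }
    advisories = []
    label = _first(r"rekey authentication mypubkey rsa (\S+)", ks)
    if label:  # the RSA pair is never shown in a running config, so it can only be flagged
        advisories.append(f"KS signs rekeys with RSA key pair '{label}', which is not in the running "
                          f"config: generate it first (crypto key generate rsa label {label} ...)")
    return results, advisories
```

Run as a script it can be imported and check_lab() called; against the configs on this page the four wiring checks pass, isakmp_policy_strong is False because of 3DES/MD5/group 2, and the advisory reminds you that GETVPN_KEY has to exist on the KS before the first rekey.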
