May 24, 2024

GET VPN configuration example



Published July 3, 2023, 3:20 p.m. by Courtney


Complete description with screenshots: http://www.certvideos.com/get-vpn-configuration-example/


Hello everyone, my name is Sam, and in this video I'm going to show you how to configure GET VPN on a Cisco router. This is the network topology I'm going to use for this demonstration: I have a key server, I have two group members, GM1 and GM2, and I have a core router that does the routing part. I have the IP addresses and the routing already set up, and all addresses in this network topology have a subnet mask of /24. So let's get started.

Now, first I'm going to hop on to the key server and I'm going to create a crypto ISAKMP policy. So I'm gonna say crypto isakmp policy 100; encryption is AES 128, authentication is pre-share, and the lifetime for this association is 3600 seconds, and I'm gonna use Diffie-Hellman group 5. OK.

Next we need to specify the address with which the tunnel is going to be formed, so I'm gonna say crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0, which means use the key cisco with all the peers.

Next I'm going to create a transform set, so let's say crypto ipsec transform-set, and let's call it trans; the algorithm is esp-aes 128 esp-sha-hmac. Exit. Next let's create an IPsec profile: crypto ipsec profile ipsec, and let's set the transform set as trans.

Next we need to create a public key which is going to be used for rekeying, that is, when the key server generates the rekey mechanism, the rekey messages, it needs to use a public key. So let's generate the public key: crypto key generate rsa label, let's call it vpnkeys, and the modulus is 1024, and let's make them exportable. OK.

And next let's create an access list that is going to allow the traffic from the 10.1.2 network to the 10.1.3 network. So I'm gonna say ip access-list extended, and let's call it GETVPN ACL, and permit the IP traffic from the 10.0.0.0 network to the 10 network on this side, so I'm gonna say 10.0.0.0 0.255.255.255. Exit.

Next we need to create a GDOI group, so I'm gonna say crypto gdoi group, and let's call it gdoi, and the identity number for this group is 1234. The server is local, and the rekey algorithm for this is going to be AES 256, rekey lifetime is seconds, that is 600, and rekey authentication mypubkey rsa, the keys we just created, so vpnkeys. Excellent. And finally I'm going to say rekey transport is going to be unicast, so I'm gonna use the unicast transport protocol for rekeying.

Next we need to create an IPsec profile, IPsec security association, so I'm gonna say sa ipsec, number 10, and the IPsec profile for this is going to be profile ipsec, this is already created, and we're gonna match the access list: match address ipv4 GETVPN ACL. Next I need to specify the address of the server: address ipv4 192.168.1.2, which is here, the key server. OK, that's it.

Next step, we need to create a crypto map, so crypto map, and let's call it crypto, sequence number 10, and the type is gdoi, and let's set the group as gdoi, which has already been created. I just created it, yep. OK, and now we need to apply this crypto map on to an interface, so I'm gonna say this interface, serial 0/0, which is here, and crypto map crypto. Exit.

Now you can see the key server is up and running, so we can hop onto the group member, group member 1, and start configuring it. And I'm just going to copy the configuration from here: do show run section crypto isakmp, and paste it there. OK, there you see, this is the ISAKMP policy; we can just copy and paste it there. Great. And I'm gonna say crypto isakmp key 0 cisco, and the address is the address of the key server, 192.168.1.2, which is here. OK.

Next I need to create a GDOI group, so crypto gdoi group, let's call it gdoi, and the server IP address is server address ipv4 192.168.1.2, and the identity number is 1234. Next let's create a crypto map: crypto map, let's call it crypto, sequence number 10, type gdoi, and let's set the group as gdoi, which is, yep. OK. Next we just need to apply this on an interface: interface serial 0, which is here, and the crypto map crypto. So that's it. You can see: start registration to key server 192.168.1.2, registration completed.

OK, now let's copy the same configuration onto group member 2, so I'm just going to say do show run and, yep, this is what I want. You can just copy the whole thing and paste it on to group member 2. OK, great. And you can copy even this, and this. OK, just paste it. Great. Now finally I'm just going to apply this on the interface which is here: interface serial 0/0, crypto map crypto. You can see: start registration, registration completed.

OK, let's hop on to group member 1 and see if we have a tunnel up and running: show crypto isakmp security association. Yep. And finally let's see if we are having the packets encrypted: show crypto ipsec sa. Now you can see the packets are not being encrypted; the reason behind it is there is no traffic to encrypt. So let's have some traffic. I'm going to hop on to host 1, which is this host, and I'm gonna ping this host, 10.1.3.2, so let's say ping 10.1.3.2, and let's hop on to the group member and see if we have some encryption going on: show crypto ipsec. OK, there you see, packets are being encrypted. So that is basically how you configure GET VPN on a Cisco router. Thank you for watching.
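Added example, not part of the video transcript: a small audit of the key-server settings narrated above, flagging the parameters that fall below a common hardening baseline (DH groups 1, 2 and 5, RSA moduli under 2048 bits, exportable RSA keys, a pre-shared key bound to the wildcard address) and tracing the short key to the rekey signature. The configuration text is reconstructed from the narration with assumed spellings for the names, and the `audit` helper, its thresholds and its finding labels are hypothetical.

```python
import re

# Constructed sample: key-server commands as narrated in the transcript,
# with normalised spellings for the names (an assumption).
KEY_SERVER_CONFIG = """\
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 lifetime 3600
 group 5
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto key generate rsa label vpnkeys modulus 1024 exportable
crypto gdoi group gdoi
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa vpnkeys
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups


def audit(config):
    """Return a list of findings for weak key-server settings."""
    findings, short_keys, in_policy = [], set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # new top-level command
            in_policy = line.startswith("crypto isakmp policy")
        m = re.fullmatch(r"group (\d+)", line)
        if in_policy and m and m.group(1) in WEAK_DH_GROUPS:
            findings.append("weak-dh-group:" + m.group(1))
        if re.match(r"crypto isakmp key .+ address 0\.0\.0\.0\b", line):
            findings.append("wildcard-psk")
        m = re.match(r"crypto key generate rsa .*label (\S+) .*modulus (\d+)", line)
        if m and int(m.group(2)) < 2048:
            short_keys.add(m.group(1))
            findings.append("short-rsa-modulus:" + m.group(2))
        if m and re.search(r"\bexportable\b", line):
            findings.append("exportable-rsa-key:" + m.group(1))
        m = re.fullmatch(r"rekey authentication mypubkey rsa (\S+)", line)
        if m and m.group(1) in short_keys:
            findings.append("rekey-signed-with-short-key:" + m.group(1))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(KEY_SERVER_CONFIG)))
```

On the group members the pre-shared key is already bound to the key server's address (192.168.1.2), so only the key server's wildcard entry is reported.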
