Cisco Group Encrypted Transport VPN

GET VPN is a Cisco solution to encrypt the traffic across private WAN. In recent years government regulations, such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry Data Security Standard (PCI DSS), mandate encryption even over private IP networks. GET VPN is common deployed over private WAN topologies such as MPLS VPN.

Cisco IOS offers several IP security (IPsec) tunnel-based encryption solutions (for example, Site to Site IPsec, IPsec/GRE, and Dynamic Multipoint VPN (DMVPN) that can be deployed over an MPLS VPN, VPLS or shared IP networks. Traditional tunnel-based encryption solutions are point-to-point.

GET VPN uses IPSec to encrypt the traffic but the main concept of GET VPN is to use group security association (SA) as opposed to the standard LAN to LAN tunnels where the SA is created in a point to point fashion.

Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data.

GET VPN provides a tunnel-less VPN solution. It is tunnel-less as it retains the original IP header of the packet and encrypts only the data payload. To retain the original IP header, the original header is copied and placed before the IPSEC header. GET VPN does not rely on a point-to-point VPN mechanism and can further expand with the capability of scaling any-to-any intersite VPN connectivity. It takes advantage of underlying IP VPN routing infrastructure and does not require an overlay routing control plane.

Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. The CE router acts as a GM. In GET VPN networks, there is no need to negotiate point-to- point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

GET VPN Comparison

GET VPN Components

Group Domain of Interpretation – GDOI

The GDOI group key management protocol is used to provide a set of cryptographic keys and policies to a group of devices. In a GET VPN network, GDOI is used to distribute common IPsec keys to a group of enterprise VPN gateways that must communicate securely. These keys are periodically refreshed and are updated on all the VPN gateways using a process called “rekey.” GDOI protocol uses UDP port 848. GDOI is documented in RFC3547.

The GDOI protocol is protected by a Phase 1 Internet Key Exchange (IKE) SA. The participating VPN gateways authenticate themselves to the device providing keys using IKE. Authentication can be performed with a pre-shared key (PSK) or through a public key infrastructure (PKI). After the VPN gateways have been authenticated and provided with the appropriate security keys via the IKE SA, the IKE SA will expire and GDOI is then used to update the GMs in a more scalable and efficient manner.

Key Server – KS

A key server (KS) is an IOS device responsible for creating and maintaining the GET VPN control plane. All encryption policies, such as interesting traffic, encryption protocols, security association, rekey timers, and so on, are centrally defined on the KS and are pushed down to all GMs at registration time. The KS sends two types of keys:

1. Traffic Encryption Key – TEK
2. Key Encryption Key – KEK

The TEK becomes the IPsec SA, which is used to communicate with group members within the same group.

The KEK is used to encrypt the rekey messages and is used by the group members (GMs) to decrypt the incoming rekey messages from the key server (KS).

Cooperative Key Servers – COOP KSs

The KS is the most important entity in the GET VPN network because the KS maintains the control plane. Therefore, a single KS is a single point of failure for an entire GET VPN network. Because redundancy is an important consideration for KSs, GET VPN supports multiple KSs, called cooperative (COOP) KSs, to ensure seamless fault recovery if a KS fails or becomes unreachable.

A GM can be configured to register to any available KS from a list of all COOP KSs. GM configuration determines the registration order. The KS defined first is contacted first, followed by the second defined KS, and so on.

When COOP KSs boot, all KSs assume a “secondary” role and begin an election process. One KS, typically the one having the highest priority, is elected as a “primary” KS. The other KSs remain in the secondary state. The primary KS is responsible for creating and distributing group policies to all GMs, and to periodically synchronize the COOP KSs.

Group Member – GM

The group member (GM) is the router that registers with the key server (KS) to get the IPsec SA to communicate with other devices in the group.

Group SA

Unlike traditional IPsec encryption solutions, GET VPN uses the concept of group SA. All members in the GET VPN group can communicate with each other using a common encryption policy and a shared SA. With a common encryption policy and a shared SA, there is no need to negotiate IPsec between GMs.

Group Member ACL

Traffic that requires encryption is statically defined on the key server (KS) through an access control list (ACL). This policy is defined for both unicast and multicast traffic. This information is sent to all authenticated group members (GMs) to create a trusted domain of communication.

It is a best practice to summarize interesting traffic to as few permit entries as possible, and to build symmetric policies. For example, an enterprise network is using subnets from a class A major IP network 10.0.0.0/8 for all LAN interfaces behind the group members. You can define one ACL permit statement “access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255” to represent all the subnets in your network.

Unicast Rekey

The KS will generate a rekey message and send multiple copies of this message, one copy to each GM. The GM will then ACK this rekey message to the KS. The ACK mechanism keeps the list of GMs at the KS current and ensures that the rekey message is only sent to active GMs.

A KS can be configured to re-transmit rekey messages to overcome reachability issues in the network. If a GM does not send an ACK for three consecutive rekey messages, the KS will remove the GM from the active GM database and stop sending rekey messages to that GM.

Multicast Rekey

In the multicast rekey process, a single copy of the rekey message is sent to a multicast group which the GMs will have joined. Each GM joins this multicast group at registration, each GM will therefore receive this rekey message.

The multicast rekey process does not have an ACK mechanism and the KS does not keep a list of active GMs. The KS can be configured to retransmit rekey messages. The CPU overhead is a lot less with multicast rekeying since only a single messages needs to be sent compared to having to replicating it in unicast mode to potentially hundreds of routers.

Multicast must be enabled in the core network for multicast rekey to work in the GET VPN control plane.

Time Based Anti-Replay

Traditional IPSec solutions have anti replay capabilities to prevent a malicious third party from capturing IPSec packets and relaying those packets at a later time to perform an attack against the IPSec endpoints. This is normally done by having a counter based sliding window where the sender sends a packet with a sequence number and the receiver will use the sliding window to determine if the packet is acceptable or if it has arrived out of sequence and outside the window of acceptable packets.

This mechanism is not useful in GET VPN because it uses a group SA. GET VPN therefore uses a time based anti replay function where the KS uses a pseudo time clock. Because the KS uses a pseudo time clock, there is no need to synchronize the time with NTP for this reason.

The primary KS will keep this pseudo time synchronized on all GMs with rekey updates. Every GM will include its pseudo time as a time stamp in the data packets. The receiving VPN gateway will then compare the time stamp of the received packet with the GM reference pseudo time clock it maintains for the group. If the packet is too late it will be dropped.

How GET VPN works

• GET VPN uses the keying protocol GDOI combined with IPsec standards encryption to encrypt and decrypt the packets, thereby providing an efficient mechanism to secure native (non-tunneled) IP unicast and multicast traffic.
• Each group member (GM) sends  a registration request to the key server (KS). Using the GDOI protocol, the key server authenticates and authorizes the group member and sends the IPsec policy and the keys, which are required  to encrypt and decrypt IP unicast and multicast packets.
• After the group member is registered with the IPsec SA, and upon receiving the respective keys, group members can directly exchange encrypted IP unicast and multicast packets with each other, bypassing the key server.
• As needed, the key server sends a rekey message to all the group members within the group. The rekey message contains the new IPsec policy and keys that are used when the outdated IPsec SA expires.

Implementing Cisco GET VPN

We will use following topology for GET VPN implementation.

Configurations

MPLS Provider Network Configuration

R1 - PE Router

hostname R1
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.15.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.16.1 255.255.255.0
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 100
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.16.6 remote-as 65001
  neighbor 172.16.16.6 activate
  neighbor 172.16.16.6 as-override
 exit-address-family
!

R2 - PE Router

hostname R2
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.25.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.27.2 255.255.255.0
!
router ospf 1
 router-id 10.1.0.2
!
router bgp 100
 bgp router-id 10.1.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.27.7 remote-as 65001
  neighbor 172.16.27.7 activate
  neighbor 172.16.27.7 as-override
 exit-address-family
!

R3 - PE Router

hostname R3
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.35.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.38.3 255.255.255.0
!
router ospf 1
 router-id 10.1.0.3
!
router bgp 100
 bgp router-id 10.1.0.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.38.8 remote-as 65001
  neighbor 172.16.38.8 activate
  neighbor 172.16.38.8 as-override
 exit-address-family
!

R4 - PE Router

hostname R4
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.45.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.49.4 255.255.255.0
!
router ospf 1
 router-id 10.1.0.4
!
router bgp 100
 bgp router-id 10.1.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.49.9 remote-as 65001
  neighbor 172.16.49.9 activate
  neighbor 172.16.49.9 as-override
 exit-address-family
!

R5 - P Router

hostname R5
!
ip cef
!
interface Loopback0
 ip address 10.1.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.15.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.1.25.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 ip address 10.1.35.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/1
 ip address 10.1.45.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.1.0.5
!
router bgp 100
 bgp router-id 10.1.0.5
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor PE-ROUTERS peer-group
 neighbor PE-ROUTERS remote-as 100
 neighbor PE-ROUTERS update-source Loopback0
 neighbor 10.1.0.1 peer-group PE-ROUTERS
 neighbor 10.1.0.2 peer-group PE-ROUTERS
 neighbor 10.1.0.3 peer-group PE-ROUTERS
 neighbor 10.1.0.4 peer-group PE-ROUTERS
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor PE-ROUTERS send-community extended
  neighbor PE-ROUTERS route-reflector-client
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.3 activate
  neighbor 10.1.0.4 activate
 exit-address-family
!

Customer Sites Configuration

We need to generate RSA key before key server (KS) configurations. RSA keys must be generated on any KS. All KSs must share the same keys, so these keys must be generated with an “exportable” tag. The keys are then imported on the remaining KSs. These keys do not need to be imported on the GMs.

!! -- Generate RSA key on Primary Key Server Router R10 -- !!

R10-Primary-KS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R10-Primary-KS(config)#crypto key generate rsa general-keys label getvpn-export-general modulus 1024 exportable        
The name for the keys will be: getvpn-export-general

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)

R10-Primary-KS(config)#

!! -- Export this key to the terminal -- !!

R10-Primary-KS(config)#crypto key export rsa getvpn-export-general pem terminal 3des myrsakeypasswd
% Key name: getvpn-export-general
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0W2WX/cvI41mAJ+AbDgOMpRbi
l6FPtOIiw6SDYa3z4GixsYqem5pt7SLk/spxLeHFNsYaD7XqzRAj/hmDWpfrHOmE
IANfiCwfhnh4/Ep1a0+dBKCqK7C90qtQQswdDJfdX8Eunbp93E73caSws4Qkpwqs
iEigKWoAauIvFlDV6QIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DAAC1EB9DAA8FA6D

HqkzonxyuD6bXNJZD6+Zblyscwuvbfskhs9mLnYo1CflKMUxHv1XU/5Ctdvmirp2
AVzlWFgR/FFriVYofQoT1BbCtoCJXsT4nPbF07K/rsBsP7HXX0UEsh6zx/Tagv6Q
EBOjk15Tfx+yP3twIpK7jN3hp/81Yjybg+hDV2sfVElqpVShHr8HrAqpiQdtuQiC
MNUtC3/GJy95CO0Wpg/qAKknG4H/wEQqG4wXU0yZ8qUE71xlO7p9Z2GqGMjcRmwZ
ADsIKvGBwNQSg77VZ+Bq2zYLosThz63r1kn7oVxt2dU4wNSpu3CvcAlVhxf7TJoW
mKCr7H99Yk8upFH6Nh+HUG6+BhFZEkkDOjIU1CJeFFO1qEToQA1U4ue0OMt0IQnU
KMA+1IfNCIoH05L4+x2TRHu+uEk1tgu5smU+QmJYSwn6drj74poXsuRcJgNs4VWO
0B7phKvaoXXUdkXiyaOMgHacnnCHL8LEzmp6BzVUbDCbBtYomeaFCI6B7BaOvwDv
sr1Z85xgynXhm1vGWJNd45Lk7+SSVaOp6qp/IIAcFTbA1OfqtWayMMcDHRsc1m3O
iyn5fa4AUlx6smkhkBe7lh1FCQh+C1DrZdrKVWmo7iuDfAxdC6IW+XiUW1gwlnKd
taw4Fy+AALlhMc/pKHqx2WVX1s6SAWgxwhsjxbFIZXSDdRfhkLdl9QAd6G0zVsBq
U7J1rPwZ1dMtZTDfyj/KSl2DbPpv90vJYGHMcU+h49XfBNF2QsizIkx8mjegmX0O
+ep0LsrsqV5XnMeotYzCTPNmb6PoE/fN+YdhzjWJHmTOt6HAdhRsKw==
-----END RSA PRIVATE KEY-----

R10-Primary-KS(config)#

!! -- Import this key using cut-and-paste -- !!
!! -- to other Key Server (KS) Router R11 -- !!

R11-Backup-KS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R11-Backup-KS(config)#crypto key import rsa getvpn-export-general pem exportable terminal myrsakeypasswd    
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0W2WX/cvI41mAJ+AbDgOMpRbi
l6FPtOIiw6SDYa3z4GixsYqem5pt7SLk/spxLeHFNsYaD7XqzRAj/hmDWpfrHOmE
IANfiCwfhnh4/Ep1a0+dBKCqK7C90qtQQswdDJfdX8Eunbp93E73caSws4Qkpwqs
iEigKWoAauIvFlDV6QIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DAAC1EB9DAA8FA6D

HqkzonxyuD6bXNJZD6+Zblyscwuvbfskhs9mLnYo1CflKMUxHv1XU/5Ctdvmirp2
AVzlWFgR/FFriVYofQoT1BbCtoCJXsT4nPbF07K/rsBsP7HXX0UEsh6zx/Tagv6Q
EBOjk15Tfx+yP3twIpK7jN3hp/81Yjybg+hDV2sfVElqpVShHr8HrAqpiQdtuQiC
MNUtC3/GJy95CO0Wpg/qAKknG4H/wEQqG4wXU0yZ8qUE71xlO7p9Z2GqGMjcRmwZ
ADsIKvGBwNQSg77VZ+Bq2zYLosThz63r1kn7oVxt2dU4wNSpu3CvcAlVhxf7TJoW
mKCr7H99Yk8upFH6Nh+HUG6+BhFZEkkDOjIU1CJeFFO1qEToQA1U4ue0OMt0IQnU
KMA+1IfNCIoH05L4+x2TRHu+uEk1tgu5smU+QmJYSwn6drj74poXsuRcJgNs4VWO
0B7phKvaoXXUdkXiyaOMgHacnnCHL8LEzmp6BzVUbDCbBtYomeaFCI6B7BaOvwDv
sr1Z85xgynXhm1vGWJNd45Lk7+SSVaOp6qp/IIAcFTbA1OfqtWayMMcDHRsc1m3O
iyn5fa4AUlx6smkhkBe7lh1FCQh+C1DrZdrKVWmo7iuDfAxdC6IW+XiUW1gwlnKd
taw4Fy+AALlhMc/pKHqx2WVX1s6SAWgxwhsjxbFIZXSDdRfhkLdl9QAd6G0zVsBq
U7J1rPwZ1dMtZTDfyj/KSl2DbPpv90vJYGHMcU+h49XfBNF2QsizIkx8mjegmX0O
+ep0LsrsqV5XnMeotYzCTPNmb6PoE/fN+YdhzjWJHmTOt6HAdhRsKw==
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

R11-Backup-KS(config)#

Configuration

!! -- R10 Primary Key Server Router -- !!

hostname R10-Primary-KS
!
!! -- IKE Phase 1 Configuration -- !!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!! --Defined Pre-shared key for peers network range 172.16.0.0/16--!! 
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.0.0
crypto isakmp keepalive 10 periodic     
!
!! -- Transform Set Configuration -- !!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha256-hmac 
 mode transport
!
!! -- IPsec Profile Configuration -- !!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GDOI-TRANS 
!
!! -- GDOI Group Configuration -- !!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 !! -- Local keyword identified this router as Key Server -- !!
 server local
  rekey retransmit 10 number 2
  !! -- RSA Key -- !!
  rekey authentication mypubkey rsa getvpn-export-general
  !! -- Rekeying through unicast transport -- !!
  rekey transport unicast
  sa ipsec 1
   !! -- Transform Set for Group Members -- !!
   profile GDOI-PROFILE
   !! -- Policies defining traffic to be encrypted -- !!
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 172.16.16.10
  !! -- Enable Cooperative Key Server feature -- !!
  !! -- High Priority server decides the Primary Key Server Role -- !!
  !! -- All other Key Server(s) must be configured with as peers -- !!
  redundancy
   local priority 100
   peer address ipv4 172.16.27.11
!
interface FastEthernet0/0
 ip address 172.16.16.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.16.6
!
ip access-list extended GETVPN-ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!

!! -- R11 Backup Key Server Router -- !!

hostname R11-Backup-KS
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.0.0  
crypto isakmp keepalive 10 periodic   
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha256-hmac 
 mode transport
!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GDOI-TRANS 
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 172.16.27.11
  redundancy
   local priority 75
   peer address ipv4 172.16.16.10
!
interface FastEthernet0/0
 ip address 172.16.27.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.27.7
!
ip access-list extended GETVPN-ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!

!! -- R6 CE, GET VPN Group Member Router -- !!

hostname R6-CE-GM
!
!! -- IKE Phase 1 Configuration -- !!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
!! -- Defined Pre-shared key for Key Server Routers -- !!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
!! -- GDOI Group Configuration -- !!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
!! -- Crypto MAP Configuration -- !!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
!! -- Associate Crypto MAP to the WAN Interfaces -- !!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.16.6 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.6.6 255.255.255.0
!
router bgp 65001
 bgp router-id 172.16.16.6
 bgp log-neighbor-changes
 network 192.168.0.6 mask 255.255.255.255
 network 192.168.6.0
 neighbor 172.16.16.1 remote-as 100
!

!! -- R7 CE, GET VPN Group Member Router -- !!

hostname R7-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.27.7 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.7.7 255.255.255.0
!
router bgp 65001
 bgp router-id 172.16.27.7
 bgp log-neighbor-changes
 network 192.168.0.7 mask 255.255.255.255
 network 192.168.7.0
 neighbor 172.16.27.2 remote-as 100
!

!! -- R8 CE, GET VPN Group Member Router -- !!

hostname R8-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.38.8 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.8.8 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.8.8
 bgp log-neighbor-changes
 network 192.168.8.0
 neighbor 172.16.38.3 remote-as 100
!

!! -- R9 CE, GET VPN Group Member Router -- !!

hostname R9-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.49.9 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.9.9 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.9.9
 bgp log-neighbor-changes
 network 192.168.9.0
 neighbor 172.16.49.4 remote-as 100
!

Verification and Testing

!! -- Routing on all Customer sites Routers -- !!

R6-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.16.16.0/24 is directly connected, FastEthernet0/0
L        172.16.16.6/32 is directly connected, FastEthernet0/0
B        172.16.27.0/24 [20/0] via 172.16.16.1, 09:25:04
B        172.16.38.0/24 [20/0] via 172.16.16.1, 09:25:04
B        172.16.49.0/24 [20/0] via 172.16.16.1, 09:24:55
      192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.6.0/24 is directly connected, FastEthernet0/1
L        192.168.6.6/32 is directly connected, FastEthernet0/1
B     192.168.7.0/24 [20/0] via 172.16.16.1, 09:25:04
B     192.168.8.0/24 [20/0] via 172.16.16.1, 09:25:04
B     192.168.9.0/24 [20/0] via 172.16.16.1, 09:23:48


R7-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.27.2, 09:25:25
C        172.16.27.0/24 is directly connected, FastEthernet0/0
L        172.16.27.7/32 is directly connected, FastEthernet0/0
B        172.16.38.0/24 [20/0] via 172.16.27.2, 09:25:25
B        172.16.49.0/24 [20/0] via 172.16.27.2, 09:25:16
B     192.168.6.0/24 [20/0] via 172.16.27.2, 09:25:25
      192.168.7.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.7.0/24 is directly connected, FastEthernet0/1
L        192.168.7.7/32 is directly connected, FastEthernet0/1
B     192.168.8.0/24 [20/0] via 172.16.27.2, 09:25:25
B     192.168.9.0/24 [20/0] via 172.16.27.2, 09:24:09

R8-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.38.3, 09:25:35
B        172.16.27.0/24 [20/0] via 172.16.38.3, 09:25:35
C        172.16.38.0/24 is directly connected, FastEthernet0/0
L        172.16.38.8/32 is directly connected, FastEthernet0/0
B        172.16.49.0/24 [20/0] via 172.16.38.3, 09:25:26
B     192.168.6.0/24 [20/0] via 172.16.38.3, 09:25:35
B     192.168.7.0/24 [20/0] via 172.16.38.3, 09:25:35
      192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.8.0/24 is directly connected, FastEthernet0/1
L        192.168.8.8/32 is directly connected, FastEthernet0/1
B     192.168.9.0/24 [20/0] via 172.16.38.3, 09:24:19

R9-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.49.4, 09:24:31
B        172.16.27.0/24 [20/0] via 172.16.49.4, 09:24:31
B        172.16.38.0/24 [20/0] via 172.16.49.4, 09:24:31
C        172.16.49.0/24 is directly connected, FastEthernet0/0
L        172.16.49.9/32 is directly connected, FastEthernet0/0
B     192.168.6.0/24 [20/0] via 172.16.49.4, 09:24:31
B     192.168.7.0/24 [20/0] via 172.16.49.4, 09:24:31
B     192.168.8.0/24 [20/0] via 172.16.49.4, 09:24:31
      192.168.9.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.9.0/24 is directly connected, FastEthernet0/1
L        192.168.9.9/32 is directly connected, FastEthernet0/1

R10-Primary-KS#show ip route | beg Gate
Gateway of last resort is 172.16.16.6 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.16.6
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.16.0/24 is directly connected, FastEthernet0/0
L        172.16.16.10/32 is directly connected, FastEthernet0/0

R11-Backup-KS#show ip route | beg Gate
Gateway of last resort is 172.16.27.7 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.27.7
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.27.0/24 is directly connected, FastEthernet0/0
L        172.16.27.11/32 is directly connected, FastEthernet0/0


!! -- When only Primary Key Server is configured -- !!
!! -- KS would participate in the Election with Secondary role -- !! 

*Apr 19 15:21:13.519: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:21:47.923: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:22:55.623: %GDOI-5-COOP_KS_ADD: 172.16.27.11 added as COOP Key Server in group GETVPN-GROUP.
*Apr 19 15:23:35.671: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN-GROUP (Previous Primary = NONE)

R10-Primary-KS#sh crypto gdoi ks coop 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.16.10 
        Local Priority: 100      
        Local KS Role: Secondary , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Secondary Timers: 
                Sec Primary Periodic Time: 30 
                Remaining Time: 2, Retries: 2
                Invalid ANN PST recvd: 0
                New GM Temporary Blocking Enforced?: No
                Antireplay Sequence Number: 3

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.27.11
                Peer Version: 0.0.0 
                Peer Priority: Unknown 
                Peer KS Role: Secondary , Peer KS Status: Unknown   
                Antireplay Sequence Number: 0

                IKE status: In Progress
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 3 
                    Packet Recv drops: 0 
                    Total bytes sent: 0 
                    Total bytes recv: 0
                
!! -- It keep trying to reach peer KS but we have not confiugured--!! 
!! -- Backup KS (Peer KS) so when Primary KS do not receive response!! 
!! -- from any other KS, it will become Primary and declare -- !!
!! -- Peer KS as dead -- !!

*Apr 19 15:25:05.775: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.16.10 in group GETVPN-GROUP transitioned to Primary (Previous Primary = NONE)
*Apr 19 15:25:05.815: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 172.16.27.11 Unreachable in group GETVPN-GROUP. IKE SA Status = Failed to establish.

R10-Primary-KS#sh crypto gdoi ks coop 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.16.10 
        Local Priority: 100      
        Local KS Role: Primary   , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Primary Timers: 
                Primary Refresh Policy Time: 20 
                Remaining Time: 18
                Antireplay Sequence Number: 5

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.27.11
                Peer Version: 0.0.0 
                Peer Priority: Unknown 
                Peer KS Role: Secondary , Peer KS Status: Dead      
                Antireplay Sequence Number: 0

                IKE status: In Progress
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 5 
                    Packet Recv drops: 0 
                    Total bytes sent: 0 
                    Total bytes recv: 0

!! -- When we configure Backup Key Server, it will also participate-!!
!! -- in the Election with Secondary KS Role -- !!
!! -- When It knows Primary KS with higher priority is active -- !!
!! -- It remains in the Secondary Role -- !! 

R11-Backup-KS# 
*Apr 19 15:26:17.627: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:27:24.143: %GDOI-5-COOP_KS_ADD: 172.16.16.10 added as COOP Key Server in group GETVPN-GROUP.
*Apr 19 15:27:24.183: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN-GROUP (Previous Primary = NONE)
*Apr 19 15:27:29.527: %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE: COOP_KS ANN received from KS 172.16.16.10 in group GETVPN-GROUP has PST bigger than myself. Adjust to new PST:
my_old_pst is 71 sec, peer_pst is 375 sec
*Apr 19 15:27:34.543: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.16.10 in group GETVPN-GROUP transitioned to Primary (Previous Primary = NONE)

R11-Backup-KS#sh crypto gdoi ks coop                 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.27.11 
        Local Priority: 75       
        Local KS Role: Secondary , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Secondary Timers: 
                Sec Primary Periodic Time: 30 
                Remaining Time: 27, Retries: 0
                Invalid ANN PST recvd: 0
                New GM Temporary Blocking Enforced?: No
                Antireplay Sequence Number: 1

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.16.10
                Peer Version: 1.0.4 
                Peer Priority: 100             
                Peer KS Role: Primary   , Peer KS Status: Alive     
                Antireplay Sequence Number: 42

                IKE status: Established
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 1
                    Ann msgs recv: 29 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 0 
                    Packet Recv drops: 0 
                    Total bytes sent: 152 
                    Total bytes recv: 18415

!! -- Now IKE phase-1 is UP between Primary and Backup KS -- !!

R10-Primary-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

R11-Backup-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

!! -- Verify interesting traffic ACL added into GETVPN domain -- !!

R10-Primary-KS#sh crypto gdoi ks acl 
Group Name: GETVPN-GROUP
 Configured ACL:
   access-list GETVPN-ACL  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

!! -- Verify GDOI Policy on KS, which would be pushed to the -- !!
!! -- Group Members (GM) -- !!

R10-Primary-KS#sh crypto gdoi ks policy 
Key Server Policy:
For group GETVPN-GROUP (handle: 2147483650) server 172.16.16.10 (handle: 2147483650):

  # of teks : 2  Seq num : 1
  KEK POLICY (transport type : Unicast)
    spi : 0x25C92085E5951A54B8182918A13D10B4
    management alg     : disabled    encrypt alg       : 3DES      
    crypto iv length   : 8           key size          : 24      
    orig life(sec): 86400       remaining life(sec): 79722     
    sig hash algorithm : enabled     sig key length    : 162     
    sig size           : 128       
    sig key name       : getvpn-export-general

  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xF22F8F3B
    access-list        : GETVPN-ACL
    transform          : esp-256-aes esp-sha256-hmac 
    alg key size       : 32            sig key size          : 32        
    orig life(sec)     : 7200          remaining life(sec)   : 523       
    tek life(sec)      : 7200          elapsed time(sec)     : 6677      
    override life (sec): 0             antireplay window size: 5         

          
  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xBB9CF351
    access-list        : GETVPN-ACL
    transform          : esp-256-aes esp-sha256-hmac 
    alg key size       : 32            sig key size          : 32        
    orig life(sec)     : 7200          remaining life(sec)   : 6978      
    tek life(sec)      : 7200          elapsed time(sec)     : 222       
    override life (sec): 0             antireplay window size: 5         

  Replay Value 6909.39 secs 
For group GETVPN-GROUP (handle: 2147483650) server 172.16.27.11 (handle: 2147483651):

!! -- After configuration of Group Member (GM) Router R6 -- !!
!! -- It will register to all key servers (KS) in order -- !!
!! -- of KS configuration list on GM -- !!
!! -- But GM will have ISAKMP SA only with Primary KS -- !!
!! -- and Primary KS will push the GDOI policies to GM -- !!

R6-CE-GM(config-if)#
*Apr 19 15:41:54.175: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.16.6
*Apr 19 15:41:54.191: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R6-CE-GM(config-if)#
*Apr 19 15:41:54.719: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:41:54.723: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 15:41:54.727: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 15:41:54.863: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.16.6
*Apr 19 15:41:54.883: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.16.6
R6-CE-GM(config-if)#end
R6-CE-GM#

R6-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.16.6     GDOI_IDLE         1001 ACTIVE
172.16.16.6     172.16.16.10    GDOI_REKEY        1002 ACTIVE

!! -- Similarily configure Group Member Router R7 -- !!

R7-CE-GM(config-if)#
*Apr 19 15:46:30.231: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.27.7
*Apr 19 15:46:30.247: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:46:31.643: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:46:31.647: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 15:46:31.651: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 15:46:31.851: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.27.7
*Apr 19 15:46:31.871: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.27.7

R7-CE-GM#
*Apr 19 15:46:33.451: %SYS-5-CONFIG_I: Configured from console by console
R7-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.27.7     GDOI_IDLE         1001 ACTIVE
172.16.27.7     172.16.16.10    GDOI_REKEY        1002 ACTIVE

!! -- Configure Group Member Router R8 -- !!

R8-CE-GM(config-if)#
*Apr 19 16:11:57.187: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.38.8
R8-CE-GM(config-if)#end
R8-CE-GM#
*Apr 19 16:11:57.207: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R8-CE-GM#
*Apr 19 16:11:58.739: %SYS-5-CONFIG_I: Configured from console by console
*Apr 19 16:11:58.795: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 16:11:58.799: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 16:11:58.803: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 16:11:59.131: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.38.8
*Apr 19 16:11:59.151: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.38.8
R8-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.38.8     172.16.16.10    GDOI_REKEY        1002 ACTIVE
172.16.16.10    172.16.38.8     GDOI_IDLE         1001 ACTIVE

!! -- Configure Group Member Router R9 -- !!

R9-CE-GM(config-if)#
*Apr 19 16:13:31.651: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.49.9
R9-CE-GM(config-if)#
*Apr 19 16:13:31.667: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R9-CE-GM(config-if)#
*Apr 19 16:13:33.055: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 16:13:33.059: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 16:13:33.063: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 16:13:33.279: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.49.9
*Apr 19 16:13:33.295: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.49.9
R9-CE-GM(config-if)#end
R9-CE-GM#
*Apr 19 16:13:35.263: %SYS-5-CONFIG_I: Configured from console by console
R9-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.49.9     172.16.16.10    GDOI_REKEY        1002 ACTIVE
172.16.16.10    172.16.49.9     GDOI_IDLE         1001 ACTIVE

!! -- After configuration of all GM -- !!

R10-Primary-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.27.7     GDOI_IDLE         1003 ACTIVE
172.16.16.10    172.16.49.9     GDOI_IDLE         1005 ACTIVE
172.16.16.10    172.16.16.6     GDOI_IDLE         1002 ACTIVE
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE
172.16.16.10    172.16.38.8     GDOI_IDLE         1004 ACTIVE

R11-Backup-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

!! -- Verify GDOI status on Group Member (GM) Routers -- !!

R6-CE-GM#show crypto gdoi 
GROUP INFORMATION

    Group Name               : GETVPN-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 1
    IPSec SA Direction       : Both

     Group Server list       : 172.16.16.10
                               172.16.27.11
                               
    Group member             : 172.16.16.6      vrf: None
       Version               : 1.0.4 
       Registration status   : Registered
       Registered with       : 172.16.16.10
       Re-registers in       : 6947 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 172.16.16.10
       Last rekey seq num    : 1
       Unicast rekey received: 1
       Rekey ACKs sent       : 1
       Rekey Rcvd(hh:mm:ss)  : 00:00:31
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 1
       After latest register : 1
       Rekey Acks sents      : 1

 ACL Downloaded From KS 172.16.16.10:
   access-list   permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 79912
    Encrypt Algorithm        : 3DES
    Key Size                 : 192     
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024    

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0xF22F8F3B(4063203131)
        transform: esp-256-aes esp-sha256-hmac 
        sa timing:remaining key lifetime (sec): (714)
        Anti-Replay(Time Based) : 5 sec interval

    IPsec SA:
        spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac 
        sa timing:remaining key lifetime (sec): (7169)
        Anti-Replay(Time Based) : 5 sec interval

!! -- No traffic is exchanged between sites yet -- !!
!! -- encap/decap and encryp/decrypt packet count is zero -- !!

R8-CE-GM#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6387)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6387)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

!! -- Send traffic between Site-3 and Site-4 LAN -- !!

R8-CE-GM#ping 192.168.9.9 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/202/228 ms
R8-CE-GM#sh cry ipsec sa                

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6373)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6373)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

!! -- Send traffic between Site-1 and Site-3 LAN -- !!

R8-CE-GM#ping 192.168.6.6 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/188/224 ms

!! -- Send traffic between Site-2 and Site-3 LAN -- !!

R8-CE-GM#ping 192.168.7.7 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/194/212 ms

!! -- Traffic between each site LAN is ecnrypted now -- !!
!! -- GM has downloaded the ACL from KS, which covers LAN subnets --!!
!! -- of all sites -- !!

R8-CE-GM#sh cry ipsec sa                

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6341)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6341)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Reference:

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf