GETVPN does not support IKEv2, only IKEv1.

There is no overlay tunnel and no overlay routing protocol; traffic is encrypted in place on the underlay.

Because there is no overlay tunnel, no additional tunnel subnets need to be created.

Policy management is centralized: policies are defined in one place, the Key Server, and pushed to all group members.

Components:
- GM (Group Member)
- KS (Key Server)
- GDOI (Group Domain of Interpretation), UDP port 848
- IPsec

Key Server:

! Phase 1 (IKEv1) policy the KS uses to authenticate the group members
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 15
! one pre-shared key per group member (155.1.35.5 and 155.1.51.22 are the GMs)
crypto isakmp key cisco address 155.1.35.5
crypto isakmp key cisco address 155.1.51.22
! data-plane transform set and IPsec profile pushed to the GMs
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set TS
! GDOI group; the identity number must match on every GM
crypto gdoi group GDOI
 identity number 852
 server local
  rekey address ipv4 REKEYACL
  ! rekeys are signed with the KS RSA key pair labelled CSR8.cisco.com
  rekey authentication mypubkey rsa CSR8.cisco.com
  rekey transport unicast
  sa ipsec 1
   profile IPSEC
   match address ipv4 INST
   replay counter window-size 64
   no tag
! traffic to be encrypted, both directions
ip access-list extended INST
 permit ip host 150.22.22.1 host 150.5.5.1
 permit ip host 150.5.5.1 host 150.22.22.1
! rekey messages from the KS (155.1.55.8) to each GM on GDOI port 848
ip access-list extended REKEYACL
 permit udp host 155.1.55.8 host 155.1.35.5 eq 848
 permit udp host 155.1.55.8 host 155.1.51.22 eq 848

Member Router:

! Phase 1 policy must match the KS
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 15
! pre-shared key for the key server (155.1.55.8)
crypto isakmp key cisco address 155.1.55.8
! same group name and identity number as the KS; register with the KS address
crypto gdoi group GDOI
 identity number 852
 server address ipv4 155.1.55.8
crypto map GETVPN 1 gdoi
 set group GDOI
! applied on the interface facing the other group members
crypto map GETVPN
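As an added example that is not part of the original notes, the following Python script audits a KS/GM config pair for the points the two snippets above have to agree on: the GDOI identity numbers must match, the GM must hold an ISAKMP key for the key server it registers with, rekeys should be RSA-signed, anti-replay should be enabled on the pushed SA, and the pre-shared key should not be a short static string like `cisco`. The two configs are constructed, trimmed copies of the snippets on the page; the 16-character PSK threshold is an assumption.

```python
import re

# Constructed from the KS and GM snippets above, trimmed to the lines the checks read.
KS_CFG = """crypto isakmp key cisco address 155.1.35.5
crypto isakmp key cisco address 155.1.51.22
crypto gdoi group GDOI
 identity number 852
 server local
  rekey authentication mypubkey rsa CSR8.cisco.com
  rekey transport unicast
  sa ipsec 1
   replay counter window-size 64
"""
GM_CFG = """crypto isakmp key cisco address 155.1.55.8
crypto gdoi group GDOI
 identity number 852
 server address ipv4 155.1.55.8
crypto map GETVPN 1 gdoi
 set group GDOI
"""

def first(pattern, cfg):
    """First capture group of a line-anchored pattern in cfg, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def audit_getvpn(ks_cfg, gm_cfg, min_psk_len=16):
    """Return a list of findings; an empty list means the KS/GM pair is consistent."""
    findings = []
    ks_id, gm_id = (first(r"^\s*identity number (\d+)", c) for c in (ks_cfg, gm_cfg))
    if ks_id != gm_id:
        findings.append(f"identity number mismatch: KS {ks_id}, GM {gm_id}")
    ks_addr = first(r"^\s*server address ipv4 (\S+)", gm_cfg)
    if not ks_addr:
        findings.append("GM does not point at a key server")
    elif not re.search(rf"^crypto isakmp key (?:[06] )?\S+ address {re.escape(ks_addr)}(?!\S)", gm_cfg, re.M):
        findings.append(f"GM has no ISAKMP pre-shared key for its key server {ks_addr}")
    if "rekey authentication mypubkey rsa" not in ks_cfg:
        findings.append("KS rekeys are not RSA-signed (no 'rekey authentication')")
    if not re.search(r"^\s*replay (counter|time)", ks_cfg, re.M):
        findings.append("KS IPsec SA has no anti-replay protection")
    for role, cfg in (("KS", ks_cfg), ("GM", gm_cfg)):
        # an optional '0'/'6' after 'key' is the IOS plaintext/encrypted marker; skip it
        for key in sorted(set(re.findall(r"^crypto isakmp key (?:[06] )?(\S+) address", cfg, re.M))):
            if len(key) < min_psk_len:
                findings.append(f"{role} uses a short static pre-shared key {key!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_getvpn(KS_CFG, GM_CFG) or ["no findings"]:
        print(finding)
```

Run against the page's own configs, the only findings are the static `cisco` pre-shared key on both routers; everything else the notes configure passes.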
