This is a Cisco proprietary technology for encrypting data across networks that require full-mesh connectivity, whereas traditional VPN topologies are hub and spoke.
- Key Server (KS) – Centrally manages and distributes the encryption keys. It takes no part in the data encryption itself and is a dedicated router.
- Group Member (GM) – The routers that encrypt and decrypt the data.
GDOI protocol – Group Domain of Interpretation. A modified version of ISAKMP; it uses UDP port 848.
Header preservation – The original IP header is kept on the encrypted packet, so QoS and multicast keep working across the MPLS network even though the payload is encrypted.
Set of keys:
- KEK – Key Encryption Key – used to encrypt the rekeys sent by the KS.
- TEK – Traffic Encryption Key – used to encrypt the traffic between the Group Members.
AES128 is recommended because it has a much longer lifetime.
COOP (cooperative key server) configuration requires generating the RSA keys on one of the key servers and importing them to the other key servers.
Fail Open – Default mode. Data is sent in the clear until the router registers with the KS.
Fail Close – All traffic is dropped until the router registers with the KS.
Key Server (KS) configuration:
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 300
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GET esp-aes esp-sha-hmac
crypto ipsec profile GET
 set transform-set GET
crypto gdoi group GET
 identity number 1
 server local
  rekey authentication mypubkey rsa r1.test.com
  rekey transport unicast
  sa ipsec 1
   profile GET
   match address ipv4 101
  ! KS1_IP = IP address of the KS reachable by the GMs
  address ipv4 KS1_IP
  ! for COOP configuration
  redundancy
   peer address ipv4 KS2_IP
access-list 101 permit icmp any any
Group Member (GM) configuration:
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto gdoi group GET
 identity number 1
 server address ipv4 KS1_IP
 server address ipv4 KS2_IP
crypto map GET 10 gdoi
 set group GET
interface s0/0/0
 crypto map GET
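The KS and GM snippets only work together when the group identity, the server addresses and the crypto map line up. The script below is an added example (not Cisco's code and not part of the original notes) that re-creates both snippets as constructed samples, parses the `crypto gdoi group` blocks with a simple line-based heuristic rather than a real IOS config grammar, and reports mismatches: a GM pointing at an address that is neither the KS nor one of its COOP peers, differing identity numbers, a KS with no RSA rekey authentication, or a GM with no gdoi crypto map applied to an interface. The 192.0.2.x addresses are documentation addresses standing in for KS1_IP and KS2_IP.

```python
"""Cross-check a GET VPN key server (KS) and group member (GM) configuration.

Added example, not Cisco's code or the original notes. The parser is a
line-based heuristic for IOS-style text, not a full config grammar.
"""
import re

# Constructed samples modelled on the KS and GM snippets above; the ISAKMP
# policy lines are omitted because the checks below do not look at them.
KS_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GET esp-aes esp-sha-hmac
crypto ipsec profile GET
 set transform-set GET
crypto gdoi group GET
 identity number 1
 server local
  rekey authentication mypubkey rsa r1.test.com
  rekey transport unicast
  sa ipsec 1
   profile GET
   match address ipv4 101
  address ipv4 192.0.2.1
  redundancy
   peer address ipv4 192.0.2.2
access-list 101 permit icmp any any
"""

GM_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto gdoi group GET
 identity number 1
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
crypto map GET 10 gdoi
 set group GET
interface Serial0/0/0
 crypto map GET
"""

def parse_gdoi_groups(config):
    """Return {group name: facts} for every 'crypto gdoi group' block.

    A block is the 'crypto gdoi group' line plus all following indented lines."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                      # top-level command
            m = re.match(r"crypto gdoi group (\S+)$", line)
            cur = {"identity": None, "local": False, "ks_address": None,
                   "servers": [], "peers": [], "rekey_auth": None} if m else None
            if m:
                groups[m.group(1)] = cur
        elif cur is not None:                             # inside a group block
            if (m := re.match(r"identity number (\d+)", line)):
                cur["identity"] = int(m.group(1))
            elif line == "server local":                  # this router is a KS
                cur["local"] = True
            elif (m := re.match(r"server address ipv4 (\S+)", line)):  # GM side
                cur["servers"].append(m.group(1))
            elif (m := re.match(r"peer address ipv4 (\S+)", line)):    # COOP peer
                cur["peers"].append(m.group(1))
            elif (m := re.match(r"address ipv4 (\S+)", line)):         # KS's own address
                cur["ks_address"] = m.group(1)
            elif (m := re.match(r"rekey authentication mypubkey rsa (\S+)", line)):
                cur["rekey_auth"] = m.group(1)
    return groups

def gdoi_crypto_map_interfaces(config):
    """Return the interfaces on which a 'gdoi' crypto map is applied."""
    gdoi_maps = set(re.findall(r"^crypto map (\S+) \d+ gdoi$", config, re.M))
    applied, iface = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1]
        elif not raw.startswith(" "):
            iface = None                                  # left the interface block
        elif iface and (m := re.match(r"crypto map (\S+)", raw.strip())) and m.group(1) in gdoi_maps:
            applied.append(iface)
    return applied

def audit(ks_config, gm_config):
    """Return a list of findings; an empty list means the KS and GM agree."""
    findings, ks_groups = [], parse_gdoi_groups(ks_config)
    for name, gm in parse_gdoi_groups(gm_config).items():
        ks = ks_groups.get(name)
        if ks is None or not ks["local"]:
            findings.append(f"group {name}: not served by this key server")
            continue
        if gm["identity"] != ks["identity"]:
            findings.append(f"group {name}: identity {gm['identity']} on GM but {ks['identity']} on KS")
        # A GM may register with the primary KS or any of its COOP peers, nothing else
        known = {ks["ks_address"], *ks["peers"]} - {None}
        for addr in gm["servers"]:
            if addr not in known:
                findings.append(f"group {name}: GM points at {addr}, not the KS or a COOP peer")
        if ks["rekey_auth"] is None:
            findings.append(f"group {name}: KS sends rekeys without RSA authentication")
    if not gdoi_crypto_map_interfaces(gm_config):
        findings.append("GM: no interface has a gdoi crypto map applied, traffic stays clear")
    return findings

if __name__ == "__main__":
    print(audit(KS_CONFIG, GM_CONFIG) or "KS and GM configuration are consistent")
```

Run it as-is and it reports the two constructed snippets as consistent; change one of the GM's `server address ipv4` lines or drop the `crypto map GET` line from the interface to see the corresponding finding. Because the ACL, transform set and ISAKMP settings are not checked, an empty result means the GDOI group wiring is coherent, not that the whole configuration is.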
Verify the GDOI configuration – members, keys, active servers, server list:
KS# show crypto gdoi
GM# show crypto gdoi
Check that packets are actually being encapsulated:
GM# show crypto ipsec sa