Tunnel-less VPN (Group Encrypted Transport)

Date: May 6, 2007

hostname r1
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 123.1.1.2
crypto isakmp key cisco address 123.1.1.3
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto ipsec profile profile1
 set transform-set test
!
crypto gdoi group tcy
 identity number 8879576
 server local
  rekey retransmit 10 number 2
  sa ipsec 10
   profile profile1
   match address ipv4 100
   replay counter window-size 64
!
!
crypto map tcy 10 gdoi
 set group tcy

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 123.1.1.1 255.255.255.0
 crypto map tcy
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 10
 network 123.1.1.0 0.0.0.255 area 10

access-list 100 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
access-list 100 permit ip 30.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
----------------------------------------------------------------------
hostname r2

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 123.1.1.1
crypto isakmp key cisco address 123.1.1.3
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto gdoi group tcy
 identity number 8879576
 server address ipv4 123.1.1.1
!
!
crypto map test 10 gdoi
 set group tcy
!

interface Loopback0
 ip address 20.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 123.1.1.2 255.255.255.0
 crypto map test
!
router ospf 1
 network 20.1.1.0 0.0.0.255 area 10
 network 123.1.1.0 0.0.0.255 area 10
-------------------------------------------------------------------
hostname r3

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 123.1.1.1
crypto isakmp key cisco address 123.1.1.2
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto gdoi group tcy
 identity number 8879576
 server address ipv4 123.1.1.1
!
!
crypto map test 10 gdoi
 set group tcy

interface Loopback0
 ip address 30.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 123.1.1.3 255.255.255.0
 crypto map test
!
router ospf 1
 network 30.1.1.0 0.0.0.255 area 10
 network 123.1.1.0 0.0.0.255 area 10
!
-------------------------------------------------------------------
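The consistency check below is an added example and not part of the original page or of Cisco IOS: it parses trimmed excerpts of the three configs above (only the GDOI-relevant commands, copied from the page) and verifies that the group identity number, each group member's key-server address and the ISAKMP pre-shared-key entries line up across r1, r2 and r3. The `parse` and `audit` functions are hypothetical helpers written here for the audit.

```python
import re
CONFIGS = {  # trimmed excerpts of the three configs above (GDOI-relevant commands only)
    "r1": ["crypto isakmp key cisco address 123.1.1.2",
           "crypto isakmp key cisco address 123.1.1.3",
           "identity number 8879576", "server local",
           "ip address 123.1.1.1 255.255.255.0"],
    "r2": ["crypto isakmp key cisco address 123.1.1.1",
           "crypto isakmp key cisco address 123.1.1.3",
           "identity number 8879576", "server address ipv4 123.1.1.1",
           "ip address 123.1.1.2 255.255.255.0"],
    "r3": ["crypto isakmp key cisco address 123.1.1.1",
           "crypto isakmp key cisco address 123.1.1.2",
           "identity number 8879576", "server address ipv4 123.1.1.1",
           "ip address 123.1.1.3 255.255.255.0"],
}

def parse(lines):
    """Extract the fields a GET VPN consistency audit needs from one router."""
    d = {"peers": set(), "addrs": set(), "ks": None, "identity": None}
    for line in lines:
        if m := re.match(r"crypto isakmp key \S+ address (\S+)$", line):
            d["peers"].add(m.group(1))          # ISAKMP pre-shared-key peer
        elif m := re.match(r"ip address (\S+) \S+$", line):
            d["addrs"].add(m.group(1))          # interface address
        elif m := re.match(r"identity number (\d+)$", line):
            d["identity"] = int(m.group(1))     # GDOI group identity
        elif m := re.match(r"server address ipv4 (\S+)$", line):
            d["ks"] = m.group(1)                # GM: where to register
        elif line == "server local":
            d["ks"] = "local"                   # this router is the key server
    return d

def audit(configs):
    """Return findings as strings; an empty list means the KS and GMs agree."""
    parsed = {n: parse(c) for n, c in configs.items()}
    ks = [n for n, p in parsed.items() if p["ks"] == "local"]
    if len(ks) != 1:
        return [f"expected exactly one local key server, found {ks}"]
    findings = []
    if len({p["identity"] for p in parsed.values()}) != 1:
        findings.append("group identity number differs across routers")
    for n, p in parsed.items():
        if p["ks"] != "local" and p["ks"] not in parsed[ks[0]]["addrs"]:
            findings.append(f"{n}: server address {p['ks']} is not on {ks[0]}")
        for peer in p["peers"]:  # each pre-shared key needs a reciprocal entry
            owner = next((o for o, q in parsed.items() if peer in q["addrs"]), None)
            if owner is None or not (p["addrs"] & parsed[owner]["peers"]):
                findings.append(f"{n}: no reciprocal ISAKMP key for peer {peer}")
    return findings
```

For the configs on this page `audit(CONFIGS)` returns an empty list; dropping one router's key entry or pointing a group member at an address the key server does not own produces a finding naming the router.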
r1#sh cry gdoi ks
Total group members registered to this box: 2

Key Server Information For Group tcy:
Group Name : tcy
Group Identity : 8879576
Group Members : 2
IPSec SA Direction : Both
ACL Configured:
access-list 100
-------------------------------------------------------------------
r1#sh cry gdoi
Group Information

Group Name : tcy
Group Identity : 8879576
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2

IPSec SA Number : 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : profile1
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 2676 secs
ACL Configured : access-list 100

Group Server list : Local
-------------------------------------------------------------------
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
10.0.0.0/32 is subnetted, 1 subnets
O 10.1.1.1 [110/2] via 123.1.1.1, 00:07:03, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.1.1.0 is directly connected, FastEthernet0/0
30.0.0.0/32 is subnetted, 1 subnets
O 30.1.1.1 [110/2] via 123.1.1.3, 00:07:03, FastEthernet0/0
------------------------------------------------------------------
r2#sh cry gdoi gm
Group Member Information For Group tcy:
IPSec SA Direction : Inbound Optional
ACL Received From KS : gdoi_group_tcy_temp_acl
Re-register
Remaining time : 2576 secs

------------------------------------------------------------------
r2#sh cry gdoi ipsec sa

SA created for group tcy:
FastEthernet0/0:
protocol = ip
local ident = 20.1.1.0/24, port = 0
remote ident = 30.1.1.0/24, port = 0
direction: Both, replay: Disabled
protocol = ip
local ident = 30.1.1.0/24, port = 0
remote ident = 20.1.1.0/24, port = 0
direction: Both, replay: Disabled

-------------------------------------------------------------------
r2#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: test, local addr 123.1.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (30.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 123.1.1.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3E14DDF4(1041554932)

inbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: 7, crypto map: test
sa timing: remaining key lifetime (k/sec): (4450547/2630)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: 8, crypto map: test
sa timing: remaining key lifetime (k/sec): (4450547/2629)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.1.1.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 123.1.1.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3E14DDF4(1041554932)

inbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: 5, crypto map: test
sa timing: remaining key lifetime (k/sec): (4532355/2629)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: 6, crypto map: test
sa timing: remaining key lifetime (k/sec): (4532355/2628)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
-------------------------------------------------------------------------
r2#sh cry map
Crypto Map "test" 10 gdoi
Group Name: tcy
identity number 8879576
server address ipv4 123.1.1.1
Interfaces using crypto map test:
FastEthernet0/0
-------------------------------------------------------------------------
r2#p ip
Target IP address: 30.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 412/629/840 ms

------------------------------------------------------------------------
r2#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: test, local addr 123.1.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (30.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 123.1.1.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3E14DDF4(1041554932)

inbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: 7, crypto map: test
sa timing: remaining key lifetime (k/sec): (4450547/2608)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: 8, crypto map: test
sa timing: remaining key lifetime (k/sec): (4450547/2593)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.1.1.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 123.1.1.2, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3E14DDF4(1041554932)

inbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: 5, crypto map: test
sa timing: remaining key lifetime (k/sec): (4532354/2592)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x3E14DDF4(1041554932)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: 6, crypto map: test
sa timing: remaining key lifetime (k/sec): (4532354/2588)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
-----------------------------------------------------------------------
r3(config)#int fa0/0
r3(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/32 is subnetted, 1 subnets
O 20.1.1.1 [110/2] via 123.1.1.2, 00:01:25, FastEthernet0/0
10.0.0.0/32 is subnetted, 1 subnets
O 10.1.1.1 [110/2] via 123.1.1.1, 00:01:26, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.1.1.0 is directly connected, FastEthernet0/0
30.0.0.0/24 is subnetted, 1 subnets
C 30.1.1.0 is directly connected, Loopback0
------------------------------------------------------------------------
r3(config-if)#do sh cry map
Crypto Map "test" 10 gdoi
Group Name: tcy
identity number 8879576
server address ipv4 123.1.1.1
Interfaces using crypto map test:
FastEthernet0/0
-----------------------------------------------------------------------
