1. Topology diagram:

(topology image not reproduced in this copy)

GET*** preserves the original IP header, so the inner addresses must be routable across the whole network.

Reference:
http://blog.sina.com.cn/s/blog_52ddfea30100nwlf.html
http://blog.sina.com.cn/s/blog_52ddfea30100ny39.html

2. Basic interface configuration:
①KS1:
interface Loopback0
 ip address 10.1.101.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.101 255.255.255.0
②KS2:
interface FastEthernet0/0
 ip address 172.16.1.102 255.255.255.0
③GM1:
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
④GM2:
interface Loopback0
 ip address 10.1.2.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
3. Dynamic routing configuration:
①KS1:
router ospf 10
 network 10.1.101.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
②KS2:
router ospf 10
 network 172.16.1.0 0.0.0.255 area 0
③GM1:
router ospf 10
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
④GM2:
router ospf 10
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
4. Synchronizing the RSA key between KS1 and KS2:
①KS1 generates an exportable key pair and exports it on the terminal:
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label get***key exportable
crypto key export rsa get***key pem terminal 3des 1234qwer,

KS1(config)#crypto key export rsa get***key pem terminal 3des 1234qwer,
% Key name: get***key
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB
[encrypted private key data omitted]
-----END RSA PRIVATE KEY-----


②KS2 imports the key pair printed on KS1's terminal:

KS2(config)#crypto key import rsa get***key terminal 1234qwer,
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
<Enter>
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB
[encrypted private key data omitted]
-----END RSA PRIVATE KEY-----

quit
% Key pair import succeeded.
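To confirm that the public key KS2 imported is the same one KS1 exported, and that it really is the 1024-bit RSA key the `modulus 1024` command asked for, the following Python script parses the PEM public key shown above with the standard library only, walks the DER structure and compares fingerprints. It is an added example, not part of the original post or of IOS; it uses only the public half of the key printed on the page, and the private key body is not needed. The 3DES export wrapping and the 1024-bit modulus are legacy choices in this lab, which is one reason to check the key size explicitly.

```python
import base64
import hashlib
import re

# Public key exported by KS1 and pasted into KS2, copied from the page
# (a lab key; only the public half is used here).
KS1_EXPORTED_PUB = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----"""

# What KS2 echoed back during "crypto key import" (identical on the page).
KS2_IMPORTED_PUB = KS1_EXPORTED_PUB


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER TLV reader: returns (tag, value, position after the value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_params(der: bytes):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and
    return (modulus_bits, public_exponent)."""
    tag, spki, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE (SubjectPublicKeyInfo)"
    _, _alg, pos = _read_tlv(spki, 0)       # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _read_tlv(spki, pos)
    assert tag == 0x03, "expected BIT STRING"
    rsa_key = bitstr[1:]                    # drop the unused-bits octet
    tag, seq, _ = _read_tlv(rsa_key, 0)
    assert tag == 0x30, "expected SEQUENCE (RSAPublicKey)"
    tag, n_bytes, pos = _read_tlv(seq, 0)
    assert tag == 0x02, "expected INTEGER (modulus)"
    tag, e_bytes, _ = _read_tlv(seq, pos)
    assert tag == 0x02, "expected INTEGER (exponent)"
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return modulus.bit_length(), exponent


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_key_sync(exported_pem: str, imported_pem: str, expected_bits: int):
    """Return a list of problems; empty means both KSs hold the same
    public key and it has the expected modulus size."""
    problems = []
    if fingerprint(exported_pem) != fingerprint(imported_pem):
        problems.append("public key on KS2 does not match the one exported by KS1")
    bits, e = rsa_public_params(pem_to_der(exported_pem))
    if bits != expected_bits:
        problems.append(f"modulus is {bits} bits, expected {expected_bits}")
    if e != 65537:
        problems.append(f"unusual public exponent {e}")
    return problems


if __name__ == "__main__":
    print("fingerprint:", fingerprint(KS1_EXPORTED_PUB))
    print("modulus bits, exponent:", rsa_public_params(pem_to_der(KS1_EXPORTED_PUB)))
    print("problems:", check_key_sync(KS1_EXPORTED_PUB, KS2_IMPORTED_PUB, 1024))
```

On a real pair of key servers the two PEM blobs would come from `show crypto key mypubkey rsa get***key` on each box rather than from a transcript; the fingerprint comparison is the same.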


5. GET*** configuration:

①Phase 1:
KS1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.1
crypto isakmp key cisco address 172.16.1.2
crypto isakmp key cisco address 172.16.1.102
KS2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.1
crypto isakmp key cisco address 172.16.1.2
crypto isakmp key cisco address 172.16.1.101
GM1 and GM2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.101
crypto isakmp key cisco address 172.16.1.102
②Define the interesting traffic:
KS1 and KS2:
ip access-list extended get***traffic
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
③Phase 2 transform set, and the IPsec profile that references it:
KS1 and KS2:
crypto ipsec transform-set get***-set esp-des esp-sha-hmac
 exit
crypto ipsec profile get***-profile
 set transform-set get***-set
④GET*** group configuration
KS1:

crypto gdoi group get***group
 identity number 12345678
 server local
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa get***key
  rekey transport unicast
  sa ipsec 1
   profile get***-profile
   match address ipv4 get***traffic
   replay time window-size 2
  address ipv4 172.16.1.101
  redundancy
   local priority 100
   peer address ipv4 172.16.1.102
KS2: 
crypto gdoi group get***group
 identity number 12345678
 server local
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa get***key
  rekey transport unicast
  sa ipsec 1
   profile get***-profile
   match address ipv4 get***traffic
   replay time window-size 2
  address ipv4 172.16.1.102
  redundancy
   local priority 75
   peer address ipv4 172.16.1.101
GM1 and GM2:
crypto gdoi group get***group
 identity number 12345678
 server address ipv4 172.16.1.101
 server address ipv4 172.16.1.102

⑤Crypto map configuration on the group members:
crypto map get***map 10 gdoi
 set group get***group
interface FastEthernet0/0
 crypto map get***map

6. Verification:
①Check the GET*** status on the key servers and group members:
KS1#show crypto gdoi group get***group
    Group Name               : get***group (Unicast)
    Group Identity           : 12345678
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Redundancy               : Configured
        Local Address        : 172.16.1.101
        Local Priority       : 100
        Local KS Status      : Alive
        Local KS Role        : Primary
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 85260 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : get***-profile
      Replay method          : Time Based
      Replay Window Size     : 2
      SA Rekey
         Remaining Lifetime  : 2268 secs
      ACL Configured         : access-list get***traffic

    Group Server list        : Local

KS2#show crypto gdoi group get***group
    Group Name               : get***group (Unicast)
    Group Identity           : 12345678
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Redundancy               : Configured
        Local Address        : 172.16.1.102
        Local Priority       : 75
        Local KS Status      : Alive
        Local KS Role        : Secondary
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 85190 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : get***-profile
      Replay method          : Time Based
      Replay Window Size     : 2
      SA Rekey
         Remaining Lifetime  : 2199 secs
      ACL Configured         : access-list get***traffic

    Group Server list        : Local

GM1#show crypto gdoi group get***group
    Group Name               : get***group
    Group Identity           : 12345678
    Rekeys received          : 1
    IPSec SA Direction       : Both
    Active Group Server      : 172.16.1.101
    Group Server list        : 172.16.1.101
                               172.16.1.102
                              
    GM Reregisters in        : 2054 secs
    Rekey Received(hh:mm:ss) : 00:24:48


    Rekeys received         
         Cumulative          : 1
         After registration  : 1
    Rekey Acks sent          : 1

 ACL Downloaded From KS 172.16.1.101:
   access-list  permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : AES
    Key Size                 : 256    
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024   

TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1915)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1915)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:inbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2107)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2107)
        Anti-Replay(Time Based) : 2 sec interval

GM2#show crypto gdoi group get***group
*Mar  1 01:20:18.987: %SYS-5-CONFIG_I: Configured from console by console
GM2#show crypto gdoi group get***group
    Group Name               : get***group
    Group Identity           : 12345678
    Rekeys received          : 1
    IPSec SA Direction       : Both
    Active Group Server      : 172.16.1.101
    Group Server list        : 172.16.1.101
                               172.16.1.102
                              
    GM Reregisters in        : 2006 secs
    Rekey Received(hh:mm:ss) : 00:25:33


    Rekeys received         
         Cumulative          : 1
         After registration  : 1
    Rekey Acks sent          : 1

 ACL Downloaded From KS 172.16.1.101:
   access-list  permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : AES
    Key Size                 : 256    
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024   

TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1870)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1870)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:inbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2062)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2062)
        Anti-Replay(Time Based) : 2 sec interval

②Check the cooperative key server (COOP) status:
KS1#show crypto gdoi ks coop
Crypto Gdoi Group Name :get***group
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.1.101
        Local Priority: 100     
        Local KS Role: Primary   , Local KS Status: Alive    
        Primary Timers:
                Primary Refresh Policy Time: 20
                Remaining Time: 4
                Antireplay Sequence Number: 41

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.1.102
                Peer Priority: 75             
                Peer KS Role: Secondary , Peer KS Status: Alive    
                Antireplay Sequence Number: 2

                IKE status: Established
                Counters:
                    Ann msgs sent: 14
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0
                    Ann msgs recv with reply request: 3
                    Packet sent drops: 27
                    Packet Recv drops: 0
                    Total bytes sent: 8652
                    Total bytes recv: 3016

KS2#show crypto gdoi ks coop
Crypto Gdoi Group Name :get***group
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.1.102
        Local Priority: 75      
        Local KS Role: Secondary , Local KS Status: Alive    
        Secondary Timers:
                Sec Primary Periodic Time: 30
                Remaining Time: 9, Retries: 0
                Antireplay Sequence Number: 3

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.1.101
                Peer Priority: 100            
                Peer KS Role: Primary   , Peer KS Status: Alive    
                Antireplay Sequence Number: 43

                IKE status: Established
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 3
                    Ann msgs recv: 13
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 0
                    Packet Recv drops: 0
                    Total bytes sent: 3016
                    Total bytes recv: 8034
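A check worth scripting after running the two show commands above: parse the COOP output from each KS and the group status from each GM, then confirm that there is exactly one live Primary, that it is the KS with the higher priority, that the COOP IKE session is established, and that every GM carries the same group identity and is registered with a configured KS. The Python script below is an added example, not code from the original post; its inputs are constructed excerpts trimmed from the output shown above, and its regular expressions assume the field labels exactly as printed there. A GM whose active server is the Secondary is not flagged, because a secondary KS also answers registrations.

```python
import re

# Constructed excerpts, trimmed from the page's "show crypto gdoi ks coop"
# output on KS1 and KS2 and "show crypto gdoi group" output on the GMs.
KS1_COOP = """\
Crypto Gdoi Group Name :get***group
        Local Address: 172.16.1.101
        Local Priority: 100
        Local KS Role: Primary   , Local KS Status: Alive
        Peer Sessions:
        Session 1:
                Peer Address: 172.16.1.102
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Alive
                IKE status: Established
"""

KS2_COOP = """\
Crypto Gdoi Group Name :get***group
        Local Address: 172.16.1.102
        Local Priority: 75
        Local KS Role: Secondary , Local KS Status: Alive
        Peer Sessions:
        Session 1:
                Peer Address: 172.16.1.101
                Peer Priority: 100
                Peer KS Role: Primary   , Peer KS Status: Alive
                IKE status: Established
"""

GM_GROUP = {
    "GM1": "    Group Identity           : 12345678\n"
           "    Active Group Server      : 172.16.1.101\n",
    "GM2": "    Group Identity           : 12345678\n"
           "    Active Group Server      : 172.16.1.101\n",
}


def _grab(pattern, text, default=None):
    """First capture group of pattern in text, or default when absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ks_coop(text):
    """Return (local_view, [peer_views]) from 'show crypto gdoi ks coop'."""
    local = {
        "address": _grab(r"Local Address:\s*(\S+)", text),
        "priority": int(_grab(r"Local Priority:\s*(\d+)", text, "0")),
        "role": _grab(r"Local KS Role:\s*(\w+)", text),
        "status": _grab(r"Local KS Status:\s*(\w+)", text),
    }
    peers = []
    for block in re.split(r"Session \d+:", text)[1:]:
        peers.append({
            "address": _grab(r"Peer Address:\s*(\S+)", block),
            "role": _grab(r"Peer KS Role:\s*(\w+)", block),
            "status": _grab(r"Peer KS Status:\s*(\w+)", block),
            "ike": _grab(r"IKE status:\s*(\w+)", block),
        })
    return local, peers


def check_coop(ks_outputs, gm_outputs, expected_group_id):
    """Return a list of findings. Empty means: every KS and COOP peer is Alive
    with IKE established, exactly one KS is Primary and it is the one with the
    highest priority, and each GM carries the expected group identity and is
    registered with one of the configured KSs."""
    findings = []
    views = {}
    for name, text in ks_outputs.items():
        local, peers = parse_ks_coop(text)
        views[name] = local
        if local["status"] != "Alive":
            findings.append(f"{name}: local KS status is {local['status']}")
        for p in peers:
            if p["status"] != "Alive" or p["ike"] != "Established":
                findings.append(f"{name}: peer {p['address']} status={p['status']} ike={p['ike']}")
    primaries = [v["address"] for v in views.values() if v["role"] == "Primary"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one Primary KS, found {primaries}")
    best = max(views.values(), key=lambda v: v["priority"])
    if best["role"] != "Primary":
        findings.append(f"highest-priority KS {best['address']} is {best['role']}, not Primary")
    known = {v["address"] for v in views.values()}
    for gm, text in gm_outputs.items():
        gid = _grab(r"Group Identity\s*:\s*(\d+)", text)
        active = _grab(r"Active Group Server\s*:\s*(\S+)", text)
        if gid != str(expected_group_id):
            findings.append(f"{gm}: group identity {gid} != {expected_group_id}")
        if active not in known:
            findings.append(f"{gm}: active group server {active} is not a configured KS")
    return findings


if __name__ == "__main__":
    print(check_coop({"KS1": KS1_COOP, "KS2": KS2_COOP}, GM_GROUP, 12345678))
```

The two-Primary case is the one to watch for: when the COOP IKE session between the key servers drops, both can end up believing they are Primary, and the check reports it as a single finding.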

③Check the group members registered on the key servers:
KS1#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group get***group : 1

Group Member ID   : 172.16.1.1
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 172.16.1.101
Rekeys sent       : 1
Rekey Acks Rcvd   : 1
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

Group Member ID   : 172.16.1.2
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 172.16.1.101
Rekeys sent       : 1
Rekey Acks Rcvd   : 1
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

KS2#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group get***group : 0

Group Member ID   : 172.16.1.1
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 172.16.1.101
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

Group Member ID   : 172.16.1.2
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 172.16.1.101
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

④Test GET*** encryption and decryption on a group member:

Step 1: check the encrypt/decrypt counters on GM1 before the test

GM1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
    2 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
    5 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
    6 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
 1001 Fa0/0      IKE   SHA+DES                   0        0 172.16.1.1
 1002 <none>     IKE   SHA+AES256                0        0
 1003 <none>     IKE   SHA+AES256                0        0

Step 2: generate encrypted interesting traffic from GM1 with ping
GM1#ping 10.1.2.1 source 10.1.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/27/68 ms
Step 3: check the encrypt/decrypt counters on GM1 after the test
GM1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA                   0      100 10.0.0.0
    2 Fa0/0      IPsec DES+SHA                 100        0 10.0.0.0
    5 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
    6 Fa0/0      IPsec DES+SHA                   0        0 10.0.0.0
 1001 Fa0/0      IKE   SHA+DES                   0        0 172.16.1.1
 1002 <none>     IKE   SHA+AES256                0        0
 1003 <none>     IKE   SHA+AES256                0        0

⑤Group member access control list configuration
Step 1: from GM1, test reachability to the network behind KS1

GM1#ping 10.1.101.1 source 10.1.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)     
 
The reason communication fails: traffic from source 10.1.1.1 to destination 10.1.101.1 matches the GET*** interesting-traffic ACL, so it is encrypted; but the key server KS1 holds no IPsec SA, cannot decrypt the traffic, and the communication fails. The solution is to configure a group member access control list on GM1 that bypasses (sends in clear) the traffic from 10.1.1.0/24 to 10.1.101.0/24.
 
Step 2: configure the group member access control list on GM1 and attach it to the gdoi crypto map applied to the interface

GM1(config)#ip access-list extended bypass
GM1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
GM1(config-ext-nacl)#exit
GM1(config)#crypto map get***map 10 gdoi
GM1(config-crypto-map)#match address bypass
 
Step 3: from GM1, test reachability to the network behind KS1 again
 
GM1#ping 10.1.101.1 source 10.1.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/120/156 ms     

Notes:

①The exclusions can also be written into the interesting-traffic ACL on the KS instead, as shown below:
KS1#show ip access-lists
Extended IP access list get***traffic
    5 deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
    6 deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255
    10 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

②However, other than removing and re-applying the crypto map on the group member's interface (no crypto map get***map, then crypto map get***map), I have not found a better way to make the KS quickly push the new interesting-traffic ACL down to each group member.
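The behaviour seen in step 1 of ⑤ and the two bypass options (a local deny ACL on the GM in step 2, or deny entries ahead of the permit in the KS ACL as in note ①) can be checked offline with a small policy simulator. The Python script below is an added example and not code from the original post; it models the GM's decision as first-match evaluation of the local ACL, whose deny entries send traffic in clear, followed by the KS-downloaded ACL, where permit means encrypt and deny or no match means send in clear. The ACLs are the ones on the page; beyond network/wildcard pairs the parser understands only the `any` keyword.

```python
import ipaddress
import re

# Interesting-traffic ACL pushed by the KS (the page's "get***traffic").
KS_ACL = [
    "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]

# Local bypass ACL configured on GM1 (the page's "bypass" ACL).
GM1_LOCAL_ACL = [
    "deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255",
]

# The alternative from note ①: exclusions placed in the KS ACL itself.
KS_ACL_WITH_EXCLUSIONS = [
    "deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255",
    "deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255",
    "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]

ACE_RE = re.compile(r"^(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$")


def _parse_match(spec: str):
    """Turn 'any' or 'network wildcard' into (network_int, mask_int)."""
    if spec == "any":
        return 0, 0
    net, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(net)) & mask, mask


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries, preserving order."""
    entries = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        entries.append((m.group(1), _parse_match(m.group(2)), _parse_match(m.group(3))))
    return entries


def _matches(addr: str, rule) -> bool:
    net, mask = rule
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def first_match(entries, src: str, dst: str):
    """First-match ACL evaluation; None when no entry matches."""
    for action, s_rule, d_rule in entries:
        if _matches(src, s_rule) and _matches(dst, d_rule):
            return action
    return None


def gm_policy(src: str, dst: str, local_acl, ks_acl) -> str:
    """Decide what the GM does with a packet: the local (GM) ACL is consulted
    first and a deny there sends the traffic in clear; then the KS-downloaded
    ACL applies, where permit means encrypt and deny or no match means clear."""
    if first_match(parse_acl(local_acl), src, dst) == "deny":
        return "clear (local bypass)"
    action = first_match(parse_acl(ks_acl), src, dst)
    return "encrypt" if action == "permit" else "clear"


if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "10.1.101.1"), ("10.1.1.1", "10.1.2.1")]:
        print(src, "->", dst,
              "| no bypass:", gm_policy(src, dst, [], KS_ACL),
              "| GM bypass:", gm_policy(src, dst, GM1_LOCAL_ACL, KS_ACL),
              "| KS exclusions:", gm_policy(src, dst, [], KS_ACL_WITH_EXCLUSIONS))
```

Run as-is it shows the page's result: GM1 to the KS1 loopback is encrypted (and therefore undeliverable) without a bypass, sent in clear with either bypass, while GM1 to GM2 stays encrypted in all three cases.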