1. Topology:
GET VPN preserves the original IP header, so every address in the group must be routable end to end across the network.
Reference:
2. Basic interface configuration:
① KS1:
interface Loopback0
 ip address 10.1.101.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.101 255.255.255.0
② KS2:
interface FastEthernet0/0
 ip address 172.16.1.102 255.255.255.0
③ GM1:
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
④ GM2:
interface Loopback0
 ip address 10.1.2.1 255.255.255.0
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
3. Dynamic routing configuration:
① KS1:
router ospf 10
 network 10.1.101.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
② KS2:
router ospf 10
 network 172.16.1.0 0.0.0.255 area 0
③ GM1:
router ospf 10
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
④ GM2:
router ospf 10
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
4. Synchronizing the rekey RSA key pair between KS1 and KS2:
① KS1 generates an exportable key pair and exports it to the terminal:
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label get***key exportable
crypto key export rsa get***key pem terminal 3des 1234qwer

KS1(config)#crypto key export rsa get***key pem terminal 3des 1234qwer
% Key name: get***key
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB

gMtL6Osu6BqsuxTWvGTTC25MG7mNKIRe4Y9gRgjvb33DTg2dWzdf1MycpFUkspQl
k0EEncoHsnnvMrzSo3YarDOZx0zvtps8AYs4vWFsGg6MI4QQfsxZ9qCwxIRLFLuu
jcpbrTyqU+ALEg34TYb/T85nIudbU++vn/e3309iUTSGDHtnGcHgiEeshWGzFZ4t
yO1U+tbwqyccnDHHVCMQLDGCP13LuNQOyhMC3hGLqx0IfO5+8My0DLkxyCKuksWO
gDutk8GPjsyLUQhXxJG+afadfRtLnrdNtl5RPvtB9186nJGZsvCxHk3kGj2kjwqO
d9EcNT7k1gp6n2IuqxvR04DG/7wIpe8JucDS/ejoc0iysF+4sal/SWMW13TVOkGY
/taikJKzJ9pDgnOAlq4e5o74tmRpcLG6bK2hwsn/ctiHNfqSJ0ID/wvnIEmYecTW
NBrnPl/97vk+Ehk0kCXBZ1zeZ+zzWrzyrA0Gxw7dDDfg6RQZ63Ww3ffWodOdC6fO
tP6pvmOM+bzLiDD5A70wsGGuaWFhwR7LZLPrrkViRedroECqojyv1UkBLR9le6l3
LQwJUrRBacTzjyhIJfiys5VeYBivlnyaoYYaI57Hkry20RHzHRIrVqLIgtJxQch/
gZjshiNFpHkCN6zBmqqnb/m8MEMjSZNzjRzX5rk/eQZliweXskWm65ZnXw+8E6Wi
fBf7qAqSOnSTzL61Snc0yHPKZIRULLjSZbbqKnmMAl5T8HR2v1FpbxmF5hFTsGWb
J8whcD2AqFJh6Ts+0BXrzmgdRwVQrfYPRofXo2ZND3o=
-----END RSA PRIVATE KEY-----
② KS2 imports the key pair that KS1 printed on its screen:
KS2(config)#crypto key import rsa get***key terminal 1234qwer
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
<Enter>
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB

gMtL6Osu6BqsuxTWvGTTC25MG7mNKIRe4Y9gRgjvb33DTg2dWzdf1MycpFUkspQl
k0EEncoHsnnvMrzSo3YarDOZx0zvtps8AYs4vWFsGg6MI4QQfsxZ9qCwxIRLFLuu
jcpbrTyqU+ALEg34TYb/T85nIudbU++vn/e3309iUTSGDHtnGcHgiEeshWGzFZ4t
yO1U+tbwqyccnDHHVCMQLDGCP13LuNQOyhMC3hGLqx0IfO5+8My0DLkxyCKuksWO
gDutk8GPjsyLUQhXxJG+afadfRtLnrdNtl5RPvtB9186nJGZsvCxHk3kGj2kjwqO
d9EcNT7k1gp6n2IuqxvR04DG/7wIpe8JucDS/ejoc0iysF+4sal/SWMW13TVOkGY
/taikJKzJ9pDgnOAlq4e5o74tmRpcLG6bK2hwsn/ctiHNfqSJ0ID/wvnIEmYecTW
NBrnPl/97vk+Ehk0kCXBZ1zeZ+zzWrzyrA0Gxw7dDDfg6RQZ63Ww3ffWodOdC6fO
tP6pvmOM+bzLiDD5A70wsGGuaWFhwR7LZLPrrkViRedroECqojyv1UkBLR9le6l3
LQwJUrRBacTzjyhIJfiys5VeYBivlnyaoYYaI57Hkry20RHzHRIrVqLIgtJxQch/
gZjshiNFpHkCN6zBmqqnb/m8MEMjSZNzjRzX5rk/eQZliweXskWm65ZnXw+8E6Wi
fBf7qAqSOnSTzL61Snc0yHPKZIRULLjSZbbqKnmMAl5T8HR2v1FpbxmF5hFTsGWb
J8whcD2AqFJh6Ts+0BXrzmgdRwVQrfYPRofXo2ZND3o=
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
5. GET VPN configuration:
① Phase 1:
KS1:
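Before pasting the exported pair into KS2 (step ② above), a practitioner would want to confirm what is about to be imported: that the private block really is encrypted, which cipher wraps it, and the modulus size. The following Python script is an added example and not part of the original post; it parses the exact PEM text that KS1 printed in step ① using only the standard library (the function names are mine), and it never decrypts the private key.

```python
"""Audit an RSA key pair exported from a Cisco IOS key server before importing it
on the secondary KS. Added example, not from the original post: the PEM below is
the text KS1 printed in step 4 above; function names are this example's own."""
import base64
import re

# Exact PEM exported by KS1 (public key + 3DES-wrapped private key).
KS1_EXPORT = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB

gMtL6Osu6BqsuxTWvGTTC25MG7mNKIRe4Y9gRgjvb33DTg2dWzdf1MycpFUkspQl
k0EEncoHsnnvMrzSo3YarDOZx0zvtps8AYs4vWFsGg6MI4QQfsxZ9qCwxIRLFLuu
jcpbrTyqU+ALEg34TYb/T85nIudbU++vn/e3309iUTSGDHtnGcHgiEeshWGzFZ4t
yO1U+tbwqyccnDHHVCMQLDGCP13LuNQOyhMC3hGLqx0IfO5+8My0DLkxyCKuksWO
gDutk8GPjsyLUQhXxJG+afadfRtLnrdNtl5RPvtB9186nJGZsvCxHk3kGj2kjwqO
d9EcNT7k1gp6n2IuqxvR04DG/7wIpe8JucDS/ejoc0iysF+4sal/SWMW13TVOkGY
/taikJKzJ9pDgnOAlq4e5o74tmRpcLG6bK2hwsn/ctiHNfqSJ0ID/wvnIEmYecTW
NBrnPl/97vk+Ehk0kCXBZ1zeZ+zzWrzyrA0Gxw7dDDfg6RQZ63Ww3ffWodOdC6fO
tP6pvmOM+bzLiDD5A70wsGGuaWFhwR7LZLPrrkViRedroECqojyv1UkBLR9le6l3
LQwJUrRBacTzjyhIJfiys5VeYBivlnyaoYYaI57Hkry20RHzHRIrVqLIgtJxQch/
gZjshiNFpHkCN6zBmqqnb/m8MEMjSZNzjRzX5rk/eQZliweXskWm65ZnXw+8E6Wi
fBf7qAqSOnSTzL61Snc0yHPKZIRULLjSZbbqKnmMAl5T8HR2v1FpbxmF5hFTsGWb
J8whcD2AqFJh6Ts+0BXrzmgdRwVQrfYPRofXo2ZND3o=
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text):
    """Yield (label, headers, der_bytes) for each PEM block in text."""
    for m in re.finditer(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", text, re.S):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        while lines and ":" in lines[0]:          # RFC 1421 headers precede a blank line
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        body = base64.b64decode("".join(l.strip() for l in lines if l.strip()), validate=True)
        yield label, headers, body


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_params(spki):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo."""
    _, seq, _ = der_tlv(spki, 0)                   # SubjectPublicKeyInfo SEQUENCE
    _, alg, p = der_tlv(seq, 0)                    # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg, 0)
    if oid != bytes.fromhex("2a864886f70d010101"):  # rsaEncryption
        raise ValueError("not an RSA public key")
    _, bitstr, _ = der_tlv(seq, p)                 # BIT STRING; first byte = unused bits
    _, rsakey, _ = der_tlv(bitstr[1:], 0)          # RSAPublicKey SEQUENCE
    _, n, p = der_tlv(rsakey, 0)                   # INTEGER modulus
    _, e, _ = der_tlv(rsakey, p)                   # INTEGER public exponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def audit(pem_text):
    """Findings a KS operator wants before 'crypto key import rsa ... terminal'."""
    report = {"warnings": []}
    for label, headers, body in pem_blocks(pem_text):
        if label == "PUBLIC KEY":
            report["modulus_bits"], report["public_exponent"] = rsa_public_params(body)
        elif label == "RSA PRIVATE KEY":
            report["private_key_encrypted"] = headers.get("Proc-Type") == "4,ENCRYPTED"
            cipher, iv_hex = headers.get("DEK-Info", ",").split(",", 1)
            report["dek_cipher"] = cipher
            report["iv_bytes"] = len(bytes.fromhex(iv_hex))
            report["ciphertext_block_aligned"] = len(body) % 8 == 0   # 3DES block = 8 bytes
    if report.get("modulus_bits", 0) < 2048:
        report["warnings"].append("RSA modulus below 2048 bits")
    if report.get("dek_cipher") == "DES-EDE3-CBC":
        report["warnings"].append("private key wrapped with 3DES (legacy PEM encryption)")
    if not report.get("private_key_encrypted"):
        report["warnings"].append("private key block is NOT encrypted")
    return report


if __name__ == "__main__":
    for k, v in audit(KS1_EXPORT).items():
        print(f"{k}: {v}")
```

On the page's export the script reports a 1024-bit modulus with exponent 65537, an encrypted private block wrapped with DES-EDE3-CBC under an 8-byte IV, and 608 bytes of ciphertext (block-aligned); the two warnings are what an operator would weigh before reusing the same procedure outside a lab.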
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.1
crypto isakmp key cisco address 172.16.1.2
crypto isakmp key cisco address 172.16.1.102
KS2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.1
crypto isakmp key cisco address 172.16.1.2
crypto isakmp key cisco address 172.16.1.101
GM1 and GM2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.1.101
crypto isakmp key cisco address 172.16.1.102
② Interesting traffic:
KS1 and KS2:
ip access-list extended get***traffic
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
③ Phase 2 policy, and the IPsec profile that references it:
KS1 and KS2:
crypto ipsec transform-set get***-set esp-des esp-sha-hmac
 exit
crypto ipsec profile get***-profile
 set transform-set get***-set
④ GET VPN group configuration:
KS1:
crypto gdoi group get***group
 identity number 12345678
 server local
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa get***key
  rekey transport unicast
  sa ipsec 1
   profile get***-profile
   match address ipv4 get***traffic
   replay time window-size 2
  address ipv4 172.16.1.101
  redundancy
   local priority 100
   peer address ipv4 172.16.1.102
KS2:
crypto gdoi group get***group
 identity number 12345678
 server local
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa get***key
  rekey transport unicast
  sa ipsec 1
   profile get***-profile
   match address ipv4 get***traffic
   replay time window-size 2
  address ipv4 172.16.1.102
  redundancy
   local priority 75
   peer address ipv4 172.16.1.101
GM1 and GM2:
crypto gdoi group get***group
 identity number 12345678
 server address ipv4 172.16.1.101
 server address ipv4 172.16.1.102
⑤ Crypto map on the group members:
crypto map get***map 10 gdoi
 set group get***group
interface FastEthernet0/0
 crypto map get***map
6. Verification:
① Check the GET VPN state on the key servers and the group members:
KS1#show crypto gdoi group get***group
Group Name               : get***group (Unicast)
Group Identity           : 12345678
Group Members            : 2
IPSec SA Direction       : Both
Active Group Server      : Local
Redundancy               : Configured
    Local Address        : 172.16.1.101
    Local Priority       : 100
    Local KS Status      : Alive
    Local KS Role        : Primary
Group Rekey Lifetime     : 86400 secs
Group Rekey Remaining Lifetime : 85260 secs
Rekey Retransmit Period  : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit Remaining Lifetime : 0 secs
IPSec SA Number          : 1
IPSec SA Rekey Lifetime  : 3600 secs
Profile Name             : get***-profile
Replay method            : Time Based
Replay Window Size       : 2
SA Rekey Remaining Lifetime : 2268 secs
ACL Configured           : access-list get***traffic
Group Server list        : Local

KS2#show crypto gdoi group get***group
Group Name               : get***group (Unicast)
Group Identity           : 12345678
Group Members            : 2
IPSec SA Direction       : Both
Active Group Server      : Local
Redundancy               : Configured
    Local Address        : 172.16.1.102
    Local Priority       : 75
    Local KS Status      : Alive
    Local KS Role        : Secondary
Group Rekey Lifetime     : 86400 secs
Group Rekey Remaining Lifetime : 85190 secs
Rekey Retransmit Period  : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit Remaining Lifetime : 0 secs
IPSec SA Number          : 1
IPSec SA Rekey Lifetime  : 3600 secs
Profile Name             : get***-profile
Replay method            : Time Based
Replay Window Size       : 2
SA Rekey Remaining Lifetime : 2199 secs
ACL Configured           : access-list get***traffic
Group Server list        : Local

GM1#show crypto gdoi group get***group
Group Name               : get***group
Group Identity           : 12345678
Rekeys received          : 1
IPSec SA Direction       : Both
Active Group Server      : 172.16.1.101
Group Server list        : 172.16.1.101
                           172.16.1.102
GM Reregisters in        : 2054 secs
Rekey Received(hh:mm:ss) : 00:24:48
Rekeys received
    Cumulative           : 1
    After registration   : 1
Rekey Acks sent          : 1
ACL Downloaded From KS 172.16.1.101:
    access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
    Rekey Transport Type : Unicast
    Lifetime (secs)      : 86399
    Encrypt Algorithm    : AES
    Key Size             : 256
    Sig Hash Algorithm   : HMAC_AUTH_SHA
    Sig Key Length (bits): 1024
TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1915)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1915)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:inbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2107)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2107)
        Anti-Replay(Time Based) : 2 sec interval

GM2#show crypto gdoi group get***group
*Mar  1 01:20:18.987: %SYS-5-CONFIG_I: Configured from console by console
GM2#show crypto gdoi group get***group
Group Name               : get***group
Group Identity           : 12345678
Rekeys received          : 1
IPSec SA Direction       : Both
Active Group Server      : 172.16.1.101
Group Server list        : 172.16.1.101
                           172.16.1.102
GM Reregisters in        : 2006 secs
Rekey Received(hh:mm:ss) : 00:25:33
Rekeys received
    Cumulative           : 1
    After registration   : 1
Rekey Acks sent          : 1
ACL Downloaded From KS 172.16.1.101:
    access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
    Rekey Transport Type : Unicast
    Lifetime (secs)      : 86399
    Encrypt Algorithm    : AES
    Key Size             : 256
    Sig Hash Algorithm   : HMAC_AUTH_SHA
    Sig Key Length (bits): 1024
TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1870)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0xFA2E31D9(4197331417)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (1870)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:inbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2062)
        Anti-Replay(Time Based) : 2 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0x9F280E82(2670202498)
        transform: esp-des esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2062)
        Anti-Replay(Time Based) : 2 sec interval
② Check the cooperative (COOP) state of the key servers:
KS1#show crypto gdoi ks coop
Crypto Gdoi Group Name :get***group
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 172.16.1.101
    Local Priority: 100
    Local KS Role: Primary , Local KS Status: Alive
    Primary Timers:
        Primary Refresh Policy Time: 20
        Remaining Time: 4
        Antireplay Sequence Number: 41
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 172.16.1.102
        Peer Priority: 75
        Peer KS Role: Secondary , Peer KS Status: Alive
        Antireplay Sequence Number: 2
        IKE status: Established
        Counters:
          Ann msgs sent: 14
          Ann msgs sent with reply request: 0
          Ann msgs recv: 0
          Ann msgs recv with reply request: 3
          Packet sent drops: 27
          Packet Recv drops: 0
          Total bytes sent: 8652
          Total bytes recv: 3016

KS2#show crypto gdoi ks coop
Crypto Gdoi Group Name :get***group
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 172.16.1.102
    Local Priority: 75
    Local KS Role: Secondary , Local KS Status: Alive
    Secondary Timers:
        Sec Primary Periodic Time: 30
        Remaining Time: 9, Retries: 0
        Antireplay Sequence Number: 3
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 172.16.1.101
        Peer Priority: 100
        Peer KS Role: Primary , Peer KS Status: Alive
        Antireplay Sequence Number: 43
        IKE status: Established
        Counters:
          Ann msgs sent: 0
          Ann msgs sent with reply request: 3
          Ann msgs recv: 13
          Ann msgs recv with reply request: 0
          Packet sent drops: 0
          Packet Recv drops: 0
          Total bytes sent: 3016
          Total bytes recv: 8034
③ Check the members registered on the key servers:
KS1#show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group get***group : 1
Group Member ID    : 172.16.1.1
 Group ID          : 12345678
 Group Name        : get***group
 Key Server ID     : 172.16.1.101
 Rekeys sent       : 1
 Rekey Acks Rcvd   : 1
 Rekey Acks missed : 0
 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0
Group Member ID    : 172.16.1.2
 Group ID          : 12345678
 Group Name        : get***group
 Key Server ID     : 172.16.1.101
 Rekeys sent       : 1
 Rekey Acks Rcvd   : 1
 Rekey Acks missed : 0
 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0

KS2#show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group get***group : 0
Group Member ID    : 172.16.1.1
 Group ID          : 12345678
 Group Name        : get***group
 Key Server ID     : 172.16.1.101
 Rekeys sent       : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0
 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0
Group Member ID    : 172.16.1.2
 Group ID          : 12345678
 Group Name        : get***group
 Key Server ID     : 172.16.1.101
 Rekeys sent       : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0
 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0
④ Test GET VPN encryption and decryption on a group member:
Step 1: check the encrypt/decrypt counters on GM1 before the test
GM1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm   Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
    2 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
    5 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
    6 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
 1001 Fa0/0      IKE   SHA+DES           0        0 172.16.1.1
 1002 <none>     IKE   SHA+AES256        0        0
 1003 <none>     IKE   SHA+AES256        0        0
Step 2: generate interesting traffic from GM1 with ping so that it gets encrypted
GM1#ping 10.1.2.1 source 10.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/27/68 ms
Step 3: check the encrypt/decrypt counters on GM1 after the test
GM1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm   Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA           0      100 10.0.0.0
    2 Fa0/0      IPsec DES+SHA         100        0 10.0.0.0
    5 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
    6 Fa0/0      IPsec DES+SHA           0        0 10.0.0.0
 1001 Fa0/0      IKE   SHA+DES           0        0 172.16.1.1
 1002 <none>     IKE   SHA+AES256        0        0
 1003 <none>     IKE   SHA+AES256        0        0
⑤ Group member access-list configuration
Step 1: GM1 tests reachability to the network behind KS1
GM1#ping 10.1.101.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
The reason the traffic fails: a packet from 10.1.1.1 to 10.1.101.1 matches the GET VPN interesting-traffic ACL, so it is encrypted under the group policy, but the key server KS1 is not a group member and holds no IPsec SA, so it cannot decrypt the packet and communication fails. The fix is to configure a group-member ACL on GM1 that bypasses traffic from 10.1.1.0/24 to 10.1.101.0/24.
Step 2: configure the group-member ACL on GM1
GM1(config)#ip access-list extended bypass
GM1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
GM1(config)#crypto map cisco 10
GM1(config-crypto-map)#match address bypass
Step 3: GM1 tests reachability to the network behind KS1 again
GM1#ping 10.1.101.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/120/156 ms
Notes:
① The exception can also be written into the interesting-traffic ACL on the KS, as shown below:
KS1#show ip access-lists
Extended IP access list get***traffic
    5 deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
    6 deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255
    10 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
② However, apart from removing and re-applying the crypto map on the group member's interface (no crypto map get***map, then crypto map get***map), I did not find a better way to make the KS push the updated interesting-traffic ACL to each group member quickly.
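The ping failure in ⑤ and its two fixes (a deny entry in the GM-local ACL attached with match address, or deny entries placed ahead of the permit in the KS ACL) both come down to ACL ordering. The following Python model is an added example and not code from the original post: it evaluates IOS wildcard-mask ACEs first-match, consults the GM-local ACL before the ACL downloaded from the KS, and lists which GM-to-KS flows would be encrypted toward a device that holds no TEK. The ACL text is taken from the page; the function names and the "clear"/"encrypt" labels are mine.

```python
"""Model of how a GET VPN group member classifies an outbound packet.
Added example, not from the original post. Evaluation order modelled:
the GM-local ACL ('match address' on the gdoi crypto map) first, then the
ACL downloaded from the KS; first match wins; unmatched traffic is sent in
the clear. Function names and the 'clear'/'encrypt' labels are this example's own."""
import ipaddress


def parse_ace(line):
    """Parse one IOS extended ACE: '[seq] permit|deny ip SRC WILDCARD DST WILDCARD'."""
    tok = line.split()
    if tok[0].isdigit():                 # 'show ip access-lists' prefixes a sequence number
        tok = tok[1:]
    action, proto, src, src_wc, dst, dst_wc = tok[:6]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    return action, (src, src_wc), (dst, dst_wc)


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation: 'permit', 'deny', or None when no ACE matched."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return None


def gm_disposition(src, dst, local_acl, downloaded_acl):
    """Return (disposition, reason) for a packet leaving the GM's crypto-map interface."""
    if acl_lookup(local_acl, src, dst) == "deny":
        return "clear", "GM-local deny (bypass)"
    verdict = acl_lookup(downloaded_acl, src, dst)
    if verdict == "permit":
        return "encrypt", "KS ACL permit"
    if verdict == "deny":
        return "clear", "KS ACL deny"
    return "clear", "no match"


def ks_reachability_gaps(downloaded_acl, gm_sources, ks_destinations, local_acl=()):
    """(src, dst) pairs the GM would encrypt toward a key-server address. A KS that
    is not also a GM holds no TEK, so every pair listed is traffic it cannot
    decrypt: the failure seen in the ping test above."""
    return [(s, d) for s in gm_sources for d in ks_destinations
            if gm_disposition(s, d, list(local_acl), downloaded_acl)[0] == "encrypt"]


# ACLs as they appear on the page (same text, held here as constructed lists).
KS_ACL_ORIGINAL = ["permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"]
KS_ACL_WITH_DENIES = [
    "5 deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255",
    "6 deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255",
    "10 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]
GM1_BYPASS_ACL = ["deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255"]

if __name__ == "__main__":
    gms, ks_behind = ["10.1.1.1", "10.1.2.1"], ["10.1.101.1"]
    print("GM1 -> GM2:", gm_disposition("10.1.1.1", "10.1.2.1", [], KS_ACL_ORIGINAL))
    print("GM1 -> KS1 loopback:", gm_disposition("10.1.1.1", "10.1.101.1", [], KS_ACL_ORIGINAL))
    print("gaps, original KS ACL:", ks_reachability_gaps(KS_ACL_ORIGINAL, gms, ks_behind))
    print("gaps, KS ACL with denies:", ks_reachability_gaps(KS_ACL_WITH_DENIES, gms, ks_behind))
    print("gaps, GM1 bypass ACL:", ks_reachability_gaps(KS_ACL_ORIGINAL, ["10.1.1.1"], ks_behind, GM1_BYPASS_ACL))
```

Run before deploying a new interesting-traffic ACL, ks_reachability_gaps is the check that would have caught the 10.0.0.0/8 permit swallowing the KS loopback: with the original ACL it lists both GM loopbacks against 10.1.101.1, with either fix it returns an empty list, and GM1-to-GM2 traffic still comes back as "encrypt". Registration traffic between the 172.16.1.0/24 addresses never matches the ACL and is sent in the clear, as GDOI requires.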
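The KS policy replay time window-size 2 (reported on the GMs as Anti-Replay(Time Based) : 2 sec interval) selects time-based anti-replay instead of the sequence-number window that point-to-point IPsec uses. The reason is visible in the verification output: GM1 and GM2 install the same SPIs, because the group SA is shared by every member, and a per-SA counter window cannot work when several senders each keep their own counter. The following Python model is an added example and not from the original post: both receivers are simplified toy classes, the pseudotime stamps are constructed, and the 64-packet counter window is an assumed default rather than a value from the page.

```python
"""Why a group SA needs time-based anti-replay (TBAR). Simplified model, added as
an example and not from the original post. 'pseudotime' stands in for the
KS-synchronised clock value GET VPN stamps into each packet; the counter window
of 64 is an assumed default, the 2 s window is the page's 'replay time window-size 2'."""


class CounterWindowReceiver:
    """Classic IPsec anti-replay: one sliding window over the ESP sequence number.
    Correct only while exactly one sender owns the SA."""

    def __init__(self, window=64):
        self.window = window
        self.highest = 0
        self.seen = set()

    def accept(self, seq):
        if seq <= self.highest - self.window:        # behind the window: too old
            return False
        if seq in self.seen:                         # inside the window but already used
            return False
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True


class TimeBasedReceiver:
    """GET VPN style: every sender stamps packets with the shared pseudotime and the
    receiver accepts a packet only if that stamp is within +/- window seconds of its
    own pseudotime, so any number of senders can share one SA without coordinating."""

    def __init__(self, window_secs=2):
        self.window = window_secs

    def accept(self, pkt_pseudotime, rx_pseudotime):
        return abs(rx_pseudotime - pkt_pseudotime) <= self.window


def counter_window_with_two_senders(first_count=100, second_count=100, window=64):
    """GM1 and GM2 both send on the same inbound SA (same SPI), each with its own
    counter starting at 1. Returns how many packets of each sender a counter-based
    receiver accepts: the second sender's traffic is rejected as old or duplicate."""
    rx = CounterWindowReceiver(window)
    first = sum(rx.accept(seq) for seq in range(1, first_count + 1))
    second = sum(rx.accept(seq) for seq in range(1, second_count + 1))
    return first, second


def tbar_with_two_senders(window_secs=2):
    """Constructed packets: (sender, pseudotime stamped by the sender, pseudotime at
    the receiver). Returns the verdicts for live traffic from both GMs and for one
    packet captured at t=100.0 and replayed at t=105.0, outside the 2 s window."""
    rx = TimeBasedReceiver(window_secs)
    live = [("GM1", 100.0, 100.3), ("GM2", 100.1, 100.4), ("GM1", 101.0, 101.2)]
    verdicts = [rx.accept(stamp, now) for _, stamp, now in live]
    replay_verdict = rx.accept(100.0, 105.0)
    return verdicts, replay_verdict


if __name__ == "__main__":
    print("counter window, accepted (GM1, GM2):", counter_window_with_two_senders())
    print("TBAR, live verdicts and replayed packet:", tbar_with_two_senders())
```

The trade-off the model makes visible: TBAR depends on all members staying within the window of the KS's pseudotime, which is why the window is a policy value pushed with the TEK rather than a per-GM setting, and why a GM whose clock drifts past the window starts dropping legitimate traffic.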
Reposted from: http://lvezl.baihongyu.com/