Category Archives: CCIE Security

The Group Encrypted Transport (GET) VPN


GET VPN is a really clever method of building a full mesh of VPN connections that are established dynamically. An administrator no longer needs to build and maintain a web of point-to-point VPN tunnels, which is cumbersome and tedious. Another awesome feature is header preservation: because the original IP header is kept, the solution can eliminate the need for things like GRE tunnels when protecting multicast traffic and handling NAT traversal.

GET VPN relies upon a newer protocol called the Group Domain of Interpretation (GDOI), which you can basically think of as an enhanced version of ISAKMP. It is the safety net for keying information in the GET VPN environment: Key Servers (KSs) provide the keying information to Group Members (GMs). Note that by design, the Key Server does not participate in the encryption domain. Instead, its job is to distribute the ISAKMP/IPsec Security Associations (SAs) to the Group Members.

So the Key Server (or Servers, for redundancy) is an important ingredient in a GET VPN. It stores the IPsec policies that group members use to encrypt unicast and multicast traffic to each other! By the way, this device can store multiple policies for multiple different groups, which adds to the flexibility of the solution. It is also possible to use GET VPN in conjunction with Dynamic Multipoint VPNs (DMVPNs).
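As an added illustration (not configuration from the original post), here is a minimal IOS Key Server and Group Member pair for the model described above. The group name, identity number, addresses, pre-shared key, RSA key label and ACL name are assumed placeholders; the KS applies no crypto map itself, and the ACL it pushes keeps GDOI control traffic (UDP 848) out of the encryption domain.

```cisco
! ===== Key Server (assumed address 10.0.0.1) =====
! ISAKMP protects the GDOI registration between KS and GM
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
! IPsec policy the KS hands out; it is never applied locally,
! so the KS stays outside the encryption domain
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
! GETVPN-REKEY is an RSA key generated beforehand to sign rekey messages
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
  address ipv4 10.0.0.1
! Encryption-domain ACL: traffic matched here is encrypted by every GM.
! GDOI control traffic (UDP 848) is explicitly left in the clear.
ip access-list extended GETVPN-ACL
 deny   udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! ===== Group Member (any site router) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 10.0.0.1
! The GM only names the group and the KS; the SA and ACL arrive from the KS
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map GETVPN-MAP
```

Once a GM registers, `show crypto gdoi` on the GM lists the SA and ACL it received from the KS rather than anything configured locally.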