The Group Encrypted Transport (GET) VPN

mpls-icon

GET VPN is a really clever method of enabling a full mesh of VPN connections that can be established dynamically. No longer will an administrator need to worry about the construction of point-to-point VPN tunnels that can be very cumbersome and tedious to create and maintain. Another awesome feature is that there is header preservation with GET VPN. So the solution can eliminate the need for things like GRE tunnels for protecting multicast traffic and NAT traversal.

GET VPN relies upon a new protocol called the Group Domain of Interpretation (GDOI). You can basically think of this protocol as an enhanced version of ISAKMP. It will provide the safety net of keying information in the GET VPN environment. Key Servers (KS) can provide the keying information to Group Members (GMs) in the GET VPN. Note that by design, the Key Server does not participate in the encryption domain. Instead, its job is to distribute the ISAKMP/IPsec Security Association (SAs) to the Group Members.

So the Key Server (or Servers for redundancy) are an important ingredient in the GET VPN. They store the IPsec policies that group members will use to encrypt unicast and multicast traffic to each other! By the way – this device can store multiple policies for multiple different groups to add to the flexibility of the solution. It is also possible to use GET VPN in conjunction with Dynamic Multipoint VPNS (DMVPNs).

What would this configuration look like? Here is a sample Key Server configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 400
crypto isakmp key CISCO address 10.1.1.13
crypto isakmp key CISCO address 10.1.1.9

!
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile PROFILE1
 set security-association lifetime seconds 1800
 set transform-set TRANS
!
crypto gdoi group GROUP1
 identity number 1
 server local
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa group1-export-general
  rekey transport unicast
  sa ipsec 1
   profile PROFILE1
   match address ipv4 101
   replay counter window-size 64
   address ipv4 10.1.1.17

Here is a sample Group Member configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key CISCO address 10.1.1.17
!
crypto gdoi group GROUP1
 identity number 1
 server address ipv4 10.1.1.17
!
crypto map map-group1 10 gdoi
 set group GROUP1

6 thoughts on “The Group Encrypted Transport (GET) VPN

Leave a Reply

Your email address will not be published.