GET VPN (Group Encrypted Transport VPN) is a Cisco VPN technology designed to provide scalable encryption of multicast and unicast traffic over a private WAN.
Traditional IPsec VPNs only allow point-to-point IPsec SAs between pairs of peers, so every pair of sites needs its own tunnel and multicast traffic has to be replicated once per tunnel.
Key features
- Preservation of the original IP packet header.
- Instead of adding a second layer of encapsulation, GET VPN uses IPsec tunnel mode but copies the original IP header into the outer header, so routing and multicast forwarding in the core still see the original source and destination addresses.
- It uses the existing multicast infrastructure of the WAN; the encrypting routers do not have to replicate multicast packets per tunnel.
- It is well suited to private MPLS WANs, where the provider network already offers any-to-any reachability.
- It provides large-scale any-to-any IP connectivity using a single group IPsec SA shared by all members.
- It integrates with existing QoS and traffic engineering, because the original header (including the ToS/DSCP byte) is preserved.
- It uses a key server (KS) to centrally distribute the encryption policy: the interesting-traffic ACL, the encryption and hashing algorithms, the group SAs and the rekey timers.
- Cooperative (COOP) key servers provide load balancing and redundancy.
- Group members (GMs) perform the actual encryption and decryption. A GM only needs IKE phase 1 parameters and the address of the key server; the IPsec policy itself is downloaded from the KS.
- A rekey mechanism is included.
- GDOI (Group Domain of Interpretation, RFC 6407) is used between GMs and key servers; the shared group encryption keys are delivered over GDOI.
- It uses time-based anti-replay, since a single SA shared by many senders cannot rely on per-peer sequence numbers.
Operation
All group members register with the KS; registration is protected by an IKE phase 1 SA between the GM and the KS.
Every member receives two group keys: the KEK and the TEK.
The KEK (Key Encryption Key) protects control-plane messages, i.e. the rekey messages sent by the KS.
The TEK (Traffic Encryption Key) is the IPsec SA key used to encrypt the data-plane traffic between GMs.
Both keys are shared by all group members and are periodically refreshed by the KS before they expire.
The key server may use multicast or unicast rekey messages to push new KEK/TEK material (the configuration below uses unicast rekey).
Replay protection
Classic IPsec prevents replay with a per-SA sequence number: the sender increments it for every packet, and the receiver keeps a sliding window of recently seen numbers and discards any packet whose sequence number falls outside the window or has already been seen. This only works when one sender owns the SA; with a group SA shared by many senders, the receiver cannot tell a second sender's packets from replays.
Instead, GET VPN uses a pseudo-time clock: the key server runs the clock and distributes the current pseudo-time to all GMs.
Every GM synchronises its pseudo-time with the KS (at registration and on each rekey) and time-stamps every outgoing packet. The receiving GM checks that the time stamp is within the acceptable window around its own pseudo-time (for example plus or minus 10 seconds; the configuration below uses a 5-second window) and otherwise discards the packet. A packet replayed inside the window is still accepted, so the window bounds the replay opportunity rather than eliminating it.
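To make the Operation and Replay protection sections concrete, here is a small Python model of the two mechanisms. It is an added illustration, not Cisco code: the KeyServer and GroupMember classes, the router names, the pseudo-time values and the 5-second window are assumed for the example. It shows why per-SA sequence numbers break when two senders share one group SA, how the pseudo-time window accepts traffic from any sender without per-sender state, and two edge cases: a replay inside the window is still accepted, and a GM whose clock has drifted is rejected until it resyncs on the next rekey.

```python
"""
Toy model of IPsec sequence-number anti-replay versus GET VPN time-based
anti-replay.  Added illustration, not Cisco code; all values are assumed.
"""


class SeqWindow:
    """Classic IPsec anti-replay (RFC 4303 style): one sender per SA keeps a
    monotonically increasing sequence number; the receiver tracks a sliding
    window of `size` numbers and rejects anything below it or already seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted numbers still inside the window

    def accept(self, seq):
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False      # fell out of the window, or a replay
        self.seen.add(seq)
        return True


class KeyServer:
    """The KS owns the group pseudo-time and hands it to GMs at registration
    and on every rekey (assumed model of the KS behaviour)."""

    def __init__(self, pseudo_time=1000):
        self.pseudo_time = pseudo_time

    def tick(self, seconds):
        self.pseudo_time += seconds


class GroupMember:
    """A GM keeps a local copy of pseudo-time, stamps every outgoing packet
    with it, and accepts an incoming packet only if its stamp is within
    +/- `window` seconds of its own clock (the `replay time window-size`)."""

    def __init__(self, name, ks, window=5):
        self.name = name
        self.window = window
        self.clock = ks.pseudo_time     # registration: sync with the KS

    def tick(self, seconds):
        self.clock += seconds           # local clock runs on its own

    def sync(self, ks):
        self.clock = ks.pseudo_time     # a rekey carries fresh pseudo-time

    def stamp(self, payload):
        # (sender, pseudo-timestamp, payload) stands in for an ESP packet
        return (self.name, self.clock, payload)

    def accept(self, packet):
        _sender, ts, _payload = packet
        return abs(ts - self.clock) <= self.window


def sequence_numbers_on_a_group_sa():
    """Two senders sharing one SA both count from 1: the receiver, which has
    no per-sender state, treats the second sender's packets as replays."""
    rx = SeqWindow()
    from_r4 = [rx.accept(1), rx.accept(2)]
    from_r5 = [rx.accept(1), rx.accept(2)]
    return from_r4 + from_r5          # [True, True, False, False]


def time_based_on_a_group_sa():
    """Walk through the pseudo-time check with two senders, a replay inside
    and outside the window, clock drift, and resync on rekey."""
    ks = KeyServer(pseudo_time=1000)
    r4, r5, rx = (GroupMember(n, ks) for n in ("R4", "R5", "RX"))
    results = {}
    results["r4_fresh"] = rx.accept(r4.stamp(b"a"))      # any sender is fine
    results["r5_fresh"] = rx.accept(r5.stamp(b"b"))
    captured = r4.stamp(b"a")                            # attacker records at t=1000
    for gm in (r4, r5, rx):
        gm.tick(3)
    results["replay_in_window"] = rx.accept(captured)    # 3 s old: accepted (tradeoff)
    for gm in (r4, r5, rx):
        gm.tick(5)
    results["replay_late"] = rx.accept(captured)         # 8 s old: rejected
    rx.tick(20)                                          # receiver's clock drifts ahead
    results["drifted"] = rx.accept(r4.stamp(b"c"))       # good traffic now looks replayed
    ks.tick(8)                                           # KS pseudo-time also moved on
    rx.sync(ks)
    r4.sync(ks)                                          # rekey resynchronises both
    results["after_resync"] = rx.accept(r4.stamp(b"d"))
    return results
```

The `drifted` case is why the KS pushes pseudo-time with every rekey: a GM that falls outside the window drops legitimate group traffic until the next synchronisation, so the window size is a trade-off between replay exposure and tolerance for clock skew between members.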
Here R3 is the key server, and R4 and R5 are group members.
R3 Configuration
#crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
! lab settings: 3DES, MD5 and DH group 2 are deprecated; use AES, SHA-2 and a stronger DH group in production
#crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
! a wildcard pre-shared key lets any host that knows CISCO attempt registration; prefer per-GM keys or certificates
#crypto ipsec transform-set NETSET esp-3des esp-md5-hmac
#crypto ipsec profile NETPROFILE
 set transform-set NETSET
#crypto key generate rsa general-keys label NET_GET modulus 1024 exportable
! NET_GET signs rekey messages so GMs can verify they came from the KS; 1024-bit RSA is too small for production, use 2048 or larger
#crypto gdoi group GET_GROUP
! the group name is local to each router; the identity number (1234) is what the KS and GMs must share
 identity number 1234
 server local
  rekey authentication mypubkey rsa NET_GET
  rekey transport unicast
  address ipv4 10.0.0.3
  sa ipsec 1
   profile NETPROFILE
   match address ipv4 GET_ACL
   replay time window-size 5
! assumed: the page did not show the interesting-traffic ACL, so GET_ACL is a placeholder; it must exclude the GDOI (UDP 848) and ISAKMP registration traffic itself
#ip access-list extended GET_ACL
 deny udp any eq 848 any eq 848
 deny udp any eq isakmp any eq isakmp
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
Configuration on R4
#crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
#crypto isakmp key CISCO address 10.0.0.3
#crypto gdoi group NET_GROUP
 identity number 1234
 server address ipv4 10.0.0.3
! identity number must match the KS group; the GM downloads the transform set, ACL and keys from the KS, so no IPsec policy is configured here
#crypto map NET_MAP local-address Loopback0
! Loopback0 is the address the GM registers from; it must be reachable from the KS
#crypto map NET_MAP 10 gdoi
 set group NET_GROUP
#interface Ethernet0/0
 crypto map NET_MAP
Configuration on R5
#crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
#crypto isakmp key CISCO address 10.0.0.3
#crypto gdoi group NET_GROUP
 identity number 1234
 server address ipv4 10.0.0.3
#crypto map NET_MAP local-address Loopback0
#crypto map NET_MAP 10 gdoi
 set group NET_GROUP
#interface Ethernet0/0
 crypto map NET_MAP