GET VPN (Group Encrypted Transport VPN) is a VPN technology designed to provide scalable encryption of multicast traffic.

Traditional IPsec VPNs only allow for point-to-point IPsec SAs.

Key features

  1. Preservation of the original IP packet header.
  2. Instead of adding a second layer of encapsulation, GET VPN simply replicates the original packet header in tunnel mode.
  3. It is an integrated multicast infrastructure without multicast replication.
  4. It is the perfect solution for MPLS WAN networks.
  5. It provides large-scale any-to-any IP connectivity using a group IPsec SA.
  6. It is integrated with QoS and TE.
  7. It uses a key server for centrally distributing encryption policies, interesting traffic, encryption protocols, SAs and rekey timers.
  8. COOP key servers are used for load balancing and redundancy.
  9. GMs (group members) are responsible for the actual encryption and decryption. Only IKE phase 1 parameters need to be configured on them.
  10. A rekey mechanism is included.
  11. It uses GDOI for communication between GMs and key servers (the shared group encryption keys are sent using GDOI).
  12. It uses time-based anti-replay.



Operation

    All group members register with the KS and establish a phase 1 IKE SA.
    Every member receives two group keys: KEK and TEK.
    KEK is used for control-plane messages.
    TEK is used for data-plane traffic.
    Both keys are shared by all nodes and periodically refreshed.
    The key server may use multicast or unicast messages to refresh the KEK/TEK.

Replay protection

    IPsec prevents replay by running sequence numbers for each end of the tunnel connection and incrementing them for every packet sent. If the receiver does not receive the packet with the expected sequence number, it discards it.

Instead of this, the key server runs a special pseudo-time virtual clock and distributes this time to the GMs.
Every GM syncs its pseudo-time with the KS and time-stamps all outgoing packets. The receiving side checks that the time stamp is within the acceptable window (+10 or -10); otherwise the packet is discarded.
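The following Python model is an added example, not code from the original notes or from Cisco: it walks through the Operation and Replay protection sections above. A toy key server hands every registering member the same KEK/TEK pair, the current pseudo-time and the window size; a member stamps each packet with its pseudo-time and authenticates it under the shared TEK (HMAC-SHA256 stands in for the ESP transform), and the receiver rejects packets whose tag fails or whose stamp falls outside +/- window of its own clock. The class and method names, the 4-byte stamp layout and the starting clock value are all assumptions made for the example; IKE phase 1 and the GDOI rekey transport are not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TS_LEN = 4    # bytes used for the pseudo-time stamp (assumed layout)
TAG_LEN = 32  # HMAC-SHA256 tag


@dataclass
class GroupKeys:
    kek: bytes  # protects rekey (control-plane) messages
    tek: bytes  # protects data-plane traffic


class KeyServer:
    """Toy KS: every registering member gets the same keys, pseudo-time and window."""

    def __init__(self, window: int) -> None:
        self.keys = GroupKeys(secrets.token_bytes(32), secrets.token_bytes(32))
        self.window = window
        self.pseudo_time = 1000  # arbitrary start value for the virtual clock

    def register(self) -> tuple[GroupKeys, int, int]:
        # IKE phase 1 authentication of the member is assumed to have succeeded.
        return self.keys, self.pseudo_time, self.window

    def rekey(self) -> GroupKeys:
        # Fresh TEK, same KEK. Real GDOI delivers this under the KEK; not modelled.
        self.keys = GroupKeys(self.keys.kek, secrets.token_bytes(32))
        return self.keys


class GroupMember:
    def __init__(self, name: str, ks: KeyServer) -> None:
        self.name = name
        self.keys, self.pseudo_time, self.window = ks.register()

    def install_rekey(self, keys: GroupKeys) -> None:
        self.keys = keys

    def protect(self, payload: bytes) -> bytes:
        """Stamp the packet with the sender's pseudo-time and authenticate it under the TEK."""
        body = self.pseudo_time.to_bytes(TS_LEN, "big") + payload
        tag = hmac.new(self.keys.tek, body, hashlib.sha256).digest()
        return body + tag

    def verify(self, packet: bytes) -> tuple[bool, str]:
        """Return (accepted, reason). Integrity is checked before the time window."""
        if len(packet) < TS_LEN + TAG_LEN:
            return False, "truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.keys.tek, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (wrong TEK or tampered)"
        ts = int.from_bytes(body[:TS_LEN], "big")
        if abs(ts - self.pseudo_time) > self.window:
            return False, f"timestamp {ts} outside +/-{self.window} of {self.pseudo_time}"
        return True, "accepted"


if __name__ == "__main__":
    ks = KeyServer(window=5)  # matches "replay time window-size 5" in the R3 config
    r4, r5 = GroupMember("R4", ks), GroupMember("R5", ks)
    pkt = r4.protect(b"constructed payload")
    print(r5.verify(pkt))
    r5.pseudo_time += 6  # simulate a receiver whose clock drifted past the window
    print(r5.verify(pkt))
```

Two behaviours worth noticing when you run it: a packet replayed inside the window is accepted again, because time-based anti-replay has no per-packet sequence state, which is why the window is kept small; and after a rekey, a member that has not yet installed the new TEK produces packets the rest of the group rejects, so rekey timing (not just key secrecy) is part of the availability picture.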



Here R3 is the key server; R4 and R5 are group members.

R3 Configuration

        ! IKE phase 1 policy. 3des/md5 are kept as in the original lab;
        ! Cisco's Next Generation Encryption guidance recommends AES and SHA-2 instead.
        #crypto isakmp policy 10
                encr 3des
                hash md5
                group 2
                authentication pre-share

        ! Wildcard pre-shared key so any GM can authenticate to the KS
        #crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

        #crypto ipsec transform-set NETSET esp-3des esp-md5-hmac

        #crypto ipsec profile NETPROFILE
                set transform-set NETSET

        ! RSA key pair used to sign rekey messages
        #crypto key generate rsa general-keys label NET_GET modulus 1024 exportable

        #crypto gdoi group GET_GROUP
                identity number 1234
                server local
                    rekey authentication mypubkey rsa NET_GET
                    rekey transport unicast
                    address ipv4 10.0.0.3
                    sa ipsec 1
                        profile NETPROFILE
                        replay time window-size 5
                        ! A working KS also needs the encryption policy ACL attached here
                        ! with "match address ipv4 <acl-name>"; it is not part of these notes.

Configuration on R4

        #crypto isakmp policy 10
                encr 3des
                hash md5
                group 2
                authentication pre-share

        ! Pre-shared key for the KS only
        #crypto isakmp key CISCO address 10.0.0.3

        ! Group name is locally significant; the identity number must match the KS
        #crypto gdoi group NET_GROUP
                identity number 1234
                server address ipv4 10.0.0.3

        #crypto map NET_MAP local-address loopback 0
        #crypto map NET_MAP 10 gdoi
                set group NET_GROUP

        #interface Ethernet0/0
                crypto map NET_MAP




Configuration on R5

        #crypto isakmp policy 10
                encr 3des
                hash md5
                group 2
                authentication pre-share

        #crypto isakmp key CISCO address 10.0.0.3

        #crypto gdoi group NET_GROUP
                identity number 1234
                server address ipv4 10.0.0.3

        #crypto map NET_MAP local-address loopback 0
        #crypto map NET_MAP 10 gdoi
                set group NET_GROUP

        #interface Ethernet0/0
                crypto map NET_MAP