
Version 4.1 - 6.6.c GETVPN

GETVPN is Group Encrypted Transport VPN. "Group Encrypted" is the key here - it tells you what it does. Fortunately, I have a lot of experience with this, so this section is not going to be a problem for me. If you don't have experience with this, start by reading the GETVPN Design and Implementation Guide. Another good reference is the Cisco IOS GETVPN Solution Deployment Guide.

INE has some really good videos on this in the SIMOS section, Advanced Technologies section and check the R/S section too. Remember this is the one that only runs on IOS routers.

Know your keyserver - and how to configure it. Know that this is where all the "real" information resides. Then learn how to configure Group Members. Know your TEK and KEK. If you know what those letters stand for, you know which one encrypts the traffic and which one encrypts the key. Know what GDOI is (Group Domain of Interpretation).

The steps below explain protocol flows that are necessary for Group Members to participate in a GETVPN group:

1. Once the GM boots up, it attempts to register with the KS using the GDOI protocol.
2. Registration goes through after successful mutual authentication.
3. After successful registration the GM receives the KEK and TEK keys.
4. GMs can now encrypt and decrypt packets as specified by the SA.
5. The KS keeps track of the SA lifetime. It sends rekey information when the current SA is about to expire. Rekey information includes the new SA and session key details. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.

Also remember with GETVPN that you're seeing the real source and destination addresses - versus other VPN technologies that use the tunnel interface as the source and destination.

Remember the importance of the identity number!

crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 10.0.0.1
 server address ipv4 10.0.6.1

And there is a Cisco GETVPN Troubleshoot Guide.

When a group member registers with the key server, the key server verifies the group ID that the group member is attempting to join. If this ID is a valid group ID, the key server sends the SA policy to the group member. After the group member acknowledges that it can handle the downloaded policy, the key server downloads the respective keys.

Note that the KS identifies the group by the identity number, not by the group name - the group name is only locally significant on each router.

Note that any GM can encrypt and decrypt any other GM's traffic because they all share the same group TEK - so you don't need to configure P2P or P2M tunnels.
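As an added example (not from the original post), here is a minimal key server and group member configuration that goes with the GM snippet above. It keeps the group name, identity number and KS addresses from the post; the GM address 10.0.1.1, the pre-shared key, the RSA key label, the ACL and profile names, and the protected subnets are assumptions.

```cisco
! ===== Key server (10.0.0.1) - this is where the policy really lives =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
! assumed: one pre-shared key per GM (GM at 10.0.1.1)
crypto isakmp key GETVPN-PSK address 10.0.1.1
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
 mode tunnel
! the profile is pushed to GMs as part of the TEK policy
crypto ipsec profile GDOI-PROFILE
 set transform-set TS-AES
! exec mode, run once before the rekey config: rekeys are signed with this RSA key
! crypto key generate rsa general-keys label REKEY-RSA modulus 2048
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa REKEY-RSA
  rekey transport unicast
  rekey lifetime seconds 3600
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ENCRYPT
   replay time window-size 5
  address ipv4 10.0.0.1
! the encrypt ACL is downloaded to every GM; deny GDOI itself (UDP 848) so
! registration and rekey traffic is never wrapped in the group SA
ip access-list extended GETVPN-ENCRYPT
 deny udp any eq 848 any eq 848
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

! ===== Group member (10.0.1.1) - no SA policy here, only where to register =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 10.0.0.1
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 10.0.0.1
 server address ipv4 10.0.6.1
! a gdoi crypto map on the WAN interface; the KS supplies the ACL, transform and keys
crypto map GETVPN-MAP 10 gdoi
 set group GDOI-GROUP1
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 crypto map GETVPN-MAP
```

Because the original IP header is preserved, the GM's WAN interface needs routes to the protected subnets as usual; there is no tunnel interface to route over.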
