Wednesday 22 October 2014

Group Encrypted Transport VPN (GET VPN)


Ingredients
 -Key Servers (KS)
 -Key Encryption Key (KEK) - used between the Key Server and the GMs for rekeying (pushing new TEKs and policy) after the IKE phase 1 SA is torn down
 -Traffic Encryption Key (TEK) - one SA (the key for encrypting/decrypting traffic) shared by all group members
 -Key Distribution (IKE, Group Domain of Interpretation (GDOI))
 -Group Members (GM)
 -Group SA
 -Rekeying

Why GET VPN?
For other types of VPNs (like site-to-site VPN), multicast traffic has to be sent multiple times from the hub to the spokes, because each spoke has a separate tunnel.
For FlexVPN and DMVPN, where dynamic spoke-to-spoke tunnels are built automatically, the first few packets might be lost or routed through the hub before the direct tunnel between the spokes is built. This might not be acceptable in some cases.

In GET VPN, group members don't need a direct tunnel between them and can still send encrypted traffic to each other.
GET VPN is not the perfect solution for every topology. The default topology GET VPN is designed for is full mesh.

In GET VPN, the IP header from source A to destination B is not modified; the original IP header is preserved. So the ISP or any intermediate router must know how to route this traffic between source A and destination B. This is different from other VPN types, where the original source and destination IP headers are hidden inside IPsec. That is also why the hub needs to send multicast traffic only once in GET VPN.
In GET VPN, behind the preserved IP header there is still ESP (protocol #50), as used by IPsec.
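The header preservation described above, as an added example that is not code from the original post: a small Python model of what a router between A and B sees when a GM encapsulates a packet. The function names, the sample addresses and the zero-byte "ciphertext" are all constructed for illustration; real ESP encryption under the TEK is not performed. The point it shows is that the outer header still carries the original source and destination with protocol 50 behind it, so the underlay routing table must have a route to the original destination.

```python
# Added example: models GET VPN header preservation (not code from the original post).
import ipaddress
import struct
from typing import Optional

ESP_PROTOCOL = 50      # IP protocol number for ESP, as the post notes
IPV4_HEADER_LEN = 20   # minimal IPv4 header without options
ESP_HEADER_LEN = 8     # SPI (4 bytes) + sequence number (4 bytes)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when the checksum field is already correct."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an outer IPv4 header, rejecting truncated or corrupted headers."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def getvpn_encapsulate(inner_packet: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Wrap an original IP packet the way a GM does: the outer header copies the ORIGINAL src/dst
    (header preservation). `ciphertext` stands in for the ESP-encrypted inner packet; the real
    AES/SHA processing under the TEK is out of scope for this illustration."""
    inner = parse_ipv4(inner_packet)
    return build_ipv4(inner["src"], inner["dst"], ESP_PROTOCOL, struct.pack("!II", spi, seq) + ciphertext)


def parse_getvpn_packet(packet: bytes) -> dict:
    """What an intermediate router sees: a routable IP header, then ESP SPI/sequence, then opaque ciphertext."""
    outer = parse_ipv4(packet)
    if outer["protocol"] != ESP_PROTOCOL:
        raise ValueError("not an ESP packet")
    if len(outer["payload"]) < ESP_HEADER_LEN:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", outer["payload"][:ESP_HEADER_LEN])
    return {"src": outer["src"], "dst": outer["dst"], "spi": spi, "seq": seq,
            "ciphertext_len": len(outer["payload"]) - ESP_HEADER_LEN}


def next_hop(dst: str, routes: list) -> Optional[str]:
    """Longest-prefix match over a constructed underlay routing table. Because the original
    destination stays in the header, the underlay needs a route to it (no tunnel hides it)."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample: a TCP packet from site A (10.1.1.10) to site B (10.2.2.20)
    original = build_ipv4("10.1.1.10", "10.2.2.20", 6, b"constructed TCP segment")
    wrapped = getvpn_encapsulate(original, spi=0x1234ABCD, seq=7, ciphertext=b"\x00" * len(original))
    print(parse_getvpn_packet(wrapped))     # src/dst unchanged, protocol 50 underneath
    underlay = [("10.0.0.0/8", "core-1"), ("10.2.0.0/16", "branch-2")]
    print(next_hop("10.2.2.20", underlay))  # branch-2: the ISP must carry this route
```

Compare this with a tunnel-mode site-to-site VPN, where `build_ipv4` would be called with the two tunnel endpoints instead of `inner["src"]` and `inner["dst"]`; that is exactly the difference that forces a hub to replicate multicast per tunnel but lets GET VPN send it once.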

Group members use the same Traffic Encryption Key (TEK) and the same security association (SA).
This is made possible by the Group Domain of Interpretation (GDOI).

Which traffic is to be encrypted is decided by policy.
On the Key Server, we define what traffic to encrypt/decrypt using an ACL.

Who are the GMs?
Any device that has registered and authenticated with the Key Server.
The Key Server and the Group Members authenticate each other using IKE.

GET VPN Configuration

Key Server (R5)
crypto isakmp policy 10
 hash sha256
 ! "hash sha" is the alternative where sha256 is not available
 authentication pre-share
 group 14
 ! "group 5" is the alternative DH group
 lifetime 180
 encryption aes 256
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto key generate rsa general-keys label GETVPN modulus 1024 exportable
!
crypto ipsec transform-set Our-TSET esp-aes 192 esp-sha-hmac
!
crypto ipsec profile GDOI-Profile
 set transform-set Our-TSET
 set security-association lifetime seconds 300
 ! traffic encryption key (TEK) lifetime
!
crypto gdoi group Our-GETVPN
 identity number 6783
 ! must match on the Key Server and on every group member
 server local
  address ipv4 5.5.5.5
  ! Key Server address
  rekey transport unicast
  ! advantage of unicast: the KS waits for an ack from each GM
  rekey lifetime seconds 600
  ! lifetime of the key encryption key (KEK)
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN
  ! the RSA key pair generated earlier
  sa ipsec 1
   profile GDOI-Profile
   ! the IPsec profile created earlier
   match address ipv4 101
   ! ACL deciding which traffic is encrypted
   replay time window-size 5
!
ip access-list extended 101
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Group Member (R1)
crypto isakmp policy 10
 hash sha256
 ! "hash sha" is the alternative; it must match the Key Server's policy
 authentication pre-share
 group 14
 ! "group 5" is the alternative; it must match the Key Server's policy
 lifetime 180
 encryption aes 256
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto gdoi group Our-GETVPN
 identity number 6783
 ! must match on the Key Server and on every group member
 server address ipv4 5.5.5.5
 ! Key Server address
!
crypto map GETVPN-MAP 10 gdoi
 set group Our-GETVPN
 ! the GDOI group created earlier
!
interface FastEthernet0/0
 ! outside interface
 crypto map GETVPN-MAP
 ip tcp adjust-mss 1360
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Verification
show crypto gdoi
show crypto gdoi ks policy
show crypto gdoi ks acl
show crypto gdoi ks rekey
show crypto gdoi ks members
show crypto session
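Several values in the two configurations above have to agree before a GM can register (the identity number, the Key Server address, the ISAKMP policy, and the profile and ACL the KS SA refers to). The following added example, which is not code from the original post, is a small Python cross-check over constructed copies of the R5 and R1 configurations: it parses the indentation-nested IOS text and reports the mismatches a practitioner most often hits. The parser, the helper names and the embedded configs are my own construction; the configs mirror the values used in the post.

```python
# Added example: cross-check a GET VPN Key Server and Group Member config (not from the post).

# Constructed configs mirroring the post's R5 (KS) and R1 (GM) values.
KS_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 180
crypto ipsec profile GDOI-Profile
 set transform-set Our-TSET
 set security-association lifetime seconds 300
crypto gdoi group Our-GETVPN
 identity number 6783
 server local
  rekey transport unicast
  rekey lifetime seconds 600
  rekey authentication mypubkey rsa GETVPN
  address ipv4 5.5.5.5
  sa ipsec 1
   profile GDOI-Profile
   match address ipv4 101
   replay time window-size 5
ip access-list extended 101
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""

GM_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 180
crypto gdoi group Our-GETVPN
 identity number 6783
 server address ipv4 5.5.5.5
crypto map GETVPN-MAP 10 gdoi
 set group Our-GETVPN
interface FastEthernet0/0
 crypto map GETVPN-MAP
"""


def parse_ios(text):
    """Turn indentation-nested IOS config text into a tree of (line, children) nodes."""
    root, stack = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blanks and "!" comment lines
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # climb back out of deeper sub-modes
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root


def kids(nodes, prefix):
    """Children of the first node whose line starts with `prefix` (empty list if absent)."""
    return next((c for line, c in nodes if line.startswith(prefix)), [])


def arg(nodes, prefix, index):
    """Word `index` of the first node line starting with `prefix`, or None."""
    line = next((l for l, _ in nodes if l.startswith(prefix)), None)
    return line.split()[index] if line else None


def exists(nodes, line):
    return any(l == line for l, _ in nodes)


def isakmp_policies(tree):
    """Set of (encryption, hash, authentication, group) tuples; IKE phase 1 needs one in common."""
    fields = ("encryption ", "hash ", "authentication ", "group ")
    return {tuple(next((l for l, _ in c if l.startswith(f)), None) for f in fields)
            for line, c in tree if line.startswith("crypto isakmp policy ")}


def check_getvpn(ks_text, gm_text):
    """Return a list of findings; an empty list means the two configs agree on the checked items."""
    ks, gm, findings = parse_ios(ks_text), parse_ios(gm_text), []
    ks_group, gm_group = kids(ks, "crypto gdoi group "), kids(gm, "crypto gdoi group ")
    ks_local = kids(ks_group, "server local")
    if arg(ks_group, "identity number", 2) != arg(gm_group, "identity number", 2):
        findings.append("identity number differs between KS and GM")
    if arg(gm_group, "server address ipv4", 3) != arg(ks_local, "address ipv4", 2):
        findings.append("GM server address does not match the KS address")
    sa = kids(ks_local, "sa ipsec ")
    profile, acl = arg(sa, "profile ", 1), arg(sa, "match address ipv4", 3)
    if not exists(ks, f"crypto ipsec profile {profile}"):
        findings.append(f"KS SA references undefined IPsec profile {profile}")
    if not exists(ks, f"ip access-list extended {acl}"):
        findings.append(f"KS SA references undefined ACL {acl}")
    group_name = arg(gm, "crypto gdoi group ", 3)
    cmap = next((l for l, _ in gm if l.startswith("crypto map ") and l.endswith(" gdoi")), None)
    if cmap is None or arg(kids(gm, cmap), "set group ", 2) != group_name:
        findings.append("GM crypto map does not bind the GDOI group")
    else:
        map_name = cmap.split()[2]
        if not any(l.startswith("interface ") and arg(c, "crypto map ", 2) == map_name for l, c in gm):
            findings.append(f"crypto map {map_name} is not applied to any interface")
    if not isakmp_policies(ks) & isakmp_policies(gm):
        findings.append("no ISAKMP policy in common for IKE phase 1")
    return findings


if __name__ == "__main__":
    print(check_getvpn(KS_CONFIG, GM_CONFIG) or "KS and GM configs agree")
```

The same checks map onto the verification commands listed above: an identity or address mismatch shows up as a GM that never appears in `show crypto gdoi ks members`, and a missing common ISAKMP policy shows up as a failed phase 1 in `show crypto session`.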

1 comment:

  1. I see that this site suggests many great ideas about VPN security...
    vpn encryption
