Gdoi (getvpn)
vishaw1986
Hello friends,
Today I want to start a discussion on GETVPN, a very good VPN technology. I am expecting more and more queries on GETVPN technology.
So hope for best.
Thanks & Regards
Vishawdeep Singh
Comments
tprice5
Besides the fact that it's a good technology, what would you like to say about it? How is your organization using it and what did it replace? Why don't you give us a run down of what it even is.
vishaw1986
Here is a brief description of GETVPN:
The first thing that's good about it is that it's an ANY-to-ANY, tunnel-less IPsec VPN technology. By any-to-any we mean that any device in your network can communicate securely with any other without creating a tunnel. Likewise, tunnel header preservation is there; because of tunnel header preservation, the GET VPN solution is very well suited for MPLS, Layer-2 (L2), or an IP infrastructure with end-to-end IP connectivity.
There are a few terms in GETVPN through which we can achieve any-to-any communication; they are listed below:
1. Key Servers (KS) & Group Members (GM):
Key Server (KS): a device that distributes keys & policies to group members
Group Member (GM): a device that registers with a group controlled by the KS to communicate securely with other GM's
The protocol between GM and KS is GDOI
IKE-based (GDOI defined in RFC 3547)
GDOI between GM's
Traffic Encryption Key (TEK): protects traffic between GM's (IPsec SA)
Key Encryption Key (KEK): protects rekeys between KS and GM's (GDOI SA).
Note: Both TEK & KEK keys are distributed by the key server to the group members on a periodic basis.
2. GDOI Protocol:
The registration process is started by the GM. The GM registers with the KS using IKE Phase 1. The GDOI protocol is protected by a Phase 1 Internet Key Exchange (IKE) SA. All participating VPN gateways must authenticate themselves to the device providing keys using IKE. All IKE authentication methods, for example pre-shared keys (PSKs) and public key infrastructure (PKI), are supported for initial authentication.
IKE Phase 1 (UDP port 84
provides:
GM authentication
confidentiality
integrity
GDOI Registration provides:
GM authorization
NOTE:-
In GET VPN, we don't "build" an IKE phase 2 tunnel. We get the keys to use for the interesting traffic, and just encrypt and send
3. IPsec Group Policy
Global IPsec policy on KS, in order:
Global deny statement(s) (don't encrypt)
Global permit statement(s) (encrypt)
Implicit deny any-any (don't encrypt)
Local IPsec policy on GM:
Local deny statement(s) (don't encrypt)
NO permit statements allowed
Resulting policy on GM, in order:
Local deny
Global deny
Global permit
Implicit deny
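As an added illustration (not part of the thread or of any Cisco code), the following Python model evaluates a flow against the resulting GM policy in the order listed above: local deny, global deny, global permit, implicit deny. The ACL entries and addresses are constructed sample values, and the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policies (not from the thread). The KS global policy is an
# ordered list of (action, src, dst); the GM local policy may only hold denies.
GLOBAL_POLICY = [
    ("deny", "0.0.0.0/0", "10.255.0.0/24"),   # e.g. management traffic sent in the clear
    ("permit", "10.0.0.0/8", "10.0.0.0/8"),   # encrypt all site-to-site traffic
]
LOCAL_POLICY = [
    ("deny", "10.1.1.0/24", "10.1.1.0/24"),   # local LAN-to-LAN traffic stays in the clear
]
IMPLICIT_DENY = ("deny", "0.0.0.0/0", "0.0.0.0/0")


def _matches(rule, src, dst):
    """True when both endpoints of the flow fall inside the rule's networks."""
    _, rule_src, rule_dst = rule
    return ip_address(src) in ip_network(rule_src) and ip_address(dst) in ip_network(rule_dst)


def validate_local_policy(local_policy):
    """A GM local policy may contain deny statements only; a permit is rejected."""
    for action, _, _ in local_policy:
        if action != "deny":
            raise ValueError("local GM policy may only contain deny statements")


def resulting_policy(local_policy, global_policy):
    """Build the GM's effective ordered policy from the two sources."""
    validate_local_policy(local_policy)
    global_denies = [r for r in global_policy if r[0] == "deny"]
    global_permits = [r for r in global_policy if r[0] == "permit"]
    return list(local_policy) + global_denies + global_permits + [IMPLICIT_DENY]


def classify(src, dst, local_policy=LOCAL_POLICY, global_policy=GLOBAL_POLICY):
    """Return 'encrypt' or 'clear' for a flow using first-match semantics."""
    for rule in resulting_policy(local_policy, global_policy):
        if _matches(rule, src, dst):
            return "encrypt" if rule[0] == "permit" else "clear"
    return "clear"  # not reached: the implicit deny always matches


if __name__ == "__main__":
    for flow in [("10.1.1.5", "10.1.1.9"), ("10.1.1.5", "10.255.0.7"),
                 ("10.1.1.5", "10.2.2.9"), ("10.1.1.5", "192.168.1.1")]:
        print(flow, "->", classify(*flow))
```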
SecurityThroughObscurity
Not usable for the internet.
Only private networks.
vishaw1986
Yes, for private networks only, because enterprise host IP addresses are typically not routable.
vishaw1986
Adding one piece of information:
We can register multiple groups on a single group member with a single WAN interface. :)