Gdoi (getvpn)

vishaw1986vishaw1986 Member Posts: 40 ■■□□□□□□□□
Hello friends,

Today I want to start a discussion on GETVPN, a very good VPN technology. I am expecting more and more queries on GETVPN technology.

So hope for the best.

Thanks & Regards

Vishawdeep Singh


  • tprice5tprice5 Member Posts: 770
    Besides the fact that it's a good technology, what would you like to say about it? How is your organization using it and what did it replace? Why don't you give us a rundown of what it even is.
    Certification To-Do: CEH [ ], CHFI [ ], NCSA [ ], E10-001 [ ], 70-413 [ ], 70-414 [ ]
    Start Date: 10/01/2014 | Complete Date: ASAP
    All Courses: LOT2, LYT2 , UVC2, ORA1, VUT2, VLT2 , FNV2 , TFT2 , JIT2 , FMV2, FXT2 , LQT2
  • vishaw1986vishaw1986 Member Posts: 40 ■■□□□□□□□□
    Here is a brief description of GETVPN:

    The first good thing about it is that it's an ANY-to-ANY tunnel-less IPsec VPN technology. Any-to-any means any device in your network can communicate securely with any other without creating a tunnel. Likewise, tunnel header preservation is there; because of tunnel header preservation, the GET VPN solution is very well suited for MPLS, Layer-2 (L2), or an IP infrastructure with end-to-end IP connectivity.

    The few terms in GETVPN through which we achieve any-to-any communication are listed below:

    1. Key Servers (KS) & Group Members (GM):

    • Key Server (KS): a device that distributes keys & policies to group members
    • Group Member (GM): a device that registers with a group controlled by the KS to communicate securely with other GMs
    • The protocol between GM and KS is GDOI
      • IKE-based (GDOI defined in RFC 3547)
      • GDOI between GMs
    • Traffic Encryption Key (TEK): protects traffic between GMs (IPsec SA)
    • Key Encryption Key (KEK): protects rekeys between KS and GMs (GDOI SA)

    Note: Both TEK & KEK keys are distributed by the key server to the group members on a periodic basis.

    2. GDOI Protocol:
    The registration process is started by the GM. The GM registers with the KS using IKE Phase 1. The GDOI protocol is protected by a Phase 1 Internet Key Exchange (IKE) SA. All participating VPN gateways must authenticate themselves to the device providing keys using IKE. All IKE authentication methods, for example pre-shared keys (PSKs) and public key infrastructure (PKI), are supported for initial authentication.

      • IKE Phase 1 (UDP port 848) provides:
        • GM authentication
        • confidentiality
        • integrity
      • GDOI Registration provides:
        • GM authorization

      NOTE: In GET VPN, we don't "build" an IKE phase 2 tunnel. We get the keys to use for the interesting traffic, and just encrypt and send.

      3. IPsec Group Policy
        • Global IPsec policy on KS, in order:
          • Global deny statement(s) (don't encrypt)
          • Global permit statement(s) (encrypt)
          • Implicit deny any-any (don't encrypt)
        • Local IPsec policy on GM:
          • Local deny statement(s) (don't encrypt)
          • NO permit statements allowed
        • Resulting policy on GM, in order:
          • Local deny
          • Global deny
          • Global permit
          • Implicit deny
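The policy-ordering rules in the post above (local deny, then global deny, then global permit, then implicit deny, with no permit entries allowed on the GM) can be checked with a small model. The following Python is an added example written for this thread, not Cisco code or a poster's configuration; the subnets, the `Entry` class and the helper names are constructed for illustration, and the "deny" entries here mean "send in the clear", not "drop", exactly as the post uses them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Entry:
    """One policy line. 'permit' = encrypt, 'deny' = send in the clear (not drop)."""
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix
    dst: str      # CIDR prefix
    scope: str    # "global" (pushed by the KS) or "local" (configured on the GM)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


def build_gm_policy(global_policy, local_policy):
    """Merge KS (global) and GM (local) entries in the order the GM evaluates them.

    Local deny -> global deny -> global permit; the implicit deny is applied by
    classify() when nothing matches. The KS's own ordering of deny vs permit
    lines does not matter here because denies are always evaluated first.
    """
    for e in local_policy:
        if e.action != "deny":
            # A GM may only carve exceptions out of the group policy, never
            # widen the set of traffic that gets encrypted.
            raise ValueError(f"local permit entries are not allowed on a GM: {e}")
    global_deny = [e for e in global_policy if e.action == "deny"]
    global_permit = [e for e in global_policy if e.action == "permit"]
    return list(local_policy) + global_deny + global_permit


def classify(policy, src_ip: str, dst_ip: str):
    """Return (decision, reason) for a flow; the first matching entry wins."""
    for e in policy:
        if e.matches(src_ip, dst_ip):
            decision = "encrypt" if e.action == "permit" else "clear"
            return decision, f"{e.scope} {e.action} {e.src} -> {e.dst}"
    return "clear", "implicit deny"


# Constructed sample policy (hypothetical subnets, not from the thread).
GLOBAL_POLICY = [
    Entry("deny", "10.0.0.0/8", "10.1.99.0/24", "global"),   # KS: management subnet stays in clear
    Entry("permit", "10.0.0.0/8", "10.0.0.0/8", "global"),   # KS: encrypt all other internal traffic
]
LOCAL_POLICY = [
    Entry("deny", "10.2.0.0/16", "10.3.0.0/16", "local"),    # this GM exempts one site pair
]

GM_POLICY = build_gm_policy(GLOBAL_POLICY, LOCAL_POLICY)

if __name__ == "__main__":
    flows = [("10.2.1.5", "10.3.7.7"),      # hits the local deny
             ("10.5.1.1", "10.1.99.10"),    # hits the global deny
             ("10.5.1.1", "10.6.1.1"),      # hits the global permit
             ("10.5.1.1", "192.0.2.1")]     # falls through to implicit deny
    for src, dst in flows:
        print(f"{src} -> {dst}: {classify(GM_POLICY, src, dst)}")
```

Run it as-is to see each flow's decision and the entry that produced it. The useful check for a practitioner is the fourth flow: any traffic not covered by a global permit, such as traffic to a non-RFC1918 destination, leaves the GM unencrypted rather than being blocked, which is why a group policy should be reviewed against the site's routing table and not just the encryption ACL.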
  • Not usable for the internet; only private networks.
  • vishaw1986vishaw1986 Member Posts: 40 ■■□□□□□□□□
    Yes, for private networks only, because enterprise host IP addresses are typically not routable.
  • vishaw1986vishaw1986 Member Posts: 40 ■■□□□□□□□□
    Adding one piece of information:

    We can register multiple groups on a single group member with a single WAN interface. :)