Cisco IOS Group Encrypted Transport VPN (GETVPN)

Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. (Note that IPsec CE acts as a GM.) In GET VPN networks, there is no need to negotiate point-to- point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

The IETF standard RFC-6407 Group Domain of Interpretation (GDOI) is an integral part of GET VPN. The GDOI protocol was introduced in 12.4(2)T but the GET VPN solution with several enhancements was released in 12.4(11)T.

1.1 Key GET VPN Benefits

• Instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm
• Takes advantage of underlying IP VPN routing infrastructure and does not require an overlay routing control plane
• Seamlessly integrates with multicast infrastructures without the multicast replication issues typically seen in traditional tunnel-based IPsec solutions.
• Preserves the IP source and destination addresses during the IPsec encryption and encapsulation process. Therefore GET VPN integrates very well with features such as QoS and traffic engineering.

1.2 Technology Overview

• GDOI (RFC 6407)
• Key servers (KSs)
• Cooperative (COOP) KSs
• GMs.
• IP tunnel header preservation
• Group security association
• Rekey mechanism
• Time-based anti-replay (TBAR)

Configuration Guide

Key Server (KS) Configuration

Configuring IKE Policy on KS

crypto isakmp policy 1

 encr aes

 authentication pre-share

! Pre-shared key autentication

 group 2

crypto isakmp key “password” address 0.0.0.0 0.0.0.0

! you can customize passwords for each router

crypto isakmp keepalive 15 periodic

Configuring GDOI Group

crypto key generate rsa general-keys label GDOI_KEY modulus 1024 exportable

! If a redundant KS is present, these keys (Public and Private Keys) must also be exported to this redundant KS manually.

access-list 169 permit ip 192.168.150.40 0.0.0.7 192.168.150.72 0.0.0.7

access-list 169 permit ip 192.168.150.72 0.0.0.7 192.168.150.40 0.0.0.7

!Symmetric ACL Policy – Example used in current scenario

! KS GDOI Configuration follows:

crypto ipsec transform-set GET esp-aes esp-sha-hmac

crypto ipsec profile GET

 set security-association lifetime seconds 7200

! Indicates how long IPSec SAs remain valid before they are renegotiated (can be set to default)

 set transform-set GET

crypto gdoi group GET

 identity number 1

! Group SA identifier

 server local

 ! Indicates this is a Key Server

  rekey algorithm aes 128

  rekey retransmit 10 number 2

 ! Indicates if a change is made on KS, rekey messages will be sent in 10 seconds, twice

  rekey authentication mypubkey rsa GDOI_KEY

! Specifies the keys to be used for a rekey to GDOI GMs

  rekey transport unicast

  sa ipsec 1

! Configuring Security Policies

   !

  profile GET

! Use IPSec Profile configured above

   match address ipv4 169

! Indicates interesting traffic to be encrypted

   replay time window-size 5

! Anti-replay window-size is set to 5

  address ipv4 “IP OF KEYSERVER”

! Use this address to source rekey packets

Group Member  (GM) Configuration

Configuring IKE Policies on GM-1 & GM-2

!All GM’s authenticate with the KS, using pre-shared keys

crypto isakmp policy 1

 encr aes

 authentication pre-share

 group 2

 lifetime 300

crypto isakmp key “password” address 0.0.0.0 0.0.0.0

!

GDOI Group Configuration on GM-1 & GM-2

crypto gdoi group GET

 identity number 1

 server address ipv4 “IP OF KEYSERVER”

! KS Router

 client registration interface “LOCAL INTERFACE”

! LAN Interface – EX: client registration interface Vlan1/ GigabitEthernet0/1

Configuring and Applying Crypto MAP on GMs

crypto map GET 10 gdoi

 set group GET

!

interface “WAN”

 crypto map GET

Note:
No video demonstration in this post. Scenario tested in production network.

Files:
Cisco PDF GETVPN
Cisco VPNs Comparison