Thursday, July 4, 2013

Cisco IOS Group Encrypted Transport VPN (GETVPN)


Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables a GM to decrypt traffic that was encrypted by any other GM. (Note that the IPsec CE acts as a GM.) In GET VPN networks there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

The IETF standard RFC 6407, Group Domain of Interpretation (GDOI), is an integral part of GET VPN. GDOI support first appeared in Cisco IOS 12.4(2)T; the full GET VPN solution, with several enhancements, was released in 12.4(11)T.

1.1 Key GET VPN Benefits
  • Instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm
  • Takes advantage of underlying IP VPN routing infrastructure and does not require an overlay routing control plane
  • Seamlessly integrates with multicast infrastructures without the multicast replication issues typically seen in traditional tunnel-based IPsec solutions.
  • Preserves the IP source and destination addresses during the IPsec encryption and encapsulation process. Therefore GET VPN integrates very well with features such as QoS and traffic engineering.

1.2 Technology Overview
  • GDOI (RFC 6407)
  • Key servers (KSs)
  • Cooperative (COOP) KSs
  • Group members (GMs)
  • IP tunnel header preservation
  • Group security association
  • Rekey mechanism
  • Time-based anti-replay (TBAR)

Configuration Guide

Note:
No video demonstration in this post. Scenario tested in production network.

Files:
Cisco PDF GETVPN
Cisco VPNs Comparison