If you have been following these last few days of my CCIE Security prep – you know that I have been really immersed in one of my overall weaker areas and that is VPN technologies.
In this post, I am going to provide information on the amazingly cool GET VPN capabilities and provide a configuration example. I know there are many CCNP Security candidates that have been following this blog series, so they can really benefit from this as well. In the CCNP Security, this information is important in SECURE and VPN.
GET VPN is a really clever method of enabling a full mesh of VPN connections that are established dynamically. No longer will an administrator need to worry about constructing point-to-point VPN tunnels, which can be very cumbersome and tedious to create and maintain. Another awesome feature is IP header preservation: the encrypted packet keeps the original source and destination IP addresses in its outer header. So the solution can eliminate the need for things like GRE tunnels for protecting multicast traffic and NAT traversal.
GET VPN relies upon a newer protocol called the Group Domain of Interpretation (GDOI). You can basically think of this protocol as an enhanced version of ISAKMP; it handles the distribution of keying information in the GET VPN environment. Key Servers (KS) provide the keying information to Group Members (GMs) in the GET VPN. Note that by design, the Key Server does not participate in the encryption domain. Instead, its job is to distribute the ISAKMP/IPsec Security Associations (SAs) to the Group Members.
So the Key Server (or Servers, for redundancy) is an important ingredient in the GET VPN. It stores the IPsec policies that group members will use to encrypt unicast and multicast traffic to each other! By the way – this device can store multiple policies for multiple different groups, which adds to the flexibility of the solution. It is also possible to use GET VPN in conjunction with Dynamic Multipoint VPNs (DMVPNs).
What would this configuration look like? Here is a sample Key Server configuration. Note that it references two objects that are not shown: access-list 101, which selects the traffic the group will encrypt, and the RSA key pair group1-export-general, which the Key Server uses to sign rekey messages. Both must exist on the Key Server before the group will work.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 400
crypto isakmp key cisco address 10.1.1.13
crypto isakmp key cisco address 10.1.1.9
crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 10.1.1.5
crypto isakmp key cisco address 10.1.1.21
!
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-group1
 set security-association lifetime seconds 1800
 set transform-set gdoi-trans-group1
!
crypto gdoi group group1
 identity number 1
 server local
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa group1-export-general
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile-group1
   match address ipv4 101
   replay counter window-size 64
  address ipv4 10.1.1.17
Here is a sample Group Member configuration. The group identity number and the Key Server address must match what the Key Server is configured with, and the crypto map still has to be applied to the Group Member's interface that faces the other group members (that interface command is not shown here):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.1.1.17
!
crypto gdoi group group1
 identity number 1
 server address ipv4 10.1.1.17
!
crypto map map-group1 10 gdoi
 set group group1
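As an added example (my own code, not from the post and not a Cisco tool), here is a small Python checker that parses the two IOS configurations above and verifies the things that have to agree before a Group Member can register with the Key Server: the group identity number, the Key Server address the GM points at, the ISAKMP pre-shared key for that address, and whether the ACL the Key Server's policy references actually exists. It assumes the configs are in standard IOS running-config form (sub-commands indented by spaces). The function and variable names are mine; the embedded configs are copied from the post (the Key Server one abridged), plus a constructed variant with two deliberate typos so the checker has something to catch.

```python
"""Added example: consistency check between a GET VPN KS and GM config."""
import re

# Constructed sample input: the Key Server config from the post, abridged.
KS_CONFIG = """\
crypto isakmp key cisco address 10.1.1.13
crypto isakmp key cisco address 10.1.1.9
!
crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-group1
 set security-association lifetime seconds 1800
 set transform-set gdoi-trans-group1
!
crypto gdoi group group1
 identity number 1
 server local
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile-group1
   match address ipv4 101
  address ipv4 10.1.1.17
"""

# Constructed sample input: the Group Member config from the post.
GM_CONFIG = """\
crypto isakmp key cisco address 10.1.1.17
!
crypto gdoi group group1
 identity number 1
 server address ipv4 10.1.1.17
!
crypto map map-group1 10 gdoi
 set group group1
"""

# Constructed: a GM whose group id and KS address were mistyped.
BAD_GM_CONFIG = (GM_CONFIG.replace("identity number 1", "identity number 2")
                          .replace("server address ipv4 10.1.1.17",
                                   "server address ipv4 10.1.1.71"))

def sections(config):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def isakmp_keys(config):
    """Map peer address -> pre-shared key from the 'crypto isakmp key' lines."""
    pairs = re.findall(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)
    return {addr: key for key, addr in pairs}

def gdoi_group(config):
    """Extract the first 'crypto gdoi group' block as a dict, or None."""
    for header, body in sections(config):
        m = re.match(r"crypto gdoi group (\S+)$", header)
        if not m:
            continue
        g = {"name": m.group(1), "identity": None, "server_local": False,
             "ks_address": None, "server_addresses": [], "acl": None}
        for line in body:
            last = line.split()[-1]
            if line.startswith("identity number "):
                g["identity"] = int(last)
            elif line == "server local":
                g["server_local"] = True
            elif line.startswith("server address ipv4 "):   # GM -> which KS
                g["server_addresses"].append(last)
            elif line.startswith("address ipv4 "):          # KS's own address
                g["ks_address"] = last
            elif line.startswith("match address ipv4 "):    # traffic to protect
                g["acl"] = last
        return g
    return None

def check_pair(ks_config, gm_config):
    """Return findings that would stop the GM registering; [] means consistent."""
    ks, gm = gdoi_group(ks_config), gdoi_group(gm_config)
    if ks is None or gm is None:
        return ["one side has no 'crypto gdoi group' definition"]
    findings = []
    if not ks["server_local"]:
        findings.append("KS lacks 'server local'")
    if ks["identity"] != gm["identity"]:
        findings.append(f"identity mismatch: KS {ks['identity']} vs GM {gm['identity']}")
    if ks["ks_address"] not in gm["server_addresses"]:
        findings.append(f"GM does not list KS address {ks['ks_address']}")
    if ks["ks_address"] not in isakmp_keys(gm_config):
        findings.append(f"GM has no ISAKMP pre-shared key for {ks['ks_address']}")
    acl = ks["acl"]  # numbered or named ACL definitions both count
    if acl and not re.search(rf"^(access-list {acl}\b|ip access-list \w+ {acl}\b)", ks_config, re.M):
        findings.append(f"KS references access-list {acl} which is not defined")
    return findings

if __name__ == "__main__":
    print(check_pair(KS_CONFIG, GM_CONFIG))      # only the undefined ACL 101
    print(check_pair(KS_CONFIG, BAD_GM_CONFIG))  # plus the two GM mistakes
```

Run against the post's own configs the checker reports exactly one finding, the missing access-list 101, which is the same gap noted above; against the mistyped GM it additionally flags the identity mismatch and the wrong Key Server address, which are the two errors that most often show up as a GM stuck in the registration phase.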