VPNs provide secure communication between two points across a public network such as the Internet. The traffic flowing between these two points passes through shared infrastructure, but it does so in a protected form, usually encrypted. Several types of VPN are available, such as point-to-point, hub-and-spoke, partial mesh and GetVPN.
Today we look in more detail at FlexVPN and GetVPN: how they differ from each other, and their respective advantages and use cases.
What is FlexVPN?
FlexVPN is Cisco's implementation of the IKEv2 framework. It brings site-to-site, remote access, hub-and-spoke and partial mesh (direct spoke-to-spoke) VPNs under one configuration model. FlexVPN offers a simple and modular approach that relies heavily on the tunnel interface model while remaining compatible with legacy VPN deployments that use crypto maps.
Components of FlexVPN
FlexVPN has two components: the server and the client.
- The server acts as the VPN head end for remote access and hub-and-spoke VPNs.
- The clients are IOS router based remote offices and mobile networks, which connect to the head office through the server.
FlexVPN can be deployed spoke-to-spoke, or MPLS can be run over FlexVPN.
The spoke-to-spoke design enables two clients to establish a direct crypto tunnel, with the Next Hop Resolution Protocol (NHRP) used to resolve clients on the network.
In the MPLS over FlexVPN design, MPLS and MP-BGP are used to distribute overlay labels for the different VRFs. This is ideally suited to customers who need to dynamically discover overlapping networks with NHRP and encrypt the traffic with IPsec.
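As an added example (not from the original article or from Cisco documentation), the configuration below sketches the two FlexVPN roles described above on Cisco IOS: a hub acting as the server, which clones one virtual-access interface per connecting client from a virtual template, and a spoke acting as the client with a static tunnel towards the hub. The object names (FLEX-*), the interface names, the 192.0.2.x WAN address of the hub, the 172.16.1.x loopbacks and the placeholder pre-shared key are all assumptions; the spoke-to-spoke NHRP and MPLS variants are not shown.

```cisco
! ===== Hub: FlexVPN server (example config, names/addresses are assumed) =====
aaa new-model
aaa authorization network FLEX-AUTHZ local
!
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key EXAMPLE-PSK-CHANGE-ME
!
! "route set interface" exchanges each side's tunnel address inside IKEv2,
! so no static routes are needed for the tunnel endpoints themselves
crypto ikev2 authorization policy FLEX-AUTHZ-POL
 route set interface
!
crypto ikev2 profile FLEX-PROF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHZ FLEX-AUTHZ-POL
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
! one virtual-access interface is cloned from this template for each spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ===== Spoke: FlexVPN client (hub WAN address 192.0.2.1 is assumed) =====
aaa new-model
aaa authorization network FLEX-AUTHZ local
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 192.0.2.1
  pre-shared-key EXAMPLE-PSK-CHANGE-ME
crypto ikev2 authorization policy FLEX-AUTHZ-POL
 route set interface
crypto ikev2 profile FLEX-PROF
 match identity remote address 192.0.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHZ FLEX-AUTHZ-POL
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
! a static point-to-point tunnel towards the hub; the hub side is dynamic
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Each spoke negotiates its own IKEv2 SA and its own point-to-point IPsec SA with the hub, which is the per-peer security model the comparison below contrasts with GetVPN's group SAs. A pre-shared key is used here only to keep the example short; certificates (`authentication remote rsa-sig` with a PKI trustpoint) are the usual choice once the number of spokes grows.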
What is GetVPN?
GetVPN provides large-scale, connectionless, tunnel-free transmission protection that takes advantage of the existing routing infrastructure, and it can be used over MPLS, IP, Frame Relay and ATM networks. GetVPN makes point-to-point connections optional, so it can carry voice and video with high quality and with managed quality of service (QoS), routing and multicast. GetVPN is built on the concept of 'trusted' group members, but it works only with Cisco devices.
Components of GetVPN
The two main components of the GetVPN architecture are:
- Key server (KS): authenticates all group members, performs admission control for the GetVPN domain, and creates and supplies the group key and security association (SA) to the group members.
- Group members (GMs): provide transmission protection for sensitive site-to-site (member-to-member) traffic. The key server distributes keys and policies to all registered and authenticated group members, and all communication between the key server and the group members is encrypted and secured with the Internet Key Exchange (IKE) Group Domain of Interpretation (GDOI) protocol.
IKE GDOI uses two types of keys: the traffic encryption key (TEK) and the key encryption key (KEK).
The TEK protects the traffic between group members; the KEK protects the keys during a key refresh (rekey) between the key server and the group members.
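As an added example (not from the original article or from Cisco documentation), the configuration below shows the key server and group member roles just described on Cisco IOS, and where the TEK and KEK parameters live: the TEK is the IPsec SA pushed to every member, so its transform set and lifetime come from the IPsec profile on the key server, while the `rekey` settings govern the KEK-protected rekey messages. The group name and identity number, the 192.0.2.x addresses, the 10/8 encryption domain, the RSA key label and the placeholder pre-shared key are assumptions.

```cisco
! ===== Key server (KS) at 192.0.2.10 (example config, names/addresses are assumed) =====
! registration and rekey between KS and GMs is protected by IKEv1 (GDOI)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
! TEK parameters: the transform set and SA lifetime pushed to every group member
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GET-PROF
 set security-association lifetime seconds 7200
 set transform-set GET-TS
!
! traffic the group encrypts: any-to-any between the 10/8 sites, with no tunnels
ip access-list extended GET-ENCRYPT
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! rekey messages are signed with an RSA key created once in exec mode:
!   crypto key generate rsa label GETVPN-REKEY modulus 2048
crypto gdoi group GET-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  ! KEK lifetime: how often the key that protects rekeys is itself refreshed
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-ENCRYPT
   ! a group SA has no per-peer sequence numbers, so anti-replay is time based
   replay time window-size 5
  address ipv4 192.0.2.10
!
! ===== Group member (GM) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 192.0.2.10
!
crypto gdoi group GET-GROUP
 identity number 1234
 server address ipv4 192.0.2.10
!
! a GDOI crypto map carries no peer or transform set of its own: the TEK, the
! policy and the encryption ACL all arrive from the key server at registration
crypto map GET-MAP 10 gdoi
 set group GET-GROUP
!
interface GigabitEthernet0/0
 ip address 192.0.2.21 255.255.255.0
 crypto map GET-MAP
```

Note what is absent on the group member: there is no tunnel interface and no peer address for other members. Every member shares the same TEK, so a packet encrypted by one site can be decrypted by any other registered site, which is what gives GetVPN its any-to-any, tunnel-less property. The same fact is the operational caveat: the key server is the trust anchor for the whole group, so its pre-shared keys (or certificates) and its RSA rekey key deserve the same protection as a CA, and a compromised member can read all group traffic until the key server rekeys without it.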
Comparison Table: FlexVPN vs GetVPN
The table below summarizes the differences between the two:

| Aspect | FlexVPN | GetVPN |
|---|---|---|
| Supported environments | More flexible: handles both intranet and Internet-based scenarios | Designed for environments without public/private addressing issues; well suited to securing intranet services |
| Methodology | Tunnel based; handles environments with dynamic tunnel setup between spokes | Tunnel-less; relies on the level of trust shared by the VPN's members |
| Security | Point-to-point security associations (SAs) | Group-based security associations (SAs) |
| Use cases | Site-to-site VPN and remote access (RA VPN) deployments | Site-to-site only |
| Protocols supported | Requires IKE version 2 | Uses IKE version 1 |
| IP multicast support | Multicast replication at the hub; native multicast replication supported | Multicast replication in the IP WAN network |

FlexVPN features:
- Can be used over any network transport
- Supports multiple topologies: point-to-point, remote access, hub-and-spoke and dynamic mesh
- Superior QoS, per tunnel or per SA
- Supports dynamic overlay routing
- Integrates with AAA
- Supports GRE and native IPsec encapsulation
- Supports IPv4 and IPv6 overlay and underlay, with automatic detection of the IP transport type

GetVPN features:
- Adds encryption to MPLS or IP WANs while preserving any-to-any connectivity
- Offers a scalable, full-time mesh for IPsec VPNs
- Enables smaller routers to participate in the network
- Simplifies encryption key management, with QoS and multicast support