Securing network traffic while in transit is one of key requirements of security. VPNs are usually used to encapsulate IP packets and provision a secure tunnel to transmit private traffic in encrypted form over public networks. Point to Point IPsec tunnels are cumbersome, so network leaders like Cisco had developed their own proprietary technology to secure communication between groups thus eliminating the need to negotiate point to point IPsec tunnels between group members. 

Today we look more in detail about Cisco proprietary technology known as GETVPN, its features and use cases , advantages and disadvantages and so on.   

About GETVPN

GETVPN or Group Encrypted Transport VPN is Cisco implementation of GDOI standard. GDOI is a group domain of interpretation and it is defined in RFC 6407. It was established originally to allow encryption of multicast traffic. Secure multicast applications could be audio or video broadcasts and GETVPN is used for encrypting any type of traffic over private networks. MPLS VPNs use it for encryption.

It establishes a set of rotating encryption keys that a group uses and shares. Any group member can encrypt data and any other group member can decrypt data without setting up a point-to-point tunnel with another group member. The entire system is tunnel-less. GETVPN uses the original IP header and the underlying routing is preserved. 

Components of GETVPN

It has four main components : 

• GM (Group member)
• KS (Key server)
• GDOI (Group domain of interpretation)
• IPsec

GM (Group member)

GM (Group member) is a VPN router and is a member of a group which encrypts traffic with other GMs. All GMs have same IPsec SA so encryption could be performed by any GM

KS (Key server)

KS (key server) is ‘caretaker’ of the GM group. Group registrations and authentication of GMs is taken care of by KS server. Any GM who wants to join the group is required to be successfully authenticated in the group and sends encryption keys and policy to be used within the group.

When GM is making an attempt to register to KS server , it verifies group ID and IKE credentials, post checking it sends back below to GM server :

• The security policy used by group
• Two keys:
  • KEK (Key encryption Key) – used for encrypting rekey messages, this is used by GMs to decrypt relay messages from KMs
  • TEK (Traffic encryption key) – The IPsec SA which is used by all GMs to encrypted traffic within each other

The KS will send relay message when the current IPsec SA is about to expire or when there is any change in security policy.  Relay can be done using unicast or multicast. In unicast GM sends an acknowledgement to the KS post receiving the key. When KS don’t receive acknowledgement after three transmissions it deletes the GM. Multicast method is more scalable but it does not support acknowledgement. 

KS ensures registration, authentication and security policy and keys but it is not a GM and neither becomes part of the GM group and also not install IPsec SA.

GDOI (Group domain of interpretation)

GDOI (Group domain of interpretation) is protocol used between GM and KM. It is protected with ISAKMP which is used in regular IPsec. All ISAKMP options related to authentication such as pre-shared keys or certificates can be used here . In phase 2 two keys (KEK and TEK) are sent by KS server and the security policy. KS keeps a track of SA lifetime and rekeys a new SA when the old one is about to expire. Rekey messages are signed with a private key to safeguard from anyone pretending to be KS server. GETVPN doesn’t use volume-based SA expiry.

IPsec

IPsec – uses ESP (Encapsulating security payload) which is similar to IPsec VPNs. It supports tunnel mode to encapsulate the entire IP packet and adds a new IP header. GETVPN uses tunnel mode with address preservation which means the inner IP header is copied to the outer IP header. The network can route packets based on the actual destination and find the best path for each destination. GETVPN is meant for private networks where full reachability is not an issue between all sites.

Features of GETVPN

• Any to Any large scale encrypted communication
• No tunnel overlay along with native routing
• Improves application performance – optimal for QoS and multicast support
• Seamless integration with multicast infrastructures without multicast replication issues 
• Preservation of IP source and IP destination address during IPsec encryption and encapsulation
• Transport agnostic – private LAN / WAN, FR/ATM , IP and MPLS
• Large scale any-to any connectivity using group IPsec program instantly 

How to configure GETVPN 

Here we use a topology as an example to see how to configure GETVPN. We have one key server and two group members. The cloud in the center will represent a private WAN. OSPF is configured on GM routers to advertise loopback interfaces.

Key server 

IKE phase 1 policy 

Use a pre-shared key for all GMs

GETVPN use IPsec ESP (transform set)

Add transform set instead of crypto profile

Create a new RSA key pair 

Create access list to match ICMP traffic

Configure GDOI group

Command to tell router it is KS

Add our own KS IP address

Inform router to use the RSA key-pair to protect the rekey messages and to send them with unicast:

Configure the IPsec policy – add IPsec profile and access list 

Now GETVPN is configured and running.

Continue Reading:

GETVPN vs DMVPN

DMVPN over IPSec

ABOUT THE AUTHOR

Rashmi Bhardwaj

I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”

I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.

I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)