Cisco GET VPN

04/03/2015

GET VPN (Group Encrypted Transport VPN) is a Cisco proprietary technology for encrypting traffic across a private WAN, typically MPLS, where the sites need any-to-any (full mesh) connectivity. Instead of building a point-to-point IPsec tunnel between every pair of sites, all routers in a group share the same policy and keys, so any member can decrypt traffic from any other member. Traditional IPsec VPNs are built from point-to-point tunnels, usually in a hub-and-spoke topology, so spoke-to-spoke traffic has to pass through the hub.

Components:

  • Key Server (KS) – Authenticates the Group Members, holds the group policy and centrally generates and distributes the encryption keys. It takes no part in the data plane: user traffic never flows through it and it never encrypts it. Cisco recommends a dedicated router for this role.
  • Group Member (GM) – The routers that register to the KS, download the policy and keys, and encrypt and decrypt the data traffic.

GDOI protocol – Group Domain of Interpretation (RFC 6407). It is a group key management protocol built on ISAKMP: a GM first authenticates to the KS with a normal IKE Phase 1 exchange, then the GDOI registration and rekey exchanges run over UDP port 848. Any filtering device between the GMs and the KS must allow UDP 848.

Header preservation – GET VPN uses IPsec tunnel mode, but the outer IP header is a copy of the original (inner) header rather than a tunnel endpoint address. Because the real source, destination and DSCP marking stay visible, the MPLS core can still route the packet, apply QoS and replicate multicast even though the payload is encrypted. The caveat is that the addressing is exposed, which is acceptable on a private WAN but is one reason GET VPN is not intended for transport across the public Internet.

Set of keys:

  • KEK – Key Encryption Key – Shared by the whole group and used to encrypt the rekey messages the KS sends to the GMs. Rekey messages are also signed with the KS's RSA key, so a GM only accepts rekeys that come from a legitimate KS.
  • TEK – Traffic Encryption Key – The IPsec key the Group Members use to encrypt and decrypt the data traffic among themselves. Both keys have a lifetime and are replaced through the rekey process before they expire.

AES (128-bit) is recommended over 3DES. Because every GM in the group encrypts with the same TEK, the volume of traffic protected under one key is far larger than in a point-to-point tunnel, and AES's 128-bit block size allows a much longer TEK lifetime than 3DES's 64-bit block before the key has to be rotated.

COOP (cooperative key server) configuration requires that all key servers share the same RSA key pair, because that key signs the rekeys and a GM must be able to verify a rekey from whichever KS is primary at the time. Generate the key pair as exportable on one KS and import it on the other KS servers.
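The key-sharing step between COOP key servers, as an added IOS example that is not part of the original notes. It assumes the key label r1.test.com used in the KS configuration on this page, a 2048-bit modulus, KS1_IP/KS2_IP placeholders as on the page, and a PASSPHRASE placeholder to be replaced; the commands are the standard IOS `crypto key export` / `crypto key import` PEM forms.

```ios
! ---- On KS1: generate the rekey-signing pair as exportable (done once) ----
crypto key generate rsa general-keys label r1.test.com modulus 2048 exportable
!
! Export public and private key as PEM to the terminal. The private key is wrapped
! with the passphrase; treat the output as the secret it is, since whoever holds this
! key can sign rekeys that every GM in the group will accept.
crypto key export rsa r1.test.com pem terminal 3des PASSPHRASE
!
! ---- On KS2 (and any further COOP KS): import the same pair under the same label ----
! "exportable" is deliberately omitted so KS2 cannot re-export the private key;
! if a third KS is added later, export it again from KS1.
crypto key import rsa r1.test.com pem terminal PASSPHRASE
! IOS prompts first for the public key PEM block, then for the encrypted private key
! block; paste each one and end it with "quit" on a line by itself.
!
! ---- KS2 references the same label, so rekeys from either KS verify on every GM ----
crypto gdoi group GET
 identity number 1
 server local
  rekey authentication mypubkey rsa r1.test.com
  rekey transport unicast
  sa ipsec 1
   profile GET
   match address ipv4 101
  address ipv4 KS2_IP
  redundancy
   local priority 100
   peer address ipv4 KS1_IP
!
! Verify: the RSA modulus shown must be identical on both KSs, and COOP must have
! elected exactly one primary
show crypto key mypubkey rsa
show crypto gdoi ks coop
```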

Modes:

Fail Open – Default mode. Until the GM has registered to the KS, traffic matching the crypto map is forwarded in the clear. This keeps the network up if the KS is unreachable at boot, at the cost of leaking plaintext onto the WAN.

Fail Close – All traffic matching the crypto map is dropped until the GM registers to the KS; only traffic you explicitly exempt (routing protocols, the registration itself) is allowed through unencrypted. Use it when confidentiality matters more than reachability during start-up.
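Fail-close on a GM, as an added IOS example that is not from the original notes, showing the weak default beside the hardened configuration. It assumes the crypto map name GET and interface s0/0/0 from the GM configuration on this page and an exemption ACL named FAIL-CLOSE-ACL; OSPF is used as the routing protocol to exempt. The ACL semantics assumed here (deny = allowed in the clear before registration, permit = dropped) follow the GET VPN convention for the encryption ACL and should be confirmed against the IOS release you run.

```ios
! ---- Default (fail open): nothing extra is configured. Until registration succeeds,
!      everything matching the crypto map leaves the interface unencrypted. ----
crypto map GET 10 gdoi
 set group GET
!
! ---- Hardened (fail close) ----
! ACL of traffic allowed through unencrypted before registration.
! Assumed semantics: deny = pass in the clear, permit = drop until registered.
ip access-list extended FAIL-CLOSE-ACL
 remark GDOI registration to the KS must be reachable
 deny   udp any eq 848 any eq 848
 remark routing has to converge before the KS is reachable at all
 deny   ospf any any
 remark everything else is held until the TEK has been received
 permit ip any any
!
! The fail-close entry hangs off the same crypto map name as the gdoi entry
crypto map GET gdoi fail-close
 match address ipv4 FAIL-CLOSE-ACL
 activate
crypto map GET 10 gdoi
 set group GET
!
interface s0/0/0
 crypto map GET
!
! Verify registration state; until "Registration status: Registered" appears,
! only the deny entries above are passing traffic
show crypto gdoi
```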

KS Configuration

! IKE Phase 1 policy the GMs use to authenticate to the KS during GDOI registration
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 300
!
! Wildcard pre-shared key: any peer that knows "cisco" can register. Acceptable in a lab;
! production deployments should use per-peer keys or certificates (rsa-sig).
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Transform set and profile that define the TEK policy pushed to the GMs
crypto ipsec transform-set GET esp-aes esp-sha-hmac
crypto ipsec profile GET
 set transform-set GET
!
! RSA key pair that signs the rekey messages; exportable so it can be copied to the COOP peer
crypto key generate rsa general-keys label r1.test.com modulus 2048 exportable
!
crypto gdoi group GET
 identity number 1
 server local
  rekey authentication mypubkey rsa r1.test.com
  rekey transport unicast
  sa ipsec 1
   profile GET
   match address ipv4 101
  ! KS1_IP: address of this KS that the GMs register to
  address ipv4 KS1_IP
  !
  ! COOP configuration (only when a redundant KS exists)
  redundancy
   peer address ipv4 KS2_IP
!
! Encryption policy pushed to the GMs: permit = encrypt, deny = send in the clear.
! Lab policy: only ICMP is encrypted.
access-list 101 permit icmp any any

GM Configuration

! Same IKE Phase 1 policy and pre-shared key as on the KS
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! The identity number must match the KS. Listing both COOP key servers lets
! registration fall back to KS2 if KS1 is unreachable.
crypto gdoi group GET
 identity number 1
 server address ipv4 KS1_IP
 server address ipv4 KS2_IP
!
! A GDOI crypto map carries no local policy: transform set, ACL and keys come from the KS
crypto map GET 10 gdoi
 set group GET
!
interface s0/0/0
 crypto map GET

Troubleshooting

GDOI state – registered members, the current KEK and TEK, the active server and the server list (on the KS, also the COOP role):

KS# show crypto gdoi
KS# show crypto gdoi ks members
KS# show crypto gdoi ks coop
GM# show crypto gdoi

Check that packets are actually being encapsulated and decapsulated (the #pkts encaps and #pkts decaps counters should increase while traffic matching the policy flows):

GM# show crypto ipsec sa

