GET VPN is a really clever method of enabling a full mesh of VPN connections that can be established dynamically. No longer will an administrator need to worry about the construction of point-to-point VPN tunnels, which can be very cumbersome and tedious to create and maintain. Another awesome feature is IP header preservation: because the original IP header is kept intact, the solution can eliminate the need for things like GRE tunnels for protecting multicast traffic and for NAT traversal.
GET VPN relies upon a new protocol called the Group Domain of Interpretation (GDOI). You can basically think of this protocol as an enhanced version of ISAKMP. It handles the secure distribution of keying information in the GET VPN environment. Key Servers (KSs) provide the keying information to Group Members (GMs) in the GET VPN. Note that by design, the Key Server does not participate in the encryption domain. Instead, its job is to distribute the ISAKMP/IPsec Security Associations (SAs) to the Group Members.
So the Key Server (or Servers, for redundancy) is an important ingredient in the GET VPN. It stores the IPsec policies that group members will use to encrypt unicast and multicast traffic to each other! By the way – this device can store multiple policies for multiple different groups, adding to the flexibility of the solution. It is also possible to use GET VPN in conjunction with Dynamic Multipoint VPNs (DMVPNs).
What would this configuration look like? Here is a sample Key Server configuration:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 400
crypto isakmp key CISCO address 10.1.1.13
crypto isakmp key CISCO address 10.1.1.9
!
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile PROFILE1
 set security-association lifetime seconds 1800
 set transform-set TRANS
!
crypto gdoi group GROUP1
 identity number 1
 server local
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa group1-export-general
  rekey transport unicast
  sa ipsec 1
   profile PROFILE1
   match address ipv4 101
   replay counter window-size 64
  address ipv4 10.1.1.17
Here is a sample Group Member configuration:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key CISCO address 10.1.1.17
!
crypto gdoi group GROUP1
 identity number 1
 server address ipv4 10.1.1.17
!
crypto map map-group1 10 gdoi
 set group GROUP1
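The two samples above have to agree with each other before a Group Member can register, and the post's Key Server sample references access-list 101 without defining it while the Group Member sample never applies the crypto map to an interface. The following checker is an added example (not code from the post or from Cisco) that cross-checks a KS and a GM config for exactly these points; it assumes IOS-style indentation of sub-commands and the pre-shared-key setup shown above.

```python
import re

# Constructed sample: the post's KS and GM configs, sub-commands indented IOS-style.
# ACL 101 and the interface applying the crypto map are absent, as in the post.
KS_CONFIG = """
crypto isakmp key CISCO address 10.1.1.13
crypto isakmp key CISCO address 10.1.1.9
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
crypto ipsec profile PROFILE1
 set transform-set TRANS
crypto gdoi group GROUP1
 identity number 1
 server local
  sa ipsec 1
   profile PROFILE1
   match address ipv4 101
  address ipv4 10.1.1.17
"""
GM_CONFIG = """
crypto isakmp key CISCO address 10.1.1.17
crypto gdoi group GROUP1
 identity number 1
 server address ipv4 10.1.1.17
crypto map map-group1 10 gdoi
 set group GROUP1
"""

def grab(config, pattern):
    """Capture group 1 of `pattern` from every config line it matches (indent ignored)."""
    return [m.group(1) for line in config.splitlines() if (m := re.match(pattern, line.strip()))]

def check_getvpn(ks, gm):
    """Cross-check a KS and a GM config; return a list of findings (empty means consistent)."""
    findings = []
    ks_addr = grab(ks, r"address ipv4 (\S+)$")          # KS GDOI address under 'server local'
    gm_server = grab(gm, r"server address ipv4 (\S+)")  # where the GM registers
    if not gm_server or gm_server[0] not in ks_addr:
        findings.append(f"GM registers to {gm_server} but KS listens on {ks_addr}")
    if grab(ks, r"identity number (\d+)") != grab(gm, r"identity number (\d+)"):
        findings.append("group identity numbers differ between KS and GM")
    if gm_server and gm_server[0] not in grab(gm, r"crypto isakmp key \S+ address (\S+)"):
        findings.append("GM has no ISAKMP pre-shared key for the KS address")
    for acl in grab(ks, r"match address ipv4 (\S+)"):     # the policy GMs will download
        acl_re = re.escape(acl)
        if not (grab(ks, rf"access-list ({acl_re}) ") or grab(ks, rf"ip access-list extended ({acl_re})$")):
            findings.append(f"policy ACL {acl} is not defined on the KS, so GMs would download an empty policy")
    for cmap in grab(gm, r"crypto map (\S+) \d+ gdoi"):
        if cmap not in grab(gm, r"crypto map (\S+)$"):     # 'crypto map NAME' under an interface
            findings.append(f"GM crypto map {cmap} is never applied to an interface")
    return findings
```

Run against the post's samples it reports the missing ACL and the unapplied crypto map; add an `access-list 101` on the KS and `crypto map map-group1` under a GM interface and the findings list becomes empty.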
Nice overview!
Thanks so much!
Great sir… thank you… love you…
Well thank you so much! I love you too! 🙂
I use the VPN at arcvpn. It is working ok so far.
Is it this product? Thanks! https://www.le-vpn.com