GETVPN

  1. GETVPN
  2. Key server (KS)
  3. Group member (GM)
  4. GDOI
  5. IOS CLI
    1. Server
    2. Client

GETVPN

  • group encrypted transport VPN
  • proprietary
  • tunnel mode: copies address from inner header to outer header – mcast support + polarization workaround
  • KEK = key encryption key
  • TEK = traffic encryption key
  • receive-only: useful on deployment stage, helps verify control plane without impact to data plane
  • passive SA: overrides receive-only, encrypts egress traffic
  • modes
    • fail-open: all traffic – clear-text if GM is not registered with KS
    • fail-close:
      • only certain traffic is clear-text, other traffic is dropped
      • exception: GDOI with GM
  • replay protection:
    • time-based anti-replay (TBAR) – pseudo-clock
    • IP delivery delay detection protocol (IP-D3P)
  • IKEv2 limits: no support for COOP, EAP, IP-D3P

Key server (KS)

  • up to 8 in group, only 1 active, the others are standby
  • cannot be group member
  • distributes IPsec keys (SA) among group members
  • pushes ACL for crypto map (src/dst IP/port, protocol)
  • only timeout for keys, no rotation on volume
  • primary KS
    • responsible for rekey
      • mcast: default
      • unicast
        • rekey: KS removes GM from group if no acknowledgement is received for 3 transactions in a row
    • election: highest priority → highest address
    • no preemption; however, can restore after partition
    • tracks secondary with IKE DPD
    • sends announcements every 20s; secondary sends request if no announcement received in 30s; dead time – 60s
  • IKE tunnels between KS in group (COOP)
  • load-balancing:
    • registration only: configuration, anycast, SLB
    • only primary does rekey

Group member (GM)

  • encrypt/decrypt data
  • members use the same keys
  • IKE policies must match policies on KS
  • IPv6 only in dataplane, IPv4-only control plane
  • 1 minute timeout for GM registration on KS

GDOI

  • group domain of interpretation
  • IKEv1 used for GM authC
  • UDP 848, DSCP CS6

IOS CLI

Server

; for KS redundancy, must match on all KS
(config)# crypto key generate rsa label <LABEL> exportable

; IKEv1
; IKEv2 ≡ gkm in lieu of gdoi, may coexist
(config)# crypto gdoi group <NAME>
(config-gdoi-group)# identity number <n>

(config-gdoi-group)# server local
(config-local-server)# rekey algorithm <ALG>
; with RSA key label
(config-local-server)# rekey authentication mypubkey rsa <LABEL>
(config-local-server)# rekey transport unicast
; ADDR_ACL specifies group address (host route)
(config-local-server)# rekey address ipv4 <ADDR_ACL>

(config-local-server)# sa ipsec <m>
(gdoi-sa-ipsec)# profile <PROFILE>
; dACL
(gdoi-sa-ipsec)# match address ipv4 <ACL>
; decryption, no encryption
(gdoi-sa-ipsec)# receive-only

; src IP for KS
(config-local-server)# address ipv4 <IP>
(config-local-server)# redundancy
; 1 default
(gdoi-coop-ks-config)# local priority <PRIORITY>
(gdoi-coop-ks-config)# peer address ipv4 <IP>
; override receive-only locally, useful for PoC
# crypto gdoi gm ipsec direction inbound optional

Client

(config)# crypto gdoi group <GROUP>
(config-gdoi-group)# identity number <n>
(config-gdoi-group)# server address ipv4 <IP>

(config)# crypto map <NAME> [seq <m> gdoi] [fail-close]
(config-crypto-map-fail-close)# set group <GROUP>
; fail-close, deny in ACL marks non-encrypted traffic, no permits
(config-crypto-map-fail-close)# match address <ACL>
; enable fail-close
(config-crypto-map-fail-close)# activate
(config-if)# crypto map <MAP>
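
The CLI skeleton above filled in as one complete KS/GM pair, added here as an example and not part of the original notes; all names, addresses, the identity number, the <PSK> placeholder and the ACL contents are constructed, and the GM's isakmp policy/key (identical to the KS) is omitted for space.

```cisco
! ---- Key server KS1 (10.0.0.1), COOP peer KS2 at 10.0.0.2 ----
! rekey signing key; exportable so the same key can be loaded on KS2
crypto key generate rsa label GETVPN-REKEY modulus 2048 exportable
!
! IKEv1 policy for GM registration; must match on the GMs
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
!
! traffic policy pushed to every GM; deny entries are sent in clear
ip access-list extended GETVPN-TRAFFIC
 deny   udp any eq 848 any eq 848
 deny   eigrp any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-TRAFFIC
   receive-only
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 10.0.0.2
!
! ---- Group member (isakmp policy/key identical to KS, omitted) ----
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
crypto map GETVPN-MAP gdoi fail-close
 match address FAIL-CLOSE-EXCEPTIONS
 activate
! fail-close: deny entries stay clear-text before registration, all else dropped
ip access-list extended FAIL-CLOSE-EXCEPTIONS
 deny   eigrp any any
interface GigabitEthernet0/1
 crypto map GETVPN-MAP
```

With `receive-only` on the KS, GMs decrypt but still forward egress traffic in clear; remove it (or use the GM exec override above) once the control plane is verified.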