GETVPN
- group encrypted transport VPN
- proprietary
- tunnel mode with header preservation: copies the addresses from the inner IP header to the outer header – keeps multicast working and works around ECMP polarization
- KEK = key encryption key
- TEK = traffic encryption key
- receive-only: useful during the deployment stage; lets you verify the control plane (registration, rekey) without affecting the data plane
- passive SA: overrides receive-only, encrypts egress traffic
- modes
- fail-open: all traffic is sent in clear-text while the GM is not registered with a KS
- fail-close:
- only explicitly listed traffic is sent in clear-text while unregistered, all other traffic is dropped
- exception: GDOI traffic between GM and KS is always allowed, so registration can succeed
- replay protection:
- time-based anti-replay (TBAR) – pseudo-clock
- IP delivery delay detection protocol (IP-D3P)
- IKEv2 limits: no support for COOP, EAP, IP-D3P
Key server (KS)
- up to 8 in group, only 1 active, the others are standby
- cannot be group member
- distributes IPsec keys (SA) among group members
- pushes the ACL for the crypto map (src/dst IP, port, protocol)
- keys are rotated only on lifetime timeout, not on traffic volume
- primary KS
- responsible for rekey
- mcast: default
- unicast
- rekey: KS removes a GM from the group if no acknowledgement is received for 3 rekey transactions in a row (unicast rekey)
- election: highest priority wins; tie broken by highest IP address
- no preemption; however, the primary role is restored once a network partition heals
- tracks secondaries with IKE DPD
- sends announcements every 20s; a secondary sends a request if no announcement is received within 30s; dead time – 60s
- IKE tunnels between KS in group (COOP)
- load-balancing:
- registration only (per-GM KS order in configuration, anycast, SLB)
- only primary does rekey
Group member (GM)
- encrypt/decrypt data
- members use the same keys
- IKE policies must match policies on KS
- IPv6 only in dataplane, IPv4-only control plane
- 1 minute timeout for GM registration on KS
GDOI
- group domain of interpretation
- IKEv1 used for GM authC
- UDP 848, DSCP CS6
IOS CLI
Server
; for KS redundancy, must match on all KS
(config)# crypto key generate rsa label <LABEL> exportable
; IKEv1
; IKEv2 (G-IKEv2) uses "crypto gkm group" in lieu of "crypto gdoi group"; both may coexist
(config)# crypto gdoi group <NAME>
(config-gdoi-group)# identity number <n>
(config-gdoi-group)# server local
(config-local-server)# rekey algorithm <ALG>
; with RSA key label
(config-local-server)# rekey authentication mypubkey rsa <LABEL>
(config-local-server)# rekey transport unicast
; ADDR_ACL specifies group address (host route)
(config-local-server)# rekey address ipv4 <ADDR_ACL>
(config-local-server)# sa ipsec <m>
(gdoi-sa-ipsec)# profile <PROFILE>
; ACL pushed (downloaded) to the GMs, defines what they encrypt
(gdoi-sa-ipsec)# match address ipv4 <ACL>
; decryption, no encryption
(gdoi-sa-ipsec)# receive-only
; src IP for KS
(config-local-server)# address ipv4 <IP>
(config-local-server)# redundancy
; default priority is 1
(gdoi-coop-ks-config)# local priority <PRIORITY>
(gdoi-coop-ks-config)# peer address ipv4 <IP>
; run on the GM (exec mode): passive SA, overrides receive-only pushed by KS; useful for PoC
# crypto gdoi gm ipsec direction inbound optional
Client
(config)# crypto gdoi group <GROUP>
(config-gdoi-group)# identity number <n>
(config-gdoi-group)# server address ipv4 <IP>
(config)# crypto map <NAME> <m> gdoi
(config-crypto-map)# set group <GROUP>
; fail-close ACL: deny entries mark traffic allowed in clear-text while unregistered, permits are not allowed
(config)# crypto map <NAME> gdoi fail-close
(config-crypto-map-fail-close)# match address <ACL>
; enable fail-close
(config-crypto-map-fail-close)# activate
(config-if)# crypto map <NAME>
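A complete worked configuration for one COOP key-server pair and one fail-close group member, added here as an example; it is not from the original notes or from Cisco documentation, and it fills in the pieces the placeholders above leave out (matching IKEv1 policy, IPsec profile, encryption ACL, TBAR window, rekey timers). Every value is constructed: group name and identity number, the 192.0.2.x / 198.51.100.x / 10.0.0.0/8 addresses, ACL and profile names, the pre-shared key placeholder, the 2048-bit modulus, the rekey lifetime/retransmit and TBAR window values, and the OSPF exemption are choices for illustration, not required settings.

```cisco
! ===== KS1 (primary, priority 100) -- constructed example values =====
! RSA key pair that signs rekeys; generate it once, then export/import the
! same pair on KS2 so every KS in the COOP group signs with the same key
crypto key generate rsa label GETVPN-REKEY modulus 2048 exportable
!
! IKEv1 policy: each GM needs a matching policy to register
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! wildcard peer used only for brevity; per-peer keys are preferable
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
! tunnel mode: GETVPN preserves the original IP header in the outer header
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
!
! ACL pushed to GMs: encrypt all 10/8 <-> 10/8 traffic, but never GDOI itself
! (UDP 848 must stay clear so registration and unicast rekey keep working)
ip access-list extended GETVPN-ENCRYPT
 deny   udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-ENCRYPT
   replay time window-size 5
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! ===== KS2 is identical except for these three lines =====
!   address ipv4 192.0.2.2 / local priority 50 / peer address ipv4 192.0.2.1
!
! ===== GM (fail-close) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 192.0.2.1
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 192.0.2.2
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
! fail-close ACL: deny entries only; they name what may pass in clear-text
! before registration succeeds (GDOI to both KSs, routing); all else is dropped
ip access-list extended GETVPN-FAIL-CLOSE
 deny udp any eq 848 host 192.0.2.1 eq 848
 deny udp any eq 848 host 192.0.2.2 eq 848
 deny ospf any any
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
crypto map GETVPN-MAP gdoi fail-close
 match address GETVPN-FAIL-CLOSE
 activate
!
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.10 255.255.255.0
 crypto map GETVPN-MAP
```

Two points worth checking against a real deployment: the encryption ACL and the fail-close ACL are separate objects with opposite semantics (permit = encrypt on the KS-pushed ACL; deny = allow in clear on the fail-close ACL), and any traffic the GM needs before it is registered (GDOI, routing, management) must appear in the fail-close ACL or the GM will isolate itself after a reload.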