Group Encrypted Transport (GET) VPN is described as a next-generation tunnel-less VPN technology, but it is not a replacement for the well-known DMVPN. GET VPN and DMVPN are complementary technologies and can be deployed together.
DMVPN spoke-to-spoke tunnels come up slowly, because the IPSec tunnels are built dynamically on top of NHRP and multipoint GRE, so the tunnel negotiation time has a direct impact on delay-sensitive data such as voice and video. In this case GET VPN is a good replacement where voice and video need to be transmitted between branches, because the IPSec keys and policy are already in place before the data goes through.
The distributed nature of today's network applications such as voice, video and multicast traffic, the constant growth of network threats and risks, local, federal and industry regulations, and highly confidential traffic in financial environments are key factors driving efficient and secure branch-to-branch WAN connectivity.
WAN architecture demands have changed over the years from point-to-point and point-to-multipoint to full-mesh connectivity. In today's WAN infrastructure, where MPLS provides full-mesh connectivity between all branches, most companies are still using a centralized point-to-multipoint model with an inefficient and slow dynamic tunnel negotiation process.
GET VPN is the recommended solution when time-sensitive data has to be encrypted, multicast applications and dynamic routing are needed, and the MPLS WAN architecture already provides full-mesh connectivity.
The following key features of GET VPN are advantages over traditional IPSec VPN:
- WAN transport full mesh encryption services on demand
- Tunnel-Less Any-to-Any IPSec VPNs
- Native routing
- IP header preservation
- Centralized key and policy management
- Advanced QoS
- Multicast connectivity
- Reliability and redundancy of architecture
The key components of GET VPN are the GDOI protocol, the Key Server and the Group Member.
Group Domain of Interpretation (GDOI) (RFC 3547)
- Uses UDP 848
- Cryptographic protocol for group policy/key management and distribution
- Built on ISAKMP
- Establishes security associations between authorized group member routers
- Uses two different encryption keys: the Key Encryption Key (KEK), which secures the control plane, and the Traffic Encryption Key (TEK), which encrypts data traffic
Key Server (KS)
- Authenticates Group Member (GM)
- Distributes IPSec keys and policies to all registered and authenticated GMs
- Performs the rekey process
Group Member (GM)
- Registers with the KS to download the IPSec VPN policy
- Encrypts/decrypts traffic exchanged among GMs in the same group
The GET VPN process can be divided into the following 5 steps:
- Registration of GMs with the KS
- Authentication and authorization of GMs by the KS
- IPSec SA policy propagation from KS to GMs
- GMs encrypt/decrypt traffic based on the group policy
- Rekey process – propagation of replacement IPSec SA keys from the KS to the GMs
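The five steps above, and the KEK/TEK split from the GDOI list, are easiest to see in a small model. The Python below is an added illustration written for this post; it is not Cisco code and not a real GDOI/ISAKMP implementation. The key server, the two branch routers, group number 1234 and their pre-shared keys are constructed, the `10.` prefix stands in for the policy's match address, and an HMAC-SHA256 keystream XOR stands in for AES/ESP so the model runs on the standard library alone. What it shows is the property the post is about: every GM downloads the same policy and TEK from the KS, so two branches encrypt to each other with no pairwise tunnel negotiation, the IP header stays intact, and a single KEK-protected rekey message replaces the TEK for the whole group.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


def keystream_xor(key, nonce, data):  # toy AES/ESP stand-in: XOR with an HMAC-SHA256 keystream
    stream = bytearray()
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + len(stream).to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class GroupPolicy:
    group_id: int
    protected_prefix: str   # toy "match address": traffic to this prefix gets encrypted
    tek: bytes              # Traffic Encryption Key: data plane, shared by every GM
    kek: bytes              # Key Encryption Key: control plane, protects rekey messages
    tek_version: int = 1


class KeyServer:
    def __init__(self, group_id, protected_prefix, psk_by_gm):
        self.psk_by_gm = psk_by_gm  # constructed: GM identity -> registration pre-shared key
        self.policy = GroupPolicy(group_id, protected_prefix, os.urandom(32), os.urandom(32))

    def register(self, gm_id, group_id, proof):
        """Steps 1-3: registration, authentication/authorization, policy download."""
        psk = self.psk_by_gm.get(gm_id)
        if psk is None or group_id != self.policy.group_id:
            raise PermissionError(f"{gm_id}: not authorized for group {group_id}")
        expected = hmac.new(psk, f"{gm_id}:{group_id}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError(f"{gm_id}: authentication failed")
        return replace(self.policy)  # same TEK for all GMs: any-to-any without pairwise SAs

    def rekey(self):
        """Step 5: fresh TEK for the whole group, wrapped and authenticated with the KEK."""
        self.policy.tek_version += 1
        self.policy.tek = os.urandom(32)
        nonce = os.urandom(8)
        blob = keystream_xor(self.policy.kek, nonce, self.policy.tek)
        tag = hmac.new(self.policy.kek, nonce + blob, hashlib.sha256).digest()
        return {"version": self.policy.tek_version, "nonce": nonce, "blob": blob, "tag": tag}


class GroupMember:
    def __init__(self, gm_id, psk):
        self.gm_id, self.psk, self.policy = gm_id, psk, None

    def register(self, ks, group_id):
        proof = hmac.new(self.psk, f"{self.gm_id}:{group_id}".encode(), hashlib.sha256).digest()
        self.policy = ks.register(self.gm_id, group_id, proof)

    def apply_rekey(self, msg):
        tag = hmac.new(self.policy.kek, msg["nonce"] + msg["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, msg["tag"]):
            raise ValueError("rekey message failed KEK authentication")
        self.policy.tek = keystream_xor(self.policy.kek, msg["nonce"], msg["blob"])
        self.policy.tek_version = msg["version"]

    def encrypt(self, pkt):
        """Step 4: IP header (src/dst) preserved, only the payload is encrypted."""
        if not pkt["dst"].startswith(self.policy.protected_prefix):
            return dict(pkt)  # policy leaves this traffic in clear text
        nonce = os.urandom(8)
        return {"src": pkt["src"], "dst": pkt["dst"], "tek_version": self.policy.tek_version,
                "nonce": nonce, "payload": keystream_xor(self.policy.tek, nonce, pkt["payload"])}

    def decrypt(self, pkt):
        if "nonce" not in pkt:
            return dict(pkt)  # was sent in clear text
        if pkt["tek_version"] != self.policy.tek_version:
            raise ValueError("TEK version mismatch: a GM missed the rekey")
        return {"src": pkt["src"], "dst": pkt["dst"],
                "payload": keystream_xor(self.policy.tek, pkt["nonce"], pkt["payload"])}


def fails(fn, exc):
    try:
        fn()
    except exc:
        return True
    return False


def run_demo():
    ks = KeyServer(1234, "10.", {"branch-a": b"psk-a", "branch-b": b"psk-b"})  # constructed
    a, b = GroupMember("branch-a", b"psk-a"), GroupMember("branch-b", b"psk-b")
    for gm in (a, b):
        gm.register(ks, 1234)
    pkt = {"src": "10.1.2.10", "dst": "10.1.3.10", "payload": b"RTP voice frame"}
    on_wire = a.encrypt(pkt)  # A never negotiated a tunnel with B
    first_tek, clear = a.policy.tek, b.decrypt(on_wire)
    msg = ks.rekey()  # one KS message re-keys every GM
    for gm in (a, b):
        gm.apply_rekey(msg)
    after_rekey = b.decrypt(a.encrypt(pkt))
    stale_rejected = fails(lambda: b.decrypt(on_wire), ValueError)  # retired TEK refused
    rogue_registered = not fails(lambda: GroupMember("branch-x", b"wrong-psk").register(ks, 1234),
                                 PermissionError)
    return {"header_preserved": (on_wire["src"], on_wire["dst"]) == (pkt["src"], pkt["dst"]),
            "payload_hidden": on_wire["payload"] != pkt["payload"],
            "decrypted": clear["payload"], "after_rekey": after_rekey["payload"],
            "tek_changed": a.policy.tek != first_tek, "tek_version": a.policy.tek_version,
            "stale_rejected": stale_rejected, "rogue_registered": rogue_registered}
```

Run `run_demo()` and every flag should be true except `rogue_registered`. The rekey path is the part worth studying: the GM accepts a new TEK only after the message verifies under the KEK it received at registration, which is why compromising the data-plane key alone does not let anyone push keys to the group, and why a GM that misses a rekey simply stops decrypting rather than silently accepting stale traffic.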
In the next post I'm going to provide more process details and a configuration example for GET VPN.