GETVPN
- One SA
- Any-to-Any
- No tunnels
- Does not change the IPs
- IPSEC Tunnel mode with Address Preservation
- Works well with QoS or Traffic Engineering
- Replicates multicast well
HIPAA, GLBA, and PCI DSS all mandate encryption even over private IP networks.
DMVPN is OK, but requires an overlay, with additional complexity.
Point-to-point IPSec tunnels are poor at multicast replication, because the multicast must be replicated before it enters the tunnel.
Terms
GETVPN — Group Encrypted Transport VPN
GDOI — Group Domain of Interpretation
- Built on IKEv1 phase 1 (ISAKMP), which protects the GM's registration with the KS
G-IKEv2
- Replaces GDOI
GM — Group Member
- All share the same crypto SA
KS — Key Server
TEK — Traffic Encryption Key
- Encrypts data-plane traffic between GMs (the one shared SA)
KEK — Key Encryption Key
- Protects control-plane traffic: the rekey messages the KS sends to the GMs
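As an added example (not from this page or the referenced Cisco guides), a minimal GDOI key server and group member pair on Cisco IOS that shows the terms above in use: the KS holds the transform set, policy ACL and rekey key, and the GM downloads TEK, KEK and policy at registration. Group name, identity number, addresses, key labels and the pre-shared key are assumed placeholders; this is the IKEv1-based GDOI registration, not G-IKEv2.

```cisco
! --- Key Server (KS), 10.0.0.1 ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard pre-shared key shown for brevity; use certificates (PKI) or per-GM keys in production
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 0.0.0.0
!
! Transform set pushed to every GM: tunnel mode, original IP header preserved
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic to protect; the KS pushes this policy to every GM
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! RSA key pair (generated in exec mode beforehand) signs the KEK-protected rekey messages
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-RSA
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   replay counter window-size 64
  address ipv4 10.0.0.1
!
! --- Group Member (GM) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 10.0.0.1
! No transform set or ACL here: TEK, KEK and policy are downloaded from the KS at registration
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/1
 crypto map GETVPN-MAP
```

After registration, `show crypto gdoi` on the GM lists the downloaded TEK/KEK and the KS address, which is the quickest check that the group policy arrived.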
G-IKEv2
Message Exchange
```mermaid
sequenceDiagram
participant GM as Group Member
participant KS as Key Server
GM ->> KS: HDR, initiator SA, initiator key exchange, initiator nonce
KS -->> GM: HDR, responder SA, responder key exchange, responder nonce
GM ->> KS: HDR, encryption and authentication, initiator ID, group identification, vendor ID
KS -->> GM: HDR, encryption and authentication, responder ID, authentication data,<br/>sequence, group security association, key download
```
Migration Help
References
Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide
Security and VPN Configuration Guide - GETVPN G-IKEv2 Support - Cisco
Group Encrypted Transport VPN - Cisco
GETVPN Troubleshoot Guide - Cisco
RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) | RFC Editor