ASK THE EXPERT - GROUP ENCRYPTED TRANSPORT (GET VPN)

Unanswered Question
Jan 11th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about Cisco GET VPN which is a revolutionary WAN security technology that defines a new category of VPN, one that does not use tunnels with Cisco expert Haseeb Niazi. Haseeb is a technical leader in Cisco Network Systems Integration & Test Engineering (NSITE) team. Haseeb has over eight years of experience with various security related solutions including Network Based Security Services, EzVPN, DMVPN and GET VPN. He has helped a number of enterprise and service provider customers evaluate and deploy these solutions in their networks.

Remember to use the rating system to let Haseeb know if you have received an adequate response.

Haseeb might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 25, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
sbaddipu Fri, 01/11/2008 - 16:13

Haseeb,

Can you post any good documentation that explains this new GET VPN and benefits against the existing ones?

Thanks

satya

hniazi Mon, 01/14/2008 - 08:15

Hello Satya,

Following slide gives a very good comparison (high level) of various site to site solutions:

http://www.cisco.com/application/pdf/en/us/guest/products/ps7180/c1031/cdccont_0900aecd80582078.pdf

To summerize, major advantages of GETVPN are:

a) No overlay routing

GETVPN does not run into similar scalability concerns that IPSec/GRE or DMVPN solutions run into

b) Tunnel header preservation - superior multicast handling

Source and destination stays intact. Multicast packets only need to be encrypted once and then multicast core is responsible for replicating and distributing traffic.

c) Separation of control and data plane.

Inproved scalability because unlike DMVPN or IPsec/GRE or EzVPN hub, a Key Server is not in the data path and is only responsible for control plane thereby resulting in better network scalability

d) Any to Any connectivity w/o a need to negotiate new IPsec tunnels

Due to groups SA concept, any packet which any group member encrypts, can be decrypted by any other group member.

One thing I must point out is that GETVPN is only suitable in environments where we have end to end routing e.g. MPLS or L2 (FR/ATM) connectivity, This is because of tunnel header preservation. If GETVPN has to be deployed on the Internet, it has to be combined with DMVPN or GRE overlay.

You can find much more info on following URL:

http://www.cisco.com/go/getvpn

Flash demo on the right hand side provides a very good overview.

thx

Haseeb

Kevin Xiong Sat, 01/12/2008 - 06:19

When deploying DMVPN with GDOI over the Internet, how to provide dual key servers and dual hub sites failover and load-share function?

hniazi Mon, 01/14/2008 - 08:44

Hello Kevin,

DMVPN setup with GDOI is no different than a DMVPN only setup from data path point of view. We only have to decide how will we setup the control path. Lets look at roles of various devices:

a) Key Servers - these devices will provide keying material to DMVPN hubs and spokes. Depending on you scalability requirements, these devices can be ISRs or 7200s.

b) GROUP members - Devices actually responsible for encryption decryption. All DMVPN hubs and spokes will be GMs

c) We do not support KS and GM on the same device so KSs can not be deployed on DMVPN hub. We will need extra routers to act as Key Servers

If we have to lay down the deployment steps, here is what we would do:

a) Design the DMVPN network (with or without tunnel protection) and layout the data connections - distribute the spokes load manually OR automatically (using IOS Server Loab Balancer)

b) When you have designed your DMVPN network, you have to place your key servers and make all the DMVPN spokes and hub group members for the Key Servers.

c) Key server placement is completely up to you. All the DMVPN routers will have to be able to reach Key Servers (hence public address on KS) on UDP 848. You can place one KS at one Hub side and other KS at another hub site OR place them at a completely different location as long as KSs are reachable by GMs.

d) Since we support unicast rekeys with GETVPN, rekey transport over Internet should not be a problem.

e) Both the Key servers will run COOP protocol for high availability.

Please let me know if you have any more questions. For more info on GETVPN/GM/KS/COOP, you can refer to:

www.cisco.com/go/getvpn

thx

Haseeb

kianhowtan Wed, 01/16/2008 - 06:33

Hi hniazi,

I got a scenario that needs your advice. My customer had a HQ site with 15 remote sites. My customer is keen to use the GET VPN over their WAN.

Currently, the remote sites are connected back to the HQ via a Layer3 Metro-E Wan connections (RJ45 termination). The HQ router is actually a Layer 3750 switch, while all the remote routers are 877 series ISR. Based on what I read from the GET article, I will need to cater a pair of key servers (for HA purposes) at the HQ. There are a pair of HA firewall connecting to the L3 3750 switch, so I intend to "carve-out" any DMZ zone on the firewall to place my key servers.

Got two questions to ask :-

1. Do I need to replace the L3 3750 switch to a ISR WAN router?

2. Can I connect the key servers behind a firewall, or need to be directly "behind" the L3 switch?

Thanks

howge

hniazi Wed, 01/16/2008 - 13:48

Hi Howge,

The Key Sever can be placed behind a firewall w/o an issue as long as we are not doing NAT on the firewall. We have to allow UDP port 848 for GDOI traffic.

If the remote sites are going to send encrypted traffic to HQ (which I assume they are), we will need to position a group member at the HQ site as well because 3750 does not support GET VPN.

You can replace the 3750 with an ISR OR add a router (GM) inline between your HQ 3750 and HQ network so that the traffic after aggregation gets decrypted before getting forwarded to the HQ network.

thx

Haseeb

csco11335292 Thu, 01/17/2008 - 23:05

Thanks Haseeb but what do you know on the following topics

Implement Cisco Layer 2 security

Utilize Cisco IOS commands to mitigate Layer 2 attacks

Implement Cisco Identity-Based Networking Services on Cisco Catalyst Switches

Implement Identity Management using ACS as the Authentication Server

I would really appreciate if you can assist.

Best regards

Greg

hniazi Fri, 01/18/2008 - 12:30

Hi Greg,

Unfortunately I have no experience in these areas. You might want to try posting your questions on general security forum OR by contacting your account/sales team. They can help you pull in the right resources.

thx

Haseeb

hniazi Sun, 01/20/2008 - 19:48

Hi,

GETVPN support is chalked out for 6500 towards the end of 2008 on the next generation VPN SPA. Support on 7600 is not committed yet. If the project does get committed, we will see GETVPN on 7600 after 6500.

thx

Haseeb

sspage Tue, 01/22/2008 - 06:04

Does GET VPN support a Key server and Group member running on the same router?

On a previous netpro forum on GET (held Jun 20, 2007) it was stated that this was a high priority feature on the development plan.

hniazi Tue, 01/22/2008 - 07:55

Hi,

Unfortunately this is still not possible and won't be possible for quite some time. While running GM and KS makes sense for some of the smaller deployments and looks like an attractive feature, in reality we have not seen field pushing for this feature. The reason is that most of the customers like the separation of control plane and the data plane provided by using a separate pair of KSs because of increased stability and scalability. I would love to understand your requirements and scenarios you are targeting and take the feedback back to product marketing and development.

thx

Haseeb

sspage Tue, 01/22/2008 - 08:40

Haseeb,

thanks for the quick response. I agree, my preference would be to seperate KS and GM for stability and security purposes.

We are just comparing the options for costs and kit deployment on customer site.At most 2 KS would be used , so no great cost savings to be made.

ZCarolinaVPN Tue, 01/22/2008 - 09:27

My VPN is shutting down and giving me a blue screen. I have version 5.0.01.0600. It was also doing this with another version also. Please help or point me to someone who can help to remedy my problem.

Thank you,

Matt

hniazi Tue, 01/22/2008 - 15:23

Hi Matt,

VPN client installation/troubleshooting cases are best handled by TAC because of their experience with a wide variety of PC platforms and NICs. You might want to open a case with Cisco TAC.

Just a side note - GETVPN is not supported on PC clients.

thx

Haseeb

chucktiede Wed, 01/23/2008 - 15:31

Hi Haseeb, We are looking to move away from our current WAN, which is DMVPN over Internet and going to a MPLS WAN and are evaluating DMVPN and GETVPN as possible encryption solutions. But we are looking to get some insight into the percentage of company's that are deploying MPLS that are using encryption vs plain text. Being that Cisco has invested and developed GETVPN which seems to be targeted at MPLS deployments the number must be significant. Do you have any idea of what percentage of MPLS customers are using an encryption technology to protect it?

hniazi Wed, 01/23/2008 - 21:25

Hi,

Just like you, recently we have seen a large number of enterprise customers migrate either from leased lines or in some cases from Internet to MPLS. They join an long list of existing MPLS customers.

Due to recent federal regulatory requirements, most of these customers are looking to deploy encryption on their networks. I do not have any hard numbers but as you might already know almost all the customers who deal with sensitive data (credit cards transactions, financial transactions, medial records etc etc) have aready deployed or are in the process of deploying encryption on their WAN. This means the customer percentage considerably large and is growing.

thx

Haseeb

sujitkr7cisco Thu, 01/24/2008 - 23:36

Hi,

I have CISCO ASA 5510 , i configured remote vpn for roming users which are connected through vpn clint .My email and one application is working fine but users wants also web browsing through it .Is their any option in ASDM , through which we manage easisly accessbility of vpn clints user (roming users)..My all vpn users are following single group.

hniazi Fri, 01/25/2008 - 08:23

Hi,

Its been while since I have worked on ASA (which btw does not support GETVPN) but there are two options as far as I can tell:

a) Allow split tunneling - users can access Internet directly and only encrypt when they need to access email

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

b) If you want the traffic to always go through firewall and do not want to use split-tunneling, use a configuration like following:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

I am sorry I do not know how these configurations translates to ASDM. Maybe a call to TAC would clarify the confusion.

thx

Haseeb

daniel.espi Fri, 01/25/2008 - 05:00

Hi Haseeb,

I'm trying to configure an IPsec L2L over other IPsec L2L. Head-end router has two crypto-map in two differents interfaces WAN1 and WAN2. Crypto map in WAN2 encrypts real traffic and crypto map in WAN1 encrypts traffic from crypto map in WAN2. I have configured one route for peer of crypto map in WAN2 through WAN1.

IPSec L2L in WAN1 is able to establish, but not IPsec L2L in WAN2. Is this configuration possible?

hniazi Fri, 01/25/2008 - 08:41

I am not too clear about how you have configured the headend but obviously this is not a very common configuration.

If your setup is something like following:

IPsecA-NET-IPSecB-INET-IPsecB-NET-IPsecA

Double-Encryption might just work (never tried it). If not, maybe we can change the tunnel between IPsecA devices to GRE OR may be encapsulate IPsec tunnel into a GRE tunnel.

I am not sure how will be be able to configure a single head-end ti terminate both VPNs.

thx

Haseeb

Actions

This Discussion