

GET VPN (Group Encrypted Transport)

GET VPN is a centralized solution for IPsec policy enforcement. The major difference from DMVPN is that GET VPN does not set up any IPsec tunnels between GMs. Every GM holds the policy (what to encrypt, which encryption algorithm to use, etc.), encrypts the packet and sends it out using ESP (Encapsulating Security Payload). The original IP header is kept, so the existing routing carries the data across the network. The KS has to send the TEK and KEK keys every 3600 seconds by default; this phase is called the rekey phase. ISAKMP uses GDOI messages to build the SAs and to encrypt GM registration; GDOI runs on UDP port 848.

There are two types of routers in a GET VPN deployment:

1) Key Server (KS): The key server creates, maintains and sends the IPsec policy to the group members. The policy defines which traffic needs to be encrypted and which encryption policies should be imposed. The most important function of the KS is to generate keys. There are two types of keys:
- TEK (Transport Encryption Key): used by the GMs to encrypt the data.
- KEK (Key Encryption Key): used to secure the communication between the KS and the GMs.

2) Group Members (GMs).

Revocation-check command: When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this period expires, for example due to security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the security appliance to check that the CA has not revoked a certificate every time it uses that certificate for authentication. CRL is the default method. NONE ignores the certificate validation status.

3) COOP Protocol: Cisco has developed the COOP (cooperative KS) concept to sync redundant key servers so that they hand out the same TEK and KEK keys and the communication continues.
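As an added example (not part of these notes), the key server and group member pieces described above in Cisco IOS configuration form: a KS that pushes one encryption policy, rekeys every 3600 seconds and has a COOP peer, plus a GM that registers to both servers. The group number, names, addresses and CA URL are assumed placeholders, and the RSA key pair labelled GETVPN-REKEY is assumed to already exist on the KS.

```cisco
! --- Key server (KS) ---
crypto pki trustpoint GETVPN-CA
 enrollment url http://ca.example.com
 ! CRL checking is the default; "revocation-check none" would skip it
 revocation-check crl
!
crypto isakmp policy 10
 encryption aes
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
!
! Encryption policy the KS pushes to every GM together with the TEK
ip access-list extended GETVPN-ENCRYPT
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  ! rekey messages are signed with the RSA key pair GETVPN-REKEY
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey algorithm aes 128
  rekey lifetime seconds 3600
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-ENCRYPT
   replay counter window-size 64
  address ipv4 192.0.2.1
  ! COOP: the redundant KS 192.0.2.2 hands out the same TEK/KEK
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! --- Group member (GM): same trustpoint and ISAKMP policy as the KS ---
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map GETVPN-MAP
```

The GM registers to the KS over GDOI (UDP 848) when the crypto map is applied, and `show crypto gdoi` on either side shows the downloaded policy and the remaining TEK/KEK lifetimes.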

REMOTE ACCESS VPN:

Easy VPN and remote access VPN are the same thing. There are three modes of client configuration:

1) Client: This is the default. In this mode the client gets an IP address from the server and translates all its traffic to that address (PAT). In most cases this is suitable. There will be one INSIDE interface and one OUTSIDE interface between which the traffic is translated.
2) Network Extension: The client works as if it were part of the company network. The client's IP addresses must be routable in the network (they are not assigned by the server).
3) Network Extension-Plus: This mode is similar to the previous one, but the client also gets an IP address from the server and assigns it to its loopback. This can be used for management purposes.

There are three connection methods:

1) Auto: The client initiates the VPN as soon as the GET VPN is enabled on its interface.
2) Manual: The client waits for a command to set up the tunnel.
3) ACL: The tunnel is initiated as soon as interesting traffic is seen on the network.
