28-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Understanding the GET VPN Registration Process
The key server generates the group policy and IPsec security associations (SAs) for the GDOI group. The information generated by the key server includes multiple TEK attributes, traffic encryption policy, lifetime, source and destination, a Security Parameter Index (SPI) ID that is associated with each TEK, and the rekey policy (one KEK). Note that the group member might also have a local security policy configured that is merged with the one downloaded; for complete information see Understanding the GET VPN Security Policy and Security Associations, page 28-10.
The following figure illustrates the communication flow between group members and the key server. The key server, after receiving registration messages from a group member, generates the information that contains the group policy and new IPsec SAs. The new IPsec SA is then downloaded to the group member. The key server maintains a table that contains the IP address of each group member per group. When a group member registers, the key server adds its IP address in its associated group table, thus allowing the key server to monitor an active group member. A key server can support multiple groups. A group member can be part of multiple groups.
Figure 28-2 Communication Flow Between Group Members and the Key Server
When you configure the GET VPN topology, you can configure the following registration-related features:
• Decide whether to use unicast or multicast for group registration and rekeying. For more information, see Choosing the Rekey Transport Mechanism, page 28-6.
Note If you use multicast, you need to enable multicast on the key servers and group members manually. Security Manager does not provision multicast commands.
• Decide whether to configure more than one key server to provide redundancy and load balancing. For more information, see Configuring Redundancy Using Cooperative Key Servers, page 28-7.
• Decide whether to configure fail-close mode on group members to protect their traffic prior to successful registration with the key server. For more information, see Configuring Fail-Close to Protect Registration Failures, page 28-8.
[Figure 28-2 labels: Key Server 1 in the Private Network; Group Member 1 through Group Member 4 on Subnet 1 through Subnet 4; Registration from each group member to the key server; Rekey Keys and Policy and IPsec Keys and Policy from the key server; each group member holds a Rekey SA and IPsec SAs.]
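As an added illustration (a constructed example, not Security Manager or IOS code), the following Python models the registration flow described above: a key server keeps a per-group member table and hands each registering member the group policy (one TEK per traffic-policy entry with its SPI and lifetime, plus the single KEK used for rekeying), while a group member in fail-close mode drops traffic until registration succeeds. Group names, addresses, key lengths and SPI numbering are assumptions.

```python
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class TEK:
    spi: int           # Security Parameter Index associated with this TEK
    src: str           # traffic encryption policy: protect traffic src -> dst
    dst: str
    lifetime: int      # seconds
    key: bytes

@dataclass(frozen=True)
class GroupPolicy:
    teks: tuple        # one TEK per traffic-policy entry
    kek: bytes         # rekey policy: the single KEK that protects rekey messages
    rekey_transport: str  # "unicast" or "multicast"

class KeyServer:
    def __init__(self):
        self.groups = {}   # group -> {"members": set of IPs, "policy": GroupPolicy}

    def create_group(self, group, policy_acl, lifetime=3600, transport="unicast"):
        # SPIs are assigned sequentially here (assumption); keys are random
        teks = tuple(TEK(0x100 + i, s, d, lifetime, secrets.token_bytes(16))
                     for i, (s, d) in enumerate(policy_acl))
        self.groups[group] = {"members": set(),
                              "policy": GroupPolicy(teks, secrets.token_bytes(16), transport)}

    def register(self, member_ip, group):   # handle one registration message
        entry = self.groups.get(group)
        if entry is None:
            return None    # unknown group: registration fails, nothing is downloaded
        entry["members"].add(member_ip)   # per-group table of active members
        return entry["policy"]

class GroupMember:
    def __init__(self, ip, fail_close=False):
        self.ip, self.fail_close, self.policies = ip, fail_close, {}

    def register(self, key_server, group):
        policy = key_server.register(self.ip, group)
        if policy is not None:
            self.policies[group] = policy   # downloaded IPsec SAs are now installed
        return policy is not None

    def handle(self, group, src, dst):
        # 'encrypt' when a TEK covers src->dst, else 'clear'; fail-close drops until registered
        policy = self.policies.get(group)
        if policy is None:
            return "drop" if self.fail_close else "clear"
        return "encrypt" if any(t.src == src and t.dst == dst for t in policy.teks) else "clear"
```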