Tunneling Technologies: GET VPN

Group Encrypted Transport VPN is used to encrypt traffic crossing untrusted networks.  It uses IPSEC to enforce the integrity and confidentiality of data.

Deployment consists of a Key Server router (KS) and Group Member routers (GM).

The KS creates, maintains, and sends policies to GMs.  The KS also generates the encryption keys:

  • Transport Encryption Key (TEK): used by the GMs to encrypt data traffic
  • Key Encryption Key (KEK): used to encrypt the control connection between the KS and the GMs (the rekey messages)

Policies provide information regarding what traffic should be encrypted and what encryption algorithms to use.

There is never an actual IPSEC tunnel between the KS and the GMs.  Instead, the GMs simply receive the policy from the KS and encrypt the specific traffic defined in that policy as needed.  When traffic that matches the policy enters a GM, it is encapsulated in ESP and sent out with the original source and destination IPs preserved.

The KS requires RSA keys for the rekeying process.  The KS sends out a new TEK before the current TEK expires (3600 seconds).  The rekey phase is authenticated and secured via an ISAKMP SA between the KS and the GM.

ISAKMP uses Group Domain of Interpretation (GDOI) messages to build the SA and to encrypt GM registration.

GDOI uses UDP 848, as opposed to IKE's UDP 500, to establish SAs.
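As an added example (not from the original post), here is a minimal Cisco IOS configuration of one KS and one GM that follows the model above: the KS holds the RSA key used to sign rekeys, the policy ACL and the 3600-second TEK lifetime, while the GM only registers with the KS over GDOI.  All addresses, names, the group identity number and the pre-shared key are assumed placeholder values.

```cisco
! ---- Key Server (KS) ----
! Prerequisite (exec mode): crypto key generate rsa label GETVPN-REKEY modulus 2048
! ISAKMP SA protects GM registration and the rekey exchange (GDOI, UDP 848)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GROUPSECRET address 192.0.2.0 255.255.255.0
!
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile GET-PROF
 set transform-set GET-TS
 set security-association lifetime seconds 3600   ! TEK lifetime; KS rekeys before expiry
!
! Policy ACL pushed to every GM: what to encrypt (permit) and what to leave in clear (deny)
ip access-list extended GET-TRAFFIC
 deny   udp any eq 848 any eq 848                  ! never encrypt GDOI control traffic itself
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GET-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256                          ! KEK protecting rekey messages
  rekey lifetime seconds 86400
  rekey authentication mypubkey rsa GETVPN-REKEY   ! rekeys are signed with the KS RSA key
  rekey transport unicast
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-TRAFFIC
  address ipv4 192.0.2.1
!
! ---- Group Member (GM) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GROUPSECRET address 192.0.2.1
!
crypto gdoi group GET-GROUP
 identity number 1234
 server address ipv4 192.0.2.1                     ! no tunnel to the KS; registration only
!
crypto map GET-MAP 10 gdoi                         ! no peer/ACL here: both come from the KS
 set group GET-GROUP
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 crypto map GET-MAP
```

On the GM, `show crypto gdoi` confirms registration and shows the TEK and KEK lifetimes downloaded from the KS; on the KS, `show crypto gdoi ks policy` shows the policy being distributed.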
