Group Encrypted Transport VPN (GETVPN) is a Cisco IPsec VPN that encrypts traffic as it crosses a network the organization does not trust, typically a private WAN such as MPLS (the original IP headers are preserved, so the addresses must be routable across that WAN). It uses IPsec ESP to provide confidentiality and integrity of the data.
A deployment consists of one or more Key Server (KS) routers and the Group Member (GM) routers that do the actual encryption.
The KS creates, maintains and distributes the group policy to the GMs. The KS also generates the group's encryption keys:
- Traffic Encryption Key (TEK): the key the GMs use to encrypt and decrypt the data traffic. Every GM in the group holds the same TEK, so any GM can decrypt traffic sent by any other GM.
- Key Encryption Key (KEK): the key used to encrypt the rekey messages the KS sends to the GMs (new TEKs and, when it changes, a new KEK).
The policy tells a GM which traffic to encrypt (an access list defined on the KS) and which IPsec transform set (encryption and integrity algorithms, SA lifetime) to use.
There are no point-to-point IPsec tunnels in GETVPN: no tunnel between KS and GMs, and none between GMs either. The KS is not in the data path; a GM simply receives the policy and the group keys from the KS and encrypts the traffic matched by the policy as needed. When traffic that matches the policy enters the GM, it is encapsulated in ESP (tunnel mode with IP header preservation) and sent on with the original source and destination IP addresses copied into the outer header, so the existing routing in the WAN still delivers it to the right remote GM.
The KS requires an RSA key pair for the rekey process; it uses the private key to sign rekey messages, and the GMs verify the signature with the KS public key they received at registration. Before the current TEK expires (default lifetime 3600 seconds) the KS sends a new TEK to the GMs in a rekey message. Rekey messages are GDOI messages sent as unicast or multicast; they are encrypted with the KEK and signed with the KS RSA key, not protected by a new ISAKMP exchange. The ISAKMP SA is only used to protect the initial registration of a GM with the KS.
GDOI (Group Domain of Interpretation, RFC 3547, updated by RFC 6407) is the group key management protocol GETVPN uses. A GM registers by first establishing an ISAKMP (IKE Phase 1) SA with the KS, which authenticates both sides (pre-shared key or certificates) and encrypts the GDOI registration exchange in which the GM receives the policy, the TEK and the KEK.
GDOI uses UDP port 848, as opposed to IKE's UDP port 500, so both UDP 500 and UDP 848 must be reachable from every GM to the KS (and from the KS to the GMs for unicast rekeys), and ESP (IP protocol 50) must be allowed between the GMs.
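The following is an added example, not configuration from the original notes, showing how the pieces above map onto a minimal Cisco IOS GETVPN deployment: one KS with an RSA key for rekey signing, an encryption policy ACL, a transform set with the 3600 second TEK lifetime, and one GM that registers to it. All names, addresses, group identity and the pre-shared key are assumptions chosen for this example; the IKE policy values (AES-256, SHA-256, group 14) assume an IOS release that supports them. Comments in the configuration are marked with "!".

```cisco
! ================= Key Server (KS) 198.51.100.1 =================
! Exec mode, run once before the GDOI config: RSA key pair used to sign
! rekey messages. The label is an assumption; "exportable" only matters
! if a cooperative KS will need the same key.
!   crypto key generate rsa general-keys label GETVPN-REKEY-RSA modulus 2048 exportable
!
! IKE Phase 1 (ISAKMP) policy. This SA only protects GM registration
! on UDP 500 + UDP 848; it is not used for rekeys or data traffic.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Example PSK for all GMs in 198.51.100.0/24 (assumption). In production use
! per-GM keys or, better, certificates (authentication rsa-sig) to avoid
! a single group-wide secret.
crypto isakmp key GETVPN-PSK-EXAMPLE address 198.51.100.0 255.255.255.0
!
! Transform set and profile: the algorithms and the TEK lifetime (3600 s)
! that the KS will hand to every GM in the policy.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile GETVPN-PROFILE
 set security-association lifetime seconds 3600
 set transform-set GETVPN-TS
!
! Encryption policy pushed to the GMs. "deny" means "send in the clear".
! Control-plane traffic needed to reach the KS (IKE 500, GDOI 848) must
! never match a permit, or a GM could not register or receive rekeys.
ip access-list extended GETVPN-ENCRYPT-POLICY
 deny   udp any any eq 500
 deny   udp any any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! The GDOI group. identity number must match on KS and every GM.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! Sign rekeys with the RSA key above; GMs learn the public key at registration.
  rekey authentication mypubkey rsa GETVPN-REKEY-RSA
  ! Unicast rekeys (each GM acknowledges); multicast is the alternative.
  rekey transport unicast
  ! KEK lifetime (default 86400 s) and retransmission of unacknowledged rekeys.
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT-POLICY
   ! Time-based anti-replay: required for more than two GMs sharing one
   ! TEK, and it assumes GM clocks are synchronized with NTP.
   replay time window-size 5
  ! Source address the KS uses for rekeys.
  address ipv4 198.51.100.1
!
! ================= Group Member (GM) 198.51.100.11 =================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key GETVPN-PSK-EXAMPLE address 198.51.100.1
!
! Same group identity; the GM pulls policy, TEK and KEK from this KS.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 198.51.100.1
!
! A GDOI crypto map has no peer or ACL of its own: everything comes from the KS.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
! Apply to the WAN-facing interface. Traffic matching the KS policy leaves
! as ESP with the original 10.x.x.x source and destination addresses.
interface GigabitEthernet0/0
 description WAN toward MPLS provider
 ip address 198.51.100.11 255.255.255.0
 crypto map GETVPN-MAP
```

Two points worth checking against this configuration: the policy ACL is the only place a GM learns what not to encrypt, so any traffic a GM must exchange with the KS or with routing neighbours has to be excluded there, and the group-wide TEK means a compromised GM can decrypt every other GM's traffic, which is why per-GM authentication at registration (certificates rather than a shared PSK) matters more here than in a point-to-point IPsec design.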