As you learned in the previous blog that introduced the GET VPN solution, a major facet of this exciting technology is the Group Domain of Interpretation (GDOI) as outlined in RFC 3547. This technology is such a pivotal component of GET VPN because it serves as the mechanisms to provide the cryptographic keys to a group of VPN gateways.

GDOI relies on none other than Internet Key Exchange (IKE) Phase 1 to protect the distribution of the keys. Just as with "traditional" IPSec VPNs, you can utilize such methods as Pre-shared Keys (PSK) or the Public Key Infrastructure (PKI) for authentication with IKE Phase 1.

GDOI actually implements two different encryption keys. The Key Encryption Key (KEK) is used to secure the control plane, while the key used for data encryption is the Traffic Encryption Key (TEK).

Another critical element for the GET VPN is the Key Server (KS). This is the IOS device responsible for creating the GET VPN control plane. The KS is where you actually define the encryption policy (interesting traffic, encryption protocol, etc.) that is pushed to all group members.

Group members in GET VPN are the IOS routers responsible for the actual encryption and decryption of data traffic.

Another excellent aspect of GET VPN is the rekey process built into GDOI. GDOI periodically refreshes cryptographic keying information and distributes it to group members. GDIO has the ability to send rekey messages as unicast or multicast in the network infrastructure.

Obviously, if the Key Server fails, the GET VPN implementation is in big trouble. To help ensure availability of the solution, cooperative Key Servers (COOP KSs) provide redundancy. Under COOP, one of your KSs serves as the primary Key Server, while other KSs are the secondary devices. Messaging between the KSs ensure a failover election occurs if a downing of the primary device is detected through the lack of primary device messages.

Stay tuned to the blog for more information on the GET VPN, including basic configurations.


One of the new technologies to be featured in the CCIE Security 3.0 blueprint is the GET VPN. This blog post will give you the basics of this new and exciting technology.

Here is the scenario; you are a large corporation with multiple branch offices that need VPN connections between them in order to protect data that needs to be shared from branch to branch. The standard Cisco solution is to create point-to-point IPSec VPNs between these branch offices. This can quickly become a nightmare for administration, obviously, as this "any to any" encryption model using traditional VPN methodologies simply does not scale. Helping to exasperate this issue is the replication of multicast traffic and the extreme difficulty of implementing Quality of Service mechanisms across the core of the network.

The Group Encrypted Transport VPN model has your routers become trusted members of VPN groups as a replacement for the point-to-point model. Secured packets now use the existing router infrastructure and have their original IP header preserved. This helps to ensure that intelligent services like QoS and multicast are no longer implementation problems!

Another huge scalability issue with the traditional, point-to-point approach for "any to any" VPNs is key management. The GET VPN features simplified security policy and key distribution thanks to the Group Key Distribution Model. This model uses Group Domain of Interpretation (GDOI) as specified in RFC 3547.  The Group Key Distribution Model features a Key Server (a Cisco router) that authenticates group members, and handles the distribution of security policies and any required keys. In the interests of further scaling this already scalable solution, as well as improving availability, Cooperative Key Servers can be used across wide geographic distributions.

Here are the core technologies to explore with the GET VPN feature:

  • Group Domain of Interpretation (GDOI) RFC 3547
  • Key Servers (KS)
  • Cooperative Key Server (COOP KSs)
  • Group Member (GM)
  • IP tunnel header preservation
  • Group security assocaition
  • Rekey mechanism
  • Time-based anti-replay (TBAR)

Here are the GET VPN core benefits:

  • Large scale any-to-any IPSec security
  • Utilizes the underlying IP VPN routing infrastructure
  • Integration with existing multicast infrastructures
  • IP source and destination address preservation

I certainly hope this post wets your appetite and gives you a framework to begin your studies of the GET VPN technology.

Subscribe to INE Blog Updates

New Blog Posts!