GET VPN OVER MPLS

simon clarke
Level 1

Hi

I wonder if someone could help me understand the attached topology picture. If GET VPN doesn't change the source and destination IP, how does it route over MPLS?

My thinking is the IP would have to change to the public IP on the outside interface, or a public IP address header would be added?

Any help much appreciated.

Simon


Hi Simon,

The GDOI protocol is used for group key and group SA management. GDOI uses the Internet Security Association and Key Management Protocol (ISAKMP) for authenticating the GMs and KSs. All the standard ISAKMP authentication schemes, such as RSA signatures (certificates) and pre-shared keys, can be used for GET VPN.

All the necessary crypto policies are configured only on the KS. This includes the crypto access list, crypto policies, lifetimes, etc.

Typically the KS is installed in the data center of the customer network. The CPE routers connecting to the MPLS core are configured as GMs. The KS should be reachable from all GMs through the core or the enterprise network.

The steps below explain protocol flows that are necessary for Group Members to participate in a GETVPN group:

1. Once the GM boots up, it attempts to register with the KS using the GDOI protocol.
2. Registration goes through after successful mutual authentication.
3. After successful registration GM receives KEK and TEK keys.
4. GMs can now encrypt and decrypt the packets as specified by the SA.
5. The KS keeps track of the SA lifetime. It sends rekey information when the current SA is about to expire. Rekey information includes the new SA and session key details. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.

Spooster IT Services Team

Hi

The only part I don't understand is how it would keep the same source and destination IP address if it has to go over an MPLS?

Surely the CE and PE router would peer via BGP, then on the CE redistribute from OSPF/EIGRP into BGP?

So if 192.168.1.x wanted to contact 192.168.2.x, it would need to change the destination IP address to the next hop, which would be the public address of the PE router?

Any help appreciated.

Here MPLS is used to provide reachability between the sites' LAN networks.

Spooster IT Services Team
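As an added example (not code from this thread, from Cisco, or from the GET VPN implementation), the Python model below illustrates the accepted answer together with the registration and rekey steps listed earlier: with GET VPN's header preservation the encrypted packet keeps its LAN source and destination, so a CE or PE forwards it on the route it already holds for the remote site's LAN, which is why the MPLS VPN must carry those prefixes. The TEK, SPI, addresses and routing table are constructed sample values, and the HMAC-based keystream is a toy stand-in for the real ESP cipher.

```python
# Constructed values throughout; the keystream is a toy stand-in for the real ESP cipher.
import hashlib, hmac, ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TEK:
    spi: int       # group SA identifier carried in the ESP header
    key: bytes     # group traffic key pushed by the KS at registration
    lifetime: int  # SA lifetime in seconds, tracked by the KS

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

def _keystream(tek, seq, n):
    blocks = (hmac.new(tek.key, seq.to_bytes(4, "big") + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]
_xor = lambda data, ks: bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(pkt, tek, seq):
    """Tunnel-mode ESP with header preservation: outer src/dst = inner src/dst."""
    esp = (tek.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
           + _xor(pkt.payload, _keystream(tek, seq, len(pkt.payload))))
    return Packet(pkt.src, pkt.dst, esp)

def decapsulate(pkt, tek):
    spi, seq = int.from_bytes(pkt.payload[:4], "big"), int.from_bytes(pkt.payload[4:8], "big")
    if spi != tek.spi:
        raise ValueError("no group SA for this SPI")  # GM cannot decrypt: drop
    return Packet(pkt.src, pkt.dst, _xor(pkt.payload[8:], _keystream(tek, seq, len(pkt.payload) - 8)))

def next_hop(routes, dst):
    """Longest-prefix match on the outer destination, as a CE or PE does."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def rekey_due(sa_age, tek, advance):
    """KS sends the rekey `advance` seconds before the current TEK expires."""
    return sa_age >= tek.lifetime - advance

# Both site LANs sit in the provider VRF (CE to PE via BGP): the PE already routes
# 192.168.2.0/24, so no public-address rewrite is needed for the encrypted packet.
ROUTES = {"192.168.2.0/24": "MPLS VPN toward site B", "0.0.0.0/0": "internet"}
GROUP_TEK = TEK(spi=0x1001, key=b"constructed-group-key", lifetime=3600)
```

Calling `next_hop(ROUTES, ...)` on a packet before and after `encapsulate` returns the same next hop, which is the whole point: the provider routes the encrypted packet exactly as it would route the clear one.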