GET VPN OVER MPLS

simon clarke
Beginner

Hi

I wonder if someone could help me understand the attached topology picture. If GET VPN doesn't change the source and destination IP, how does it route over MPLS?

My thinking is the IP would have to change to the public IP on the outside interface, or a public IP address header would be added?

Any help much appreciated.

Simon

1 Accepted Solution

Spooster IT Services
Rising star

Here MPLS is used to provide reachability between the sites' LAN networks.

Spooster IT Services Team


3 Replies

Spooster IT Services
Rising star

Hi Simon,

The GDOI protocol is used for group key and group SA management. GDOI uses the Internet Security Association and Key Management Protocol (ISAKMP) for authenticating the GMs and KSs. All the standard ISAKMP authentication schemes, like RSA signatures (certificates) and pre-shared keys, can be used for GETVPN.

All the necessary crypto policies are configured only on the KS. This includes the crypto access list, crypto policies, lifetimes, etc.

Typically the KS is installed in the data center of the customer network. The CPE routers connecting to the MPLS core are configured as GMs. The KS should be reachable from all GMs through the core or the enterprise network.

The steps below explain protocol flows that are necessary for Group Members to participate in a GETVPN group:

1. Once the GM boots up, it attempts to register with the KS using the GDOI protocol.
2. Registration goes through after successful mutual authentication.
3. After successful registration, the GM receives the KEK and TEK keys.
4. GMs can now encrypt and decrypt the packets as specified by the SA.
5. The KS keeps track of the SA lifetime. It sends rekey information when the current SA is about to expire. Rekey information includes the new SA and session key details. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.

Spooster IT Services Team
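The five steps above as a small Python model, added here as an illustration; it is not code from the original post or from Cisco. It assumes a pre-shared key between KS and GMs and replaces ISAKMP and ESP with standard-library HMAC-SHA256 plus a toy keystream cipher; every name in it (KeyServer, GroupMember, seal, unseal, psk_proof, demo, the 10.0.0.0/8 crypto ACL, the 3600 s lifetime and the model clock) is constructed for this example. It also shows the point behind Simon's question: a GM encrypts only traffic matching the crypto ACL pushed by the KS, every GM shares one TEK, and the protected packet keeps its original LAN source and destination addresses, which is why an MPLS VPN that already reaches the site LANs can carry it unchanged.

```python
# Toy model of the GDOI flow described in the reply above. Constructed for this
# page, not Cisco's code: HMAC-SHA256 stands in for ISAKMP pre-shared-key
# authentication and ESP integrity, a SHA-256 keystream XOR for ESP encryption.
import hashlib, hmac, ipaddress, secrets
from collections import namedtuple

GroupSA = namedtuple("GroupSA", "spi tek expires_at")  # one TEK shared by all GMs

def keystream_xor(key, nonce, data):
    # Stand-in stream cipher (encrypt == decrypt); fine for demo-sized payloads.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(key, payload):
    """nonce || ciphertext || HMAC tag; used for both rekeys and traffic."""
    nonce = secrets.token_bytes(16)
    body = nonce + keystream_xor(key, nonce, payload)
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("integrity check failed")
    return keystream_xor(key, body[:16], body[16:])

def psk_proof(psk, gm_id):
    return hmac.new(psk, gm_id.encode(), "sha256").digest()  # stand-in ISAKMP auth

class KeyServer:
    def __init__(self, psk, crypto_acl, sa_lifetime, rekey_lead):
        # crypto_acl: (src_net, dst_net) pairs to encrypt; rekey_lead: seconds
        # before SA expiry at which the rekey is pushed. Policy lives only here.
        self.psk, self.crypto_acl, self.sa_lifetime, self.rekey_lead = psk, crypto_acl, sa_lifetime, rekey_lead
        self.kek, self.sa = secrets.token_bytes(32), None

    def register(self, gm_id, proof, now):
        # Steps 1-3: authenticate the GM, then hand it the KEK, TEK and policy.
        if not hmac.compare_digest(proof, psk_proof(self.psk, gm_id)):
            raise PermissionError(f"{gm_id}: authentication failed")
        if self.sa is None:
            self.sa = GroupSA(secrets.randbits(32), secrets.token_bytes(32), now + self.sa_lifetime)
        return {"kek": self.kek, "sa": self.sa, "acl": self.crypto_acl}

    def tick(self, now):
        # Step 5: ahead of expiry, create the next SA and push it under the KEK.
        if now < self.sa.expires_at - self.rekey_lead:
            return None
        self.sa = GroupSA(secrets.randbits(32), secrets.token_bytes(32), now + self.sa_lifetime)
        spi, tek, exp = self.sa
        return seal(self.kek, spi.to_bytes(4, "big") + exp.to_bytes(4, "big") + tek)

class GroupMember:
    def __init__(self, gm_id, psk):
        self.gm_id, self.psk, self.kek, self.sa, self.acl = gm_id, psk, None, None, None

    def register(self, ks, now):
        r = ks.register(self.gm_id, psk_proof(self.psk, self.gm_id), now)
        self.kek, self.sa, self.acl = r["kek"], r["sa"], r["acl"]

    def apply_rekey(self, msg):
        pt = unseal(self.kek, msg)
        self.sa = GroupSA(int.from_bytes(pt[:4], "big"), pt[8:], int.from_bytes(pt[4:8], "big"))

    def protect(self, src, dst, payload):
        # Header preservation: src/dst stay the LAN addresses, so the MPLS VPN
        # routes the protected packet exactly as it routes the clear one.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in self.acl):
            return {"src": src, "dst": dst, "spi": None, "data": payload}  # outside policy: clear
        return {"src": src, "dst": dst, "spi": self.sa.spi, "data": seal(self.sa.tek, payload)}

    def unprotect(self, pkt):
        if pkt["spi"] is None:
            return pkt["data"]
        if pkt["spi"] != self.sa.spi:
            raise ValueError("unknown SPI: this GM missed a rekey")
        return unseal(self.sa.tek, pkt["data"])

def demo():
    # Three constructed GMs: registration, group traffic, then a rekey gm-c misses.
    psk = b"constructed-demo-psk"
    ks = KeyServer(psk, [("10.0.0.0/8", "10.0.0.0/8")], sa_lifetime=3600, rekey_lead=300)
    a, b, c = (GroupMember(n, psk) for n in ("gm-a", "gm-b", "gm-c"))
    for gm in (a, b, c):
        gm.register(ks, now=0)
    pkt = a.protect("10.1.1.10", "10.2.2.20", b"site-to-site data")
    res = {"header_preserved": (pkt["src"], pkt["dst"]) == ("10.1.1.10", "10.2.2.20"),
           "any_gm_decrypts": b.unprotect(pkt) == b"site-to-site data",
           "outside_acl_is_clear": a.protect("10.1.1.10", "8.8.8.8", b"x")["spi"] is None}
    rekey = ks.tick(now=3400)  # 200 s before expiry: the KS pushes the rekey
    for gm in (a, b):          # gm-c misses the rekey
        gm.apply_rekey(rekey)
    pkt2 = a.protect("10.1.1.10", "10.2.2.20", b"after rekey")
    res["rekeyed_gm_decrypts"] = b.unprotect(pkt2) == b"after rekey"
    try:
        c.unprotect(pkt2); res["stale_gm_rejected"] = False
    except ValueError:
        res["stale_gm_rejected"] = True
    return res
```

Calling demo() returns a dict in which every entry is True. The last entry is the failure mode step 5 exists to prevent: a GM that does not receive the rekey keeps the old SPI and TEK and can no longer read group traffic once the rest of the group has moved on, which is why the KS pushes the rekey before, not at, SA expiry. Note that the KS never encrypts traffic itself; it only authenticates members and distributes policy and keys, matching "all the necessary crypto policies are configured only on the KS".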