1354 Views, 0 Helpful, 4 Replies

GETVPN --Some Questions..Keyserver, tunnel/transport mode.

abhisar patil
Level 1

Dear All,

 

We are in the phase of implementing GETVPN over an MPLS network. Before that I wanted to test it in the lab.

I have tested, but have the following doubts; can you please help to clear them.

 

1. Does the Key Server participate in traffic encryption?

    e.g. I have a network behind the Key Server, but when I try pinging it from another branch it is not working. I see no output when I do show crypto ipsec sa. (Branch to branch encryption is working fine.)

R1#show crypto ipsec sa

R1#

If I ping from the Key Server to a branch, I get the following log on the branch router.

CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.1, src_addr= 192.168.1.1, prot= 1

 

 

2. Tunnel mode vs Transport

I read that GETVPN is transport mode. When I define the ipsec encryption parameters, by default it configures tunnel mode, and GETVPN still works well. I manually changed to transport mode, and it works well as well.

#crypto ipsec transform-set TRANS esp-aes esp-sha-hmac

  mode tunnel

3. In unicast mode, why do we need to generate a key?

crypto key generate rsa modulus 2048 label KEY exportable

 

 

Please help to clear these doubts.

Accepted Solution

Hi,

 

1. The KS cannot also be a GM, so it will not encrypt data plane traffic.

2. GETVPN is tunnelless, but uses tunnel mode with IP header preservation.

3. The key pair is used for rekeying; this key is pushed to the GMs during registration.

 

HTH


Hi RJI,

 

Thanks for reply.

 

Point 1 is clear.

Point 2 is also fine.

For point 3, so in multicast mode we don't need this key? Why?

I understand that this key is required to encrypt communication between GM and KS (encrypt the traffic keys), but in multicast mode we should be requiring this as well.

Hi Abhisar, you'd still need the key pair; it will be used for the rekey, regardless of whether you are using unicast or multicast.

HTH

Ok let me recheck..thanks.
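Tying the three answers together, the following is an added sample KS/GM configuration written for this thread (it is not from the original posts or from Cisco documentation). The group name GETVPN, identity 1234, the GETVPN-ACL, the PLACEHOLDER-PSK and the KS address 192.0.2.1 are constructed placeholders; the RSA label KEY and transform set TRANS come from the question. It shows where the RSA pair is referenced for rekey signing, that the transform set stays in tunnel mode, and that the KS itself carries no crypto map.

```cisco
! ===== Key Server (KS) =====
! The RSA pair is generated once in EXEC mode (not config mode):
!   crypto key generate rsa modulus 2048 label KEY exportable
! Its label is referenced below to sign rekey messages.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0
!
! Tunnel mode as on the page; GETVPN preserves the original IP header.
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GDOI-PROFILE
 set transform-set TRANS
!
ip access-list extended GETVPN-ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa KEY
  rekey transport unicast
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 192.0.2.1
!
! No crypto map on the KS: it only distributes keys, so a LAN behind it
! needs its own GM router before its traffic is encrypted.
! ===== Group Member (GM) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 192.0.2.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

The rekey authentication line is the same whether rekey transport is unicast or multicast, which is why the key pair is needed in both cases.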