GETVPN -- Some Questions: Key server, tunnel/transport mode.

Dear All,

We are in the phase of implementing GETVPN over an MPLS network. Before that I wanted to test it in the lab.

I have tested it, but got the following doubts; can you please help to clear them up.

1. Does the Key server participate in traffic encryption?

    ex. I have a network behind the Key server, but when I tried pinging it from another branch it is not working. I can see there is no output when I do show crypto ipsec sa. (Branch to branch encryption is working fine.)

R1#show crypto ipsec sa

R1#

If I ping from the Key server to the branch, I get the following log on the branch router.

CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.1, src_addr= 192.168.1.1, prot= 1

2. Tunnel mode vs Transport mode

I read that GETVPN is transport mode. When I define the IPsec encryption parameters, by default it configures tunnel mode, and GETVPN still works well. I manually changed it to transport mode, and it works well as well.

#crypto ipsec transform-set TRANS esp-aes esp-sha-hmac

  mode tunnel

3. In unicast mode

In unicast mode, why do we need to generate a key?

crypto key generate rsa modulus 2048 label KEY exportable

Please help to clear these up.

ACCEPTED SOLUTION (VIP Mentor)

Hi,

 

1. The KS cannot also be a GM, so it will not encrypt data plane traffic.

2. GETVPN is tunnel-less, but uses tunnel mode with IP header preservation.

3. The key pair is used for rekeying; this key is pushed to the GMs during registration.

 

HTH

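To make the three points concrete, here is an added example of a minimal GETVPN key server and group member configuration in Cisco IOS syntax. It is not the poster's or the answerer's configuration; the group name, identity number, ACL name, key label, pre-shared key and all addresses (KS 192.168.1.1, branch GM 192.168.2.1, protected LANs in 10.0.0.0/8) are assumed for illustration. It shows where the RSA key pair from question 3 is actually consumed (rekey authentication), why the transform set stays in tunnel mode (question 2), and that the KS itself carries no GDOI crypto map and therefore encrypts nothing (question 1).

```cisco
! ===== Key Server (KS) at 192.168.1.1 =====  (assumed example, not from the thread)
!
! Point 3: the RSA pair signs rekey messages. Its public key is pushed to each GM
! at registration so GMs can authenticate rekeys, whether rekeys are sent unicast
! or multicast. "exportable" is only needed if the key will be imported on a
! cooperative (COOP) KS. Label GETVPN-REKEY is an assumed name.
crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
!
! IKE protects only the GM-to-KS registration (GDOI), not the data plane.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder PSK; use certificates or a strong per-peer key in production.
crypto isakmp key ExamplePSK address 0.0.0.0 0.0.0.0
!
! Point 2: tunnel mode is the default and is what GDOI uses. GETVPN copies the
! original IP header to the outer header (header preservation), so routing in
! the MPLS cloud is unchanged and there is no tunnel endpoint pair.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Encryption policy pushed to every GM: LAN-to-LAN traffic must be encrypted.
ip access-list extended GETVPN-ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 2
  ! Ties the generated key pair to rekeying (this is why the key is needed).
  rekey authentication mypubkey rsa GETVPN-REKEY
  ! Unicast rekey; for multicast rekey use "rekey address ipv4 <acl>" instead.
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 192.168.1.1
!
! Point 1: there is deliberately no "crypto map ... gdoi" on the KS. The KS is
! not a group member, so packets it sources toward 10.0.0.0/8 leave in clear text.

! ===== Group Member (GM, branch router) at 192.168.2.1 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK address 192.168.1.1
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.168.1.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 description WAN-facing interface toward the MPLS cloud
 ip address 192.168.2.1 255.255.255.0
 crypto map GETVPN-MAP
```

After the GM registers, "show crypto gdoi" on the GM should list the group, the KS address and the pushed ACL and TEK/KEK lifetimes, and "show crypto gdoi ks members" on the KS should list the registered GM. Because the KS has no GDOI crypto map, a ping sourced from the KS arrives at the branch GM in clear text while the GM's downloaded policy says that flow must be protected; a message of the CRYPTO-4-RECVD_PKT_NOT_IPSEC form, as seen in the question, is the expected symptom rather than a fault in the group. Hosts behind the KS that need protection must sit behind a separate router acting as a GM.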



Hi RJI,

Thanks for the reply.

Point 1 is clear.

Point 2 is also fine.

For point 3, so in multicast mode we don't need this key? Why?

I got that this key is required to encrypt communication between GM and KS (encrypt the traffic keys), but in multicast mode as well we should be requiring this.


Hi Abhisar, you'd still need the key pair; it will be used for the rekey, regardless of whether you are using unicast or multicast.

HTH

Ok, let me recheck. Thanks.