28-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Understanding Group Encrypted Transport (GET) VPNs
Configuring Global Settings for GET VPN, page 28-16
Configuring GET VPN Key Servers, page 28-18
Configuring GET VPN Group Members, page 28-20
Using Passive Mode to Migrate to GET VPN, page 28-23
Troubleshooting GET VPN Configurations, page 28-25
Understanding Group Encrypted Transport (GET) VPNs
Networked applications such as voice and video increase the need for instantaneous,
branch-interconnected, and QoS-enabled WANs. The distributed nature of these applications results in
increased demands for scale. At the same time, enterprise WAN technologies force businesses to trade
off between QoS-enabled branch interconnectivity and transport security. As network security risks
increase and regulatory compliance becomes essential, Group Encrypted Transport VPN (GET VPN), a
WAN encryption technology, eliminates the need to compromise between network intelligence and data
privacy.
With GET, Cisco provides a tunnelless VPN, which eliminates the need for IPsec tunnels. By removing
the need for point-to-point tunnels, meshed networks can scale higher while maintaining the
network-intelligence features critical to voice and video quality. GET is a standards-based security
model built on the concept of a trusted group, which eliminates point-to-point IPsec tunnels and their
associated overlay routing. Trusted group members share a common security association (SA), also
known as a group SA, so any group member can decrypt traffic that was encrypted by any other
group member. By using trusted groups instead of point-to-point tunnels, full-mesh networks can scale
higher while maintaining the network-intelligence features (such as QoS, routing, and multicast) that are
critical to voice and video quality.
GET-based networks can be used in a variety of WAN environments, including IP and Multiprotocol
Label Switching (MPLS). MPLS VPNs that use this encryption technology are highly scalable,
manageable, and cost-effective, and they meet government-mandated encryption requirements. The
flexible nature of GET allows security-conscious enterprises either to manage their own network
security over a service provider WAN service or to offload encryption services to their providers. GET
simplifies securing large Layer 2 or MPLS networks that require partial or full-mesh connectivity.
In addition to leveraging the existing IKE, IPsec and multicast technologies, a GET VPN topology
includes these key elements and features:
Group members—The routers that exchange the actual traffic within the VPN are called group
members. Group members provide encryption services to the traffic. Encryption policies are defined
centrally on the key server and downloaded to the group member at the time of registration. Based
on these downloaded policies, a group member decides whether traffic needs to be encrypted or
decrypted and what keys to use.
Although group members primarily obtain encryption policies from the key server, you can
configure local service policy ACLs on the group members to exclude traffic from encryption based
on local requirements. For more information, see Understanding the GET VPN Security Policy and
Security Associations, page 28-10.
Note: A device can be a group member of more than one group.
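To make the roles described above concrete, the following Cisco IOS configuration shows a key server that holds the group's encryption policy and a group member that registers with it, downloads the group SA, and applies a local service policy ACL to exclude traffic from encryption. This is an added example, not configuration from the Cisco Security Manager guide or a configuration that Security Manager generates; the group name GETVPN-GROUP, identity number 1234, the key server address 10.0.0.1, the protected subnets 10.1.0.0/16 and 10.2.0.0/16, the RSA key label, and the interface name are all assumed values, and the pre-shared key is a placeholder.

```cisco
! Added example; all names, addresses and the identity number are assumed values.
!
! ===== Key server =====
! IKE phase 1 is used only for group member registration with the key server.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0
!
! The encryption policy: which traffic the group must encrypt. It is defined
! here once and downloaded by every group member at registration time.
ip access-list extended GETVPN-POLICY
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! The RSA key pair named below must exist (crypto key generate rsa label
! GETVPN-REKEY-KEY); group members use it to authenticate rekey messages.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   replay time window-size 5
  address ipv4 10.0.0.1
!
! ===== Group member =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 10.0.0.1
!
! The group member only names the group and the key server; the traffic
! policy and the group SA (keys) arrive from the key server at registration.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
!
! Local service policy ACL: deny entries here exempt traffic from encryption
! on this group member only (assumed local requirement: OSPF adjacencies
! with the WAN provider must stay in the clear). It is merged ahead of the
! policy downloaded from the key server.
ip access-list extended GETVPN-LOCAL-DENY
 deny   ospf any any
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
 match address GETVPN-LOCAL-DENY
!
interface GigabitEthernet0/0
 description WAN uplink (assumed interface)
 crypto map GETVPN-MAP
```

Because the group member configuration never contains the traffic policy or the keys, changing what the group encrypts is done once on the key server and reaches every member through registration and rekeys; the local ACL on each member is the only per-device override, so any exemption configured there should be reviewed as part of the encryption policy.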