28-23
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Using Passive Mode to Migrate to GET VPN
If you are migrating an existing VPN to the GET VPN technology, especially a clear-text VPN, you can
use two features that support a phased migration and help prevent network downtime. The two
features are essentially the same, both involving the passive acceptance of encrypted traffic, but you
configure them on different devices in the GET VPN.
Normally, in a fully deployed GET VPN, traffic is encrypted in both directions (bidirectional security
associations, or SAs). During testing, however, you can use passive mode. In passive mode, the group
member installs the SA in the inbound direction only, so that the group member receives encrypted
traffic but sends its own traffic in clear text. You can then test the VPN to ensure that it is performing as
expected before turning on full encryption.
Use the following features to configure passive mode in a GET VPN:
• SA Receive-only mode—You configure receive-only mode for security associations on the key
servers in the topology using the Group Encryption Policy. Thus, the setting applies to the entire
topology.
• Passive SA mode—You configure passive security association mode on individual group members.
This setting overrides the SA receive-only setting; thus, you can turn on full encryption for the entire
topology, but leave some group members in passive mode. This lets you test the group members in
stages and enable full encryption after you verify each member device.
Tip: Passive SA mode on group members requires Cisco IOS Software release 12.4(22)T+ or 15.0+, or
Release 2.3 (12.2(33)XNC)+ on ASRs.
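Because a group member in either passive setting still sends clear text, it is worth confirming that none are left behind once the migration is complete. The following script is an added example, not part of this guide or of Cisco Security Manager: it audits constructed IOS running-config excerpts and lists the group members that would still send clear text. It assumes (not stated on this page) that the two options correspond to the IOS commands `sa receive-only` under the key server's `server local` section and `passive` in the group member's GDOI group configuration; the device names, group name, and addresses are constructed.

```python
import re

# Constructed sample running-config excerpts (not from the guide): one key server
# still in SA receive-only mode, one passive group member, and one fully enabled member.
SAMPLE_CONFIGS = {
    "ks1": "crypto gdoi group GETVPN-GROUP\n identity number 1234\n"
           " server local\n  sa receive-only\n  rekey lifetime seconds 86400\n",
    "gm-branch1": "crypto gdoi group GETVPN-GROUP\n identity number 1234\n"
                  " server address ipv4 192.0.2.1\n passive\n",
    "gm-branch2": "crypto gdoi group GETVPN-GROUP\n identity number 1234\n"
                  " server address ipv4 192.0.2.1\n",
}


def gdoi_groups(config):
    """Map each 'crypto gdoi group' block name to its indented sub-command lines."""
    groups, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto gdoi group (\S+)\s*$", raw)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current is not None and raw.startswith(" "):
            groups[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return groups


def device_modes(config):
    """For each group on one device: (role, passive-type setting present?)."""
    modes = {}
    for name, lines in gdoi_groups(config).items():
        if "server local" in lines:  # key server: topology-wide receive-only flag
            modes[name] = ("key-server", "sa receive-only" in lines)
        else:                        # group member: per-device passive flag
            modes[name] = ("group-member", "passive" in lines)
    return modes


def clear_text_senders(configs):
    """Sorted (device, group) pairs of group members that would still send clear text:
    the group's key server is in SA receive-only mode (applies to the whole topology)
    or the member itself is configured passive (per-member override)."""
    modes = {dev: device_modes(cfg) for dev, cfg in configs.items()}
    ks_receive_only = {g for dm in modes.values() for g, (role, flag) in dm.items()
                       if role == "key-server" and flag}
    return sorted((dev, g) for dev, dm in modes.items()
                  for g, (role, flag) in dm.items()
                  if role == "group-member" and (flag or g in ks_receive_only))


if __name__ == "__main__":
    for dev, group in clear_text_senders(SAMPLE_CONFIGS):
        print(f"{dev}: group {group} still sends clear text")
```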
The following procedure shows an example of the end-to-end migration process you might follow to
convert to GET VPN using these passive mode features.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 28-2
Configuring GET VPN, page 28-12
Table 28-4 Edit Group Member Dialog Box (Continued)
Element Description
Enable Passive SA Mode—Whether to put the group member into passive security association
(SA) mode, which means the group member installs the SA in the
inbound direction only. This means the group member can receive
encrypted data, but it sends clear text data only. This mode is useful for
testing the VPN only, primarily when you are migrating from an
existing VPN to a GET VPN. (The group member must be running
Cisco IOS Software version 12.4(22)T or 15.0 at minimum, or be a
supported ASR, to use this mode.)
This setting is similar to the Receive Only setting in the Group
Encryption Policy, which applies to the topology as a whole. This group
member option overrides the setting in the Group Encryption Policy.
For detailed information on how you can use these passive mode
features to migrate or test a GET VPN, see Using Passive Mode to
Migrate to GET VPN, page 28-23.