A post by fellow CCIE Security candidate TacAck prompted me to do some research and revision on GETVPN rekeying. Here are my findings.
1. There are two rekey transport modes: unicast and multicast.
2. The "rekey address" command references an access-list that is downloaded to the group members, which makes them join the multicast group automatically (for multicast rekeying).
3. With rekey authentication, the RSA key pair referenced by the "rekey authentication mypubkey rsa" command must already have been generated on the KS.
4. A rekey is triggered by changing the SA access-list. Rekeys are retransmitted n times, once every p seconds; this is adjusted with the "rekey retransmit p number n" command.
Here is a sample config for the KS:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 192.168.123.1
crypto isakmp key CISCO address 192.168.123.2
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto ipsec profile GET
 set transform-set TRANS
crypto gdoi group GET
 identity number 123
 server local
  rekey address ipv4 REKEY
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GET
  sa ipsec 1
   profile GET
   match address ipv4 GET
   replay counter window-size 64
  address ipv4 192.168.32.3
ip access-list extended REKEY
 permit udp host 192.168.32.3 host 239.0.0.1
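For the other side of the exchange, here is a matching group member (GM) configuration that registers to the KS above. This is an added example, not part of the original post: the interface name GigabitEthernet0/0, the crypto map name GETMAP and the GM address 192.168.123.1 (taken from the KS's isakmp key lines) are assumptions. Note that the GM has no "ip igmp join-group" for 239.0.0.1; the multicast address comes from the REKEY access-list the KS pushes down at registration, which is exactly point 2 above.

```cisco
! Group member (GM) for GETVPN group 123 - added example, not from the post
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
! Pre-shared key toward the key server (must match the KS entry for this GM)
crypto isakmp key CISCO address 192.168.32.3
!
! GDOI group: identity number must match the KS; the GM registers to the KS address
crypto gdoi group GET
 identity number 123
 server address ipv4 192.168.32.3
!
! GDOI crypto map: no ACL, peer or transform-set here, all of it is downloaded from the KS
crypto map GETMAP 10 gdoi
 set group GET
!
! Interface facing the key server (interface name and mask are assumptions)
interface GigabitEthernet0/0
 ip address 192.168.123.1 255.255.255.0
 crypto map GETMAP
```

A second GM at 192.168.123.2 would be identical apart from its interface address.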
5. If an ASA sits between the KS and the GMs, two things must be considered:
1. Allowing the GETVPN traffic, especially if the GMs are on the outside, since the GM initiates the registration process. A hole must be punched to allow UDP traffic to destination port 848 on the KS.
2. Multicast traffic must be forwarded by the ASA. If the GMs are directly connected, as in a stub network, then "igmp forward" should be enough to forward the traffic.
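The two ASA considerations above, as an added example configuration that is not from the original post. It assumes the KS (192.168.32.3) is on an interface named inside, the GMs (192.168.123.0/24) are directly connected on an interface named outside, and the ACL name OUTSIDE_IN and the ASA interface addresses are made up for the example.

```cisco
! ASA between the KS (inside) and the GMs (outside) - added example
! Interface names, ACL name and ASA addresses are assumptions.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.32.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.123.254 255.255.255.0
!
! 1. Punch the hole for GDOI registration: the GMs initiate toward the KS on UDP 848
access-list OUTSIDE_IN extended permit udp 192.168.123.0 255.255.255.0 host 192.168.32.3 eq 848
access-group OUTSIDE_IN in interface outside
!
! 2. Stub multicast: proxy the GMs' IGMP joins for 239.0.0.1 toward the KS side so the
!    multicast rekeys sent by the KS can be forwarded to the outside segment
multicast-routing
interface GigabitEthernet0/1
 igmp forward interface inside
```

"igmp forward interface" goes on the interface facing the GMs and names the interface toward the KS; with the ASA acting as an IGMP proxy the upstream side sees the GMs' joins and the rekey packets destined to 239.0.0.1 are forwarded out to them.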
Nuff said, time to take a break :)
Cheers, Amplebrain
Has it ever occurred to you that you made a mistake that confuses a lot of people???!!!
Why are you referencing the GET access-list in the line "match address ipv4 GET" if it doesn't exist?