Cisco IOS Software Release 12.4(4)T

Product Bulletin 
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. 
Page 20 of 299
3.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA) 
This feature enables Time-Based Anti-Replay (TBAR) support on the VPN Services Adapter (VSA) of the 7200 NPE-G2 platform. TBAR is used in the Group Encrypted Transport VPN (GETVPN) solution to detect replay attacks, because standard sequence-number-based anti-replay detection is not supported there. This feature prevents 'man in the middle' attacks.
The Cisco GETVPN solution allows organizations to have branch-to-branch secure connectivity without incurring the cost of establishing and maintaining full-mesh connections.
Benefits
● Supports anti-replay in the Cisco GET VPN solution
● Allows protection against 'man in the middle' attacks, bolstering overall GET VPN security
Hardware
Routers
● Cisco 7200 with Network Processing Engine (NPE) G2
3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements  
Several new GET VPN feature enhancements are introduced in Release 12.4(22)T: 
● Passive Security Association (SA)
This feature enables a new mode of IPSec Security Association (SA) with GET VPN. In this mode, the SA accepts both unencrypted and encrypted traffic inbound, while it always encrypts traffic outbound. Passive SA mode is configured on the Group Member (GM) and is persistent over router restarts; this allows the Group Member to modify the SAs downloaded from the Key Server (KS). Passive SA can be used in the same way as the receive-only SA to enable transitions in large-scale deployments.
● Fail-Close
This feature makes GET VPN traffic forwarding follow the "fail-close" model, in which an unregistered Group Member (GM) stops forwarding data packets rather than sending them out unencrypted.
The fail-close command sets up an implicit "permit ip any any" at the end of the crypto map during the pre-registration phase. After successful GDOI registration, the "permit ip any any" is removed from the crypto map.
You can specify exceptions that must be forwarded in the clear through a deny entry in the ACL. This is useful for letting routing packets and management packets from a particular host get through. Note, however, that a deny entry in the GDOI crypto map still takes precedence. After registration succeeds, the deny entry in the fail-close ACL goes away, while the deny entry in the GDOI crypto map is persistent.
Once the GM is successfully registered to all its groups, the policies downloaded from the KS take over, governing the GM's behavior, and the fail-close ACL and implicit "permit ip any any" are removed. GMs keep the policies downloaded from the KS even if re-registration fails and the IPSec SA has expired.
When fail-close is activated, unencrypted packets are blocked before and during registration. Once the GM is successfully registered to all its groups, however, the policies