Which statement about GETVPN is true?
A. B. C. D.A.
GET VPN, or Group Encrypted Transport VPN, is a Cisco encryption technology that provides secure VPN connectivity for enterprise WANs. It uses a group key management scheme to encrypt the traffic between the VPN peers, with a central key server acting as the source of the encryption keys.
Let's go through each answer option:
A. The configuration that defines which traffic to encrypt originates from the key server.
This statement is not entirely accurate. While the key server does distribute the encryption keys to the VPN peers, it does not define which traffic to encrypt. Instead, the group policy configuration on each VPN peer determines which traffic is eligible for encryption. So this statement is false.
B. TEK rekeys can be load-balanced between two key servers operating in COOP.
This statement is true. In GET VPN, Traffic Encryption Keys (TEKs) are periodically refreshed to maintain the security of the encrypted traffic. To avoid any disruption during the key refresh process, GET VPN supports key server redundancy and Cooperative Key Server Load Balancing (COOP). This allows two key servers to work together to distribute the TEKs and handle rekey operations.
C. The pseudotime that is used for replay checking is synchronized via NTP.
This statement is also true. GET VPN uses pseudotime to prevent replay attacks, which involve the replay of old packets to disrupt the network. The pseudotime is a timestamp that is inserted into each encrypted packet and is used by the receiving VPN peer to ensure that the packets are not being replayed. To prevent any time synchronization issues between the VPN peers, GET VPN uses the Network Time Protocol (NTP) to synchronize the pseudotime.
D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
This statement is false. GET VPN allows for different acknowledgement modes for Key Encryption Key (KEK) and TEK rekey operations. The acknowledgement modes include unicast, multicast, and none. With unicast acknowledgement, each VPN peer must individually acknowledge the rekey operation, while with multicast acknowledgement, only one VPN peer needs to acknowledge the rekey. The none acknowledgement mode skips the acknowledgement process altogether. Therefore, group members do not need to acknowledge all KEK and TEK rekeys, and this statement is false.
In summary, the correct statement about GET VPN is: B. TEK rekeys can be load-balanced between two key servers operating in COOP.