03-12-2022 11:00 AM
Is it possible to have a router acting as Group Member and Key Server at the same time?
Which means that the HUB router (HQ) can be HUB and key server at the same time?
Or is it better to have an independent key server router?
03-12-2022 11:10 AM
As per the CVD, they should be separated at all times; each one has a different role.
The key server has two responsibilities: servicing registration requests and sending rekeys. A group member can register at any time and receive the most current policy and keys. When a group member registers with the key server, the key server verifies the group ID that the group member is attempting to join. If this ID is a valid group ID, the key server sends the SA policy to the group member. After the group member acknowledges that it can handle the downloaded policy, the key server downloads the respective keys.
You can find a good deployment guide:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-GETVPNDesignGuide-AUG14.pdf
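The registration relationship described in the reply above, as an added Cisco IOS configuration sketch that is not taken from the thread or from the linked guide. The group name, group ID 1234, the 192.0.2.x addresses, the ACL, the interface and the pre-shared key placeholder are all assumptions chosen for illustration.

```ios
! Constructed example: names, addresses, group ID and PSK are placeholders.
! ---------- Key server (KS), 192.0.2.1 ----------
! Prerequisite: an RSA key pair labelled GETVPN-REKEY exists to sign rekeys.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.10
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic selectors that the KS pushes to members as the SA policy.
ip access-list extended GETVPN-ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! "identity number" is the group ID the KS verifies at registration.
! "server local" makes this router the KS: it holds policy and sends rekeys.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
  address ipv4 192.0.2.1
!
! ---------- Group member (GM), 192.0.2.10 ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.1
!
! The GM carries no IPsec policy of its own, only the group ID and KS address.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
!
! The downloaded SAs are installed where the GDOI crypto map is applied.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

On the key server, `show crypto gdoi ks members` lists the members that have registered; on a member, `show crypto gdoi` shows the policy it downloaded.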
03-12-2022 11:33 AM
Hello,
I do not think that is possible, since the key server does not use and install the IPSec SA. Only the group members do.
03-12-2022 11:46 AM - edited 03-12-2022 12:39 PM
Key Server for GETVPN
Hub for what?
I remember your last post, the 4000 VPN, and so you think of tunnel-less VPN, which is GETVPN.
DMVPN vs GETVPN
DMVPN can be used if the spokes know the hub IP and the hub learns all spoke IPs. DMVPN uses mGRE, which means multiple GRE tunnels with a single tunnel config.
GETVPN is used only for security.
Also, you can check FlexVPN, which gives you DVTI and SVTI; a single DVTI tunnel on the hub can connect to all of your sites' SVTIs.
03-13-2022 08:31 AM
I just want confirmation whether the key server router can be implemented on the GM router which is in HQ, or whether the KS should be independent?
03-13-2022 09:01 AM - edited 03-13-2022 09:07 AM
The KS must be a router in HQ.
All GMs must reach the KS, but they don't need to reach each other.
03-13-2022 12:00 PM - edited 03-13-2022 01:29 PM
You cannot mix them, as we mentioned already; they are different roles. They need to be independent.
Note: Typo issue corrected and edited.
03-13-2022 12:22 PM
My question is here because I am looking to reduce hardware.
The hub router will be in the DC and all branches will connect to it.
So I am looking to deploy the KS on the hub router instead of deploying an independent KS router, to save cost.