GET VPN

Aladdin0z (Level 1)

Can a router be a KEYS and a GM at the same time? I need the traffic to be encrypted between the KEYS and the GMs.

How can I do that?

If there are any resources that will make it easy for me to understand that, please share them with me, because I am having some troubles: when I added a COOP I couldn't see ESP any more.

thanks

10 Replies

Hi,

A router acting as Key Server cannot also be a Group Member. Reference here.

 

HTH

Now if I want the traffic between the KEYS and the GMs to be encrypted, can I?

Well, in the guide it states "GMs authenticate with the KS using IKE Phase 1 (pre-shared keys or PKI) and then download the encryption policies and keys required for GET VPN operation." Therefore, if the GM and KS have authenticated and established IKE Phase 1 in order to get the group key, then it is encrypted and secure.

HTH

Yeah, I get that, but I am talking about data, not just pushing the policies to GMs.

What other data? Normally the KS would be acting as just a KS and not routing data, therefore there wouldn't be data flowing through it. The only other traffic would be management traffic, SSH and SNMPv3, so therefore secure.

Data like a web server or TFTP server sitting behind the KEYS.

Ok, but like I said, normally the KS would be dedicated to a KS role and not routing traffic. Can you not reconfigure the network to add an additional router that can be a GM, and leave the KS dedicated and not routing traffic?

Okay, I understand that the KEYS should just be dedicated to the KS role. Actually I am working on a testing lab in GNS3. I thought that the KEYS should be on the central site, in which all kinds of servers are, and I think dedicating such a router to do just one role will make my solution more expensive; that's the point.

Have a GM on that central site and have the KS sitting behind it or in parallel to it. The only communication that the KS needs is to the GMs and other redundant KSs.

You can also look at other options like DMVPN, if you want the hub to participate in routing traffic. This requires a bit more work from a routing standpoint to pass traffic correctly from hubs to spokes and from spoke to spoke.
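An added example, not from this thread, of the layout suggested above for the central site: a dedicated KS on the LAN side of a central-site GM, with the KS policy ACL written so that the servers behind the KS are covered by the group SA while the GDOI/ISAKMP control plane is left out. Addresses (KS 10.0.0.1, the 10.0.0.0/8 site range), the group id 1234, the pre-shared key and the interface name are assumptions for illustration; the RSA key pair labelled GETVPN-REKEY must be generated in exec mode before the rekey section is accepted.

```ios
! --- Key Server (dedicated role, sits behind the central-site GM) ---
! Assumed: KS address 10.0.0.1, group id 1234, pre-shared key GETVPNKEY
! Run beforehand in exec mode: crypto key generate rsa label GETVPN-REKEY modulus 2048
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key GETVPNKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
! Policy pushed to every GM: keep GDOI (UDP 848) and ISAKMP out of the
! group SA so registration and rekeys are never wrapped in GET VPN,
! then encrypt all LAN-to-LAN traffic, including the central-site servers
ip access-list extended GETVPN-POLICY
 deny   udp any eq 848 any eq 848
 deny   udp any eq isakmp any eq isakmp
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-POLICY
   replay time window-size 5
  address ipv4 10.0.0.1
! --- Central-site GM (the router that actually forwards traffic) ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key GETVPNKEY address 10.0.0.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 description WAN side; KS and the site servers are on the LAN side
 crypto map GETVPN-MAP
```

Spoke GMs use the same GM section with their own WAN interface; `show crypto gdoi` on a GM should list the 10.0.0.0/8 policy and the installed SA once registration succeeds.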