GETVPN - Can multiple interfaces on the same Group member be in the same GDOI

gc227s001 · ‎10-16-2020

Hello.

I have a Group member R1 that is currently registered to two different GETVPN GDOI domains and thus two sets of Key Servers.

R1 has one interface in GDOI ABC (crypto map ABC) and one interface in GDOI XYZ (crypto-map XYZ).
R2 has one interface in GDOI XYZ (crypto-map XYZ).

GDOI ABC connects the R1 to the rest of a WAN topology and other GM members.

GDOI XYZ connects this R1 router to a router R2 over a backend 1Gb circuit that is a satellite site to this one, which is also registered to the Key Server for GDOI XYZ

I am being tasked with decommissioning the GDOI XYZ domain key servers so need to get the R1 and R2 routers onto the GDOI ABC domain.

What I am not sure of is whether R1 can have two interfaces with the same crypto-map and would that mean two sets of registration sessions to the ABC Key Server?

And would R2 be able to reach the GDOI ABC Key Servers through R! prior to registration?

Unfortunately I do not have lab or means to test this theory so wondered if someone out there has done something similar or knows the tech well enough to advise.

Thanks & Regards

MHM Cisco World · ‎10-16-2020

As I get there are two group,
R1 is member for both "1"&"2",
R2 is member of Only one group "2",
So you want R2 to also join group "1" while it to have any link to KS of group "2"?
WHY not traffic from R2 will go to R1, this traffic is secure with GDOI of group "2"
then
R1 will send the traffic to destination in group "1" using secure with GDOI group "1"
there will be hard work in R1.

MHM Cisco World · ‎10-16-2020

https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07-624088.html

I search and search to find solution for you.