618 Views | 0 Helpful | 3 Replies

GETVPN getting key server to participate in encryption

pick25690
Level 1

Hi all,

Just working through configuring GETVPN, which is pretty straightforward; group members have registered fine and are sending encrypted traffic to each other with no issues.

I was wondering, is there a way to get the key server to participate in the encryption, kind of like a hub would in a DMVPN? The way I am planning it is that the key server will be the DC router connected to the remote sites, so I would need the traffic sent from the key server to be encrypted (data traffic using the TEK). I have tried creating a crypto map and applying it to the interface on the key server, but I just get the message "failed to determine local IP address for group 1 on interface gig 1".

Thanks,

Dan

3 Replies

Hi, a device acting as a KS cannot be configured as a GM; this is confirmed here (page 6).


HTH

Thanks for the reply. Yeah, it certainly looks that way. I have read about something called COOP Key Servers. It looks like this allows the KS to register as a member on the redundant group, which would allow it to participate in the actual group encryption. I haven't actually tried this yet; I will give it a blast tomorrow.

http://blog.ine.com/2009/11/21/minimalistic-get-vpn-example/

COOP is just a redundancy function between two KSs. That means both KSs can be contacted by GMs to register. The author of that document has taken advantage of this functionality to register one KS to the other and vice versa. However, this is not officially supported by Cisco. Definitely test it out in a lab environment before using production devices for this kind of setup.
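For reference, here is what the supported part of the above looks like: a primary and a secondary COOP key server plus one group member. This is an added example, not configuration from the original thread or from the linked INE post. Group name (GETVPN), identity number (1234), key server addresses (10.0.0.1 and 10.0.0.2), the RSA key label, the pre-shared key and the protected subnets are all assumed values. It deliberately shows only KS-to-KS redundancy and GM registration; the KS-registering-as-GM trick from the blog is the unsupported part and is not reproduced here.

```ios
! ===== Primary COOP key server (10.0.0.1) =====
! Assumed: "crypto key generate rsa label GETVPN-KEY modulus 2048 exportable"
! has been run in exec mode; the same key pair must be imported on the
! secondary KS so both can sign rekeys.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
! Lab-only wildcard PSK; use certificates or per-peer keys in production.
crypto isakmp key GETVPNLABKEY address 0.0.0.0 0.0.0.0
! ISAKMP keepalives let the KSs detect a failed peer and re-elect.
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic policy pushed to every GM (assumed subnets). GDOI control traffic
! (UDP 848) is excluded so registration and rekeys are never encrypted
! with the TEK they are trying to deliver.
ip access-list extended GETVPN-ACL
 deny   udp any eq 848 any eq 848
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 10.0.0.2

! ===== Secondary COOP key server (10.0.0.2) =====
! Identical ISAKMP/IPsec/ACL/gdoi configuration, with only the local
! address, priority and peer address swapped:
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 10.0.0.2
  redundancy
   local priority 75
   peer address ipv4 10.0.0.1

! ===== Group member (any remote site router) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key GETVPNLABKEY address 10.0.0.1
crypto isakmp key GETVPNLABKEY address 10.0.0.2
!
! Both KSs are listed so the GM can register with whichever is alive.
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
 server address ipv4 10.0.0.2
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet1
 ip address 10.0.1.1 255.255.255.0
 crypto map GETVPN-MAP
```

On the key servers, "show crypto gdoi ks coop" confirms which KS won the election (the higher "local priority" becomes primary) and that the peers are in the Alive state; on the GM, "show crypto gdoi" shows which KS it registered with and the TEK/KEK lifetimes. Note that neither KS carries a gdoi crypto map here, which is exactly why their own data traffic stays cleartext; getting the DC router encrypted under the group TEK means running the KS role on a separate box and making the DC router a regular GM.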