Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1302
Views
0
Helpful
4
Replies

GETVPN

Go to solution
cool rohan
Level 1
Level 1

‎07-31-2017 11:21 AM - edited ‎02-21-2020 09:23 PM

GETVPN is providing redundancy. but can it provide load balancing ? If yes then how please explain

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to cool rohan

‎08-01-2017 01:18 AM

ETEHi,

Thanks for clarifying.

COOP KSs provide redundancy to GET VPN. Multiple KSs are supported by GET VPN to ensure redundancy, high availability (HA), and fast recovery in case of network failure.

The primary KS is responsible for creating and distributing group policy. It also periodically sends out group information updates to all other KSs to keep those servers in synchronization. If the secondary KSs somehow miss the updates, they contact the primary KS to directly request information updates. The secondary KSs mark the primary KS as unreachable if the updates are not received for an extended period of time.

Cooperative GDOI KSs can jointly manage the GDOI registrations for the group, which achieves load balancing during GM registration process. When a new policy is created on a primary KS, the primary KS to distribute rekey messages to GDOI GMs regardless of which KS a GM is registered with.

COOP KSs use announcement messages to communicate with each other. These messages are exchanged on UDP port 848, as defined for GDOI. All KS-to-KS messages are secured using Phase I (ISAKMP) negotiated keys.

Primary KSs periodically send announcement messages to the secondary KSs. These messages enable the KSs to exchange state information about GMs and policies. The various components of these messages are:


----KS sender priority:


This value describes the priority of the sender, which is configurable using the CLI. The KS with the highest priority becomes the primary KS. If two KSs have the same priority, the KS with the highest IP address becomes the primary KS.


--- KS role:

This value describes the role of a KS (primary or secondary).

--- Group policies:


---Group policies are maintained for a group and include information such as GM information and IPsec SAs and keys.

Regards,

Aditya

Please rate helpful and mark correct answers

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎07-31-2017 10:14 PM

Hi,

GETVPN is just a feature. It is used to encrypt traffic but won't change the flow of traffic in the network and cannot load balance traffic on its own.

Remember that one of GETVPN's key features is IP Header Preservation - the original IP header inside the  IPsec packet is preserved so the packet will be routed the same.

So the answer to your question is as long as HSRP/VRRP/GLBP is enabled and
working in your network to route traffic across the network GETVPN will continue doing its job of encrypting the packets.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Go to solution
cool rohan
Level 1
Level 1
In response to Aditya Ganjoo

‎07-31-2017 11:52 PM

I am talking in the case of GETVPN COOP. When there are multiple key servers then in that case it does not provide load balance? see in the topology i have attached

Preview file
52 KB
0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to cool rohan

‎08-01-2017 01:18 AM

ETEHi,

Thanks for clarifying.

COOP KSs provide redundancy to GET VPN. Multiple KSs are supported by GET VPN to ensure redundancy, high availability (HA), and fast recovery in case of network failure.

The primary KS is responsible for creating and distributing group policy. It also periodically sends out group information updates to all other KSs to keep those servers in synchronization. If the secondary KSs somehow miss the updates, they contact the primary KS to directly request information updates. The secondary KSs mark the primary KS as unreachable if the updates are not received for an extended period of time.

Cooperative GDOI KSs can jointly manage the GDOI registrations for the group, which achieves load balancing during GM registration process. When a new policy is created on a primary KS, the primary KS to distribute rekey messages to GDOI GMs regardless of which KS a GM is registered with.

COOP KSs use announcement messages to communicate with each other. These messages are exchanged on UDP port 848, as defined for GDOI. All KS-to-KS messages are secured using Phase I (ISAKMP) negotiated keys.

Primary KSs periodically send announcement messages to the secondary KSs. These messages enable the KSs to exchange state information about GMs and policies. The various components of these messages are:


----KS sender priority:


This value describes the priority of the sender, which is configurable using the CLI. The KS with the highest priority becomes the primary KS. If two KSs have the same priority, the KS with the highest IP address becomes the primary KS.


--- KS role:

This value describes the role of a KS (primary or secondary).

--- Group policies:


---Group policies are maintained for a group and include information such as GM information and IPsec SAs and keys.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Go to solution
cool rohan
Level 1
Level 1
In response to Aditya Ganjoo

‎08-01-2017 03:22 AM

Thanks Aditya

0 Helpful
Customers Also Viewed These Support Documents